Spain’s New Rules Require Confidential Information From Incoming Travelers

Published on November 26, 2024

Spain’s Royal Decree 933/2021, often dubbed the “Tourism Big Brother,” is set to take effect on December 2. However, it has faced opposition from both the Spanish Parliament and Senate, which have called for the government to suspend and reconsider the decree.

The European Travel Agents and Tour Operators’ Associations (ECTAA), together with its Spanish counterpart ACAVE and in partnership with FETAVE and UNAV, are sounding the alarm over the far-reaching consequences of Royal Decree 933/2021. These organizations stress the importance of raising public awareness, especially among travelers in Spain, as they will bear the brunt of this regulation. Under the decree, travel agencies, hotels, and car rental businesses will be compelled to submit more than 40 details for accommodation reservations and over 60 for car rental bookings to the Ministry of the Interior, many of which involve sensitive personal data.

The Ministry of the Interior introduced this regulation with the intention of enhancing security and providing law enforcement with more detailed information about travelers entering and passing through Spain. However, the breadth of the data being requested is deemed excessive and raises concerns about potential violations of data protection laws. As a result, on October 23, a majority in the Spanish Congress called for the government to reopen discussions and delay the regulation’s enforcement. The Spanish Senate also voted against it on November 20.

Despite this opposition, the Spanish Government has ignored the calls from Parliament and failed to respond to requests for a suspension or revision of the decree, pressing ahead with its December 2, 2024, implementation deadline.

These new requirements pose a significant threat to personal privacy, compelling travel agencies, hotels, and car rental businesses to collect and transmit sensitive data—including financial information, traveler relationships, and even travel patterns—for up to three years. Moreover, the regulation exposes citizens to the risk of misuse in the event of cyberattacks. This makes travelers the primary victims of potential data breaches, as no other EU country has introduced such an extensive measure.

ECTAA and ACAVE have voiced strong concerns regarding the new regulation, highlighting the serious risks it poses to both the European tourism industry and the safeguarding of travelers’ personal data. In response, they have reached out to the Spanish Government and the Spanish Data Protection Agency, urging a suspension of the regulation and seeking clarification on aspects that could breach European data protection laws. However, they have yet to receive any response to their inquiries.