The Spanish government calls it Royal Decree 933/2021, but the tourism industry calls it something more sinister: Tourism Big Brother.
On December 2, 2024, a new law took effect in Spain. All hotels, vacation rental property owners, campsites, and rental car desks are now legally required to collect a long list of personal details about each and every adult visiting the country.
The list of demands is 42 items long and includes each traveler’s full name, gender, nationality, passport number, date of birth, home address, phone numbers, email address, and credit card data such as account number, expiration date, and security code.
But that’s not all. Spain also demands to know marital status, medical requirements, an occupation, employer’s name and address, and the reason for travel, among other details.
Travel sellers must transmit their customers’ personal information to the Spanish State Secretariat daily, and the full details must be stored by the travel vendor for 3 years. Failure to comply with the new law could result in fines for the businesses of up to €30,000 (US$31,589), although it’s worth noting that the penalties for failing to provide accurate information fall to the travel vendor and not to the traveler.
Hotel associations in Spain are fighting back against the new rules, but so far, the Spanish Interior Ministry has been unrelenting.
We probably don’t have to tell you why collecting data with this invasive depth of detail—especially without proper secure storage methods in place to protect all the info—presents a massive security problem for every traveler going to Spain.
Spanish authorities insist all the personal detail is necessary to “fight terrorism and organized crime.”
But wouldn’t criminals just lie?
Regardless, the purpose of Spain’s data collection isn’t in dispute as much as the slipshod and highly risky way it’s being done.
In the short time since the law went into effect, collecting all that detail is creating paperwork misery for travelers and slowing down check-in processes across the country—but even that frustration is the least of the law’s problems.
The European Travel Agents’ and Tour Operators’ Associations (ECTAA), which represents some 80,000 travel professionals in Europe, and its Spanish cohort, ACAVE, aren’t mincing words, calling the new law “a serious threat to the privacy of personal data” and warning of severe repercussions for the European tourism industry.
“This makes travelers the main victims of the potential exposure of their sensitive data, as this regulation is unprecedented in any other European Union country,” the groups wrote in a joint statement. “It also exposes citizens to potential risks of misuse of their information in the event of cyberattacks.”
Frankly, travelers wouldn’t even need a cyberattack to be at risk. With so much personally identifying information being handed over, any unscrupulous desk worker will already have enough personal data points to do major damage. They’ll even have your home address as well as the dates they’ll know you’ll be in Spain and not back at home.
The American consumer rights defense group Travelers United is pointing out yet another concerning aspect of the law’s disclosure demands.
“The law requires adults traveling with minor children under 14 to define their relationship with the children precisely,” warned Ned S. Levi in a post for the group. That demand means visitors with kids must “bring documentation of your legal relationship with the children, particularly if you’re a single parent, especially if you’re divorced. You may need to prove custody rights.”
The European Union, which includes Spain as a member state, is already gearing up to collect similar data from every tourist who enters its jurisdiction as part of its European Travel Information and Authorization System, or ETIAS, which will also be used for security purposes. But that information will be collected and stored by the EU and will not be in private hands, like the data collected by Spain.
“For now, I can’t recommend traveling to Spain for anyone,” wrote Levi. “Rather than put my personal identity and financial information at risk, I will avoid traveling to Spain for the foreseeable future. There are many other great locations in the world to see.”
Perhaps unflinching verdicts like that, which will chase tourism away from Spain, might be just what some officials in the country are secretly after.
After all, this is a place were some locals are battling overtourism and the destructive expansion of Airbnb by spraying tourists with water pistols and plastering walls with EL TURISME MATA ELS BARRIS (“tourism kills neighborhoods”) graffiti. If this new law scares business away, there are some Spaniards who will count that as a good thing.
This battle is only beginning. The ECTAA suggests the new law may be in direct violation of the European Union’s stringent personal data laws, Directive 2016/6801 and the General Data Protection Regulation (GDPR). The European tourism industry is mobilized for a fight.
Until then, if you’re heading to Spain, the risk is yours to take.