Travel Tech Group Files GDPR Complaint Against Ryanair Over Biometric Data
We’ve all become accustomed to the convenience of online travel agencies (OTAs) like Booking.com and Expedia. But what happens when your preferred booking method clashes with data privacy regulations? Ryanair GDPR
This is the current situation with Ryanair, a popular low-cost airline, facing heat over its mandatory facial recognition policy.
Why is Ryanair under fire? Ryanair GDPR
The EU Travel Tech Association, representing giants like Airbnb and Skyscanner, has filed complaints against Ryanair with French and Belgian data protection authorities. Their core argument?
This move by Ryanair, announced on December 8, 2023, mandates that customers without an existing account, including those booking through Online Travel Agencies (OTAs), undergo biometric verification, involving the provision of live self-images or signature images and passport details, to access booking management and online check-in features.
This procedure not only infringes on individual privacy but also raises significant legal concerns under the General Data Protection Regulation (GDPR). Ryanair’s biometric verification process violates the principles of lawfulness, fairness, and transparency required by the GDPR, particularly concerning the processing of special category data such as biometric information.
The use of biometric data for customer verification, especially without clear, necessary, and proportionate justification, introduces risks including data breaches, identity theft, and unwarranted surveillance. Once biometric data is compromised, it cannot be revoked or changed, posing permanent risks to individuals’ privacy and security.
GDPR and Biometric Data: A Match Made in Disarray?
The GDPR, a cornerstone of EU data privacy law, emphasizes principles like lawfulness, fairness, and transparency. EU Travel Tech argues Ryanair’s policy fails on all these fronts. They believe forcing facial recognition on users booking through OTAs is not only unnecessary but also introduces risks like data breaches and unwarranted surveillance.
This isn’t the first time Ryanair’s facial recognition has come under scrutiny. The European Center for Digital Rights (Noyb) filed a similar complaint in July 2023 with Spanish authorities. They specifically challenged the practice’s application to OTA bookings, highlighting the lack of justification under GDPR.
A Slow-Moving Investigation and Frustrated Stakeholders
The EU Travel Tech association expresses deep concern over the seemingly glacial pace of the Noyb investigation. Almost a year has passed without a ruling, raising questions about the effectiveness of GDPR enforcement. They’ve even gone a step further, urging the European Commission to consider measures that guarantee proper enforcement by the Irish data protection authority (DPC) in this case.
This call for action has garnered support from other industry heavyweights like the European Travel Agents’ and Tour Operators’ Association (ECTAA) and the European Passengers’ Federation.
What Lies Ahead for Ryanair and Facial Recognition?
With complaints filed in France and Belgium, the investigation takes on a more complex dimension. These data protection authorities will need to collaborate with the Irish DPC, given Ryanair’s Dublin headquarters.
This situation also comes on the heels of the Italian Competition Authority’s April 2024 ruling against Ryanair. They found the airline’s restrictions on travel agency ticket sales to be anti-competitive. Ryanair’s CEO, Michael O’Leary, has publicly criticized the decision, but it adds another layer of controversy to the company’s business practices.