Noyb files complaint against Ryanair over facial scan
Travelers who want to book a flight at Ryanair, are not only required to create an account, but also have to endure a verification process in which they have to provide a facial scan.
According to Austrian privacy advocacy group Noyb, Ryanair forces customers to create a ‘permanent account’. All the information that travelers provide will be kept by the airline carrier, until they delete the account. However, this usually never happens, which means Ryanair will have their personal information forever.
This constitutes a violation of the General Data Protection Regulation’s principle of data minimization. Article 5 of the GDPR states that personal data may only be processed if it’s necessary. Noyb says that Ryanair fails to meet this requirement.
It doesn’t stop there. In order to fly with Ryanair, customers are obliged to go through a mandatory verification process. This involves a facial recognition scan to verify their account. Handing over biometric data is considered to pose ‘unacceptably high risks’ according to the European Data Protection Board (EDPB).
Noyb argues there’s no reasonable justification for such a system and Ryanair willingly violates its customers’ right to data protection.
“Ryanair unlawfully nudges its users towards the processing of their highly sensitive biometric data, completely disregarding its legal obligations. There seems to be no obvious reasons why Ryanair needs such verification, given that other airlines do not require a face scan to buy a ticket,” Felix Mikolasch, data protection lawyer at Noyb, says in a statement.
Travelers who don’t want to provide a facial scan are required to send Ryanair a hand-written signature and copy of their ID, which creates an additional obstacle for people who don’t want to hand over their biometric data and robs them of their free choice.
Noyb suspects that the real purpose of the verification process is to prevent travel agencies from setting up an account at Ryanair to buy and resell flight tickets.
“If customers book their flight elsewhere, they won’t spend any additional money on hotels, insurance, airport transfers or rental cars with Ryanair, but book these extra services with a travel agency. In this respect, Ryanair and travel agencies are competitors. By requiring biometrics and alike, Ryanair seems to seek a competitive advantage in a business to business fight by throwing user privacy under the bus,” Noyb states.
To make Ryanair stop with these practices, Noyb has filed a complaint with the Garante per la Protezione dei Dati Personali (GPDP).
The privacy advocacy group wants the Italian data protection authority (DPA) to force the airline carrier to no longer violate the GDPR’s principle of data minimization and to put an end to its mandatory verification process.
Furthermore, Noyb demands that Ryanair delete all data that was acquired by violating European privacy laws. Lastly, the privacy group wants the GDPD to impose an administrative fine as a deterrence. Based on a turnover of €10 billion in 2023, the fine could go up to €431 million.
Ryanair has always stated that facial recognition is a necessary part of the verification process and it has a legitimate interest in doing so.
This is the second time Noyb has filed a complaint against Ryanair over its verification process. The first time was in July 2023 with the Spanish Agencia Española de Protección de Datos (AEPD).
In October, the Irish Data Protection Commission (DPC) launched an investigation into Ryanair’s use of customers’ biometric data.
Your email address will not be published. Required fields are marked