Privacy group challenges Ryanair’s use of facial recognition
Digital rights group NOYB has filed a complaint against Ryanair, Europe’s largest airline by passenger numbers. The complaint alleges that Ryanair is infringing on customers’ data protection rights by using facial recognition for identity verification when booking through online travel agents and directly on its website or app.
NOYB, a European non-profit group led by Austrian privacy activist Max Schrems, lodged the complaint with Spain’s data protection agency on behalf of a complainant who booked a Ryanair flight through the Spanish-based online travel agency, eDreams ODIGEO.
According to Ryanair’s website, the airline justifies its use of facial recognition as necessary to comply with safety and security requirements, since travel agents often do not provide customers’ contact and payment details.
The airline’s face biometrics capability is supplied by GetID, according to NOYB.
To avoid facial recognition, passengers can arrive at the airport at least two hours before departure or submit a form with a picture of their passport or national ID card in advance. Ryanair states that the form submission process may take up to seven days to complete. However, booking through Ryanair’s website or mobile app does not require such verification.
“There is no reasonable justification for Ryanair to implement this system,” NOYB said in a statement. “Instead, it seems like the airline is willingly violating their customer’s right to data protection in order to obtain an unfair competitive advantage over alternative booking channels.”
NOYB has previously succeeded in privacy challenges against some of the world’s largest multinational companies across the European Union under the General Data Protection Regulation (GDPR), introduced in 2018.
NOYB alleges that Ryanair’s verification procedures do not comply with GDPR because the company does not provide clear information about the purpose of the “invasive facial recognition process.”
In defense of its practices, Ryanair states that its biometric and non-biometric processes fully comply with all GDPR regulations. “Online travel agents scrape Ryanair’s inventory and, in many cases, mis-sell our flights and ancillary services with hidden mark-ups and provide incorrect customer contact information/payment details,” the airline said in a statement.
“As a result, and in order to protect customers, any customers who book through an online travel agent are required to complete a simple customer verification process. This is to ensure that they make the necessary security declarations.”
Ryanair is also facing a lawsuit, filed by an Italian tourism trade group, over its use of facial recognition for third-party ticket sales.