Ryanair is under scrutiny as EU Travel Tech, in conjunction with data protection authorities in France and Belgium, has filed a formal complaint against the airline’s biometric verification process.
This procedure, which utilises facial recognition technology, has raised significant privacy and legal issues under the General Data Protection Regulation (GDPR).
The budget airline introduced this verification process in 2023 to prevent “unauthorised” online agents from selling flights and ancillary services at inflated prices. Under this system, customers booking through third parties must complete an online biometric verification or pay an additional €55 fee to check-in at the airport.
Corporate travellers have reported friction and security concerns with this verification process. One company has even removed Ryanair from its travel programme due to these issues.
In a statement on 21 May, EU Travel Tech criticised the process for infringing on individual privacy and failing to comply with GDPR requirements. The group stated, “Ryanair’s biometric verification process violates the principles of lawfulness, fairness, and transparency required by the GDPR, particularly concerning the processing of special category data such as biometric information.”
They further warned that using biometric data for customer verification without clear, necessary, and proportionate justification introduces risks of data breaches, identity theft, and unwarranted surveillance. “Once biometric data is compromised, it cannot be revoked or changed, posing permanent risks to individuals’ privacy and security,” the statement added.
This complaint follows a similar grievance filed by digital rights group NOYB last July, which also alleged that Ryanair’s facial recognition technology breached GDPR rules. EU Travel Tech expressed frustration with the slow pace of the investigation following NOYB’s complaint and urged data protection authorities to “take immediate provisional measures” to halt Ryanair’s verification process.
EU Travel Tech called for swift action to prevent potential harm to individuals’ rights and freedoms, suggesting that a significant fine, as per GDPR Article 83, should be imposed on Ryanair.
In response, Ryanair defended its verification process, claiming it was introduced to “protect consumers” from “OTA pirates” and to ensure passengers are directly informed of all safety and regulatory protocols. The airline maintains that the process is fully compliant with GDPR regulations.
Ryanair has existing distribution agreements with companies such as Sabre, Amadeus, and Travelport, and recently partnered with travel tech company Kyte. In December, Ryanair also entered an agreement with SAP Concur to make its fares and ancillary products available via the Concur Travel online booking tool from Q3 2024.
As this issue develops, the outcome of the complaint will likely impact how biometric verification processes are handled and regulated within the travel industry.