Data protection groups file complaint against Ryanair for biometric verification

Lobbying group EU Travel Tech has joined data protection authorities in France and Belgium in filing a complaint against Ryanair for its controversial online booking verification process, which uses facial recognition technology to identify travellers.

The budget carrier previously stated the verification process, introduced in 2023, was implemented to avoid “unauthorised” online agents from selling flights and ancillary services at inflated prices.

As a result, customers who book through third parties are now required to complete the online process, which includes an ‘express’ biometric verification, while those who do not are required to pay an additional €55 fee to complete check-in at the airport.

As previously reported by BTN Europe, the online verification process has already created friction in the booking process for many corporate travellers, and raised security concerns regarding the processing of travellers’ biometric data. BTN Europe is aware of at least one company that has removed Ryanair from its travel programme as a direct result of its security concerns.

In a statement on Tuesday (21 May) EU Travel Tech said the biometric verification process not only infringes on individual privacy but also raises “significant” legal concerns under the General Data Protection Regulation (GDPR).

“Ryanair’s biometric verification process violates the principles of lawfulness, fairness and transparency required by the GDPR, particularly concerning the processing of special category data such as biometric information,” the group said.

“The use of biometric data for customer verification, especially without clear, necessary and proportionate justification, introduces risks including data breaches, identity theft and unwarranted surveillance. Once biometric data is compromised, it cannot be revoked or changed, posing permanent risks to individuals’ privacy and security.”

This latest complaint follows a similar move by digital rights group NOYB last July, which also claimed Ryanair’s use of facial recognition breached GDPR rules.

EU Travel Tech, in its statement, raised concerns about the apparent “slow pace” of the investigative process following NOYB’s initial complaint and urged data protection authorities to “take immediate provisional measures” to stop Ryanair’s verification process.

“This case’s urgency and potential harm to individuals’ rights and freedoms demand swift action, including the imposition of an effective, proportionate and dissuasive fine in accordance with GDPR Article 83,” the group said.

In a statement sent to BTN Europe, Ryanair said its verification process was introduced to “protect consumers” who book through “OTA pirates” to “ensure that they (as the passenger) make the necessary security declarations and are informed directly of all safety and regulatory protocols as legally required, which is fully compliant with all GDPR regulations”.

The carrier has distribution agreements with the likes of Sabre, Amadeus and Travelport as well as with travel tech company Kyte, following a recent deal with the corporate travel distributor. Ryanair, in December, also entered an agreement with SAP Concur that will see its fares and ancillary products be made available via the Concur Travel online booking tool from Q3 2024.