The watchdog has received several complaints regarding additional verification Ryanair customers have to go through.
Ireland’s Data Protection Commission (DPC) is looking into how Ryanair processes personal data – including potentially biometric data.
The DPC has received several complaints regarding the airline’s practice of requesting additional ID verification from customers who book their travel with third-party websites.
Biometric data refers to unique physical or behavioural characteristics that can be used to identify an individual and includes fingerprints, facial recognition data and retinal scans.
Under the General Data Protection Regulation (GDPR), biometric data is a special category of personal data, which means it is subject to even stricter regulations.
Graham Doyle, deputy commissioner with the DPC, said Ryanair customers across the EU/EEA have complained that they were required to undergo a verification process after booking their flight.
“The verification methods used by Ryanair included the use of facial recognition technology using customers’ biometric data. This inquiry will consider whether Ryanair’s use of its verification methods complies with the GDPR.”
In July 2023, digital privacy group NOYB claimed that the airline’s use of facial recognition breaches GDPR and is being used to push users away from external online travel agencies.
The group said at the time there is a “questionable justification” behind Ryanair’s need for facial verification, as the airline doesn’t use facial recognition if a customer books directly on the Ryanair website or app.
“By nudging customers to go through its intrusive facial recognition process, the airline manages to both violate their customer’s privacy and ensure that they don’t book via external providers another time,” said Felix Mikolasch, a data protection lawyer with NOYB.
In a statement sent to SiliconRepublic.com, a Ryanair spokesperson said the airline welcomes the DPC inquiry and added that its booking verification process protects customers from non-approved online travel agents (OTA).
“Customers who book through these unauthorised OTAs are required to complete a simple verification process (either biometric or a digital verification form), both of which fully comply with GDPR,” the spokesperson said.
“This verification ensures that these passengers make the necessary security declarations and receive directly all safety and regulatory protocols required when travelling, as legally required.”
The use of facial recognition tech
Earlier this year, the European Data Protection Board issued an opinion on the use of facial recognition to streamline airport passenger flow.
In its opinion, it warned that, due to the “heightened risks to data subjects’ rights and freedoms” that come with using such biometric data, any use must be carefully considered.
It is worth noting that this opinion was strictly in relation to use within airports, such as at security checkpoints, baggage drop-off and boarding the aircraft rather than during the process of booking the travel ticket.
Even then, this use would only comply with GDPR under strict centralised storage restrictions with appropriate safeguards or if it remains in the sole hands of the data subject.
Facial recognition technology continues to be a controversial topic, with many companies landing in hot water over its use.
In July, Meta agreed to pay a $1.4bn settlement to resolve a 2022 lawsuit in Texas accusing the tech giant of illegally using facial recognition technology to collect biometric data.
Ireland’s Minister for Justice Helen McEntee, TD, faces ongoing pressure to halt plans to give facial recognition technology to the Gardaí.
And US facial recognition technology company Clearview AI was fined more than €30m by the Dutch Data Protection Authority for allegedly creating an illegal database that contains billions of images of people worldwide.