Low-cost airline Ryanair has received a complaint about its use of facial scanning.
The European Center for Digital Rights (noyb) filed a complaint with Italy’s data protection authority (DPA) over Ryanair’s facial recognition verification process, which noyb claims infringes the EU’s General Data Protection Regulation (GDPR).
“Ryanair unlawfully nudges its users towards the processing of their highly sensitive biometric data, completely disregarding its legal obligations,” Felix Mikolasch, data protection lawyer at noyb, said in a statement. “There seems to be no obvious reasons why Ryanair needs such verification, given that other airlines do not require a face scan to buy a ticket,” he added.
Central to noyb’s complaint is Ryanair’s “mandatory and confusing verification,” according to the organization, with the airline requiring users to create a permanent account, when booking a flight through the company’s online platform(s), which then requires verification. “At this point, people can theoretically choose between two options,” noyb says.
“In reality, Ryanair nudges them towards a pre-selected and highly invasive biometric facial recognition process to verify their account – despite biometric data being specifically protected by EU law,” it continues. Noyb contends that Ryanair’s “forced accounts” violates the data minimization principle; as well as the purpose limitation principle and consent requirements of GDPR with the “mandatory verification.”
Ryanair has called for justification of the complaint. A spokesperson for the airline said it welcomes noyb’s complaint but that the company “call[s] on noyb to justify [their] retrograde attempt… to diminish the effectiveness of verification safeguards,” in a comment emailed to Euractiv yesterday.
This is not the first time noyb has complained about Ryanair’s alleged violation of customer’s data protection rights, and its use of facial recognition verification, with the organization filing a similar GDPR complaint last summer with the Spanish Data Protection Authority (AEPD).
Online travel agencies (OTAs) have also filed complaints with the French and Belgian data privacy authorities, with the OTAs arguing that Ryanair uses its facial recognition verification process to prevent customers from booking tickets on their marketplaces.
The Spanish (AEPD), French (CNIL), Belgian (APD-GBA), and Italian (Garante) data protection agencies are expected to cooperate with their Irish counterpart (DPC), since Ryanair is a Dublin-based company, which will lead the investigation into the airline following GDPR procedures.
Article Topics
airports | biometric data | biometrics | data privacy | data protection | face biometrics | facial verification | GDPR | identity verification | travel and tourism