Today, noyb filed a complaint against Ryanair. When booking through an online travel agent and not directly on its website or app, Europe’s biggest airline requires a part of its customers to go through a “verification process” involving invasive facial recognition. There is no reasonable justification for Ryanair to implement this system. Instead, it seems like the airline is willingly violating their customers' right to data protection in order to obtain an unfair competitive advantage over alternative booking channels.
- Complaint with the Spanish Data Protection Authority (AEPD) (ES)
- English auto-translation of the complaint
No holiday without invasive verification process. After booking a Ryanair flight through the online travel agency eDreams, the complainant received an email from Ryanair requesting her to complete a “verification process”. She was presented with the choice of either verifying through facial recognition – or going to the check-in counter at the airport more than two hours before departure. The complainant would not have been able to board the flight if she had refused to obey these instructions. She was even charged a small fee for the “verification process”.
A questionable justification. According to Ryanair, this tedious and invasive process is allegedly meant to help verify a customer’s contact details, although the airline already has all the relevant information. Also, Ryanair doesn’t require biometric scanning if a customer books directly with them. The purpose of facial recognition systems is the verification of faces, not of email addresses.
Romain Robert, Program Director at noyb: “They already have your contact details to send you the link to the ‘verification’ process. A verification of contact details via biometrics also doesn’t make a lot of sense: Your email address is not printed on your face or in your passport. Ryanair’s verification process looks like another attempt to make the lives of travelers and competitors more complicated to increase profits.”
“Unacceptably high risks”. Facial recognition systems require people’s biometric data - a category, that’s specially protected by law. The European Data Protection Authorities even say that facial recognition can pose “unacceptably high risks” to people. Ryanair, on the other hand, promotes it for its questionable online verification. The airline outsources this process to an external company named GetID. This means that customers have to entrust their biometric data to a company they have never heard of or had a contract with.
Unlawful consent. Although Ryanair claims that the legal basis for its usage of facial recognition is consent, it didn’t provide comprehensible information about the purpose of this intrusive process. Without clear information, a user’s consent can’t be informed or specific – which means it’s not valid under the GDPR.
Felix Mikolasch, Data Protection Lawyer at noyb: “The information provided by Ryanair is so confusing that travelers may even think their booking is invalid. By nudging customers to go through its intrusive facial recognition process, the airline manages to both violate their customer’s privacy and ensure that they don’t book via external providers another time.”
Profit as the hidden agenda. It seems that the real purpose of the verification process is to keep customers from booking a flight through online travel agencies. Ryanair profits not only from selling flights, but also from offering car rental and hotel bookings directly on its website. If a customer books their flight elsewhere, they won’t spend any additional money with Ryanair.
From litigation to nudging. Ryanair has tried unsuccessfully in the past to sue online travel agencies for offering its flights. Now, the airline is trying to secure its market position at the expense of customer privacy and via mere annoyance. It seems clear that the process exists mainly to ‘nudge’ people into booking directly with Ryanair. noyb has now filed a complaint with the Spanish AEPD. Based on Ryanair’s turnover of € 4.8 billion in 2022, the Data Protection Authority could issue a fine of up to € 192 million.