Today, noyb filed a GDPR complaint against Ryanair. Booking a flight on the airline’s website not only requires a mandatory account. New customers must also go through a verification process which, for many people, involves invasive biometrics. There is no reasonable justification for such a system. Instead, it appears that Ryanair is willingly violating its customers’ right to data protection in order to increase its market power. This is already the second noyb complaint against this practice. Despite a previous complaint, Ryanair has decided to force even more customers to go through its verification system.
- Complaint with the Italian Data Protection Authority (EN)
- Complaint with the Italian Data Protection Authority (IT)
- Previous noyb complaint against Ryanair
Ryanair introduces ‘forced accounts’. Whoever wants to book a flight on the Ryanair website or app is forced to create a permanent account. This often means that data is combined and kept until you delete the account - which is usually never. However, an account is clearly not necessary to book a flight. Neither Lufthansa, EasyJet, Air France nor Norwegian, among many others, require setting up an account for purchasing a flight. In reality, Ryanair’s ‘forced accounts’ violate the GDPR’s data minimisation principle. Article 5(1)(c) GDPR requires that personal data should only be processed if it is necessary. Ryanair fails to meet this requirement.
Mandatory and confusing verification. But forced accounts are not enough for Ryanair. In order to fly with them, all new account owners must go through a mandatory ‘verification’ process. At this point, people can theoretically choose between two options. In reality, Ryanair nudges them towards a pre-selected and highly invasive biometric facial recognition process to verify their account - despite biometric data being specially protected by EU law. European Data Protection Authorities even say that facial recognition can pose “unacceptably high risks” to people.
Felix Mikolasch, Data Protection Lawyer at noyb: “We all know that Ryanair is a master of annoying and deceptive website design. But when it comes to using people’s personal data, the airline has to follow the law like everyone else.”
No face scan – no quick flight booking. If customers don’t want their biometric data to be processed, Ryanair requires them to send them a hand-written signature and a copy of their government ID. This creates an additional burden for refusing consent to the use of their biometric data, leading to customers being robbed of their free choice – and Ryanair not complying with the consent requirements of the GDPR.
Felix Mikolasch, Data Protection Lawyer at noyb: “Ryanair unlawfully nudges its users towards the processing of their highly sensitive biometric data, completely disregarding its legal obligations. There seems to be no obvious reasons why Ryanair needs such verification, given that other airlines do not require a face scan to buy a ticket.”
Hunting competition at the expense of customers. It seems that the real purpose of the verification process is to prevent online travel agencies from setting up accounts to buy and subsequently re-sell Ryanair flights on their websites. If customers books their flight elsewhere, they won’t spend any additional money on hotels, insurance, airport transfers or rental cars with Ryanair – but book these extra services with a travel agency. In this respect, Ryanair and travel agencies are competitors. By requiring biometrics and alike, Ryanair seems to seek a competitive advantage in a business to business fight by throwing user privacy under the bus.
Complaint filed in Italy. noyb has now filed a complaint with the Italian Garante. By forcing users to create an account to buy a plane ticket, the airline violates the data minimisation principle according to Article 5(1)(c) GDPR. In addition, the mandatory verification violates the purpose limitation principle (Article 5(1)(b) GDPR). Last but not least, Ryanair fails to meet the consent requirements in accordance with Articles 6 and 9 GDPR. Based on Ryanair’s turnover of € 10 billion in 2023, the data protection authority could issue a fine of up to € 431 million.
