A complaint has been filed against the Irish low-budget airline Ryanair by an NGO which claims that it, in some cases, requires customers to go through a "verification process" involving unwarranted use of facial recognition.
An Austrian association campaigning for the protection of privacy called noyb (for "None of your business") lodged its complaint against Europe's biggest airline on Thursday, arguing that the airline illegally imposes facial recognition when people book their trips through intermediary means other than on Ryanair's own website.
"There is no reasonable justification for Ryanair to implement this system. Instead, it seems like the airline is willingly violating its customer’s right to data protection in order to obtain an unfair competitive advantage over alternative booking channels," the organisation in a statement.
The organisation referred to the case of a claimant who, after booking a Ryanair flight through the online travel agency eDreams, received an email from Ryanair requesting her to complete a "verification process."
She was presented with the choice of either verifying through facial recognition – a process that can take seven days to be validated and for which she was charged a small fee (59 cents) – or be forced to go to the check-in counter at the airport more than two hours before departure for an additional fee ranging from €30 to 55.
If not complying with these instructions, she would not have been able to board the flight. She brought the matter to the Data Protection Authority in Spain, where she lives.
Not justified
Ryanair noted in a statement to The Brussels Times that third-party online travel agents are not authorised to sell its flights. "They scrape Ryanair’s inventory and in many cases miss-sell our flights and ancillary services with hidden mark-ups, while providing incorrect customer contact information and payment details."
It explained that, as a result of this, any customers who book through such a third-party organisation are "required to complete a simple customer verification process and can choose biometric verification or alternatively complete a digital verification form," which it argued are both fully compliant with all GDPR regulations.
"This is to ensure that they (as the passenger) make the necessary security declarations and are informed directly of all safety and regulatory protocols required when travelling, as legally required."
However, nyob argued that the airline does already have all the relevant information, proven by the fact that it has the contact details to send people the link to the ‘verification’ process. "Verification of contact details via biometrics also doesn’t make a lot of sense: Your email address is not printed on your face," Romain Robert, Program Director at noyb, said.
The NGO argued that this is "another attempt to make the lives of travellers and competitors more complicated to increase profits," and that the aim is to "encourage people to book directly with Ryanair," where it also offers to rent cars and hotel rooms.
Facial recognition systems require biometric data which must be transferred on the basis of "informed consent" as it is protected by law, according to the European Data Protection Authorities. However, there appears to be missing in this case, as Ryanair did not provide comprehensible information about the purpose of this intrusive process.
The Viennese organisation argued that, without clear information, a user’s consent can’t be informed or specific, which means it’s not valid under the GDPR. "The information provided by Ryanair is so confusing that travellers may even think their booking is invalid," Felix Mikolasch, a lawyer at noyb specialising in data protection, said.
Related News
- World first: European Parliament votes for ban on AI facial recognition
- Eurostar launches face-scan check-in system in London
Ryanair has tried unsuccessfully in the past to sue online travel agencies for offering its flights. The company has a reputation for going against the law, as it has in the past made it difficult for travellers to get compensation following cancelled flights.
Noyb has now filed a complaint with the Spanish AEPD. "Based on Ryanair’s turnover of €4.8 billion in 2022, the Data Protection Authority could issue a fine of up to €192 million," it concluded.