Ryanair’s use of facial recognition technology investigated by data regulator

The inquiry centres on use of biometric data for bookings made through third party sites

Ryanair group CEO Michael O'Leary. The carrier says on its website that in order to comply with safety and security requirements it must verify the identity of passengers booking elsewhere.
Ryanair group CEO Michael O'Leary. The carrier says on its website that in order to comply with safety and security requirements it must verify the identity of passengers booking elsewhere.

The Data Protection Commission (DPC) has opened an EU-wide investigation into whether Ryanair’s use of facial-recognition technology to verify the identity of customers booking through third-party websites violates the bloc’s privacy laws.

The regulator said it had received complaints from Ryanair customers across the European Union over the airline’s practice of requesting additional verification from those booking tickets through third-party sites or online travel agents, as opposed to directly with Ryanair.

“The DPC has received numerous complaints from Ryanair customers across the EU/EEA who after booking their flights were subsequently required to undergo a verification process,” DPC deputy commissioner Graham Doyle said in a statement.

“The verification methods used by Ryanair included the use of facial-recognition technology using customers’ biometric data. This inquiry will consider whether Ryanair’s use of its verification methods complies with the GDPR (General Data Protection Regulation).”

READ MORE

The Irish carrier, Europe’s largest by passenger numbers, says on its website that in order to comply with safety and security requirements it must verify the identity of passengers booking elsewhere because agents often do not provide Ryanair with customers’ contact and payment details.

Passengers can avoid verifying through facial recognition by showing up at the airport at least two hours before departure or by submitting a form and picture of their passport or national ID card in advance, a process Ryanair said can take seven days to complete.

A similar process is not required when booking through Ryanair’s website or mobile phone app.

Ryanair said last year when a complaint was lodged on the issue that its biometric and non-biometric processes were both fully compliant with all the EU’s GDPR.

In a statement on Friday, the carrier welcomed the DPC inquiry and insisted its systems “protect customers”.

“We welcome this DPC inquiry into our booking verification process, which protects customers from those few remaining non-approved online travel agents, who provide fake customer contact and payment details to cover up the fact that they are overcharging and scamming consumers,” it said.

“Customers who book through these unauthorised online travel agents are required to complete a simple verification process (either biometric or a digital verification form) both of which fully comply with GDPR. This verification ensures that these passengers make the necessary security declarations and receive directly all safety and regulatory protocols required when travelling, as legally required.”

The DPC said it had opened an inquiry into Ryanair’s “processing of personal data as part of the customer verification processes for customers who book Ryanair flights from third party websites or online travel agents”.

Digital rights group NOYB (European Center for Digital Rights) last year filed a complaint against Ryanair, alleging it was violating customers’ rights to data protection by using facial recognition to verify their identity.

NOYB, led by Austrian privacy activist Max Schrems, filed the complaint with Spain’s data protection agency on behalf of a complainant who booked a Ryanair flight through the Spanish-based online travel agency eDreams Odigeo.

“There is no reasonable justification for Ryanair to implement this system,” said NOYB at the time, claiming the company was violating customers’ right to obtain an unfair competitive advantage over alternative booking channels.

European data regulators issued almost €3 billion in fines related to data protection infringements in 2022, with the Irish regulator accounting for more than a third of the figure, a report from global law firm DLA Piper found.

Although advertising and social media were the main talking points over the period, there was also a growing focus on artificial intelligence, and the role of personal data used to train the technology.

Among the investigations undertaken during that year were several into facial recognition company Clearview AI. – additional reporting: PA

  • Sign up for the Business Today newsletter and get the latest business news and commentary in your inbox every weekday morning
  • Opt in to Business push alerts and have the best news, analysis and comment delivered directly to your phone
  • Join The Irish Times on WhatsApp and stay up to date
  • Our Inside Business podcast is published weekly – Find the latest episode here
Colin Gleeson

Colin Gleeson

Colin Gleeson is an Irish Times reporter