Ireland’s Data Protection Commission (DPC) has opened an EU-wide investigation into the EU’s biggest budget carrier, questioning whether its use of facial recognition to verify the identities of passengers that booked through third-party sites is compliant with General Data Protection Regulation (GDPR) terms. The Irish DPC’s investigation applies to bookings made with certain aggregator and discount sites, as well as those made through independent travel agents.
Irish DPC investigates alternatives to facial recognition offered to third-party bookers
The Irish DPC said that the EU-wide investigation stems from EU-wide complaints about the facial recognition system. Ryanair has been headquartered in County Dublin since 2014.
Ryanair customers that book directly with the airline, whether in person at airports or via the company website or mobile app, are not subject to facial recognition verification. The company responded to the Irish DPC by saying that the system is necessary for third party bookings as these parties do not necessarily provide it with customer contact or payment details when the tickets are booked.
Ryanair does offer alternatives to facial recognition verification to these customers, but they are both time-consuming. The airline says that passengers with third-party tickets can either arrive at the airport at least two hours early for additional screening, or can fill out a form and submit a picture of their national ID card or passport at least a week in advance of their trip.
Ryanair has responded to the Irish DPC by saying that both its facial recognition and non-biometric processes are compliant with the GDPR, and that it welcomes the agency’s inquiry. It claims that the policy is in place to protect the company from non-approved online travel agents that overcharge and scam their clients, though this does not seem to address the complaints that come from bookings via legitimate third-party sites. A previous lawsuit against Ryanair centered on tickets booked via eDreams, one of Europe’s largest registered online travel agencies.
Ryanair’s facial recognition system previously challenged in Spain
Privacy group noyb, the persistent thorn in the side of Meta headed by Max Schrems, took on Ryanair’s facial recognition system in Spain one year ago. That complaint intimated that Ryanair does not use the system for necessary passenger verification so much as it does to pressure customers to make direct purchases by hassling and inconveniencing them, giving the airline an unfair competitive advantage.
The GDPR complaints center on the lack of information about the facial recognition process from the customer end. Ticket purchasers may not even be aware that they will be subject to these extra verification methods prior to booking, and are not necessarily provided with clear information about the purpose of requiring a biometric scan (when other less intrusive methods of verification are available). The regulation requires clear and informed consent from subjects whenever biometrics are taken. Ryanair also, at least at one time, appears to have charged an additional fee to those going the facial recognition route.
There is no indication that Ryanair is storing or making use of the biometrics collected during the facial recognition process, as it is outsourced to a company called GetID that asks users to submit a picture of their photo identification. At the back of this policy is the company’s core business model, which cuts costs to the bone to make ticket prices as cheap as possible. The company sometimes makes as little as a few euros per seat on flights, at least if a customer does not purchase ancillary services, and has thus been at war with travel agents since it retooled to its ultra-budget approach in the 1990s. Another factor in its business strategy is saving on expensive airport fees, charged for every minute a plane is on the ground, by pushing customers to complete as much of the boarding process as possible before even arriving.
Ryanair has tilted with third-party booking sites before as well. Earlier this year it won a lawsuit in the US against the site Booking.com (which owns a number of other major booking sites such as Priceline and Kayak), which it accused of scraping its site for fares without authorization. In December of last year it also received an injunction from the Irish High Court against Flightbox, a screenscraper that collects fare information for online travel agents.
The Irish DPC has also been active recently, settling on a fine of €91 million for Meta over a case of internally exposed user passwords and reportedly poised to deliver a very large fine to LinkedIn over GDPR violations in its use of targeted advertising. Last month the Irish DPC also launched formal inquiries into Google’s cross-border data practices and possible GDPR violations by its foundational AI model Pathways Language Model 2.