Biometric verification: Online travel agencies accuse Ryanair of GDPR violation

Ryanair demands a "verification process" with biometric facial recognition from customers if they don't book directly. Travel associations are fighting it.

This article was originally published in German and has been automatically translated.

The EU Travel Tech association, which includes companies such as Airbnb, Booking.com, eDreams, Expedia and Skyscanner, has complained to the French and Belgian data protection authorities about Ryanair. Since December 2023, the low-cost airline has required them to verify passengers without a Ryanair customer account using automated facial recognition and ID data. This primarily affects customers who book their flight via an online travel agency.

"This procedure not only violates the privacy of the individual, but also raises significant legal concerns under the General Data Protection Regulation (GDPR)," writes EU Travel Tech. The biometric verification process violates the principles of "lawfulness, fairness and transparency", especially with regard to particularly sensitive data categories such as biometric information. Their use poses risks such as data breaches, identity theft and unjustified surveillance. Once biometric data has been compromised, it "can no longer be revoked or changed".

EU Travel Tech is calling on the data protection authorities to halt the verification process immediately, for the time being, under Article 66 GDPR. The association is also deeply concerned about the slow pace of an investigation that is already underway: the civil rights organization Noyb filed a complaint against the forced facial recognition with the Spanish data protection authority in July 2023. Back then, Ryanair had already asked a customer who had booked via eDreams to pay for a check.

According to Ryanair, it wants to verify contact details in order to protect customers from phishing, account misuse, dubious online travel agents and other fraudsters. "In reality, however, the airline already has all the relevant information," says Noyb. In addition, it does not require biometric scans for those who book directly via the Ryanair website. The purpose of facial recognition systems is to verify faces, not email addresses. Ryanair is apparently trying to "make the lives of travelers and competitors more complicated in order to increase its own profits". It is also not apparent that customers are informed and voluntarily consent to the process, as is actually required.

According to EU Travel Tech, the Noyb case has now landed at the Irish Data Protection Commission (DPC) because Ryanair is based in Ireland. It is completely unclear how far the investigations there have progressed. The delay raises considerable concerns as to whether the GDPR is being enforced effectively. EU Travel Tech, together with the European Travel Agents' and Tour Operators' Association (ECTAA) and the European Passengers' Federation (EPF), has therefore also sent a letter of complaint to the EU Commission.

The customer check informs consumers "about all legally required safety and regulatory protocols", a Ryanair spokesperson told the portal Euractiv. Online travel agencies often illegally take over the group's flight inventory by reading out screen information ("screen scraping") in order to sell consumers overpriced tickets.

(vbr)