European budget airline Ryanair is facing potential fines of up to €450 million following complaints filed with Italy’s Data Protection Authority regarding its facial recognition verification requirements for customers booking flights. The development follows an ongoing investigation by Ireland’s Data Protection Commissioner into the airline’s biometric verification practices.
The privacy advocacy group NOYB (None of Your Business) has submitted formal complaints alleging multiple violations of the EU’s General Data Protection Regulation (GDPR). At issue is Ryanair’s mandatory account creation process, which requires customers to undergo biometric facial recognition verification or submit handwritten signatures and government ID copies to book flights.
According to the complaint, Ryanair’s practices violate several core GDPR principles, including data minimization and purpose limitation. The airline requires customers to create permanent accounts that retain combined data until deletion, which NOYB argues exceeds necessary data collection requirements under Article 5(1)(c) of the GDPR. This contrasts with other major carriers’ approaches to passenger verification, as highlighted by Turkish Airlines’ optional biometric boarding system that maintains separate data streams.
The verification system appears designed to prevent online travel agencies from creating accounts to resell Ryanair flights. However, NOYB contends this violates GDPR Article 5(1)(b) on purpose limitation, which restricts data processing to specified legitimate purposes. The complaint comes amid broader industry discussions about decentralized approaches to biometric data storage that could better protect consumer privacy.
Felix Mikolasch, a data protection lawyer at NOYB, stated, “Ryanair unlawfully nudges its users towards the processing of their highly sensitive biometric data, completely disregarding its legal obligations. There seems to be no obvious reasons why Ryanair needs such verification, given that other airlines do not require a face scan to buy a ticket.”
The potential fine could reach €450 million, calculated based on Ryanair’s 2023 turnover of €10 billion. Under GDPR guidelines, maximum penalties can amount to 4 percent of a company’s annual global revenue. The case represents one of the largest potential GDPR penalties in the aviation sector to date.
The complaint specifically challenges Ryanair’s two-option verification system. While facial recognition is pre-selected as the primary method, customers choosing to decline must provide additional documentation, which NOYB argues creates an undue burden that effectively removes free choice in consent. This approach differs significantly from government-mandated biometric systems like TSA’s Credential Authentication Technology, which includes clear opt-out procedures.
Sources: NOYB, International Employment Law, Travel Research Online
December 19, 2024 – by the ID Tech Editorial Team