The Austrian privacy foundation Noyb has filed a complaint against Ryanair with the Spanish privacy regulator AEPD. Holidaymakers who do not book their holiday directly with the Irish airline must go through a verification process that uses ‘invasive facial recognition’. In this way, the company knowingly violates customers’ right to data protection in order to gain an unfair competitive advantage over online travel agencies and other booking channels.
Noyb, an acronym for None of your business, says this in a press statement.
Noyb: ‘Your email address is not on your face
A dissatisfied customer knocked on the door of the privacy foundation and told his story there. Through the online travel agency eDreams, she received an email from Ryanair asking her to complete the verification process. She was given a choice between facial recognition verification or going to the airport check-in desk more than two hours before departure. If she refused, she would not be allowed to board her flight. In addition, a small amount was charged for the verification process.
Noyb speaks of a ‘questionable justification’. Ryanair says facial recognition verification is necessary to verify a customer’s contact details. Romain Robert, program director at Noyb, says confirming contact details via biometrics is pointless. “Your email address is not on your face or in your passport,” he says.
Biometric data fall under the heading of special personal data. The General Data Protection Regulation (GDPR) prohibits companies and organizations from processing special personal data, with exceptions (such as achieving health goals). According to Noyb and European privacy regulators, facial recognition can pose ‘unacceptably high risks’ to people.
‘Profit as a hidden agenda’
Ryanair says it can use facial recognition because customers consent to it. According to Article 6 of the GDPR, consent is one of the legal bases for the lawful processing of (special) personal data. Noyb says that the Irish airline informs holidaymakers about this in an incomprehensible way, which is in violation of European privacy legislation.”Ryanair’s information is so confusing that travellers may even think their booking is invalid. By urging customers to go through the intrusive facial recognition process, the airline manages to both violate their customers’ privacy and ensure that they do not book through third-party providers again,” said privacy lawyer Felix Mikolasch.
The real purpose of the verification process, according to Noyb, is to deter vacationers from booking their trips through online travel agencies. If a customer arranges their flight through another party, it means less turnover and less profit for Ryanair. By burdening holidaymakers with facial recognition when they book through another party, the airline is trying to win extra business. Noyb calls this ‘profit as a hidden agenda’.
Ryanair risks a fine of 192 million euros
The Austrian privacy foundation states that Ryanair is trying to secure its market position at the expense of the privacy of its customers. “It seems clear that the main purpose of the process is to ‘persuade’ people to book directly with Ryanair,” says Noyb. Therefore, the organization has filed a complaint with the Spanish data protection authority AEPD. If the regulator rules in favour of Noyb, it can impose a fine of up to 192 million euros.