Ireland’s Data Protection Commissioner (DPC) has launched an investigation across the European Union (EU) into Irish air carrier group Ryanair’s use of facial recognition technology for identity verification. The investigation aims to determine whether the airline’s practices, particularly for customers booking through third-party websites, comply with EU privacy laws.
The DPC stated that it had received complaints from Ryanair’s customers within the EU regarding additional identity verification required when booking tickets through third-party websites or online travel agents (OTAs), rather than directly with the company. Launched under Section 110 of the Data Protection Act 2018, the inquiry was announced by Data Protection Commissioners Des Hogan and Dale Sunderland.
The probe is cross-border in scope and will examine whether Ryanair’s data processing activities comply with the General Data Protection Regulation (GDPR). The focus of this will be on the lawfulness and transparency of the airline’s practices, said the regulator.
“The DPC has received numerous complaints from Ryanair customers across the EU/EEA who after booking their flights were subsequently required to undergo a verification process,” said DPC Deputy Commissioner Graham Doyle. “The verification methods used by Ryanair included the use of facial recognition technology using customers’ biometric data. This inquiry will consider whether Ryanair’s use of its verification methods complies with the GDPR.”
Ryanair defends facial recognition use
Ryanair acknowledged the investigation, stating that its verification process was introduced to address concerns about the accuracy of customer contact and payment details provided by OTAs not affiliated with the airline. According to the Irish carrier group, this process is intended to ensure compliance with safety and security measures.
Ryanair’s website notes that passengers subject to this verification process can avoid facial recognition by arriving at the airport at least two hours before departure or by submitting a form with a copy of their passport or national ID card in advance. However, this verification is not required for bookings made directly through Ryanair’s website, mobile app, or via OTAs that have agreements with the airline.
Ryanair has entered into 14 such agreements since the start of the year. The Irish company stated that its verification processes, both biometric and non-biometric, are in line with the GDPR requirements.
On a similar note, last month, Dutch data protection authority Autoriteit Persoonsgegevens (AP) issued a €30.5m penalty on Clearview AI, a facial recognition services provider to intelligence and investigative agencies. The regulator alleged that Clearview AI illegally collected data for facial recognition. The fine addresses the US-based firm’s creation of a vast database containing billions of images, including those of Dutch citizens.