The Data Protection Commission (DPC) has initiated an inquiry into Ryanair’s handling of personal data as part of the airline’s verification processes for customers who book flights through third-party websites or online travel agents. This investigation comes in response to multiple complaints regarding the airline’s practices, which include requests for additional identification verification.
Among the methods employed by Ryanair are facial recognition technologies that utilize customers’ biometric data. The DPC will evaluate whether Ryanair’s verification practices align with the General Data Protection Regulation (GDPR), focusing on the lawfulness and transparency of the data processing involved.
The decision to open the inquiry was announced by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, and was communicated to Ryanair earlier this week. Deputy Commissioner Graham Doyle stated, “The DPC has received numerous complaints from Ryanair customers across the EU/EEA who, after booking their flights, were subsequently required to undergo a verification process.”
Doyle further emphasized the concerns regarding the airline’s verification methods, which notably include the use of facial recognition technology.
In response, Ryanair welcomed the inquiry, asserting that its verification processes are designed to protect customers from unauthorized online travel agents (OTAs). The airline claims that these OTAs often provide fake contact and payment details, leading to overcharging and potential scams. “Customers who book through these unauthorized OTAs are required to complete a simple verification process—either biometric or a digital verification form—both of which fully comply with GDPR,” a Ryanair spokesperson explained.
The airline offers three ID verification methods for customers booking through third-party agents. The Express Verification method involves facial recognition technology provided by an external company. Customers are required to submit a photo of their travel documentation and take a selfie to verify their identity, as well as perform a “liveness check” by completing specific actions in front of their device’s camera. Ryanair charges a 59-cent fee for this service, which it claims is purely to cover the technology costs and does not benefit the company commercially.
Alternatively, customers can choose standard verification, which can take up to seven days, requiring the submission of a completed and signed verification form alongside a photo of their passport or ID card. For those preferring in-person verification, the airline provides an option to complete the process at the airport check-in desk at least two hours before departure.
The inquiry underscores the growing scrutiny over data privacy practices, particularly in the airline industry, as authorities seek to ensure compliance with stringent data protection regulations.