EU Travel Tech files GDPR complaint against Ryanair over biometric verification

EU Travel Tech has officially lodged a complaint with the French and Belgian Data Protection Authorities (DPAs) against Ryanair, challenging the airline’s recent mandate for biometric data processing for customer verification.

This requirement, announced on 8 December 2023, necessitates that customers without an existing account, including those booking through Online Travel Agencies (OTAs), provide live self-images or signature images alongside passport details to manage bookings and check-in online.

EU Travel Tech, formerly known as The European Technology and Travel Services Association (ETTSA), represents and promotes the interests of global distribution systems (GDSs) and travel distributors to European stakeholders, advocating for a consumer-driven, innovative, and competitive travel industry based on transparency and sustainability.

EU Travel Tech claims the new procedure not only compromises individual privacy but also raises significant legal concerns under the General Data Protection Regulation (GDPR).

According to EU Travel Tech, Ryanair’s biometric verification process appears to contravene GDPR principles of lawfulness, fairness, and transparency, particularly in relation to the processing of special category data, such as biometric information.

The utilisation of biometric data for customer verification, especially without clear, necessary and proportionate justification, introduces substantial risks, including potential data breaches, identity theft, and unwarranted surveillance, claims the association. Unlike other personal data, once biometric information is compromised, it cannot be changed, potentially posing a permanent risk to individuals’ privacy and security.

In light of these concerns, EU Travel Tech has called on the DPAs to investigate Ryanair’s biometric verification process and to take immediate provisional measures to halt its application, as stipulated under GDPR Article 66. The urgency of this case and the potential harm to individuals’ rights and freedoms demand prompt action, claims the association, including the imposition of an effective, proportionate, and dissuasive fine in accordance with GDPR Article 83.

EU Travel Tech has voiced concerns about the slow pace of investigative processes. A previous complaint against Ryanair’s facial verification process, filed by NOYB, the European Center for Digital Rights, in July 2023, remains unresolved. This delay underscores significant worries regarding the efficiency of GDPR enforcement mechanisms, especially when such practices could broadly and adversely impact fundamental rights and freedoms concerning personal data.

EU Travel Tech, alongside organisations representing travel agents and tour operators (ECTAA) and European passengers (EPF), has also written to Vice-President Věra Jourová, urging the European Commission to consider measures to ensure the timely and adequate enforcement of the GDPR.

If you need to book flights on Ryanair routes, please contact your Global Travel Management Account Manager.