eu travel tech Files Complaint Against Ryanair for Invasive Biometric Data Processing and Encourages European Commission to Ensure Effective GDPR Enforcement

eu travel tech has officially filed a complaint with the French and Belgian Data Protection Authorities (DPAs) against Ryanair, concerning its recent implementation of a biometric data processing requirement for customer verification. This move by Ryanair, announced on December 8, 2023, mandates that customers without an existing account, including those booking through Online Travel Agencies (OTAs), undergo biometric verification, involving the provision of live self-images or signature images and passport details, to access booking management and online check-in features.

This procedure not only infringes on individual privacy but also raises significant legal concerns under the General Data Protection Regulation (GDPR). Ryanair’s biometric verification process violates the principles of lawfulness, fairness, and transparency required by the GDPR, particularly concerning the processing of special category data such as biometric information.

The use of biometric data for customer verification, especially without clear, necessary, and proportionate justification, introduces risks including data breaches, identity theft, and unwarranted surveillance. Once biometric data is compromised, it cannot be revoked or changed, posing permanent risks to individuals’ privacy and security.

Given these issues, we urge the Data Protection Authorities to investigate Ryanair’s biometric verification process and take immediate provisional measures to halt its application, in line with GDPR Article 66. This case’s urgency and potential harm to individuals’ rights and freedoms demand swift action, including the imposition of an effective, proportionate, and dissuasive fine in accordance with GDPR Article 83.

Furthermore, we express our deep concern regarding the slow pace of investigative processes, particularly in light of the fact that a complaint against Ryanair’s facial verification process was already filed in July 2023 by NOYB, the European Center for Digital Rights. As of now, it remains unclear at what stage the investigation by the Irish DPA is. This delay raises significant concerns about the efficacy of enforcement mechanisms under the GDPR, especially when it involves practices that could have a widespread and detrimental impact on the fundamental rights and freedoms of individuals regarding their personal data.

We urge the relevant authorities to expedite their investigative and enforcement actions to ensure timely protection of data subjects’ rights in accordance with the GDPR. In addition, in a letter sent today to Vice-President Věra Jourová jointly with organisations representing travel agents and tour operators (ECTAA) and European passengers (EPF), we called on the European Commission to consider what actions can be taken to ensure the timely and adequate enforcement of the GDPR.