Close

Ryanair accused of misusing biometrics

The company has introduced facial recognition for customers who book through an agency
Reading time: 2 minutes

Content index

The airline is facing a complaint in Spain for violation of data protection rights linked to a facial recognition identity verification system deemed abusive. An association accuses the company of using an “invasive” and unjustified procedure.

Why make the experience more complex?

Ryanair required identity verification with facial recognition when a customer made a reservation through a travel agency. This verification procedure imposed on certain customers has drawn fierce criticism, as it appears to breach data protection laws and promote an unfair competitive advantage. In fact, this procedure is not required if the customer books directly with Ryanair.

This measure thus seems to be an attempt to discourage and complicate third-party bookings and encourage customers to book directly on its site. The strategy raises concerns about the ethics of the company’s business practices.

According to Ryanair, this process is intended to help verify a customer’s contact details, although the airline already has all the relevant information and this verification is not required if a customer books directly with them.

“They already have your contact details to send you the link to the ‘verification’ process. Biometric verification of contact details doesn’t make much sense either: your e-mail address isn’t printed on your face or in your passport. Ryanair’s verification process looks like another attempt to make life difficult for travellers and competitors in order to increase profits.“argues Romain Robert, Program Director at Noyb, the European Centre for Digital Rights. The purpose of these facial recognition systems is primarily to verify faces and identities, not customer details such as e-mail addresses.

The use of biometric data

In addition to user experience and unfair competition, data security is also under scrutiny, as the way in which data is processed remains unclear. The company has not provided any comprehensible information on the purpose of this process, and the user has no clear information on how his or her data will be used. As a result, user consent is neither informed nor specific, rendering its use invalid under the rules of the GDPR (General Data Protection Regulation).

This case highlights the growing importance of data protection and privacy in today’s digital environment, and could also have important implications for the way companies use facial recognition technologies in the future.

TAG