Austrian privacy foundation Noyb has filed a complaint against Ryanair with Spanish privacy watchdog AEPD. The reason for this complaint is the fact that Ryanair performs a verification process with people who have not booked directly with them where they scan their face to verify their contact information.
The facts
A Spanish woman had her flight at Ryanair booked through the online travel agency eDreams. Ryanair gave her the choice of going through the process online or at least two hours before departure. The online process would also require her to pay 0.35 euros to Ryanair and verify herself through facial recognition. Without implementing one of the two options, she would not be allowed to board the plane. Customers booking directly through Ryanair will not be affected.
The data processed from customers are Biometric data and fall under the heading of special personal data.
GDPR prohibits companies and organizations from processing such special personal data, other than in the exceptional cases for health purposes.
Ryanair says they are entitled to use facial recognition, as customers here permission have given for it. In order to process (special) personal data, one of the bases described in Article 6 of the GPDR must be met.
The bases are as follows:
- permission;
- necessity (a processing constitutes an exception to the protection of personal data and its limitations must remain within the limit of what is strictly necessary, which is no more than the application of principle of minimum data processing mentioned in Article 5.c) GDPR):
- the performance of a contract;
- legal obligation;
- protection of an individual’s vital interests;
- public interest or the exercise of public authority;
- pursuit of a legitimate interest.
Noyb accuses facial scans as misleading verification method
Noyb believes that travelers hardly give sincere consent, as the information Ryanair provides is so confusing that they often believe their booking is not valid if they do not allow the face scan to be performed. In addition, nyob makes the valid point about the necessity of the face scan since data such as your mail address is not on your face or passport.
Noyb believes Ryanair introduced this verification process to discourage travelers from booking directly through them. This is because if a customer arranges their flight through another party, it means less revenue and lower profits for Ryanair. By discouraging potential customers from booking flights through other platforms, they secure their market position.
For this reason, Noyb filed a complaint with AEPD, Spain’s data protection authority. If the regulator follows Noyb’s line of thinking, the authority could fine Ryanair up to 192 million euros.
