Ireland’s privacy watchdog says that it has received complaints from travellers across the EU who are asked for biometric “verification” when booking from outside Ryanair.com
“The DPC has received numerous complaints from Ryanair customers across the EU/EEA who after booking their flights were subsequently required to undergo a verification process,” said Graham Doyle, deputy commissioner with the DPC.
“The verification methods used by Ryanair included the use of facial recognition technology using customers’ biometric data. This inquiry will consider whether Ryanair’s use of its verification methods complies with the GDPR.”
The inquiry will span the EU, instead of just Ireland.
Ryanair has been in conflict for years with online travel reservation engines such as Booking.com, eDreams and others, which the airline accuses of “screen scraping”, or selling Ryanair tickets without the formal permission of Ryanair.
During the summer, Ryanair won a case against Booking.com in Delaware on the issue, securing an award of $5,000. It is currently trying to secure a permanent injunction against Booking.com, despite admitting that less than 0.01pc of its seats were sold through the Dutch-based travel site.
A spokesperson for Ryanair said that the measures it took were justified in the interests of protecting its customers.
“We welcome this DPC inquiry into our booking verification process, which protects customers from those few remaining non-approved OTAs, who provide fake customer contact and payment details to cover up the fact that they are overcharging and scamming consumers,” the spokesperson said.
“Customers who book through these unauthorised OTAs are required to complete a simple verification process, either biometric or a digital verification form, both of which fully comply with GDPR. This verification ensures that these passengers make the necessary security declarations and receive directly all safety and regulatory protocols required when travelling, as legally required.”
According to the DPC’s inquiry, ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or “dactyloscopic” (fingerprint) data.
The inquiry comes a week after the DPC fined Meta €91m for storing passwords in plain text. It has fined the owner of Facebook, Instagram and Whatsapp over €2.6bn in the last three years.
The watchdog is expected to announce a fine of up to €400m on Microsoft-owned Linkedin in the coming weeks for violating EU GDPR law through targeted ad practices. Linkedin has previously said it had been notified of the size of the fine in draft format and that it would dispute the finding.
