Ireland’s Data Protection Commission (DPC) has launched an inquiry into Ryanair’s use of facial recognition technology as part of its online customer verification process for bookings from third parties.
Ryanair launched its controversial policy of requiring biometric data from passengers who did not book directly through its website in 2023. This move caused “friction” and “frustrations” for business travellers using online booking tools or travel management companies to book the airline’s flights.
Following “numerous” complaints from passengers, the DPC has now announced an official inquiry into Ryanair’s policy to see whether it complies with the EU’s General Data Protection Regulation (GDPR).
Graham Doyle, the commission’s deputy commissioner, said: “The DPC has received numerous complaints from Ryanair customers across the EU/EEA who after booking their flights were subsequently required to undergo a verification process.
“The verification methods used by Ryanair included the use of facial recognition technology using customers’ biometric data. This inquiry will consider whether Ryanair’s use of its verification methods complies with the GDPR.”
The DPC’s move is a “cross-border” inquiry and it will “consider whether Ryanair has complied with its various obligations under the GDPR, including the lawfulness and transparency of the data processing”.
Earlier this year, trade body EU Travel Tech joined data protection authorities in France and Belgium in filing a complaint against Ryanair over the online verification process.
The budget carrier has previously stated that the verification process was implemented to avoid “unauthorised” online agents from selling flights and ancillary services at “inflated” prices.
Ryanair has signed several recent partnership deals with third parties, such as Travelfusion, Kyte and SAP Concur, to allow their customers to avoid the online customer verification process. The airline also rekindled its relationship with global distribution system Amadeus last year.
The airline said in a statement: “We welcome this DPC inquiry into our booking verification process, which protects customers from those few remaining non-approved OTAs (online travel agencies), who provide fake customer contact and payment details to cover up the fact that they are overcharging and scamming consumers.
"Customers who book through these unauthorised OTAs are required to complete a simple verification process (either biometric or a digital verification form) both of which fully comply with GDPR. This verification ensures that these passengers make the necessary security declarations and receive directly all safety and regulatory protocols required when travelling, as legally required.”