
Online travel agencies file complaint against Ryanair alleging breach of GDPR


A European travel tech industry group filed two separate complaints on Tuesday (21 May) to French and Belgian data protection authorities over Ryanair’s use of biometric data, according to a press release shared with Euractiv.

The EU Travel Tech association, which counts Airbnb, Booking.com, Expedia, eDreams, and Skyscanner among its members, alleges that Ryanair has violated the EU’s key data privacy legislation, the General Data Protection Regulation (GDPR).

“Ryanair’s biometric verification process violates the principles of lawfulness, fairness and transparency required by the GDPR,” the press release said.

It called for a fine on the Dublin-based low-cost airline and an immediate halt to Ryanair’s biometric data processing until data protection authorities rule on their complaints.

“We urge the data protection authorities to […] take immediate provisional measures” to halt Ryanair’s biometric verification process and impose “an effective, proportionate and dissuasive fine”, the EU Travel Tech press release said.

The complaint centres on changes to Ryanair’s identity verification process introduced in December 2023. The airline requires identity verification by facial recognition for all users without a Ryanair account, purportedly to “protect customers from internet scams”.

Even customers “booking through online travel agencies (OTAs) undergo biometric verification,” said EU Travel Tech.

According to EU Travel Tech’s press release, Ryanair’s biometric verification process violates GDPR principles like lawfulness, fairness, and transparency and also “introduces risks including data breaches, identity theft, and unwarranted surveillance”.

The European Center for Digital Rights (Noyb), an Austrian non-profit, also filed a complaint with the Spanish data protection authority in July 2023 over Ryanair’s biometric verification process.

Under GDPR, there is no justification for Ryanair to use facial recognition when users book flights through an online travel agent and not directly on Ryanair’s website, said Noyb.

The EU Travel Tech association expressed concerns over the “slow pace” of the investigation into Noyb’s complaint, referring to the fact that almost a year has passed without a ruling.

The association also sent an open letter to European Commission Vice-President for Values and Transparency Věra Jourová, urging her “to consider actionable measures to guarantee” the GDPR’s enforcement by the Irish data protection authority in the case of Ryanair.

The European Travel Agents’ and Tour Operators’ Association (ECTAA) and the European Passengers’ Federation have co-signed the letter.

Euractiv has asked Ryanair for comment and will update the article accordingly.

Under GDPR, French (CNIL) and Belgian (APD/GBA) data protection authorities, which received the complaints, will have to reach a joint decision together with their Irish counterpart DPC, which will lead the investigation as Ryanair is an Irish-based company.

In April, the Italian Competition Authority (AGCM) ruled that Ryanair had to stop limiting travel agencies’ sale of flight tickets, which the authority said was anticompetitive.

Ryanair’s CEO Michael O’Leary said the decision showed that the Italian authority is “misled by clearly false claims from online travel agencies pirates.”

[Edited by Alice Taylor/Zoran Radosavljevic]
