Ireland’s data watchdog has launched an EU-wide probe into Ryanair’s use of facial recognition technology to verify customer identities when booking through third-party websites. The controversial practice has raised concerns about data privacy and regulatory compliance. This blog post explores the intricacies of Ryanair’s verification methods and the potential implications for passenger privacy. GDPR and data protection laws are also discussed in the context of this investigation.

Verification By Ryanair
Budget airline Ryanair, infamous for cutting frills to the bone, is facing an audit over its customer verification process. Passengers who reserve tickets via third-party websites and online travel agents (OTAs) must undergo an additional verification procedure by the firm.
Part of this process is facial recognition technology, which Ryanair says needs to be in place to prevent fraud against its customers. The airline says the verification is necessary to ensure passengers make the requisite security declarations and are subject to all safety and regulatory protocols.
But this has drawn the ire of Ryanair customers in the EU, and as a result, several complaints have been lodged with Ireland’s Data Protection Commission (DPC).
Data Security and GDPR
The DPC probe will examine the legality, under the EU GDPR, of Ryanair’s use of facial recognition technology in combination with other means to process personal data. The GDPR is a sweeping data privacy law that enforces the protection of the personal data of EU citizens; this also covers biometric data like facial recognition.
Ryanair has already been hit by a complaint from privacy campaign group NOYB (None Of Your Business), which filed a complaint in Spain saying there was “no reasonable justification” for the airline to introduce such a system. The group says that Ryanair’s practices are in violation of GDPR regulations, which stipulate that “a data controller should not collect or process more personal data than they need and ‘data controllers’ must be clear about what it is they are going to do with the personal data they obtain.”
As part of its EU-wide inquiry into Ryanair, the DPC said it would look at whether Ryanair’s verification system complies with these GDPR principles and with the rules under which the carrier collects customer data.
The Fine Line Between Security and Privacy
This incident involving Ryanair’s procedures is a good example of how the interests of security and privacy are often pitted against each other. Although the initiative is meant to help stop fraud, it could be argued that Ryanair’s verification measures go too far and intrude too much on passengers’ privacy by using facial recognition technology.
Both the GDPR and other data protection laws operate on the basis that capturing personal data, including biometric data, is justifiable only where the collection is “necessary” and “proportionate” for a particular purpose. Du chimed in on the kind of inquiry the DPC would likely launch, noting that it will also look into whether Ryanair uses appropriate methods to achieve its security objectives and whether these checking methods are the least intrusive.
The battle over facial recognition and other uses of biometric data in the airline industry is only expected to get worse as technology develops. In enforcing current data protection laws, policies and regulations, regulators must weigh two competing interests: passenger safety on one side and passenger privacy rights on the other. The challenge is to strike a balance that does not undermine the need for security while ensuring that data protection rights are not breached.