Ryanair challenged by Noyb over ‘invasive’ facial recognition

28 Jul 2023

Image: © Tobias Arhelger/Stock.adobe.com

The digital privacy group claims Ryanair’s use of facial recognition breaches GDPR and is being used to push users away from external online travel agencies.

Noyb, the non-profit established by privacy advocate Max Schrems, has filed a complaint against Ryanair for its use of facial recognition technology.

The digital privacy group claims the airline makes certain customers go through a verification process that involves “invasive” facial recognition. The complaint claims this form of verification is requested from customers that make a booking through an online travel agent and not directly on Ryanair’s website or app.

In the complaint, Noyb alleges that one customer was given the choice of verifying her booking through facial recognition or going to the check-in counter at the airport “more than two hours before departure”. The group claims this alternative option was not feasible for the complainant and that she was also charged a fee for the verification process.

The privacy advocacy group claims there is a “questionable justification” behind Ryanair’s need for facial verification, as the airline doesn’t use facial recognition if a customer books directly on the Ryanair website or app.

“A verification of contact details via biometrics also doesn’t make a lot of sense: Your email address is not printed on your face or in your passport,” said Noyb programme director Romain Robert.

“Ryanair’s verification process looks like another attempt to make the lives of travellers and competitors more complicated to increase profits.”

Noyb alleged that Ryanair is pushing this biometric verification on customers to deter them from booking flights with online travel agencies. The group also claimed the lack of clear information means a user’s consent “can’t be informed or specific” when using this facial recognition tech, making it invalid under GDPR.

Noyb data protection lawyer Felix Mikolasch claimed the information provided by Ryanair is “so confusing” that travellers might think their booking is “invalid”.

“By nudging customers to go through its intrusive facial recognition process, the airline manages to both violate their customer’s privacy and ensure that they don’t book via external providers another time,” Mikolasch said.

Controversial technology

The use of facial recognition technology has been a long debate in the EU, with some arguing for its security benefits and others highlighting the risk of abuse.

The EU’s AI Act takes a stance against the use of biometric identification and surveillance. In particular, real-time remote biometric identification is prohibited.

An example of this would be people walking down a public street where there are CCTV cameras. Real-time remote biometric identification would mean identifying everyone using biometrics in real time.

But the use of biometric identification does not appear to be banned entirely. While the EU AI Act outlaws the use of real-time facial recognition technology, post-remote biometric identification will be permitted in very limited circumstances.

William Fry’s Barry Scannell recently spoke to SiliconRepublic.com to discuss the AI Act and what it really means.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic