Ireland's Data Protection Commission (DPC) initiated an inquiry into Ryanair's Customer Verification Process, which affects travelers booking flights through third-party websites or online travel agents (OTAs). This action stems from growing concerns about data privacy, particularly regarding the use of biometric data and facial recognition technology.
The DPC expressed apprehension over Ryanair's practice of requiring additional ID verification for customers purchasing tickets via third-party platforms. The verification process involves collecting sensitive data, including biometrics, which raises questions about compliance with the General Data Protection Regulation (GDPR).
Graham Doyle, Deputy Commissioner with the DPC, stated, "The verification methods used by Ryanair included the use of facial recognition technology using customers' biometric data. This inquiry will consider whether Ryanair's use of its verification methods complies with the GDPR."
A Ryanair spokesperson defended the practice, asserting, "We welcome this DPC inquiry into our Booking Verification process, which protects customers, both of which fully comply with GDPR."
The inquiry is part of the increasing scrutiny global enterprises face regarding data privacy and compliance. The DPC's cross-border investigation will assess Ryanair's adherence to GDPR obligations, focusing on data processing lawfulness and transparency.Â
Ryanair's long-standing opposition to OTAs and unauthorized ticket reselling is well-documented.Â
Following a recent U.S. court ruling against Booking.com for screen-scraping, Ryanair has emphasized the importance of its verification process to protect customers from potential fraud by non-approved OTAs.
In other news, state-controlled Chinese media said in August that a "National Network Identity Authentication Pilot Version" app was launched on major app stores in China, with 81 apps, including WeChat, already signed up for beta testing of the national ID system that uses facial recognition and real names.
Meanwhile, Uber was issued a massive €290 million for moving sensitive driver details from Europe to the U.S., allegedly failing to offer a similar level of protection as the GDPR framework while exporting data such as collaborators’ IDs, payment details, criminal records, and more.