Is Ryanair Violating GDPR with Mandatory Biometric Data Collection?

The European Center for Digital Rights (noyb) has lodged a GDPR complaint against Ryanair, alleging that the airline’s requirements for customers to create accounts and submit intrusive biometric data to book flights violate European data protection laws. Unlike many other airlines, Ryanair mandates new customers to set up an account by providing personal information, including a biometric facial recognition process. If customers refuse to partake in the facial recognition process, they are instead required to provide a handwritten signature and an ID photograph, further complicating the booking process.

Noyb argues that this mandatory data collection infringes upon customers’ free choice and fails to comply with GDPR consent requirements. They contend that the practices imposed by Ryanair lack a lawful basis and present an undue burden on consumers who simply wish to book a flight. The complaint highlights how the airline’s forced data collection methods undermine the principles of data minimization, purpose limitation, and accountability, which are fundamental pillars of GDPR. This case underscores the tension between technological advancement in customer verification methods and the legal and ethical obligations to protect personal privacy.

This is the second complaint filed against Ryanair by noyb, and the airline is facing a potential fine of €431 million ($447 million) from the Italian Garante. Ryanair’s practices are also under investigation by the Irish Data Protection Commission, particularly regarding the additional ID verification required from customers booking flights through third-party vendors. These legal challenges reflect growing regulatory scrutiny over companies that implement intrusive data policies, particularly those that compel biometric data collection.

Ryanair’s ongoing legal troubles highlight the need for companies to reassess their data collection strategies to avoid potential violations of GDPR. The outcome of these proceedings could set a precedent for how companies handle customer data in the future, emphasizing the importance of balancing security needs with respect to individual privacy rights. For consumers, this situation serves as a reminder to be vigilant about the data they are asked to provide and to advocate for their privacy rights when interacting with service providers.

Explore more