DPC Ryanair inquiry may have significant implications for airline verification

Data protection expert Andreas Carney of Pinsent Masons said: “The DPC’s decision to launch this inquiry underscores the importance of ensuring that data processing activities, especially those involving special category data, are conducted in a manner that respects individuals’ privacy rights and complies with legal standards”.

“Biometric data is categorised as ‘special category’ data under the GDPR. There are additional, more stringent compliance requirements in respect of special category data that go beyond other personal data. Regulators therefore take a keen interest in ensuring those requirements are met,” he said.

The DPC's inquiry is particularly focused on the airline’s handling of personal data for customers booking flights through third-party websites or online travel agents (OTAs).

The move comes in response to numerous complaints from customers across the EU and European Economic Area (EEA) regarding the additional ID verification methods employed by Ryanair. These measures were introduced to counteract any OTA sales without Ryanair’s authorisation, requiring passengers booking through third-party sites to complete an additional verification process. This process includes the use of biometric data, such as facial recognition technology, to verify the identity of travellers.

The DPC received a significant number of complaints from customers who expressed concerns over the necessity and transparency of these additional checks, questioning whether Ryanair’s practices comply with the General Data Protection Regulation (GDPR).

According to GDPR, biometric data is defined as personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allows for the unique identification of that person. The DPC’s inquiry will assess whether Ryanair’s use of such data meets the stringent requirements set forth by GDPR and will scrutinise the lawfulness and transparency of the airline’s data processing practices.

The outcome of the DPC’s inquiry could have significant implications for Ryanair and other controllers employing similar verification methods. If the DPC finds that Ryanair’s practices violate GDPR, the airline could face substantial fines and be required to alter its verification procedures.

“The travel industry, other controllers and privacy advocates alike will be observing the developments of this significant investigation,” said privacy law expert Nicola Barden of Pinsent Masons.