Vienna-based digital rights organization noyb (European Center for Digital Rights) has filed a complaint against Ryanair, alleging multiple violations of the General Data Protection Regulation (GDPR). The filing, submitted to the Italian Data Protection Authority, accuses the airline of unlawfully processing customer data, imposing excessive verification procedures, and failing to provide mechanisms for account deletion.
The complaint centers around Ryanair’s requirement that all customers create a “myRyanair” account to purchase tickets. Introduced in December 2023, the system mandates account creation and verification before transactions can proceed. Verification includes either “Express Verification,” which collects biometric data through facial recognition, or “Standard Verification,” requiring a scanned government ID and signature. Both options, according to noyb, violate GDPR principles of data minimization and purpose limitation.
Noyb claims these requirements are unnecessary for booking flights and serve Ryanair’s business interests by discouraging third-party bookings through online travel agencies (OTAs). “Such measures appear designed to force customers to engage directly with Ryanair, limiting competition and increasing opportunities for cross-selling ancillary services like hotel bookings,” noyb stated.
The “Express Verification” option, which involves biometric data collection, has raised particular concern. Noyb argues that consent for biometric data processing was neither freely given nor informed, violating GDPR Articles 6 and 9. The complaint highlights issues such as pre-selected verification options, misleading terminology, and insufficient transparency about data usage.
The submission also notes that requiring sensitive data such as government IDs and biometric information increases cybersecurity risks in the event of a breach. Noyb suggests that less intrusive measures, such as two-factor authentication, would sufficiently verify accounts without compromising privacy.
The complaint further alleges that Ryanair makes it difficult for customers to delete their accounts, thereby violating Article 12(2) of the GDPR. According to the filing, a customer was unable to delete their account despite following instructions provided by Ryanair. Instead, the airline’s website and app prompted the user to input additional personal information.
Under GDPR Article 17, individuals have the right to request the erasure of their personal data. Noyb claims Ryanair has failed to meet this obligation, leaving customers without a viable way to remove their information from the airline’s systems.
The filing also references ongoing investigations by the Italian Competition Authority, which has previously accused Ryanair of leveraging its dominant position in the air transport market to restrict competition. Noyb’s complaint reinforces these allegations, arguing that the airline’s account and verification policies distort the market by limiting the role of OTAs.
Noyb is urging the Italian Data Protection Authority to take decisive action, including ordering Ryanair to delete unlawfully processed data, cease mandatory account requirements, and implement GDPR-compliant data practices. The complaint also calls for significant administrative fines to deter future violations.
Need Help?
If you’re concerned or have questions about how to navigate the global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.
