Vienna-based digital rights group noyb (European Center for Digital Rights) has filed a complaint against Ryanair with the Italian Data Protection Authority. The organization alleges several violations of the General Data Protection Regulation (GDPR). According to the filing, Ryanair unlawfully processes customer data, imposes excessive verification steps, and fails to provide a clear way to delete accounts.

The dispute centers on Ryanair’s mandatory “myRyanair” account system. The airline introduced this requirement in December 2023. Since then, customers must create and verify an account before purchasing tickets.

Biometric and ID Verification Concerns

Ryanair offers two verification options. The first, called “Express Verification,” collects biometric data through facial recognition. The second, “Standard Verification,” requires a scanned government ID and a signature.

Noyb argues that both methods violate GDPR principles of data minimization and purpose limitation. In its view, booking a flight does not require biometric data or copies of government IDs. Therefore, the group claims the measures exceed what is necessary.

The complaint also questions whether customers gave valid consent for biometric processing. Under GDPR Articles 6 and 9, consent must be freely given and informed. Noyb alleges that Ryanair used pre-selected options and unclear language. As a result, users may not have understood how their data would be used.

In addition, noyb warns that collecting sensitive data increases cybersecurity risks. If a breach occurs, exposed biometric or ID data could cause serious harm. The group suggests that less intrusive tools, such as two-factor authentication, could verify accounts without collecting sensitive information.

Market Competition and Third-Party Bookings

Noyb further claims that the account system discourages bookings through online travel agencies (OTAs). According to the complaint, the verification rules push customers to book directly with Ryanair. This shift could reduce competition and increase cross-selling of services like hotels and car rentals.

The filing also references past investigations by the Italian Competition Authority. That authority has accused Ryanair of limiting competition in the air travel market.

Barriers to Account Deletion

The complaint also focuses on account deletion. Under GDPR Article 17, individuals have the right to erase their personal data. However, noyb claims that one customer could not delete their account despite following Ryanair’s instructions.

Instead of allowing deletion, the website and app allegedly requested more personal data. Noyb argues this practice violates Article 12(2), which requires companies to make data rights easy to exercise.

Requested Enforcement Action

Noyb is asking the Italian Data Protection Authority to intervene. Specifically, it urges regulators to order Ryanair to delete unlawfully processed data and end mandatory account requirements. The group also calls for administrative fines to deter future violations.

If regulators pursue the case, the outcome could clarify how airlines and other platforms use biometric verification under the GDPR.

Need Help?

If you’re concerned or have questions about how to navigate the global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.