
Ryanair faces GDPR complaint over mandatory facial recognition for new accounts

Six days before Christmas, privacy advocacy group noyb filed a GDPR complaint against Ryanair with the Italian Data Protection Authority, challenging the airline's mandatory account verification system that requires facial recognition or government ID submission from new customers.

According to the complaint filed on December 19, 2024, Ryanair implemented the verification requirement in December 2023, making it impossible for customers to purchase flights without creating an account and completing identity verification. The system offers two options: an "Express Verification" using facial recognition technology or a "Standard Verification" requiring government ID and signature submission.

Felix Mikolasch, Data Protection Lawyer at noyb, stated: "We all know that Ryanair is a master of annoying and deceptive website design. But when it comes to using people's personal data, the airline has to follow the law like everyone else."

The privacy group's investigation revealed that while Ryanair claims the verification protects customers from fraud and cybercrime, its actual purpose appears to be to target online travel agencies. Internal documents indicate the airline aims to prevent third-party sellers from purchasing tickets, thereby maintaining direct control over ancillary service sales like hotel bookings and car rentals.

The Italian Competition Authority (AGCM) launched a separate investigation into these practices in September 2023. The authority's preliminary findings suggest Ryanair leverages its market position in air transport to extend control over tourism services, potentially violating competition laws.

The verification system presents significant privacy concerns. When choosing Express Verification, customers must provide biometric data through facial recognition and upload government ID photos. The Standard Verification option requires ID submission and signature comparison, taking up to seven days to process.

According to European Data Protection Authorities, facial recognition technology poses "unacceptably high risks" to individuals. The complaint argues that Ryanair's implementation violates multiple GDPR provisions, including:

  1. Data minimization principle (Article 5(1)(c)) - requiring more personal information than necessary for flight bookings
  2. Purpose limitation principle (Article 5(1)(b)) - using customer data for competitive advantages rather than stated security purposes
  3. Consent requirements (Articles 6 and 9) - pre-selecting the biometric option and making verification mandatory

The complaint highlights that major airlines like Lufthansa, EasyJet, Air France, and Norwegian do not require account creation or identity verification for ticket purchases. Based on Ryanair's reported turnover of €10 billion in 2023, potential GDPR fines could reach €431 million.

Noyb's legal analysis found additional violations regarding account deletion. Despite Ryanair's published instructions for account deactivation, the complaint documented that no such option exists on either the website or mobile app. This apparent discrepancy violates GDPR Article 12(2), which requires companies to facilitate users' rights to data erasure.

The case represents the second noyb complaint against this verification system. The privacy group reports filing approximately 800 cases targeting various companies' data protection violations, including actions against major technology firms such as Google, Apple, Facebook, and Amazon.

Technical implementation details show Ryanair pre-selects the facial recognition option and designs the interface to nudge users toward providing biometric data. The system cross-references video data captured during verification against ID photo submissions, creating a comprehensive biometric profile without clear necessity for basic flight booking services.

The complaint requests that the Italian Data Protection Authority order Ryanair to cease mandatory account creation and verification requirements, delete unlawfully processed personal data, and bring operations into GDPR compliance. The case highlights growing tensions between commercial interests and privacy rights in digital services.

