Ryanair flies into privacy storm over forced accounts

Ryanair might face regulary complaints about poor working conditions, extra charges, and a tendency to generate controversy in order to gain publicity but now it must answer serious questions over its privacy record, after incurring the wrath of Austrian lawyer and campaigner Max Schrems.

The airline, which once threatened to charge customers to even go to the toilet, risks its reputation going further down the pan over its use of biometric profiling.

Booking a flight on the Ryanair website not only requires a mandatory account, new customers must also go through a verification process which, for many people, involves invasive biometrics.

According to Schrems’ organisation, NOYB, there is no reasonable justification for such a system. Instead, it appears that Ryanair is willingly violating its customers’ right to data protection in order to increase its market power. This is already the second NOYB complaint against this practice. Despite a previous complaint, Ryanair has decided to force even more customers to go through its verification system.

By forcing customers to create a permanent account, this means that data is combined and kept until the account is deleted – which is usually never. However, NOYB insists it is clearly not necessary to have an account to book a flight.

The organisation points out that rivals including Lufthansa, EasyJet, Air France and Norwegian, among many others, require setting up an account for purchasing a flight.

In reality, NOYB maitains that Ryanair’s ‘forced accounts’ violate the GDPR’s data minimisation principle. Article 5(1)(c) GDPR requires that personal data should only be processed if it is necessary. Ryanair fails to meet this requirement.

But forced accounts are not the only issue. In order to fly with the airline, all new account owners must go through a mandatory ‘verification’ process. At this point, people can theoretically choose between two options. In reality, Ryanair nudges them towards a pre-selected and highly invasive biometric facial recognition process to verify their account – despite biometric data being specially protected by EU law.

European data protection authorities even say that facial recognition can pose “unacceptably high risks” to people.

If customers do not want their biometric data to be processed, Ryanair requires them to send in a hand-written signature and a copy of their Government ID. This creates an additional burden for refusing consent to the use of their biometric data, leading to customers being robbed of their free choice – and Ryanair not complying with the consent requirements of the GDPR, NOYB argues.

NOYB data protection lawyer Felix Mikolasch said: “We all know that Ryanair is a master of annoying and deceptive website design. But when it comes to using people’s personal data, the airline has to follow the law like everyone else.”

“Ryanair unlawfully nudges its users towards the processing of their highly sensitive biometric data, completely disregarding its legal obligations. There seems to be no obvious reasons why Ryanair needs such verification, given that other airlines do not require a face scan to buy a ticket.”

The organisation has now filed a complaint with the Italian Garante, insisting the airline is violating the data minimisation principle according to Article 5(1)(c) of GDPR, as well as the purpose limitation principle (Article 5(1)(b) of GDPR. The complaint also alleges the airline fails to meet the consent requirements in accordance with Articles 6 and 9 of GDPR.