Tech News : Ryanair Third-Party Data Protection Inquiry

Tech News : Ryanair Third-Party Data Protection Inquiry

What happens to data gathered as part of Ryanair’s extra ID verification requirement (from customers who don’t book directly through its website), has led to an inquiry being launched by Ireland’s Data Protection Commission (DPC).

Why ID Verification? 

For travellers booking flights through third-party websites or online travel agents (OTA), rather than directly through Ryanair, the Irish low-cost airline requires them to complete a Customer Verification Process. The reason, given by Ryanair, is that third-party agents sometimes provide incorrect or incomplete passenger information, e.g. fake contact or payment details, which can interfere with Ryanair’s ability to communicate important flight details directly to passengers.

Also, Ryanair has long opposed OTAs and third-party websites that sell its tickets without permission, often through “screen scraping” techniques. This practice involves OTAs gathering flight data from Ryanair’s website and reselling tickets, sometimes at inflated prices. Ryanair argues that this is what leads to the incorrect information being given to it, and to poor customer experiences. For example, in July 2024, a US court ruled against Booking.com in a screen-scraping case, reinforcing Ryanair’s stance. The airline, therefore, urges customers to book directly through its site to avoid such issues and ensure proper communication and service.

What Type of ID Verification Does Ryanair Require? 

Ryanair offers travellers two verification options when they attempt to book flights through OTAs and third-party websites. These are:

– Express verification. This (faster option) actually uses facial recognition technology to confirm the traveller’s identity. It costs around €/£0.59 and can be completed in a few minutes with the use of a passport or national ID and a device with a camera.

– Standard Verification. This is the free alternative where travellers submit a signed customer verification form along with their ID. However, this method can take up to seven days to process, so it’s not ideal for last-minute bookings.

Why The DPC Inquiry? 

It seems, however, that aspects of Ryanair’s ID verification requirement have led to scrutiny, particularly concerning the use of facial recognition and compliance with GDPR regulations.

On October 4, Ireland’s DPC announced that it had opened an inquiry into Ryanair’s processing of personal data as part of the Customer Verification Processes in question. Graham Doyle, Deputy Commissioner with the DPC commented: “The DPC has received numerous complaints from Ryanair customers across the EU/EEA who after booking their flights were subsequently required to undergo a verification process. The verification methods used by Ryanair included the use of facial recognition technology using customers’ biometric data. This inquiry will consider whether Ryanair’s use of its verification methods complies with the GDPR.” 

Data Processing  

The DPC said the decision to conduct the inquiry under Section 110 of the Data Protection Act 2018[2], taken by the Commissioners for Data Protection, Dr. Des Hogan and Dale Sunderland, “was notified to Ryanair earlier this week”. The DPC has also said the inquiry is “cross-border [3] in nature” (reportedly, with one other country) and “will consider whether Ryanair has complied with its various obligations under the GDPR, including the lawfulness and transparency of the data processing”. 

Considering Ryanair is an international airline, it’s perhaps not surprising that there’s a cross-border nature to the inquiry. Looking at the wider meaning of DPC’s statement about the inquiry, it looks likely that it will assess whether Ryanair’s data processing practices comply with the GDPR, particularly focusing on key areas like lawfulness (whether Ryanair had a legitimate basis to collect and use passengers’ data) and transparency (whether passengers were adequately informed about how their data would be used). This scrutiny is often triggered when there are concerns over how personal data, including sensitive information such as biometric data, is handled, especially given Ryanair’s use of facial recognition technology during its verification process.

What Does Ryanair Say? 

A Ryanair spokesperson has been (widely) quoted as saying: “We welcome this DPC inquiry into our Booking Verification process, which protects customers from those few remaining non-approved OTAs, who provide fake customer contact and payment details to cover up the fact that they are overcharging and scamming consumers. 

“Customers who book through these unauthorised OTAs are required to complete a simple verification process (either biometric or a digital verification form) both of which fully comply with GDPR. This verification ensures that these passengers make the necessary security declarations and receive directly all safety and regulatory protocols required when travelling, as legally required.” 

What Does This Mean For Your Business? 

The inquiry into Ryanair’s third-party booking verification process not only places the airline under scrutiny but also raises significant questions for the wider aviation industry. As data protection laws like the GDPR continue to evolve, airlines worldwide must carefully consider how they collect, process, and store customer data, particularly when it comes to sensitive biometric information. It’s worth remembering that this case relates to the use of acial recognition just at the booking stage, not at passport control, and with the DPC examining whether Ryanair’s use of facial recognition and other data practices comply with GDPR, this case could set a precedent that impacts other airlines, potentially forcing them to reassess their own data handling processes to avoid similar regulatory challenges.

For Ryanair’s competitors, should the DPC find Ryanair’s practices in breach of GDPR, it might prompt a broader review of data collection methods across the industry. Airlines that rely on similar verification processes, or those planning to introduce biometric solutions, may need to quickly adapt to ensure compliance. On the other hand, airlines with more traditional booking and verification systems could use this moment to differentiate themselves by emphasising stronger privacy protections and more transparent data use.

From a customer perspective, the inquiry highlights growing concerns about privacy and the use of personal data in an increasingly digital world. As biometric technology becomes more common in verification and security processes, passengers are becoming more aware of how their data is used and protected. Trust, transparency, and a clear explanation of how personal data is processed may become critical factors in how customers choose which airline to fly with. Airlines that successfully balance security with privacy may gain a competitive advantage, particularly in an industry where reputation and customer loyalty are so crucial.

Ultimately, the outcome of this inquiry may have some far-reaching consequences, not only for Ryanair but for the aviation sector as a whole. This case is a reminder that data protection is now a key pillar of operational strategy, and one that cannot be overlooked in the drive to enhance customer security and streamline digital processes. The industry will be watching closely to see how Ryanair navigates these regulatory waters and what this means for the future of data handling in the aviation world.