Ryanair has become the latest organization to face legal action over its use of facial recognition technology, due to potential data collection and privacy issues.
The European Center for Digital Rights, a Vienna-based digital rights group that prefers to be referred to as Noyb, filed a lawsuit this week accusing Ryanair of violating the privacy rights of some of its customers.
The complaint has to do with Ryanair's practice of requiring customers who book flights with third-party online agents to go through an additional identity verification process. The quickest option that customers have is to submit to identity verification through facial recognition technology. Those who don't want to do that must either show up at the airport at least two hours prior to flight time or submit their identification documents to Ryanair and wait for up to a week for the airline to vet their signatures.
In its lawsuit, Noyb called Ryanair's facial recognition option as needless and presenting an unacceptably high privacy risk for the airline's customers. "The airline outsources this process to an external company named GetID," Noyb said, in a statement. "This means that customers have to entrust their biometric data to a company they have never heard of or had a contract with."
Ryanair however described the additional verification as necessary because third-party agents often do not provide Ryanair with a passenger's correct contact information and payment details. "Ryanair needs to carry out this verification process in order to ensure we can comply with safety and security requirements," the company maintained.
The nonprofit privacy rights group claimed Ryanair's real motive in subjecting some customers to additional verification was to discourage them from using third-party agents for future bookings. "The verification of contact details via biometrics doesn't make a lot of sense: Your email address is not printed on your face or in your passport," Noyb said.
The lawsuit claims Ryanair's requirement is a violation of Europe's General Data Protection Regulation (GDPR) and requests the company be fined the equivalent $210 million.
In a statement to Dark Reading, a Ryanair spokesman again defended the company's practice. She called the additional verification requirement necessary to ensuring that Ryanair customers who book through third-party agents make all required security declarations, and are aware of all safety and regulatory protocols.
"[Online travel agents (OTAs)] scrape Ryanair’s inventory and in many cases miss-sell our flights and ancillary services with hidden markups, and provide incorrect customer contact information / payment details," the statement said. "As a result, and in order to protect customers, any customers who book through an OTA are required to complete a simple customer-verification process, and can choose biometric verification or alternatively complete a digital verification form which are both fully compliant with all GDPR regulations."
One of Many Similar Lawsuits
The Ryanair lawsuit is one of many that challenges the use of facial recognition technologies in recent years.
Ryanair itself is using the technology to purportedly verify and authenticate a person's identity. It's a use case that is rapidly growing — for instance, to match an individual's face to an existing photo ID document when issuing a digital ID card, passport, or driver's license, or to passively authenticate a person as they access multiple services. Other rapidly growing rapidly use cases for facial recognition include security and surveillance, photo tagging, and as an alternative to signatures, PIN codes, and passwords.
Privacy and digital rights groups have sounded the alarm over growing use of facial recognition and are fighting to put guardrails around its use. Their biggest concerns include a lack of informed consent around the use of facial recognition technology, the potential for facial recognition data getting breached and misused, spoofing, and inaccuracies leading to misidentification.
There have been several lawsuits in the US that have challenged to use of facial recognition technologies. Many of them have invoked the Illinois Biometric Information Privacy Act (BIPA), which some legal experts consider to be among the toughest in the country. The law requires organizations using facial recognition technologies to obtain informed written consent and adequately disclose the collection, storage, and use of the data. It also imposes strict retention limits for biometric data and provides for up to $5,000 per violation for Illinois residents.
Notable cases that have been filed under BIPA include one challenging Facebook's use of facial recognition for its photo-tagging app. The lawsuit ended with Facebook agreeing to pay a record-breaking $550 million to Illinois residents. In 2022, a federal judge ordered TikTok to pay a $92 million settlement over its use of facial recognition technology for similar photo-tagging purposes. The settlement also restricted TikTok's ability to collect and store biometric data without user consent. And photo-sharing app Shutterfly was forced into a $6.76 million class action settlement in 2021 for running afoul of BIPA.