Digital rights group NOYB on Thursday filed a complaint against Ryanair (RYA.I), alleging that the airline is violating customers’ data protection rights by using facial recognition to verify their identity when booking through online travel agents. NOYB says that the airline’s verification process is unnecessary and seems to seek “an unfair competitive advantage over alternative booking channels.”
The complaint was filed with Spain’s data protection agency on behalf of a complainant who booked a Ryanair flight through the Spanish-based online travel agency eDreams ODIGEO. According to NOYB, the eDreams website told the complainant they would need to submit a photograph to proceed with the booking. The eDreams website then asked the complainant to sign an agreement stating that eDreams had permission to use the person’s image for identification purposes and that the eDreams could transfer the information obtained from the photograph to third parties, such as airlines.
NOYB is led by Austrian privacy activist Max Schrems, who gained fame after successfully reducing the EU-U.S. Safe Harbor data-sharing deal to tatters. The nonprofit organization aims to help people bring their consumer privacy cases to court under the new European Union General Data Protection Regulation. Its lawyers and activists will be able to support individuals financially, Schrems said, to reduce the risk associated with taking on global companies in court.
He says that while ideally, NOYB shouldn’t exist, the internet giants “make profits by violating laws” and that it is his job to keep them in check. “Ideally, publicly funded watchdogs should do this,” he says. “Unfortunately, in many member states, that’s not happening.”
Ryanair told AFP in an email that NOYB’s accusations were false. The budget airline only implements the verification process because online travel agents often “scrape our inventory and in many cases miss-sell our flights and ancillary services with hidden mark-ups or provide incorrect customer contact information/payment details.”
Clearview AI, a company that provides facial recognition software to a wide range of clients, including police forces, also comes under scrutiny from NOYB. The French data protection authority CNIL ruled last year that the company did not have a legal basis for storing and processing the facial images of people in France. It ordered CLEARVIEW AI to stop the practice and delete the data it held on French citizens.
In addition to pursuing individual cases, NOYB works with a handful of other organizations to file collective complaints against multinationals under the GDPR. A lawsuit against Google by NOYB and a dozen other privacy advocates was recently approved by the EU’s top court, which ruled that the tech giant did not have a valid reason for requiring users to accept intrusive terms of service or lose access to its products. The lawsuit will now go to trial, expected to take up to two years. It could affect how the firm collects and uses data on its millions of Android mobile device users.