Case Study 7/01 Ryanair - Data Protection Commissioner Ireland

CASE STUDY 7/01

Ryanair – on-line booking – delayed credit card charge – whether charge activated upon a subsequent transaction – question of disclosure of passenger data

The complainant booked an airline ticket from Ryanair, a major ‘low-cost’ carrier, on the internet using her credit card. However, the charge did not appear on her subsequent credit cards bills. Over ten months later, however, she booked another flight with the same airline. Her next credit card bill included two charges – one for the recent booking, and one for the booking from ten months earlier. The complainant suspected that Ryanair had associated her details with her previous booking, and had taken the opportunity to charge her credit card account for the first flight, to compensate for its own oversight. The complainant accepted that she owed the money for the first flight; but she maintained that she had given her credit card details in good faith on the first occasion, and it was hardly her fault that the airline had neglected to charge her at the time. It was not acceptable, in her view, that her credit card details – made available specifically for the second flight – should be appropriated to pay for the first flight.

The data protection issue which arose was whether the credit card data, obtained for the second booking, had been ‘obtained and processed fairly’ by Ryanair, as required under section 2(1)(a) of the Act. On the face of it, there was a clear suggestion that the information obtained on the second occasion was used for the purpose of a completely separate transaction.

On investigating the matter, the airline company stated that the delay in processing the payment for the first flight was due to a computer error. A batch file containing data relating to the date of the first flight, including the complainant’s data, had not been sent to the bank for processing. This error was discovered some time after the event, whereupon the processing of the original batch file was reactivated. This processing happened to take place around the same time as the complainant made her second flight booking. Accordingly, the fact that both payments appeared together on the complainant’s credit card bill was simply a coincidence. The airline specifically denied that the data obtained on the second occasion had been used to secure payment for the first flight booking.

In order to confirm this version of events, my Office contacted the bank in question. The bank provided detailed confirmation of the airline’s sequence of events and established that problems had arisen with the processing of the transactions on the date of the complainant’s first booking. Accordingly, I was satisfied that the complainant’s concerns about possible misuse were not well-founded, and that there was no evidence of a contravention of the Data Protection Act by Ryanair in this instance.

Disclosure of Passenger Data
On a separate matter, it was brought to my notice during 2001 that a senior Ryanair representative had made comments on national radio, involving reference to named Ryanair passengers. There was a suggestion that the details might relate to a senior trade union official who bore a similar name to the passengers in question.

Although I did not receive any formal complaints from individuals, I was concerned that Ryanair’s public reference to named passengers appeared to be incompatible with the requirements of data protection law, and accordingly I raised the matter with the airline. Ryanair responded by noting my concerns, and by assuring me that the airline would not in future refer to any named passenger without their prior consent.

While I was prepared to accept these assurances in good faith, I consider it important to emphasise that any organisation holding personal data about its customers must treat these data as being confidential – and certainly must not allow private details to be broadcast over the national airwaves.