The EU will soon have the largest hoard of biometric data on earth – and travellers could suffer

Robert Jackman
·6-min read
Flying
Experts have warned that collecting passenger information could put tourists at risk of data theft

Remember the anti-tourism protesters in Spain this spring? It turns out they may be getting their way after all, as a cohort of British holidaymakers has vowed never to return to the county’s shores again – albeit it for a slightly unexpected reason.

The disgruntled minority have been voicing their displeasure at a new Spanish law which will require all hoteliers and Airbnb hosts in the country to keep track of their guests’ personal data, including passport and payment details. While the system is largely a tightening of existing rules, it hasn’t gone down well with some privacy-conscious travellers.

“They are off my holiday list,” thundered one unhappy Briton on social media. “So much for a Spanish holiday, but I am sure another country will be happy to take my money,” declared another. Comparisons have even been made with George Orwell’s 1984.

Perhaps it’s a slight overreaction to deploy such dramatic rhetoric. But on the other hand, given the travel sector’s seemingly insatiable appetite for our personal data, perhaps this was just the straw that broke the camel’s back.

From the EU’s controversial new entry rules (which will soon require non-citizens to register their fingerprints before entering the Schengen area) to the growing use of similar biometric data in airports and at the border, data harvesting is only becoming a bigger part of the travel experience, whether we like it or not. But why is it happening?

“The main reason has been the unprecedented level of state cooperation around security issues,” says Chris Jones, director of the civil liberties watchdog Statewatch. He highlights the use of numerous UN resolutions – typically backed by the US, Russia, and China – calling for the use of biometric data to combat terrorism.

While no-one (including Statewatch) would take issue with thwarting terrorism, the past 20 years of surveillance measures – well-intentioned or otherwise – have provided more than the occasional reminder that these things don’t always work out so well in practice.

Fingerprints in airport
The EU will soon require non-citizens to register their fingerprints before entering the Schengen area - Getty

Jones points to the particular example of PNR (Passenger Name Record) data, by which airlines are often mandated to record the names, passport numbers and payment details of their passengers on behalf of government authorities. The practice became compulsory for US-bound flights in the wake of 9/11 but has since expanded in reach and scope.

“The mass gathering of this data makes it easier for authorities to use algorithms to do what’s called rules-based targeting,” he says. In theory, the system is meant to help identify potential security threats. In practice, it can mean passengers being held up or grounded just because their data happens to match someone else’s.

Compulsory data harvesting usually brings more mundane problems too, not least since the burden of providing it will almost always fall on travellers themselves. Indeed, those that will be tasked with implementing the new EU entry system – for example, Eurostar and Port of Dover – have been warning for years about the risk of crippling delays.

“One of the arguments for biometric data is that it’s machine-readable, meaning that you can do away with some of the human checks and have computers do the work,” says Jones. “However, we can see from recent history that is rarely the case in practice.” Particularly when the system suffers from the kinds of outages that have caused havoc for air travel.

Then there is the potential for hacking or foul play. In 2019, the US hotel chain Marriott apologised after a data breach led to the unencrypted passport details of some 5 million guests being stolen. Compare that to the 700 million people or so who visit the EU each year and you get some idea of how devastating such a breach could be for our personal information.

“The EU is looking to create the largest database of biometric data of regular human beings – people who are just going about their daily business by travelling – on earth,” says Gus Hosein, who leads the London-based charity Privacy International. “It will end up being the top target of every intelligence agency on the planet,” he predicts.

Biometric databases aren’t the only challenge to travellers’ privacy. There’s also the ever-growing reach of facial recognition technology, which is quickly becoming the norm in more advanced airports – none more so than the ultra-flashy Zayed International in Abu Dhabi, where passengers can now check in just by peering into a camera.

Would you be happy to have your face kept on file? The world’s richest man seems quite relaxed about the idea. When a travel influencer posted a video of the facial recognition check-in system on X, Elon Musk replied saying that he wanted to see the same kind of technologies rolled out in American airports.

Border control system Frankfurt
Elon Musk is a fan of facial recognition check-in systems, which could one day replace passport gates - Getty

He might not have to wait long. Two American airlines, Delta and United, are already using face-tracking cameras for parts of the check-in process, but only for those passengers happy to opt in. Closer to home, British Airways has been making limited use of facial recognition for over a decade.

As for airports, the head of the British Border Force, Phil Douglas, is on record predicting that facial recognition technology will eventually mean the end of passport e-gates. But could it soon end up tracking passengers all the way from the entrance to their boarding gate too?

While the UK has much tighter restrictions than the UAE on face-tracking technology, there are still some workarounds. The tech journalist James O’Malley has monitored how British train stations have trialled “smart station” systems to track passengers using everything but their face – thus staying within the law.

“A lot of this is driven by the huge technology consultancy firms who are trying to sell this stuff to governments,” says Gus Hosein. “If you’re one of those kinds of firms, then the border is often the most exciting area you can work on. It’s obviously a priority for governments, but there are also few protections for people’s privacy rights.”

Is it time to make peace with losing our data privacy when it comes to travel? When everyone from the US Department of Homeland Security to Elon Musk is pushing in one direction, it’s hard to see any other outcome. Still, it certainly doesn’t mean we have to like it.

Latest stories