Italy Suspends Facial Recognition at Milan Airport Over Privacy Concerns

Italy’s Suspension of Facial Recognition at Milan Airport: A Critical Analysis of Privacy, Security, and the Future of Biometric Technology in European Aviation

Italy’s privacy watchdog, the Garante per la Protezione dei Dati Personali, has temporarily suspended the use of facial recognition technology at Milan’s Linate airport, marking a significant moment in the ongoing global debate over biometric surveillance in aviation security. This decision, announced on September 17, 2025, represents the latest development in a complex regulatory landscape where privacy rights increasingly clash with technological innovation and security imperatives. The suspension affects the “FaceBoarding” system, which had been operational since May 2024 and was designed to streamline passenger processing through automated identity verification. The Garante justified its action by citing insufficient safeguards to prevent the system from processing biometric data of passengers who had not explicitly consented to participate. This case illuminates broader tensions within the European Union regarding the deployment of artificial intelligence and biometric technologies in public spaces, particularly as the bloc continues to refine its regulatory approach through instruments like the General Data Protection Regulation and the emerging AI Act.

The implications of this suspension extend far beyond a single airport, touching on fundamental questions about digital privacy, algorithmic accountability, and the balance between technological efficiency and individual rights in an increasingly connected world. As Airports globally race to implement biometric solutions for security and operational efficiency, the Milan case serves as a critical reference point for regulators, industry leaders, and privacy advocates alike.

Background and Historical Context of Biometric Technology in Aviation

The integration of biometric technology into aviation security reflects a convergence of technological advancement and evolving policy frameworks. Following the September 11, 2001 attacks, airports worldwide began adopting increasingly sophisticated security measures, with biometric identification, such as facial recognition, emerging as a preferred solution to enhance both security and passenger flow. In the United States, the Transportation Security Administration (TSA) pioneered early applications, deploying facial recognition at more than 80 airports as part of its Credential Authentication Technology program. These systems operate by capturing real-time images of travelers and comparing them against scanned identification documents, with reported high accuracy rates.

In contrast, European adoption of airport biometrics has been more cautious, shaped by the General Data Protection Regulation (GDPR) that came into force in 2018. The GDPR classifies biometric data as a special category of personal information, subject to enhanced protection. The European Data Protection Board (EDPB) has issued comprehensive guidance, emphasizing that biometric data processing “entails heightened risks to data subjects’ rights and freedoms” and requires the highest level of justification for deployment. This has led to a more measured approach, with regulatory oversight at the forefront of any biometric implementation in the EU.

Milan Linate’s FaceBoarding system, launched in May 2024 after years of regulatory review, is emblematic of the European approach. The technology was presented to authorities in 2019 and underwent several modifications to comply with privacy expectations. The global market for airport biometric services continues to grow rapidly, with estimates ranging from USD 26.4 billion in 2023 to over USD 100 billion by 2032, yet regional adoption rates and regulatory frameworks vary significantly.

The Milan Linate Airport Case: Key Facts and Timeline

The suspension at Milan Linate followed a multi-year regulatory process. SEA Milan Airports, the operator of both Milan Malpensa and Milan Linate, introduced the FaceBoarding system as a voluntary, opt-in service for adults. Passengers could register at kiosks or via a mobile app, with the promise of encrypted data storage and deletion after use. The system was designed to allow seamless passage through security and boarding without physical documents.

Despite these safeguards, the Italian Data Protection Authority determined that insufficient mechanisms were in place to prevent biometric data processing of non-consenting passengers. This action was influenced by EDPB Opinion 11/2024, which set out strict requirements for biometric data handling. SEA Milan Airports responded by affirming its compliance efforts and cooperation with regulators, emphasizing that the service was voluntary and only available to registered adults.

The suspension underscores the difficulties in aligning technological innovation with evolving privacy standards. Even with opt-in participation, the system was found lacking in transparency and control, reflecting the high bar set by European regulators for biometric data processing.

“Individuals should have maximum control over their own biometric data.”

, European Data Protection Board, Opinion 11/2024

European Regulatory Framework and GDPR Compliance

The GDPR’s special classification of biometric data means that airport operators must implement robust technical and organizational measures to ensure data security and privacy. EDPB’s guidance distinguishes between different storage models, with only decentralized or passenger-controlled storage deemed potentially compatible with GDPR. Centralized storage, even with encryption, raises concerns about unauthorized access and misuse.

The Italian Garante has been a prominent enforcer of GDPR, with over 484 enforcement actions and more than EUR 300 million in sanctions as of late 2024. The Authority’s decision in the Milan case reflects a broader trend in Europe: a preference for privacy by design and default, and skepticism toward even voluntary biometric systems unless all risks are fully mitigated.

With the introduction of the EU Artificial Intelligence Act, further restrictions on biometric surveillance in public spaces are anticipated. The Act prohibits real-time biometric identification except in narrowly defined circumstances, signaling an even more cautious approach to such technologies in European airports.

Global Airport Biometrics Market and Industry Trends

The airport biometric services market is experiencing rapid growth, with projections of substantial increases in market value over the coming decade. North America leads in adoption, driven by advanced infrastructure and government support, while Asia-Pacific and the Middle East are seeing accelerated growth due to modernization and expansion of air travel. In these regions, biometric systems are often integrated with broader digital transformation initiatives.

European markets, however, face unique regulatory challenges. The GDPR and AI Act create a complex compliance environment, requiring technology providers to develop solutions that prioritize privacy and consent. The competitive landscape includes major companies such as IDEMIA, Thales, NEC, and Vision-Box, all of which are investing in privacy-preserving technologies to meet diverse regulatory requirements.

The COVID-19 pandemic further accelerated demand for contactless processing technologies, making biometric solutions more attractive to both airport operators and travelers. However, the uneven regulatory landscape means that implementation strategies must be tailored to local legal and cultural expectations.

“The global airport biometric services market is projected to reach over USD 100 billion by 2032, but regional adoption is shaped by privacy regulations and public trust.”

Privacy Concerns and Data Protection Challenges

Facial recognition in airports raises profound privacy issues. Biometric data is immutable, once compromised, it cannot be changed. The EDPB highlights the heightened risks of biometric processing, especially in environments where individuals may feel compelled to participate, such as airports. Even opt-in systems can be problematic if consent is not fully informed or freely given.

Accuracy and bias are additional concerns. Studies show that facial recognition systems can have higher error rates for certain demographic groups, raising the risk of discrimination. The European Commission against Racism and Intolerance has warned of the potential for misidentification and racial profiling.

Security breaches involving biometric data have already occurred. For example, in 2019, a U.S. Customs and Border Protection subcontractor’s breach led to traveler images being leaked online. Such incidents highlight the need for rigorous security practices and supply chain oversight in biometric system deployments.

Comparative Analysis: International Approaches to Airport Biometrics

Approaches to airport biometrics vary widely. The U.S. TSA has aggressively expanded facial recognition, with opt-out provisions but differing data retention policies for citizens and non-citizens. European regulators require higher standards of consent and data minimization, often favoring decentralized storage and voluntary participation.

In Hungary, legislative changes have broadened the use of facial recognition beyond airports, raising concerns about surveillance of peaceful demonstrations and minor infractions. Asian and Middle Eastern airports often integrate biometrics into smart city initiatives, with fewer privacy protections than in Europe.

These differences reflect underlying legal, cultural, and policy variations. The Milan Linate case is a clear example of the European preference for stringent privacy safeguards, in contrast to more permissive environments elsewhere.

Expert Perspectives and Industry Response

SEA Milan Airports maintains that its FaceBoarding system complied with Regulations and stresses its cooperation with authorities. Industry players like IDEMIA and Thales argue that privacy-preserving architectures can enable secure and efficient biometric processing, while privacy advocates such as NOYB emphasize the need for strict consent standards and warn against commercial overreach.

The EDPB and other regulatory bodies urge airport operators to consider less intrusive alternatives, and civil society organizations warn of “function creep”, the gradual expansion of surveillance technologies into broader public spaces. Academic researchers continue to highlight technical limitations and social implications, particularly regarding accuracy and bias.

The debate over biometric technology in airports is thus multifaceted, involving operational, ethical, and legal considerations. The Milan suspension has amplified these discussions and is likely to influence future regulatory and industry strategies.

“Biometric identification systems should only be deployed where strictly necessary, and with the highest standards of privacy protection.”

, European Data Protection Board

Future Implications and Regulatory Evolution

The Milan Linate suspension signals a shift toward more stringent oversight of biometric technologies in Europe. The evolving regulatory framework, including the Artificial Intelligence Act, will likely require even more robust consent mechanisms, transparency, and technical safeguards for future deployments. Operators must demonstrate that biometric processing is necessary and proportionate, not merely convenient.

International coordination remains a challenge, as Airlines and airports serving global travelers must navigate a patchwork of regulatory regimes. Technological innovation in privacy-preserving authentication may offer alternatives, but the bar for compliance is rising. The influence of privacy advocates and civil society organizations is set to grow, ensuring sustained scrutiny of biometric surveillance in public spaces.

Conclusion

The decision to suspend facial recognition at Milan Linate airport is a landmark in the ongoing tension between technological innovation and privacy protection. It demonstrates that even voluntary, opt-in systems with privacy safeguards can fall short of evolving European standards if they lack adequate transparency and control mechanisms. The case underscores the importance of robust regulatory oversight and the need for continuous adaptation as both technology and societal expectations evolve.

As the global market for airport biometrics continues to expand, the Milan case will serve as a reference for future deployments, regulatory actions, and public debates. The path forward will require a delicate balance between operational efficiency, security imperatives, and the fundamental rights of individuals, a challenge that will shape the future of aviation and digital privacy for years to come.

FAQ

Why was facial recognition suspended at Milan Linate airport?
Italy’s privacy watchdog suspended the technology due to insufficient safeguards to prevent the processing of biometric data from passengers who had not explicitly consented, reflecting concerns over GDPR compliance.

What is the GDPR’s stance on biometric data?
The GDPR classifies biometric data as a special category of personal information, requiring enhanced protection and strict consent mechanisms for its processing, especially in public spaces like airports.

Are facial recognition systems still used in other airports?
Yes, facial recognition is widely used in airports globally, particularly in the United States and parts of Asia and the Middle East, though regulatory requirements and privacy protections vary by region.

What are the main privacy concerns with airport biometrics?
Key concerns include the immutability of biometric data, risks of unauthorized access or misuse, potential for bias or discrimination, and challenges in obtaining truly informed and voluntary consent.

How might future regulations affect biometric technology in airports?
The European Union’s Artificial Intelligence Act and evolving data protection standards are expected to impose stricter requirements on biometric deployments, potentially limiting their use and requiring advanced privacy-preserving technologies.

Sources: Reuters / Yahoo News