Why did the Privacy Guarantor declare FaceBoarding at Milan-Linate “unlawful”?

The Privacy Guarantor has blocked the FaceBoarding system at Milan Linate airport, declaring the processing of personal data carried out by the company SEA unlawful. The official investigation turned the temporary suspension of September 2025 into a permanent ban, motivated by structural problems in the way the faces of airport users were handled. Unlike systems in which sensitive data stays on the individual user’s device, the infrastructure accumulated the scans in a single digital archive, preventing the data subjects from having exclusive control over their information. There were also aggravating technical factors, such as the absence of encryption to protect the mathematical models derived from facial features, and unjustified retention times, which reached 12 months. The most critical element raised by the Authority concerns the involuntary acquisition of data: the cameras at the so-called “hybrid gates” captured the images of those who had chosen not to participate in the service, which amounts to collection without consent.

How Milan-Linate FaceBoarding works

To understand the reasons for the block, let’s look at how the Milan-Linate FaceBoarding system worked. The service was designed to replace the physical presentation of an identity card, passport and boarding pass at airport controls. Adult passengers could register on a voluntary basis via a mobile application or at physical kiosks in the departures area. The procedure required scanning the travel document. With the smartphone, the passenger scanned the MRZ (Machine Readable Zone), the string of letters and numbers at the bottom of identity documents, designed specifically for optical reading.
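An MRZ carries its own check digits, so an enrolment client can reject a misread document before any biometric data is bound to it. The following is an added example, not code from SEA or the FaceBoarding app; it assumes the passport (TD3) layout from ICAO Doc 9303, since the page does not say which layouts the app accepted, and the function names are hypothetical.

```go
package main

import "fmt"

// CheckDigit implements the ICAO Doc 9303 rule: 0-9 keep their value, A-Z map to 10-35, '<' is 0; weights repeat 7, 3, 1.
func CheckDigit(field string) (byte, error) {
	weights, sum := [3]int{7, 3, 1}, 0
	for i := 0; i < len(field); i++ {
		c, v := field[i], 0
		switch {
		case c >= '0' && c <= '9':
			v = int(c - '0')
		case c >= 'A' && c <= 'Z':
			v = int(c-'A') + 10
		case c != '<':
			return 0, fmt.Errorf("invalid MRZ character %q at offset %d", c, i)
		}
		sum += v * weights[i%3]
	}
	return byte('0' + sum%10), nil
}

// ValidateTD3Line2 verifies all five check digits on line 2 of a passport (TD3) MRZ.
func ValidateTD3Line2(l string) error {
	if len(l) != 44 {
		return fmt.Errorf("TD3 line 2 must be 44 characters, got %d", len(l))
	}
	checks := [][3]string{ // field name, covered data, expected digit
		{"document number", l[0:9], l[9:10]},
		{"date of birth", l[13:19], l[19:20]},
		{"date of expiry", l[21:27], l[27:28]},
		{"personal number", l[28:42], l[42:43]},
		{"composite", l[0:10] + l[13:20] + l[21:43], l[43:44]},
	}
	for i, c := range checks {
		want := c[2][0]
		if i == 3 && want == '<' { // an unused personal number may carry '<' instead of 0
			want = '0'
		}
		if got, err := CheckDigit(c[1]); err != nil || got != want {
			return fmt.Errorf("%s: check digit failed", c[0])
		}
	}
	return nil
}

func main() {
	// Specimen line from ICAO Doc 9303, not data from the FaceBoarding system.
	fmt.Println(ValidateTD3Line2("L898902C36UTO7408122F1204159ZE184226B<<<<<10"))
}
```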

Next, the camera acquired an image of the face. This is where the concepts of biometric data and template come into play. An advanced recognition system does not store a plain two-dimensional photograph; it analyzes the geometry of the face, measuring invariant distances such as the space between the eyes, to generate a unique mathematical model: the biometric template. At the dedicated turnstiles, the cameras took an instant reading and compared the face with the registered template to authorize access.

Why the Guarantor blocked FaceBoarding at Milan-Linate

The Guarantor established that this practice violates the GDPR (General Data Protection Regulation) and is in open conflict with the guidance of the European Data Protection Board (EDPB), drawn up specifically for airports.

One of the main problems identified by the Guarantor is the storage of thousands of biometric templates on a single company server. This practice creates a potentially irreversible IT risk. If an attacker managed to penetrate the archive, the passengers’ identity traits would be compromised, since a human face cannot be reset or changed like a password. This risk was amplified by the total lack of data encryption, i.e. the absence of algorithms that render sensitive information unreadable without a specific cryptographic key.
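One way to address both findings at once is to seal each template under a key that exists only on the passenger's device, so that the central archive holds ciphertext it cannot read. The following is an added example, not SEA's code or a scheme prescribed by the Guarantor; the choice of AES-256-GCM, the `Record` type, the function names and the `PAX-0001` identifier are assumptions, and how the device presents its key at the gate is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is all the central archive holds: ciphertext, never the key.
type Record struct {
	PassengerID   string // hypothetical enrolment ID, bound as associated data
	Nonce, Sealed []byte
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enroll seals a template under a fresh key that goes only to the passenger's device.
func Enroll(id string, template []byte) (Record, []byte, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Record{}, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	g, err := aead(key)
	if err != nil {
		return Record{}, nil, err
	}
	return Record{id, nonce, g.Seal(nil, nonce, template, []byte(id))}, key, nil
}

// Unseal runs at the gate with the key presented by the device; a wrong key or edited record fails.
func Unseal(r Record, deviceKey []byte) ([]byte, error) {
	g, err := aead(deviceKey)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Sealed, []byte(r.PassengerID))
}

func main() {
	rec, key, _ := Enroll("PAX-0001", []byte{1, 2, 3}) // constructed sample values
	fmt.Println(Unseal(rec, key))
}
```

With this layout a copy of the archive alone yields no usable templates, and deleting the key on the device makes the stored record unrecoverable.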

A further anomaly concerned how long data was retained in the databases. Passengers could choose whether to sign up for a single flight or keep their profile active long-term, but the investigation found that the infrastructure retained sensitive information for up to an entire calendar year, greatly increasing exposure to data theft. To make matters worse, the inspection highlighted a problem with the physical layout: because the gates were hybrid, the camera lenses constantly acquired the biometric features even of people who simply passed through the standard lanes without ever having given informed consent. All of this was aggravated by a privacy notice to the public that was deemed inaccurate.

All these reasons are summarized in the official note issued by the Guarantor and available on its website, partly reproduced below:

The Authority, during the investigation launched ex officio, ascertained that “FaceBoarding” violates the GDPR and is in contrast, in particular, with the EDPB’s opinion on the use of facial recognition at the airport. In fact, the system requires that the biometric data acquired be entirely stored centrally on SEA’s servers, preventing passengers from exercising exclusive control over their data. The Guarantor also found that SEA has not adopted encryption measures for biometric models; retained the templates for an excessive period of time (up to 12 months), thus leading to a significant increase in the risk of personal data breaches, and issued information with inaccurate information. Furthermore, the company acquired, without their consent, images of the faces of passengers who, despite not having joined “FaceBoarding”, used the hybrid gates.