While international airlines can’t hope to comply with every jurisdiction’s data protection regime, the advent of the EU’s General Data Protection Regulation (GDPR) later in the year will encourage a “baseline” standard of compliance that will help them feel protected, according to a panel at IATA’s Legal Symposium in Bangkok.
Airlines and other multi-jurisdictional businesses have faced a challenge in the past to find a global standard of conduct that would prevent them from running afoul of divergent data laws. “That’s why GDPR is a gamechanger,” Crowell & Moring partner Jeffrey Poston told attendees of a session on the growth of data protection regulations on 1 March. “As onerous as it is and as stringent as it is, it’s tangible, it’s clear, and I think it’s going to become the global default.”
His comments followed those of Air Canada’s senior counsel for labour, employment and privacy Rachelle Henderson, who said that her airline’s policy was to follow data laws that “comply with as many other applicable laws as possible, or at least those that pose the greatest risk if you don’t comply.” For Henderson, this law was embodied in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which she said was based on internationally recognised best practices, including the OECD fair information principles.
Karen Clayton, general counsel at Air New Zealand, agreed, saying the best approach was to identify the highest standards and apply them across the board. She added her airline had spent a lot of time trying to embed privacy principles into the fabric of its business and adopting a “privacy by design” culture, which addressed the issue up front.
Alan Meneghetti, of Katten Muchin in London, said Poston was right that using GDPR as the baseline was the best approach to achieve high standards of compliance. He said airlines would still need to take appropriate measures to prepare for jurisdictional differences between European countries, as they all could derogate from the GDPR on certain issues, but added this process would be much quicker and cheaper than it might have been under previous regulations because there would be fewer opportunities for derogation after the regulation comes into force in May.
One reason he gave for the GDPR getting global attention, as opposed to other regimes, was the possibility of large fines for non-compliance: under the regulation, organisations can be fined up to 4% of their annual turnover or €20 million, whichever is greater. He also pointed to the regulation’s mandatory data breach reporting requirements, which apply to industries – including airlines – that haven’t previously been required to report hacks.
Meneghetti noted, however, that even without a requirement to report a breach, airlines had a strong record of voluntary reporting, “because it’s a way of managing good will”.
Poston agreed, saying that customers and the public at large were becoming desensitised to the breaches themselves, which no longer do long-term damage to companies’ reputations, but that what people found harder to forgive was a poor response by the company when a breach occurred. “You take a bigger reputational hit if you’re not prepared to respond and if you fail to respond efficiently and comprehensively,” he said.
The reputational damage from a breach was much more keenly felt by companies than any monetary damages a court could mete out as a result of a class action, he added. He noted that his litigation team had been able to defend against lawsuits filed when customer data went missing because US Supreme Court precedent says this isn’t enough to prove actual damages.
Sze-Hui Goh, of Eversheds Harry Elias in Singapore, said the situation was similar in many Asian jurisdictions, where the culture is less litigious and preserving company reputations is a priority. This had led to a surge in local interest in GDPR, she said, with companies asking lawyers to formulate Asia-wide compliance strategies.
Compliance in action
Moderator Leslie MacIntosh of IATA tasked the panel with analysing a fictional scenario involving a US-Brazilian dual citizen, named Mary, lawfully resident in Canada, travelling to New Zealand via London and Singapore.
Mary booked flights on Canadian and New Zealand-based airlines via a UK travel agent, handing over various pieces of personal information during the booking process, including her frequent flyer number, which was stored on US and Singaporean servers. This personal information was used by the inflight entertainment system and flight crew to offer her catered services based on previous preferences derived from the data, including a kosher meal. During the Singapore stopover, the local police arrested several passengers on the flight and compelled the airline to disclose information on all the passengers. Finally, having completed her journey, Mary learned that there was a security breach at the servers in the US.
MacIntosh began by asking the panel what privacy laws applied at the various stages of Mary’s journey.
Neil Montgomery, of Montgomery & Associados in São Paulo, started by saying that Brazilian law wouldn’t apply at any stage because Mary, while a citizen, wasn’t resident in Brazil and didn’t use a computer in the country to make her booking.
Meneghetti said the GDPR would definitely apply if it was in force because Mary used a UK travel agent for the booking. He added that the regulation is “citizenship agnostic”, meaning it didn’t matter whether Mary was a citizen of an EU member state or not; if the data is collected in the EU, the GDPR would apply.
Poston said that US law would be triggered by Mary’s US citizenship and one of the servers on which her information was stored being based in the country, but he added that most of the focus would be on the airline that chose to outsource its data to the US.
PIPEDA would apply to the Canadian airline, Henderson said, as it collected information during the course of its commercial activities in Canada. Likewise, the New Zealand airline, to the extent that it had any similar commercial activities in the country, would also be caught.
Clayton said New Zealand law would also apply: “We are the carrier, she is one of our frequent flyers, we have collected, used and stored her data, so perhaps it’s no surprise.”
MacIntosh then asked the panel whether either of the airlines had to receive Mary’s consent to use her personal information in offering its inflight services.
Meneghetti noted that the GDPR says if information is “freely given, unambiguous, informed and express”, companies can infer the subject’s consent to their use of it. It must also be possible for subjects to withdraw their consent as freely as they give it, he added.
In this case, in storing information and using it to provide a kosher meal, which implies religious orientation and is potentially sensitive, the airline would have to make clear that the data was being stored to build a flight profile, Meneghetti said.
Clayton said the contractual terms of frequent flyer programmes mean that passengers who join up to them have consented to the use of the data in their profile by the airline. She said that airlines – including her own – increasingly make it their business strategy to personalise the passenger experience using the data they have collected, as long as this complies with the law.
As to the disclosure of Mary’s information to the Singapore police, Goh said there were exceptions to the consent principle under Singapore’s data laws, including whether the information is being used in the national interest. “If the airline believes that having to seek consent will compromise the investigation it wouldn’t have to seek passengers’ consent in order to disclose their information to the authorities,” she said.
Clayton said that airlines had to balance the risk of what might happen were the information to be withheld – in the fictional example, the Singapore police were investigating alleged terrorists – against customer privacy rights.
“You also don’t want to communicate to your customers that if you get a knock on the door you’re just going to turn over their data,” Poston said, adding that airlines need to have the due process mechanisms in place to be able to show customers that they were legally compelled to share the data. “That’s a tightrope all companies are walking.”
PIPEDA would require the airlines to notify the passengers that their data was going to be used by foreign authorities, Henderson said: “It’s not the same as getting consent but you have to say that the information will be transferred to a jurisdiction where it may be subject to an order to disclose.”
The session took place on the third day of IATA’s legal symposium, held at the Shangri-La hotel in Bangkok between 27 February and 1 May. ALN will provide further coverage of the event in the coming weeks.