Despite this ubiquity, the legal framework surrounding data privacy is little more than a fragmented patchwork of local rules.
“Airlines that operate across borders face multiple laws when it comes to privacy and data protection,” says Jeremy Moreton, Head of Legal at IAG and Chair of the Privacy Law Working Group (PLWG), an arm of IATA’s Legal Advisory Council.
“These laws are often inconsistent and can even be in conflict with other laws,” he adds. “An airline’s home country may have a law that elements of personal data cannot be sent to a destination country but that destination country may, in turn, insist that the same data is provided. If not, the airline is fined or cannot operate. Airlines are in an invidious position.
Moreton also points out that many regulations are extraterritorial, which means airlines can be subject to the jurisdiction of multiple laws for a single passenger journey. The scale of the challenge becomes obvious given that more than 10 million passengers take to the skies on a typical day.
Other industries also operate internationally, of course, but their businesses can be adjusted more readily to local conditions. But for airlines, it is the same business operating at both ends of a journey.
Data localism—a term for storing data locally—has been suggested as a solution but is a challenge for airlines. Airlines need a single source of truth for their inventory and booking systems and can’t hold a multitude of separate records in disparate locations.
A fragile system
The fragmented approach is being made even more challenging with a number of successful legal challenges—notably between the European Union and the United States—invalidating current data transfer arrangements and exposing the fragility of other bilateral arrangements.
Nor is passenger consent the way forward. “Consent has an important role to play but is not a panacea,” says Moreton. “The role of consent is different according to the jurisdiction….