Aviation connectivity relies on data connectivity

While transporting over 4 billion passengers per year, airlines must share personal data with partners in the aviation value chain, including other airlines, airports, ground handlers, travel agents, and border control authorities.  The sharing of this data must be done in strict compliance with national data protection laws.

Today, over 160 countries have data protection laws in place. These laws have been developed in a fragmented and inconsistent way, and often without regard for the unique operating and regulatory considerations applicable to international civil aviation.  Extraterritorial application means that multiple data protection laws can apply simultaneously to a passenger’s itinerary, causing confusion for passengers and complexity for airlines. Airlines face fines or sanctions when laws in one country conflict with those in their home country. These issues undermine the intended policy outcomes and could impact global air connectivity.

IATA focuses on raising governments' awareness of data privacy issues for airlines and on identifying multilateral solutions.

The need for greater consistency  

While many data privacy issues are not specific to aviation, the sector relies heavily on global regulations to facilitate efficient services for passengers and shippers. That’s why IATA is asking the International Civil Aviation Organization (ICAO) to convene a multi-disciplinary group consisting of data protection, privacy and facilitation experts, as well as international organizations, to review the interaction of national data protection laws and civil aviation and come up with recommendations to promote greater consistency.

> White Paper: data protection and international carriage by air (pdf)

What data do airlines handle?

Bookings

Personal data is shared when a passenger books air travel and related services either directly with an airline, via another airline (e.g., under an interline or codeshare arrangement) or through a travel agent or a travel management company. The passenger (as well as employees assisting them during their journey) needs to be able to access these booking details and make changes to them from a range of locations.

Check-in and airport processes

Personal data is shared between airlines and is involved in the provision of different services to passengers such as check-in, access to airside areas within the airport and boarding of the aircraft.

Government requirements

This includes information contained in passports or other identity documents (“API” data) and passenger name record (“PNR” data) from a booking. This information is used by governments to maintain records of those entering and exiting countries, to validate a passenger’s entitlement to travel (visa and visa waiver programs), and to identify if a passenger is a person of interest to enforcement authorities.

Key issues

Inconsistency

Data protection laws have developed in a fragmented and inconsistent way, making it an acute challenge for international aviation.  Airlines do not operate in each country in isolation but in a connected network with aircraft, crew, and passengers travelling between multiple locations. The ability to take a consistent approach is a necessity.

The required legal grounds for processing personal data vary significantly. For instance, some laws say that all processing is allowed unless specifically prohibited, and others prohibit processing unless the activity comes under a specific legal ground. Consent, as one possible ground, also varies by jurisdiction. This is not to mention the important issue of international data transfers, which are regulated differently as to when permitted and under what procedures.

Simultaneous application

The primary basis for the application of data protection laws is the physical or legal presence of the business collecting and processing the personal data within the jurisdiction of the country.  However, many data protection laws also apply extra-territorially even when there is no physical or legal presence in the country. For instance, some laws apply based on offering products and services to individuals within a jurisdiction (e.g. EU, Brazil, Vietnam, China and India); and others based on the citizenship of the individuals whose data is being collected or processed (e.g. Nigeria and Philippines).  In the airline context, this means that two or more data protection laws can apply at the same time.

Conflict with other laws

Airlines must provide data to government authorities, such as border control and law enforcement. Those requirements can come into direct conflict with applicable data protection laws, with airlines facing the threat of fines or other regulatory action.  This issue is particularly acute today for PNR (Passenger Name Record) data.

Barriers to cross-border data flows

Increasingly, governments require complex verifications that create barriers to cross-border data flows, and in many cases require an assessment to confirm whether the laws of a foreign country are “adequate”. The requirement of adequacy under EU GDPR has been adopted by many countries outside the EU, currently 61 countries, and adds an additional layer of complexity.

Approaches differ between countries on who should be doing the assessment, when it is required and the substantive requirements for adequacy. There is at present no mutual recognition or interoperability.

Data localization

The term “data localization” refers to a country requiring data to be hosted within that country and not allowing it to be transferred outside that country. Such requirements pose significant problems for airlines, which, as part of their activities, must move people and their data across international borders and need to operate an integrated international bookings system for reservations.