Airports are collecting and processing a large amount of data from a traveler, including but not limited to personal identification, medical records (COVID-19 related), and biometric information. The guidebook intends to analyze the status quo of how US airports handle data privacy and to inform airport stakeholders of a comprehensive strategy to guide them towards better data privacy management.
Airports are facing a compliance crisis as legislators of different levels are introducing an increasing number of regulations on data protection and privacy, e.g., the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR). These consumer-friendly regulations are established to give back the control of personal information to the owners by increasing the transparency of data processing and enabling access to critical data functions. The legislative move is driven by the public sentiment that consumers have the right to know what personal information is being collected, the right to control if their data can be sold and disclosed to any third parties, and the right to delete the data upon request. While the COVID-19 pandemic is tanking the traffic volume and thus revenues of the aviation sector at an unprecedented rate, the extra burden of accessing and processing COVID-19 related health information of passengers, such as SARS-CoV-2 testing results and vaccination records, has further exposed airports to compliance requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Non-compliance or violations of data privacy regulations could lead to significant financial loss and legal consequences. For instance, Cathay Pacific, a Hong Kong-based carrier, was fined £500,000 over customer data protection failure by the UK Information Commissioner's Office (ICO) (BBC, 2020). In 2012, then California Attorney General Kamala D. Harris filed suit against Delta Airlines for failing to comply with California Privacy Law (Office of the Attorney General, 2012). Even though the Delta case was eventually dismissed, these are wake-up calls for the global aviation industry. Organizations need to realize their obligations when handling passengers' personal information in order to be compliant with the applicable privacy regulations within and beyond their immediate state.
Recently, as businesses worldwide are moving promptly to add consent notices on their websites to notify visitors how their information is being collected and processed, the airport sector is lagging. A quick review of the websites of the 10 busiest airports in the US (measured by the 2019 passenger enplanements) finds that 8 out of 10 airports do not provide any information concerning data privacy as of March 2021. Therefore, it is pressing for ACRP to lead the effort of investigating the current practice of data privacy management and provide guidance for airports in order to foster the awareness of compliance, clarify the misunderstanding and facilitate informed technical and policy responses. In our opinion, this effort should go beyond basic compliance as the public is eyeing improved data privacy worldwide. It is imperative for airports to provide clearer signages, enhance communication with travelers, and adopt the Privacy by Design approach in planning both physical and digital presences. This guidebook is proposed to help airports of different categories on that journey.
The proposed guidebook aims to help US airports of different categories:
Comply with relevant privacy-centered regulations, e. g. CCPA and GDPR, by actively communicating the most essential details of how the traveler's data is collected, used, and stored (transparency) in a clear, simple, and understandable manner.
Build and embed robust data privacy management into short-term operational practice as well as long-term business strategies.
Use effective and proactive data privacy management as leverage to enhance trust with the broad community.
We anticipate accomplishing the following tasks within approximately 12 months:
Review current and proposed regulations related to data privacy at the state and federal levels in the US, as well as pertinent laws in other regions of the world.
Analyze relevant privacy regulations and identify the applicable requirements for US airports of different categories.
Examine the organizational structure and business process of selected airports with the input from the project panel, and specify units or components that collect, process, or store travelers' personal information.
Conduct a gap analysis to reveal the deficiencies in the current information processing and data privacy handling approach.
Propose technical solutions that enable the intended data use while fulfilling the obligations of privacy requirements.
Create guidance and support materials to foster a business culture that advocates robust data privacy management.
Provide solutions for airports to build strong community trust using adequate data privacy as leverage.
Provide clear guidance and examples of how to effectively communicate technically complex issues to the passenger.
Draft the guidebook and present the final deliverables to the project panel and ACRP.
This project is anticipated to be jointly undertaken by academic research institutions and dedicated airport consulting firms in order to build a transdisciplinary team comprising investigators from diverse backgrounds. We estimate the proposed project will cost approximately $300,000 to complete, including direct, indirect, and other ancillary costs and expenses. The estimated time for the project is 12 months, including 3 months for review and revision of a draft final report.
We have thoroughly reviewed existing literature on or related to the proposed topic. Within the ACRP community, there is no project explicitly addressing the data privacy issue. A couple of past and present projects are related to the proposed topic, including ACRP 05-02 Guidebook on Best Practices for Airport Cybersecurity (2015), which focused on revealing security threats for airports and educating airport staff for mitigations, and ACRP 03-55 Airport Biometrics – A Primer, which aims to develop a primer that defines and describes the landscape of biometric processes and applications and therefore has a privacy component. Outside ACRP publications, IATA briefly introduced the privacy requirements for the broader aviation industry in Aviation Cyber Security Guidance Material (2021) and Compilation of Cyber Security Regulations, Standards, and Guidance Applicable to Civil Aviation (2021). Both IATA reports do not entirely center on the privacy issues faced by airports, though they provide helpful information on how to leverage existing frameworks to assess the privacy risks and build mitigations.
BBC. (2020). Cathay Pacific fined £500,000 over customer data protection failure. Retrieved from https://www.bbc.com/news/technology-51736857
Murphy, R. (2015). Guidebook on Best Practices for Airport Cybersecurity. In ACRP 05-02. https://doi.org/10.17226/22116
InterVISTAS. (Active). Airport Biometrics -- A Primer. ACRP 03-55. Retrieved from https://apps.trb.org/cmsfeed/TRBNetProjectDisplay.asp?ProjectID=4843
IATA (2021). Aviation Cyber Security Guidance Material. Retrieved from https://www.iata.org/en/programs/security/cyber-security/
IATA (2021). Compilation of Cyber Security Regulations, Standards, and Guidance Applicable to Civil Aviation. Retrieved from https://www.iata.org/contentassets/4c51b00fb25e4b60b38376a4935e278b/compilation_of_cyber_regulations_standards_and_guidance_1.0.pdf
Office of the Attorney General. (2012). Attorney General Kamala D. Harris files suit against Delta Airlines for failure to comply with California Privacy Law. Retrieved from https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-files-suit-against-delta-airlines-failure