Thought leadership from our experts

Air carriers transferring sensitive personal data to authorities: accountability requires careful assessment

The EU General Data Protection Regulation ("GDPR")1 shall apply, from 25 May 2018, to any processing of personal data in the context of the activities of an establishment of a data controller or a data processor in the EU. Establishment implies the effective and real exercise of activity through stable arrangements. Many carriers flying to and from EU airports are thus concerned. Not only EU carriers, but also non EU carriers with branches in the EU or being represented by GSA's.

Not only passengers data are concerned but also crew data.

Also carriers not established in the EU, but offering transport services to passengers in the EU, shall have to be GDPR – compliant for the related processing.

For air carriers it is a particularly difficult exercise to render all relevant processing GDPR –compliant: their data processing is governed not only by the general data protection legislation, however also by sector specific legislation which may include specific data processing or data transfer obligations such as provisions on information transfers to authorities for safety or security reasons.

It is possible for such specific legislation to further specify the conditions for lawfulness of the concerned processing, or establish specifications for determining the type of data which are subject to the processing2. This legislation however should respect the provisions of the GDPR.

Aviation safety legislation e.g. provides for information repositories serving a purpose of safety certification and oversight, which may contain personal data and more particularly health data on aircraft pilots3. Some of the safety information may originate from air carriers, following application of the legislation on occurrence reporting a.o., or it may have been provided by the carriers on a voluntary basis. Information sharing for safety purposes is indeed crucial. Where air carriers however transfer information to authorities that concerns health data of pilots, considered as particularly sensitive data by the GDPR, they should in light of the accountability principle examine and be able to demonstrate that (i) sharing the concerned personal data, where they did not obtain the pilots' explicit consent thereto, is necessary for reasons of substantial public interest and is based on Union or Member State law, and (ii) the pilots are informed of the processing by the authorities in a transparent way or where allowed by the carrier itself (transparency principle), and (iii) the other general principles of the GDPR are respected: the principles of lawfulness and fairness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.

The safety and security requirements, of substantial public interest, are constantly balanced against the fundamental right to privacy.

Also in relation to security, air carriers constantly have to monitor the changing legal framework, often involving organizational and practical measures.

Authorities indeed have different viewpoints.

As an example, reference can be made to the recent opinion of the Court of Justice of the EU according to which the draft agreement between the EU and Canada on the transfer of PNR data4 may not be concluded in its current form since the fundamental privacy and data protection rights of the passengers as under EU law would not sufficiently be safeguarded.

The envisaged agreement provides for systematic transfer of data of passengers to the Canadian authorities for the purpose of combating terrorism and serious transnational crime. The Court observed that the PNR data reveal a complete travel itinerary, travel habits, dietary habits or state of health, and other sensitive data, and moreover the data are intended to be analyzed systematically by automated means, so that the envisaged agreement entails an interference with the fundamental right to protection of personal data. The Court observed that although indeed ensuring public security can be a valid justification thereto, the transfer of sensitive data such as health data requires "a precise and particularly solid justification based on grounds other than the protection of public security against terrorism and serious transnational crime."5

The Court considered that "the communication of personal data to a third party, such as a public authority, constitutes an interference" with the fundamental rights to privacy and the protection of personal data, "whatever the subsequent use of the information communicated"6. The Court recognizes that those rights are not absolute rights, but must be considered in relation to their function in society7. The Court added that the requirement that any limitation on the exercise of fundamental rights must be provided for by law, and the legal basis which permits the interference with data protection rights must itself define the scope of the limitation. The derogation or limitation should apply only in sofar as is strictly necessary (proportionality principle).

The Court gave guidelines for the negotiators to reach a new agreement that would be more in respect of the fundamental right to protection of personal data as under EU law.

Important is that safety and security are recognized as objectives of general interest of the EU capable of justifying even serious interferences with the fundamental rights of privacy and data protection, but it remains necessary to assess the necessity of the interferences8.

It is the legislator or the competent authority who in the first place needs to make such assessment.

However, in general, the air carrier under the GDPR will be accountable: when processing passenger data or pilots' data, it always should at the same time consider safety and security issues on the one hand, and privacy and data protection on the other hand. The carrier should not process more data then strictly necessary for the concerned purposes, should not store the data any longer than necessary for the purposes, every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Adequate measures for data security must be taken.

Where adequate, encryption, pseudonymization or even anonymization techniques should be used.

Pseudonymization is promoted by the GDPR as a technique which can protect data subjects; the data still can be attributed to a natural person by the use of additional information so that the GDPR still applies to the data9. The GDPR does not apply to anonymous data: information which does not relate to an identified or identifiable natural person, data rendered anonymous in such a manner that the data subject is not or no longer identifiable. In relation to occurrence reports e.g. the safety legislation provides for "de-identification"10.

The carriers, as required under the GDPR, should adopt adequate internal policies and implement "data protection by design" and "data protection by default" measures. When sensitive data are being processed, likely to result in "a high risk" to the data protection rights of passengers or crew, it is necessary to carry out "data protection impact assessments" for determining the appropriate measures to be taken to demonstrate that the processing is GDPR-compliant.

Air carriers are in the difficult position of having to follow up on different regulations that concern fundamental rights. Where the Charter of Fundamental Rights of the EU in its Article 7 contains the fundamental right of privacy protection and in its Article 8 the fundamental right to protection of personal data, it also in its Article 6 provides for a fundamental right to security.

Where the related legislation is ambiguous, unclear or contradictory, or where legislation contains a void, the air carrier is in the position where it needs to make itself the required necessity and proportionality assessments. Assessments will evolve, depending on the measures that the related fundamental rights require. It is thus necessary for air carriers to regularly review the assessment of the impact of their processing. It is advisable to involve the relevant authorities, under the GDPR this is even required.

Air carriers moreover will have to make the exercise of assessment at an international level given the international nature of their activity. It is important that authorities, when further specifying requirements for data sharing and data transfers keep in mind these specific sector issues.

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
  2. Recital (45) of the GDPR
  3. The proposed new “Basic Regulation” , proposal for a Regulation of the European Parliament and of the Council on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency (EASA), e.g. provides for an information repository through which authorities, aeromedical examiners and aeromedical centers shall exchange information concerning medical fitness of pilots, this with a number of safeguards, such as a limited retention period, but also with a possibility for EASA and the Member States to restrict the scope of the rights of the data subject to access, rectify and erase its personal data included in the repository when strictly necessary for civil aviation safety
  4. Passenger Name Record Data
  5. Opinion 1/15 of 26 July 2017; the Court was seized by the European Parliament to give its opinion
  6. Opinion 1/15, points 124 and 126
  7. Opinion 1/15, point 136
  8. Opinion 1/15, point 149
  9. Hereby account should be taken of all objective factors, such as the costs of and the amount of time required for identification: recital (26) of the GDPR
  10. Cf. Article 16 of Regulation 376/2014 and recital 35