How Will the GDPR Affect Inflight Connectivity?

From 25 May 2018, the long-awaited legislation will introduce requirements on areas ranging from the way data is collected to subject’s rights, mandated data protection officers, and cross-border transfer. Together, they bring the EU into the firmest data privacy framework ever.

The General Data Protection Regulation (GDPR) introduces a new EU data privacy regime with fines for non-compliance reaching up to 4% of a company’s annual global turnover. From 25 May 2018, the long-awaited legislation will introduce requirements on areas ranging from the way data is collected to subject’s rights, mandated data protection officers, and cross-border transfer. Together, they bring the EU into the firmest data privacy framework ever.

How will the GDPR affect inflight connectivity and other service providers? Jurisdiction has always been at the centre of telecommunication regulations on board aircraft. The GDPR now extends its scope to all flights to and from the EU.

Why comply? Because Europe is now everywhere

The headline of the new regulation is an increased territorial scope. Jurisdiction extends to non-EU companies processing the personal data of EU subjects.

Generally, the regulatory framework that applies to an aircraft is determined by the country of registration, as provided by International Civil Aviation Organization agreements. Under the GDPR, however, any data that can be assumed to be from EU residents must be processed according to the regulation. The GDPR therefore extends to all flights to or from the EU, in addition to EU-registered aircraft.

This sends the number of airlines subject to the EU regulation soaring. Accordingly, stakes have been raised to ensure compliance. The GDPR is enforceable directly by supervisory authorities in any EU member state – and the European Commission will make sure they do. Any company collecting or processing data from EU subjects can face penalties of up to 4% of annual global turnover. With this in mind, non-compliance is not really an option.

GDPR: Key aspects for inflight services

The regulation spans 88 pages, and some key points directly affect inflight services. These are aspects related to data collection, data processing, and the most specific to inflight services: cross-border data flows.

Collection and processing

The GDPR includes requirements for data collection and processing. For example, to obtain consent to collect data, the user’s terms and conditions must be accessible, intelligible and explain the conditions of the processing and use of the data. The possibility to opt-out of data collection should be offered by default. Telecom companies should designate a data protection officer to monitor, lead processes and notify the supervisory authority of data breaches.

Essentially, data protection mechanisms must now be considered in the design of new products and services, rather than as an additional feature.

Cross-border data transfer

The framework for cross-border data transfer is the most striking feature of the GDPR for inflight services. When connectivity is facilitated by satellite, data transits through ground infrastructure. On board an aircraft crossing different jurisdictions, data transmitted by satellite connectivity will have to transit through different hubs located on the ground. When flying across other regions, it will not be physically possible to use ground infrastructure located in the EU. This data would therefore be considered to have crossed borders.

Cross-border data transfer rules are becoming a lot stricter under the GDPR. Although the regulation recognises the importance of international data flow, it mandates that international transfer should not undermine data protection. In practice, there is no change in the countries where an adequacy decision has been adopted by the European Commission. So far, only eleven countries have gone through the process and met the requirements, of which only Switzerland is in the EU’s top-ten trade partners. The US has a similar arrangement called the privacy shield, but this may be challenged by the EU’s citizen-driven model.

Alternatively, companies will have the possibility to set up appropriate safeguards. These safeguards can be contractual, under the approval of the data protection authority: binding corporate rules for organisations with an office in the EU, national authority-led certifications, and corporate association-led code of conducts. Safeguards are also technical risk mitigation mechanisms such as encryption or pseudonymisation of the data. In any case, free data flow cannot be taken for granted and should be considered in designing the network.

Conclusion

In a world where lacking inflight connectivity is becoming a commercial disadvantage, GDPR compliance is essential. From now, data protection will shift from an additional consideration to a key requirement that will determine how data can be processed.

International inflight services cannot avoid compliance with the new and more stringent regulation to collect and process data. Compliance will require a carefully considered selection of ground infrastructure with cross-border requirements in mind. In the run-up to May 2018, there will certainly be a lot of work to do to reach full compliance and avoid headaches.

On the bright side, dealing with one GDPR is still better than dealing with twenty-eight or more data protection regulatory frameworks.

Related Articles

Access Alert: What the abolition of Mexico’s telecoms and competition regulators means and what to do next

Access Alert: What the abolition of Mexico’s telecoms and competition regulators means and what to do next

Mexico’s Congress has approved the constitutional reform for the elimination of the Federal Institute of Telecommunications (IFT) and the Federal...

25 Nov 2024 Opinion
Access Partnership Concludes 2024 with Double Recognition: Best Tech Policy Advisory and Innovative Tech Consultancy of the Year

Access Partnership Concludes 2024 with Double Recognition: Best Tech Policy Advisory and Innovative Tech Consultancy of the Year

London, UK – Access Partnership has celebrated the end of 2024 by winning Best Technology Policy Advisory at The Business...

22 Nov 2024 General
Access Alert: New agency for digital transformation and telecommunications in Mexico

Access Alert: New agency for digital transformation and telecommunications in Mexico

The Mexican Congress has approved the creation of the Agency of Digital Transformation and Telecommunications, which will have the level...

19 Nov 2024 Opinion
Access Alert: The wider impact of Australia’s social media ban for under-16s

Access Alert: The wider impact of Australia’s social media ban for under-16s

Australia’s states and territories have unanimously backed a national plan to ban children under sixteen from most forms of social...

18 Nov 2024 Opinion