The General Data Protection Regulation (GDPR) introduces a new EU data privacy regime with fines for non-compliance reaching up to 4% of a company’s annual global turnover. From 25 May 2018, the long-awaited legislation will introduce requirements on areas ranging from the way data is collected to data subjects’ rights, mandated data protection officers, and cross-border transfer. Together, they give the EU the firmest data privacy framework ever.
How will the GDPR affect inflight connectivity and other service providers? Jurisdiction has always been at the centre of telecommunication regulations on board aircraft. The GDPR now extends its scope to all flights to and from the EU.
Why comply? Because Europe is now everywhere
The headline of the new regulation is an increased territorial scope. Jurisdiction extends to non-EU companies processing the personal data of EU subjects.
Generally, the regulatory framework that applies to an aircraft is determined by the country of registration, as provided by International Civil Aviation Organization agreements. Under the GDPR, however, any data that can be assumed to be from EU residents must be processed according to the regulation. The GDPR therefore extends to all flights to or from the EU, in addition to EU-registered aircraft.
This sends the number of airlines subject to the EU regulation soaring. Accordingly, stakes have been raised to ensure compliance. The GDPR is enforceable directly by supervisory authorities in any EU member state – and the European Commission will make sure they do. Any company collecting or processing data from EU subjects can face penalties of up to 4% of annual global turnover. With this in mind, non-compliance is not really an option.
GDPR: Key aspects for inflight services
The regulation spans 88 pages, and some key points directly affect inflight services. These are aspects related to data collection, data processing, and the most specific to inflight services: cross-border data flows.
Collection and processing
The GDPR includes requirements for data collection and processing. For example, to obtain consent to collect data, the user’s terms and conditions must be accessible, intelligible and explain the conditions of the processing and use of the data. The option to opt out of data collection should be offered by default. Telecom companies should designate a data protection officer to monitor, lead processes and notify the supervisory authority of data breaches.
Essentially, data protection mechanisms must now be considered in the design of new products and services, rather than as an additional feature.
Cross-border data transfer
The framework for cross-border data transfer is the most striking feature of the GDPR for inflight services. When connectivity is facilitated by satellite, data transits through ground infrastructure. On board an aircraft crossing different jurisdictions, data transmitted by satellite connectivity will have to transit through different hubs located on the ground. When flying across other regions, it will not be physically possible to use ground infrastructure located in the EU. This data would therefore be considered to have crossed borders.
Cross-border data transfer rules are becoming a lot stricter under the GDPR. Although the regulation recognises the importance of international data flow, it mandates that international transfer should not undermine data protection. In practice, there is no change for countries where an adequacy decision has been adopted by the European Commission. So far, only eleven countries have gone through the process and met the requirements, of which only Switzerland is among the EU’s top ten trade partners. The US has a similar arrangement called the Privacy Shield, but this may be challenged by the EU’s citizen-driven model.
Alternatively, companies will have the possibility to set up appropriate safeguards. These safeguards can be contractual, subject to approval by the data protection authority: binding corporate rules for organisations with an office in the EU, national authority-led certifications, and codes of conduct led by corporate associations. Safeguards can also be technical risk mitigation mechanisms such as encryption or pseudonymisation of the data. In any case, free data flow cannot be taken for granted and should be considered when designing the network.
In a world where lacking inflight connectivity is becoming a commercial disadvantage, GDPR compliance is essential. From now on, data protection will shift from an additional consideration to a key requirement that determines how data can be processed.
International inflight services cannot avoid compliance with the new and more stringent regulation to collect and process data. Compliance will require a carefully considered selection of ground infrastructure with cross-border requirements in mind. In the run-up to May 2018, there will certainly be a lot of work to do to reach full compliance and avoid headaches.
On the bright side, dealing with one GDPR is still better than dealing with twenty-eight or more data protection regulatory frameworks.