ACRP LRD 42  59

pedestrian analytic data collection, where various data points can be collected, sold, and used in ways that raise privacy concerns. Common-use kiosks and other operational efficiency tools may collect or use passenger data. Facial biometric technologies are increasingly being deployed within airports by the airports themselves, by airlines, and by government agencies. These deployments have met some resistance from privacy groups. Standards can help control these data collection activities to ensure they are tailored to operational needs, mitigate public concern with the activity, do not invade user privacy, and benefit airports' commercial interests.

XII. INTERNATIONAL EFFORTS

Data protection is not just a focus of U.S. courts and lawmakers. Worldwide there is a growing body of legal activity seeking to address data privacy. As entities integrally involved in the global travel industry, airports need to be sensitive to international trends in how personal data is managed. Just as this resource cannot examine the law of every state in the United States, it similarly cannot examine every international legal development. Nevertheless, the global trend toward increased protection for data is unmistakable. Research by the Australian scholar Graham Greenleaf in 2018 indicates continued strong growth in international data privacy protections:

In 2017-18, the number of countries that have enacted data privacy laws has risen from 120 to 132, a 10% increase. These 132 jurisdictions have data privacy laws covering both the private sector and public sectors in most cases, and which meet at least minimum formal standards based on international agreements. At least 28 other countries have official Bills for such laws in various stages of progress, including 9 that have introduced or replaced Bills in 2017-18. Many others, in the wake of the GDPR [General Data Protection Regulation] and "modernisation" of Convention 108 [European Council-Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data], are updating or replacing existing laws.605

An introduction to some international efforts to manage and protect private data is provided below.

A. GDPR

Perhaps the best known of the international efforts to address individual privacy is the GDPR. Applying in all EU countries, the GDPR is a holistic attempt to address individual privacy concerns in data usage. It applies to both public and private sector entities subject to the laws and regulations of the EU. The influence of the GDPR on the global expansion of individual data privacy rights is hard to overstate.606

GDPR history provides helpful context for understanding its importance. The GDPR was adopted in 2016 with a two-year grace period before coming into effect in May 2018. It strengthened legal protections for privacy, replacing the European Data Protection Directive (EDPD)607 that had been in effect since 1995.608 Thus, when the GDPR finally came into effect, the EU already had significant experience with concepts of data privacy and state-enforced measures to protect it.

The GDPR focuses on protecting the individual's ownership of data and implementing measures to safeguard those ownership rights. The GDPR sets out responsibilities for those controlling or processing data. Those responsibilities include accountability measures, security measures, and requirements for data protection "by design and by default." It also addresses the critical issue of consent. With respect to the treatment of personal data, the GDPR requires adherence to seven data protection and accountability principles:

• "Lawfulness, fairness, and transparency": must be achieved in the processing of data.609
• "Purpose limitation": data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with the purposes for which it was originally collected.610
• "Data minimization": only the data necessary for, and related to, the purposes specified should be collected and processed.611
• "Accuracy": data must be kept up to date, with reasonable steps taken to erase or rectify inaccurate data.612
• "Storage limitation": data permitting identification of data subjects should be kept for only as long as necessary for the specified purpose of processing.613
• "Integrity and confidentiality": processing must be done in a manner that ensures appropriate security for the data, including the implementation of appropriate technical or organizational measures to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.614
• "Accountability": the data controller is responsible for, and must be able to demonstrate, compliance with all of these principles.615

605 Graham Greenleaf, Global Data Privacy Laws 2019: 132 National Laws & Many Bills, 157 Privacy Laws & Business International Report, 14-18 (Feb. 8, 2019), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3381593. Supporting tables outlining the countries surveyed are provided at Graham Greenleaf, Global Tables of Data Privacy Laws and Bills (6th Ed. January 2019), (Feb. 9, 2019), https://ssrn.com/abstract=3380794.
606 See Paul M. Schwartz, Symposium: Global Data Privacy the EU Way, 94 N.Y.U. L. Rev. 771 (October 2019). In this journal article the author surveys the literature examining the influence of the GDPR internationally, including in the United States.
607 Eur. Data Prot. Dir., 95/46/EC (1995).
608 Under the law in the European Union a "directive" sets forth results that need to be achieved by Member States, which then incorporate measures into their national laws. In contrast, a "regulation" is a legal requirement that has direct binding force and effect in all Member States.
609 Gen. Data Protection Reg., 2016/679, art. 5, § 1(a) (EU).
610 Gen. Data Protection Reg., 2016/679, art. 5, § 1(b) (EU).
611 Gen. Data Protection Reg., 2016/679, art. 5, § 1(c) (EU).
612 Gen. Data Protection Reg., 2016/679, art. 5, § 1(d) (EU).
613 Gen. Data Protection Reg., 2016/679, art. 5, § 1(e) (EU).
614 Gen. Data Protection Reg., 2016/679, art. 5, § 1(f) (EU).
615 Gen. Data Protection Reg., 2016/679, art. 5, § 2 (EU).
With respect to the individual, the GDPR concludes that privacy is a "fundamental right" that requires protection.616 The GDPR provides data subjects with a list of privacy rights, including:

• accessing information about the processing of your personal data;
• obtaining access to the personal data held about you;
• asking for incorrect, inaccurate, or incomplete personal data to be corrected;
• requesting that personal data be erased when it is no longer needed or if processing it is unlawful;
• objecting to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
• requesting the restriction of the processing of your personal data in specific cases;
• receiving your personal data in a machine-readable format and sending it to another controller ("data portability"); and
• requesting that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.617

The structure of the GDPR provides insight into a range of internationally accepted best practices for data governance. Some of these structures serve as a guide for the efforts of states and companies seeking to implement data protection regimes. For example, the GDPR's regulation of "automated decision-making" prohibits decisions based solely on automated processing, including by tools like AI, that produce legal or similarly significant effects on an individual, except where (1) the decision is necessary for entering into or performing a contract, (2) it is authorized by law, or (3) the individual gives explicit consent to such processing.618 This type of measure limiting data processing is something that airports, while not required to do so, may want to consider.

Another example is the appointment of a "Data Protection Officer"619 and the conduct of "Data Protection Impact Assessments."620 These organizational measures are designed to ensure that entities properly consider issues of data protection and sufficiently address them whenever an entity is collecting or processing data.

One feature of the GDPR that distinguishes it from its predecessor, the EDPD, is the addition of significant fine and penalty provisions. The GDPR provides for administrative fines of up to €20 million or four percent of an entity's total worldwide annual turnover, whichever is higher.621 Equitable remedies and even criminal penalties are also possible.622 While privacy advocates anticipated rigorous enforcement, early reports have indicated that the imposition of penalties has been less than expected, largely owing to a lack of resources in enforcement agencies and legal maneuvering by large tech companies.623

Supervision of the GDPR624 is conducted by each EU Member State through independent public authorities (sometimes referred to as Data Protection Authorities) in each country. Those authorities ensure consistent application of GDPR provisions. Member States remain free, where the Regulation leaves them room to do so, to adopt more specific or stricter national data protection provisions.

With respect to jurisdiction under the GDPR, two provisions generally address applicability outside the EU: Article 3 on "Territorial scope" and Article 45 addressing "Adequacy."625 Through these two measures, the GDPR exercises authority outside the EU's borders to ensure data protection. Commentators have noted that the exercise of jurisdiction outside its borders was a principal objective of the GDPR, as the EU sought to address a market imbalance in favor of large U.S. technology companies like Apple and Google that it felt benefited unfairly from more lax privacy protections in the United States.626

While the jurisdiction of the GDPR would generally not extend to U.S. airports that collect data for their own purposes,627 the provisions of this regulation may extend to stakeholders such as air carriers and other corporations that do business in and with U.S. airports.

Article 3 also lays out two principal circumstances628 for jurisdiction over extraterritorial activities by entities that involve themselves in data collection or processing. Those provisions include:

a. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
b. the monitoring of their behavior as far as their behavior takes place within the Union.629

616 Gen. Data Protection Reg., 2016/679, art. 1 (EU).
617 EU Data Protection Rules, Rights for Citizens, What are My Rights?, European Comm., https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights/what-are-my-rights_en (emphasis provided).
618 Gen. Data Protection Reg., 2016/679, art. 22 (EU).
619 Gen. Data Protection Reg., 2016/679, arts. 37-39 (EU).
620 Gen. Data Protection Reg., 2016/679, art. 35 (EU).
621 Gen. Data Protection Reg., 2016/679, art. 83 (EU).
622 Gen. Data Protection Reg., 2016/679, art. 84 (EU).
623 Adam Satariano, Europe's Privacy Law Hasn't Shown Its Teeth, Frustrating Advocates, N.Y. Times (updated Apr. 28, 2020), https://www.nytimes.com/2020/04/27/technology/GDPR-privacy-law-europe.html.
624 Gen. Data Protection Reg., 2016/679, art. 83 (EU).
625 Gen. Data Protection Reg., 2016/679, arts. 3, 45 (EU).
626 Kimberly A. Houser & W. Gregory Voss, GDPR: The End of Google and Facebook or a New Paradigm in Data Privacy?, 25 Rich. J. L. & Tech. 1, 4 (2018).
627 There is some language in the GDPR suggesting that in some circumstances a foreign entity could be subject to jurisdiction under the GDPR if that entity is conducting data collection on persons in the EU where that collection is related to the offer of goods or services in the EU or to monitoring behavior in the EU. See Gen. Data Protection Reg., 2016/679, art. 3 (EU). Where airports seek to capture and utilize data concerning residents of the EU, these jurisdictional issues should be specifically assessed by counsel.
628 Article 3 also asserts jurisdiction over extraterritorial activities where Member State law applies by virtue of "public international law." Gen. Data Protection Reg., 2016/679, art. 3 (EU).
629 Gen. Data Protection Reg., 2016/679, art. 3, § 2(a)-(b) (EU).
If an airport did not offer goods or services in the EU or collect data about the behavior of persons in the EU, then there likely would be no issue with respect to EU jurisdiction over airport activity. However, with the proliferation of applications, some instances where jurisdiction is established become apparent. Consider the following:

• an EU citizen passenger in an EU airport, about to travel to the U.S., orders food or an airport transportation service on a U.S. airport's application or website for when they arrive at the U.S. airport;
• an EU citizen, at home in the EU, uses a U.S. airport's app or website to book travel; or
• an EU citizen, at home or at an airport in the EU, uses a U.S. airport's app or website to check CBP processing times or other airport processing times.

In each of these circumstances, the airport would have to comply with the GDPR's other requirements in order to use its app or website to sell anything or provide a service. Note that Article 3(2) turns on the data subject being located in the Union when the goods or services are offered or the behavior is monitored, not on citizenship; the same EU citizen using the airport's app after arriving in the United States does not, by that fact alone, bring the airport within Article 3(2).

Additional guidance on Article 3 jurisdiction was provided in a "Guidelines" document published by the European Data Protection Board (EDPB) in November 2019.630 The Guidelines offer a detailed discussion of the territorial requirements and provide examples of conduct the EDPB considers to create jurisdiction. Airports and stakeholders should carefully analyze these materials to determine whether GDPR jurisdiction is implicated.

B. Bilateral Agreements to Enforce GDPR Principles

In addition to analyzing the activity of entities that implicate the provisions of Article 3, there is the matter of entities properly operating in the EU that share personal data with entities outside the EU. While the EU desires to ensure the privacy of its citizens, it also understood that the migration of data outside the EU was critical for commerce. Accordingly, under the Adequacy provisions of Article 45, data can be transferred to recipients in countries outside the EU that the European Commission has determined provide data protection adequate to GDPR requirements.631

In the United States, since the GDPR's inception, adequacy had been achieved primarily through the provisions of the EU-U.S. Privacy Shield Framework632 ("Privacy Shield"), beginning in July 2016.633 This bilateral agreement set forth measures taken by the United States and approved by the EU to ensure that data transferred from the EU was afforded protection. Those protections were achieved through the voluntary participation of organizations seeking to receive data. "While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework's requirements, the commitment will become enforceable under U.S. law."634 Participating organizations were required to self-certify compliance with the International Trade Administration.635 Enforcement is conducted by the FTC and, in the case of airlines and ticket agents, by the U.S. Department of Transportation.636 The EU and the United States were to conduct an annual review of compliance with the Agreement.637

Privacy Shield replaced an earlier bilateral agreement, the U.S.-EU Safe Harbor Framework, which was in effect from July 2000 until October 2015, when it was declared invalid by the European Court of Justice (ECJ).638 The ECJ in the Schrems case addressed a complaint that:

in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency ("the NSA")), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.639

The decision in Schrems demonstrated the depth of the EU's commitment to enforcing data protection measures.

Despite the changes made by Privacy Shield over the Safe Harbor program, Mr. Schrems renewed his complaint. In July 2020, in what is known as the Schrems II case,640 the ECJ invalidated Privacy Shield as a measure meeting the GDPR Adequacy requirements. The court concluded that Privacy Shield did not address the central defect identified concerning the ability of U.S. government intelligence services to access privacy

630 Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) - Version Adopted after Public Consultation, European Data Protection Board (Nov. 12, 2019), https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en.
631 Gen. Data Protection Reg., 2016/679, art. 45 (EU).
632 The EU-U.S. Privacy Shield Agreement required participating organizations to create a framework of privacy principles including: notice; choice; third-party transfer protections; access; security; data integrity; and enforcement. See Privacy Shield Framework, Privacy Shield Framework, https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004qAg.
633 Compliance can also be achieved through Model Contract Clauses or Binding Corporate Rules. Gen. Data Protection Reg., 2016/679, arts. 46(2), 47 (EU). The model contract clauses could be used in circumstances where an organization does not want to certify under Privacy Shield but wishes to receive information from a company operating under the GDPR. Some of the provisions of the model contract clauses may also be useful for consideration in drafting agreements to protect data. The use of Model Contract Clauses is discussed infra Section 16.
634 Privacy Shield Overview, Privacy Shield Framework, https://www.privacyshield.gov/Program-Overview.
635 Id.
636 Id.
637 Id.
638 Case C-362/14, Schrems v. Data Protection Commissioner, ECLI:EU:C:2015:650, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62014CJ0362&from=EN.
639 The Court of Justice Declares that the Commission's U.S. Safe Harbour Decision is Invalid, Court of J. of the EU (Oct. 6, 2015), https://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf.
640 Case C-311/18, Data Prot. Comm. v. Facebook Ireland Ltd., ECLI:EU:C:2020:559.
protected data of EU residents. This left Privacy Shield fatally flawed.

The result of Schrems II is to leave two alternative measures for the transfer of personal data to entities operating in the U.S.: Model Contract Clauses641 and Binding Corporate Rules.642 But even these measures are of questionable efficacy given the ECJ's concern over potential U.S. government overreach: the court upheld the Model Contract Clauses themselves, but held that a data exporter must assess whether the law of the destination country undermines the protection the clauses promise and must adopt supplementary measures where it does. In the wake of the Schrems II decision, the EDPB created two task forces.643 One task force was established to deal with a proliferation of complaints concerning compliance with the Schrems II decision.644 The second was established to address the appropriate supplementary measures to ensure adequate protection of the data of EU citizens.645 Additionally, the U.S. Department of Commerce and the European Commission have begun discussions to "evaluate the potential for an enhanced EU-U.S. Privacy Shield framework . . . ."646

While the Privacy Shield Framework no longer meets GDPR Adequacy requirements, the fact that it was previously adopted by major corporations raised the bar for privacy protection. Rather than having differing data protection rules for differing groups of individuals, many companies applied Privacy Shield protections to all their data processes. Accordingly, understanding the safeguards afforded by agreements like Privacy Shield is important. Moreover, these agreements are coming to reflect the growing consumer expectation of privacy protection.

C. The Cookie Law

The EU has acted to address issues of consent in connection with the collection of data through cookies on websites and applications. Prior to the adoption of the GDPR, the EU adopted Directive 2002/58/EC,647 the ePrivacy Directive, which seeks to protect privacy in electronic communications. Colloquially known as the "cookie law," this directive sought to limit the use of cookies without the express consent of the data subject. Reading those provisions in conjunction with the GDPR's requirements concerning notice and consent, the ECJ addressed the practices of an internet lottery site that pre-checked the consent box in the cookie notification it presented to users.648 The ECJ concluded that a pre-checked box does not constitute valid consent under the cookie law and the GDPR. The decision also required that data subjects be informed of how long the cookies will operate and whether third parties may have access to them.

These notice and consent requirements are being adopted in the United States as major corporations seek to address EU concerns. The EDPB has promulgated guidelines on GDPR consent requirements.649 Like many other elements of the GDPR, the decision on cookies is having effects outside the EU itself.

D. Other International Efforts

A growing number of countries are also developing regimes to safeguard individual information. Some countries, like Canada, have a long tradition of privacy protection and robust protection schemes. For example, the Privacy Act650 applies to the Canadian government, while the Personal Information Protection and Electronic Documents Act651 applies to its private sector. Even smaller countries, like Singapore, are developing privacy governance regulations.652 Surveying some of these regulations provides examples of the global concern over data privacy.

With respect to data privacy in Asia, there is a multilateral arrangement in place, the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system (APEC CBPR),653 similar to Privacy Shield. Like Privacy Shield, the APEC CBPR is a voluntary undertaking enforced in the United States by the FTC (with four actions reportedly taken as of 2019).654 The APEC CBPR enforces codes of conduct based on APEC's nine data privacy principles.655

641 Gen. Data Protection Reg., 2016/679, art. 46(2) (EU).
642 Gen. Data Protection Reg., 2016/679, art. 47 (EU).
643 European Data Protection Board - Thirty-seventh Plenary session: Guidelines controller-processor, Guidelines targeting social media users, taskforce complaints CJEU Schrems II judgement, taskforce supplementary measures, European Data Prot. Bd. (Sept. 4, 2020), https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-seventh-plenary-session-guidelines-controller_en.
644 Id.
645 Id.
646 Joint Press Statement from U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders, U.S. Dept. of Commerce (Aug. 10, 2020), https://www.commerce.gov/news/press-releases/2020/08/joint-press-statement-us-secretary-commerce-wilbur-ross-and-european.
647 Directive 2002/58/EC of the European Parliament and of the Council, Official J. of the European Cmtys. (July 12, 2002), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058&from=EN.
648 Case C-673/17, Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband eV v. Planet49 GmbH, ECLI:EU:C:2019:801.
649 Guidelines 5/2020 on consent under Regulation 2016/679: Version 1.1, European Data Prot. Bd. (May 4, 2020), https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf.
650 Privacy Act, R.S.C. 1985, c P-21, https://laws-lois.justice.gc.ca/ENG/ACTS/P-21/index.html.
651 Personal Info. Prot. & Elec. Docs. Act, S.C. 2000, c 5, https://www.canlii.org/en/ca/laws/stat/sc-2000-c-5/latest/sc-2000-c-5.html.
652 See, e.g., The Personal Data Prot. Act 2012, No. 26 of 2012, https://sso.agc.gov.sg/Act/PDPA2012.
653 APEC Cross-Border Privacy Rules System, Cross Border Privacy Rules System (Nov. 2019), http://cbprs.org/wp-content/uploads/2019/11/4.-CBPR-Policies-Rules-and-Guidelines-Revised-For-Posting-3-16-updated-1709-2019.pdf.
654 2019 Privacy and Data Security Update, F.T.C. (2019), at 8, https://www.ftc.gov/reports/privacy-data-security-update-2019.
655 APEC Privacy Framework, APEC Secretariat (2005), https://www.apec.org/Publications/2005/12/APEC-Privacy-Framework. Those principles include: preventing harm; notice; collection limitation; choice; integrity of personal information; security safeguards; access and correction; and accountability.