ACRP LRD 42 59

pedestrian analytic data collection where various data points can be collected, sold, and used to implicate privacy concerns. Common use kiosks or other operational efficiency tools may collect or use passenger data. Facial biometric technologies are increasingly being deployed within airports by airports themselves, airlines, and government agencies. These deployments have received some resistance from privacy groups. Standards can help control these data collection activities to ensure they are tailored to operational needs, mitigate public concerns with the activity, do not invade user privacy, and benefit airports' commercial interests.

XII. INTERNATIONAL EFFORTS

Data protection is not just a focus of U.S. courts and lawmakers. Worldwide there is a growing body of legal activity seeking to address data privacy. As entities integrally involved in the global travel industry, airports need to be sensitive to international trends in how personal data is managed. Just as this resource cannot examine the law of every state in the United States, it similarly cannot examine every international legal development. Nevertheless, the global trend toward increased protections for data is unmistakable. Research by Australian Graham Greenleaf in 2018 indicates continued strong growth of international data privacy protections:

    In 2017-18, the number of countries that have enacted data privacy laws has risen from 120 to 132, a 10% increase. These 132 jurisdictions have data privacy laws covering both the private sector and public sectors in most cases, and which meet at least minimum formal standards based on international agreements. At least 28 other countries have official Bills for such laws in various stages of progress, including 9 that have introduced or replaced Bills in 2017-18. Many others, in the wake of the GDPR [General Data Protection Regulation] and "modernisation" of Convention 108 [European Council-Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data], are updating or replacing existing laws.605

An introduction to some international efforts to manage and protect private data is provided below.

A. GDPR

Perhaps the most well-known of the international efforts to address individual privacy is the GDPR. Affecting all EU countries, the GDPR is a holistic attempt to address individual privacy concerns in data usage. It applies to both public and private sector entities subject to the laws and regulations of the EU. The influence of the GDPR on global expansion of individual data privacy rights is hard to overstate.606

GDPR history provides helpful context for understanding its importance. The GDPR was enacted in 2016 with a two-year grace period before coming into effect in May 2018. It strengthened legal protections for privacy, replacing the European Data Protection Directive (EDPD)607 that had been in effect since 1995.608 Thus, when the GDPR finally came into effect, the EU already had significant experience with concepts of data privacy and state-enforced measures to protect it.

The GDPR focuses on protecting the individual's ownership over data and implementing measures to safeguard those ownership rights. The GDPR sets out responsibility for those controlling or processing data. Those responsibilities include accountability measures, security measures and requirements for data protection "by design and by default." It also addresses the critical issue of consent. With respect to the treatment of personal data, the GDPR requires adherence to seven data protection and accountability principles:

• "Lawfulness, fairness, and transparency": must be achieved in the processing of data.609
• "Purpose limitation": data must be processed for the legitimate purposes under which it was originally collected.610
• "Data minimization": only the data necessary and related to the purposes specified should be collected and processed.611
• "Accuracy": data must be kept up to date, with reasonable steps to erase or rectify inaccurate data.612
• "Storage limitation": data permitting identification of data subjects should be kept for only as long as necessary for the specified purpose of processing personal data.613
• "Integrity and confidentiality": processing must be done in such a way as to ensure appropriate security for data and the implementation of appropriate technical measures to protect against unauthorized processing or accidental loss, damage or destruction of data.614
• "Accountability": the data controller is responsible for being able to demonstrate GDPR compliance with all these principles.615

With respect to the individual, the GDPR concludes that privacy is a "fundamental right" that requires protection.616 GDPR provides data subjects with a list of privacy rights including:

• accessing information about the processing of your personal data;
• obtaining access to the personal data held about you;
• asking for incorrect, inaccurate, or incomplete personal data to be corrected;
• requesting that personal data be erased when it is no longer needed or if processing it is unlawful;
• objecting to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
• requesting the restriction of the processing of your personal data in specific cases;
• receiving your personal data in a machine-readable format and sending it to another controller ("data portability"); and
• requesting that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.617

The structure of the GDPR provides insight into a range of internationally accepted best practices for data governance. Some of these structures serve as a guide for the efforts of states and companies seeking to implement data protection regimes. For example, GDPR's regulation of "automated decision-making" prohibits the use of tools like AI in processing data except where (1) it is necessary for the completion of a contract, (2) it is authorized by law, or (3) an individual gives express consent to such processing.618 This type of measure limiting data processing is something that airports, while not required to do so, may want to consider.

Another example is the appointment of a "Data Protection Officer"619 and conducting "Data Protection Impact Assessments."620 These organizational measures are designed to ensure that entities properly consider issues of data protection and sufficiently address them whenever an entity is collecting or processing data.

One feature of the GDPR that distinguishes it from its predecessor, the EDPD, is the addition of significant fine and penalty provisions. The GDPR provides for fines and penalties up to €20 million or four percent of an entity's global revenues.621 Equitable remedies and even criminal penalties are also possible.622 While privacy advocates anticipated rigorous enforcement, early reports have indicated that the imposition of penalties is less than expected, largely owing to a lack of resources in enforcement agencies and legal maneuvering by large tech companies.623

"Supervisory authority"624 of the GDPR is conducted by each EU Member through independent public authorities (sometimes referred to as Data Protection Authorities) in each country. Those authorities ensure consistent application of GDPR provisions. Member states are, however, free to impose higher data protection standards.

With respect to jurisdiction of the GDPR, there are two provisions that generally address applicability outside the EU: the provisions in Article 3 on "Territorial scope" and Article 45 addressing "Adequacy."625 Through these two measures, the GDPR exercises authority outside its borders to ensure data protection. Commentators have noted that exercise of jurisdiction outside its borders was a principal objective of the GDPR, as the EU sought to address a market imbalance in favor of large U.S. technology companies like Apple and Google that they felt benefited unfairly from more lax privacy protections in the United States.626

While the jurisdiction of the GDPR would generally not extend to U.S. airports that collect data for their own purposes,627 the provisions of this regulation may extend to stakeholders such as air carriers and other corporations that do business in and with U.S. airports. Article 3 also lays out two principal circumstances628 for jurisdiction over extraterritorial activities by entities that involve themselves in data collection or processing. Those provisions include:

a. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
b. the monitoring of their behavior as far as their behavior takes place within the Union.629

If an airport did not offer goods or services in the EU or collect data about the behavior of persons in the EU, then there likely would be no issue with respect to EU jurisdiction over airport activity. However, with the proliferation of applications, some instances where jurisdiction is established become apparent. Consider the following:

• an EU citizen passenger in an EU airport about to travel to the U.S. orders food or an airport transportation service on a U.S. airport's application or website for when they arrive at the U.S. airport;
• an EU citizen, at home in the EU, uses a U.S. airport's App or website to book travel; or
• an EU citizen at home or at an airport uses a U.S. airport's App or website to check CBP processing times or other airport processing times.

In each of these circumstances, the airport would have to comply with other GDPR requirements to use its App or website to sell anything or provide a service. Additional guidance on Article 3 jurisdiction was provided in a "Guidelines" document published by the European Data Protection Board (EDPB) in November 2019.630 The Guidelines offer a detailed discussion of territorial requirements. The Guidelines also provide examples of conduct considered by the EDPB as creating jurisdiction. Airports and stakeholders should carefully analyze these materials to determine whether GDPR jurisdiction is implicated.

B. Bilateral Agreements to Enforce GDPR Principles

In addition to analyzing the activity of entities that implicate the provisions of Article 3, there is the matter of entities properly operating in the EU that share personal data with entities outside the EU. While the EU desires to ensure privacy of its citizens, it also understood that the migration of data outside the EU was critical for commerce. Accordingly, under the Adequacy provisions of Article 45, data can be shared with entities operating in countries outside the EU if those entities implement data protection regimes compliant with GDPR requirements.631

In the United States, since the GDPR's inception, adequacy had been achieved primarily through the provisions of the "EU-U.S. Privacy Shield Agreement"632 ("Privacy Shield") beginning in July 2016.633 This bilateral agreement set forth measures taken by the United States and approved by the EU to ensure that data transferred from the EU was afforded protection. Those protections were achieved through the voluntary participation of organizations seeking to receive data. "While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework's requirements, the commitment will become enforceable under U.S. law."634 Participating organizations are required to self-certify compliance with the International Trade Administration.635 Enforcement is conducted by the FTC and, in the circumstances of airlines and ticket agents, by the U.S. Department of Transportation.636 The EU and United States must conduct an annual review of compliance with the Agreement.637

Privacy Shield replaced an earlier bilateral agreement, the U.S.-EU Safe Harbor Framework, which was in effect from July 2000 until October 2015, when it was declared invalid by the European Court of Justice (ECJ).638 The ECJ in the Schrems case addressed a complaint that

    in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency ("the NSA")), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.639

The decision in Schrems demonstrated the depth of EU commitment to enforce data protection measures. Despite the changes made by the Privacy Shield over the Safe Harbor program, Mr. Schrems renewed his complaint. In July 2020, in what is known as the Schrems II case,640 the ECJ invalidated Privacy Shield as a measure meeting the GDPR Adequacy requirements. The court concluded that Privacy Shield did not address the central defect identified concerning the ability of U.S. government intelligence services to access privacy

605 Graham Greenleaf, Global Data Privacy Laws 2019: 132 National Laws & Many Bills, 157 Privacy Laws & Business International Report, 14-18 (Feb. 8, 2019), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3381593. Supporting tables outlining the countries surveyed are provided at Graham Greenleaf, Global Tables of Data Privacy Laws and Bills (6th Ed January 2019), (Feb. 9, 2019), https://ssrn.com/abstract=3380794.
606 See Paul M. Schwartz, Symposium: Global Data Privacy the EU Way, 94 N.Y.U. L. Rev. 771 (October 2019). In this journal article the author surveys the literature examining the influence of the GDPR internationally, including in the United States.
607 Eur. Data Prot. Dir., 95/46/EC (1995).
608 Under the law in the European Union a "directive" sets forth results that need to be achieved by Member States, which then incorporate measures into their national laws. In contrast, a "regulation" is a legal requirement that has direct binding force and effect in all Member States.
609 Gen. Data Protection Reg., 2016/679, art. 5, § 1(a) (EU).
610 Gen. Data Protection Reg., 2016/679, art. 5, § 1(b) (EU).
611 Gen. Data Protection Reg., 2016/679, art. 5, § 1(c) (EU).
612 Gen. Data Protection Reg., 2016/679, art. 5, § 1(d) (EU).
613 Gen. Data Protection Reg., 2016/679, art. 5, § 1(e) (EU).
614 Gen. Data Protection Reg., 2016/679, art. 5, § 1(f) (EU).
615 Gen. Data Protection Reg., 2016/679, art. 5, § 2 (EU).
616 Gen. Data Protection Reg., 2016/679, art. 1 (EU).
617 EU Data Protection Rules, Rights for Citizens, What are My Rights?, European Comm., https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights/what-are-my-rights_en (emphasis provided).
618 Gen. Data Protection Reg., 2016/679, art. 22 (EU).
619 Gen. Data Protection Reg., 2016/679, art. 35 (EU).
620 Gen. Data Protection Reg., 2016/679, arts. 38-39 (EU).
621 Gen. Data Protection Reg., 2016/679, art. 83 (EU).
622 Gen. Data Protection Reg., 2016/679, art. 84 (EU).
623 Adam Satariano, Europe's Privacy Law Hasn't Shown Its Teeth, Frustrating Advocates, N.Y. Times (updated Apr. 28, 2020), https://www.nytimes.com/2020/04/27/technology/GDPR-privacy-law-europe.html.
624 Gen. Data Protection Reg., 2016/679, art. 83 (EU).
625 Gen. Data Protection Reg., 2016/679, arts. 3, 45 (EU).
626 Kimberly A. Houser & W. Gregory Voss, GDPR: The End of Google and Facebook or a New Paradigm in Data Privacy, 25 Rich. J. L. & Tech. 1, 4 (2018).
627 There is some language in the GDPR suggesting that in some circumstances a foreign entity could be subject to jurisdiction under the GDPR if that entity is conducting data collection of persons in the EU where that collection is related to the offer of goods or services in the EU or monitoring behavior in the EU. See Gen. Data Protection Reg., 2016/679, art. 3 (EU). Where airports seek to capture and utilize data concerning residents in the EU, these jurisdictional issues should be specifically assessed by counsel.
628 Article 3 also asserts liability for extraterritorial activities where Member States can exercise jurisdiction by provisions of "public international law." Gen. Data Protection Reg., 2016/679, art. 3 (EU).
629 Gen. Data Protection Reg., 2016/679, art. 3, § 2(a)-(b) (EU).
630 Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) - Version Adopted after Public Consideration, European Data Protection Board (Nov. 12, 2019), https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en.
631 Gen. Data Protection Reg., 2016/679, art. 45 (EU).
632 The EU-U.S. Privacy Shield Agreement required participating organizations to create a framework of privacy principles including: notice; choice; third-party transfer protections; access; security; data integrity and enforcement. See Privacy Shield Framework, https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004qAg.
633 Compliance can also be achieved through Model Contract Clauses or Binding Corporate Rules. Gen. Data Protection Reg., 2016/679, arts. 46(2), 47 (EU). The model contract clause could be used in circumstances where an organization does not want to certify under Privacy Shield but wishes to receive information from a company operating in the GDPR. Some of the provisions from the model contract clauses may also be useful for consideration in drafting agreements to protect data. The use of Model Contract Clauses is discussed infra Section 16.
634 Privacy Shield Overview, Privacy Shield Framework, https://www.privacyshield.gov/Program-Overview.
635 Id.
636 Id.
637 Id.
638 Case C-362/14, Schrems v. Data Protection Commissioner, EU:C:2015:650, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62014CJ0362&from=EN.
639 The Court of Justice Declares that the Commission's U.S. Safe Harbour Decision is Invalid, Court of J. of the EU (Oct. 6, 2015), https://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf.
640 Case C-311/18, Data Prot. Comm. v. Facebook Ireland Ltd., ECLI:EU:C:2020:559.