ACRP LRD 42 63

E. Conclusions

While the direct jurisdiction of GDPR over airports and airport stakeholders in the United States is limited to a narrow set of circumstances, the influence of GDPR is larger. The "Brussels Effect"[656] of the GDPR has had a significant effect on the development of U.S. law. Airports that seek to operate in a global ecosystem of travel and commerce need to understand the developments in the EU. Attorneys advising airports need to be familiar with these international developments to understand the potential direct impact on airport data protection and privacy programs as well as the trends in U.S. law that may derive from EU legal initiatives.

XIII. POLICY CONSIDERATIONS AND CONTRACTUAL PROVISIONS FOR DATA COLLECTION AND USAGE

A. Policy Considerations

Airport operators should consider policies that help mitigate legal concerns related to data collection. Each use case presents a distinct set of challenges that the airports must mitigate to ensure the value of the data collection outweighs the risks. Effective policies will address the risks posed by collection activity. As discussed throughout this guidebook, airport operators must consider individual privacy concerns, notice, interactions with airlines and tenants, other third parties, and open records requirements. The following policy considerations should assist airport operators in addressing these challenges.

1. Governance

Proper governance structures show a commitment to respecting principles of data protection and privacy. Governance structures assist entities in addressing proper data collection and use practices. The FTC and other regulatory agencies focus on governance and organizational practices and frameworks to administer data protection programs and protect privacy.[657] These efforts must reflect the fact that data protection requires more than an identification of principles to be protected; it requires organizational structures and commitments to ensure that those principles are respected. The NIST Privacy Framework[658] identifies governance as a critical component of managing privacy risk. To that end, organizations should consider some of the following concepts in their governance strategy.

2. Executive Level Focus on Privacy

The need for executive level commitment to privacy is hard to overstate. In examining the FTC's latest efforts to address privacy concerns, the agency emphasizes measures to achieve commitment to privacy at the highest level of an organization. The settlement agreement in United States v. Facebook[659] demonstrates the FTC's focus on governance. The settlement agreement requires board-level involvement in the organization's privacy activities. At airports looking to engage in data collection and use activities, similar involvement at the highest executive oversight levels of the organization should be considered. This can be accomplished by executive level involvement in privacy matters.

a. Development of an Organizational Privacy Officer or Similar Position

Consideration should be given to the creation of a data privacy officer or position. The officer or position would focus on data collection and use and on administering an organization's privacy program. Such a consideration is particularly important in an organization that is looking to engage in substantial collection and use of data. The role should include such functions as: interfacing with external privacy authorities, including regulators and others; ensuring compliance with internal policies and external privacy and data protection requirements; administering and overseeing planning and implementation of privacy and data protection requirements; and accepting and resolving complaints regarding improper practices. This position should have some degree of independence in addressing privacy concerns and should have the ability to directly address concerns at the highest executive levels of the organization.

The existence of data protection officers is commonplace in organizations operating under the GDPR.[660] While they are not required in every instance, the GDPR certainly encourages this practice and in certain cases mandates it. The establishment of such a position could certainly be characterized as part of the mainstream practice for data protection. However, no such positions are required to be established for either Privacy Shield[661] or APEC-CBPR[662] compliance, though the functions performed by people in such positions are specified as part of those agreements. The FTC has begun to include the creation of corporate positions to ensure data privacy in some of its settlements.[663] The NIST Privacy Framework notes that responsibilities for privacy can be left to cross-functional team implementation, an approach that was criticized by the FTC. The FTC contends that

5. Establishment of Data Minimization Practices

The concept of data minimization adopted by the GDPR flows from the requirement of defining a legitimate purpose for data collection and using that purpose as the central operating provision. Only data necessary to accomplish the legitimate purpose should be collected or maintained. Airports should focus on narrowing the field of data collected wherever possible and discarding data no longer needed.

The concept of data minimization is not universally adopted. In contrast to the GDPR, the CCPA does not require data minimization, only transparency with respect to what is collected.[674] Moreover, a policy of data minimization may create tension with statutorily imposed data retention requirements or those imposed by local ordinance. Data retention by government agencies may be compelled even in instances where there is no operational need.

The exercise of data minimization practice can have benefits beyond privacy protection. Because these practices minimize the amount of data on hand, there is a reduction in the administrative burden of producing information in response to public requests. There is also a reduction in storage and a reduced risk of breach. Airports should strongly consider these factors when making decisions to engage in data collection.

6. Establishment of Process to Assess Privacy Risk

GDPR Data Protection Impact Assessments offer a path forward to the assessment of privacy risk.[675] The NIST Privacy Framework suggests similar risk evaluative processes. Risk assessments should be conducted before data is collected and should be updated as the system operates. Assessing the necessity and proportionality of the data collection effort constitutes two key issues in the risk assessment process. Looking at the sensitivity of the data collected is also important. The more sensitive the information, the more circumspect an airport should be in collecting it and the greater the efforts that should be extended to ensure that it is securely maintained. As an example, financial or health-related information is extremely sensitive and therefore should receive special considerations.

Airports must assess data usage with the understanding that while collecting data may be useful and profitable, misuse or loss of personal data not only poses risk to the data subject, but also to the organization collecting, processing, and using it. The loss or misuse of data can result in lost customers, damage to an organization's brand, financial penalties, and possible civil and even criminal liability.

7. Establishment of Process to Develop and Implement Privacy Protection

Airports should consider employing a comprehensive approach to privacy protection across the enterprise. Such an approach requires an understanding of the circumstances under which data is collected and used, and consistency with the privacy risk assessment. At every step from the time data is sought and received, through its use, until its destruction, privacy considerations must be addressed. The application of PbD principles is extremely useful in that regard.[676]

PbD principles suggest a proactive, transparent system that addresses privacy protection as a positive value in meeting organizational goals and objectives. The system of protection needs to center around individuals, ensuring security at every step in the lifecycle of data use in the organization from collection to destruction. PbD imposes a default position in favor of privacy. The data subject does not have to take action to protect privacy; the system provides that protection without the subject's action. IT systems in particular should embrace these concepts.

The application of PbD is referenced in both the GDPR and the NIST Privacy Framework. Both these foundational works recognize the importance of a comprehensive approach to privacy protection. Weaving privacy protection into the fabric of organizational processes is the hallmark of PbD. This approach includes technical, operational, and administrative considerations.

8. Establishment of Measures to Ensure Compliance

While PbD seeks to shift the focus on privacy away from what was seen as a reactive and traditional compliance-oriented mindset, ensuring compliance remains a necessary function. The development of any well-functioning system must include measures to ensure that internal processes are being followed. A system of evaluative processes can ensure that the organization is operating consistent with its legitimate privacy goals and directives.

Audits, both internal and external, as well as internal compliance reporting systems, provide useful measures to achieve a compliance posture that is more proactive in nature. In several of its settlements, the FTC has sought and received commitments for enhancing audit and reporting in their settlement orders.[677] These measures help to ensure the type of organizational accountability raised by the GDPR and NIST Privacy Framework.

9. Establishment of Measures to Ensure Data Security

In an era of growing cybersecurity threats, the importance of data security is hard to overstate. Both the GDPR and NIST Privacy Framework stress the importance of appropriate security measures. Designing those measures and ensuring their application is of critical importance.

In response to court criticism concerning the vagueness of remedial orders, the FTC has developed a more detail-oriented approach to outlining requirements for data security. A careful review of the FTC approach offers airports insights into data security measure design that meets acceptable standards. The FTC's new approach includes requirements for "comprehensive, process-based data security program[s]."[678] Those programs include provisions for "yearly employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption."[679]

In addition to the NIST Privacy Framework, NIST has authored some additional publications that may be helpful to airports in addressing security requirements. These publications provide a framework for assessing and evaluating security risk[680] and technical support for the development of information security templates.[681] Adopting measures suggested by organizations like NIST will likely assist in defending the efficacy of data security measures. Failure to maintain proper data security exposes entities to civil liability, potential fines and penalties, and reputational damage.

10. Substantive Measures for Privacy Protection

In addition to process related issues for privacy protection, airports and airport stakeholders engaging in data collection and processing need to ensure that policies and procedures are addressing substantive concerns. Those substantive concerns are more heightened in some of the international privacy regimes. The bare minimum requirements for those in the United States are included in the FIPPs.

a. FIPPs Compliance

The FIPPs remain the central focus for U.S. enforcement activities.[682] Understanding and addressing FIPPs in system design and operation will assist airports in developing systems that comply with currently accepted approaches for privacy protection. The application of FIPPs should certainly serve as a baseline for commercial oriented data collection and processing practices. The application of FIPPs becomes more difficult with respect to collection and use of data from sources outside of traditional consumer-oriented transactions like website or application usage. The application of concepts like notice, consent, and access is challenging when dealing with data gathered from area surveillance tools like CCTV. Privacy challenges are further exacerbated by the use of emerging analytic tools like AI and ML that enhance the ability to individuate information.

b. Questions Around Area Surveillance Systems

The growing use of area surveillance tools like CCTV, particularly by airports as governmental entities, raises questions not easily dealt with by existing law. Even the expanded coverage offered by a statute like the CCPA, which focuses on consumer transactions, is of limited use. The expansive privacy law developed by the FTC is similarly unavailing. The sources of law that do touch on the use of these technologies are state and federal constitutional provisions and some discrete statutes and local ordinances concerning surveillance and privacy protections. Whether data being collected is used for security or law enforcement purposes, or for commercial or administrative ones, the landscape of those laws needs to be understood and addressed.

The use of area surveillance tools can be easily misunderstood and miscast as an Orwellian experience of a surveillance state. While any civil liability would likely be limited, the brand damage and undermining of customer confidence could be significant. The application of emerging analytic technologies like facial recognition or ALPR adds further controversy to the use of information from these data sources. Careful consideration should be given as to how an airport uses these tools. Decisions about that use should be transparent and well publicized.

c. Newer Data Subject Centric Concepts

The regime of substantive data protection suggested by the GDPR and the CCPA, while not necessarily controlling, should at least be considered by airports and airport stakeholders as they formulate substantive privacy protections. These concepts extend beyond the FIPPs requirements.

d. Opt-Out

The concept of opt-out is present in both the GDPR and CCPA. In offering individuals this alternative, an airport or airport stakeholder would be extending customers the opportunity to limit or restrict the use of their data. In the case of the CCPA, that restriction would be limited to sale of the data. The GDPR offers opt-outs for a more extensive number of uses.

e. Nondiscrimination

Related to the issue of opt-out is the concept of nondiscrimination. The concept prohibits the practice of denying services to people who exercise their right to opt out.

f. Data Portability

The concept of data portability augments the FIPPs concept of access by allowing individual data subjects to request data maintained by an organization in a portable and usable format. This right, found in both the CCPA and GDPR, is thought to enhance competition among data service providers. The implementation of this requirement will require the development of infrastructure to respond to requests from data subjects.

g. Right to Erasure and Right to be Forgotten

The right to erasure is granted under the CCPA. This right allows individuals to choose to have the data collected about them deleted from the records of the entity to which they provided the information. The right does not extend to any third party who may have received the information. More extensive is the right to be forgotten granted by the GDPR. That right permits an individual to require any holder of the data to erase it under certain circumstances.

Airports attempting to square these concepts with government record keeping requirements under state laws would likely have a difficult time. Absent express statutory expungement procedures, government entities are generally not at liberty to erase documents that constitute governmental records. Additionally, First Amendment protections may preclude any attempt to command nongovernmental parties to erase records.

h. Protection of Anonymity

With the growth of increasingly robust surveillance systems in the United States, there is a growing concern over the ability to remain anonymous in public spaces. In the EU, where privacy is viewed as a fundamental right, the ability to capture and use images that have not been anonymized is much more limited. The same is true in Canada. As airports seek to use CCTV, particularly in conjunction with analytic technologies, they should consider anonymizing data where possible.

i. Automated Processing Limitations

A growing area of concern is the expanded use of automated processing and particularly the application of AI to data. This is particularly so where the use of the automated processing can lead to an adverse consequence for the data subject. The GDPR places limits on automated processing, requires notice of its occurrence, and provides for the ability to have decisions made using the automated process redone by human actors. These are measures airports may wish to consider in the event they apply automated processing to their data.

B. Contractual Issues

Data collection and usage present multiple issues for airport operators to consider when contracting with vendors, airlines, tenants, and other third parties for data collection services, sharing agreements, or other types of relationships. Airports must consider issues of data ownership, use, access, storage, dissemination, destruction, and jurisdiction. Airports' contractual strategies on these issues will vary based on the airports' position in the transaction and their governance structures, strategic plans, commercial data intentions, risk assessments, technical and analytical capabilities, and the price they are willing to pay for the data. This section will address contractual considerations for airport operators.

1. Data Ownership

Airports may maintain ownership rights for the data or allow the vendor to own and resell the data. It is not uncommon that vendors may seek to use that data or derive analytics for their own purposes. There may also be third-party systems or tools used by airports or vendors. Those third-party data collection practices also need to be understood and addressed. Contractual language must firmly establish the parameters for data ownership as well as ownership of any analytics drawn from that data. Ownership should address rights associated with the use and sale of the data, including use by or sale to third parties.

2. Limitation on Data Access and Use

Airports will have various reasons to limit access to and uses of data. Reasons for data access and use limitations may involve privacy interests, business considerations, or security concerns, among other considerations. Similar to data ownership, the original intent of the data collection and purpose will determine the extent to which data can be shared. As discussed in Section III, PPA vendors have differing business models. Most vendors are scoped to operate a system in support of airport needs. Some define a broader scope of service to the airport or provide anonymized data and refined analytics to airport partners such as airlines, concessionaires, or third parties such as hotels, transport providers, and mobile app companies. Airports must consider how broadly they want to share the data or derived analytics. If airports seek to preserve or protect data as a commercial product, then they need to understand how that can be accomplished consistent with freedom of information and state and local record retention requirements.[683]

It is important here to clearly define the protected information and understand the metrics collected and analytics used to develop key performance indicators (KPIs) that may be of concern. Contractual language that limits data use should state that the data use and access is limited to purposes specified in the agreement. Similarly, the language should limit distribution, sharing, and repurposing of the data. If the data can be broken apart into different KPIs or used for different purposes, the airport should say what specific metrics of the data a vendor can use or grant access to. Where an airport agrees that a vendor can repurpose or sell data to third parties, it should consider language that specifies the purpose of the use and the period the vendor can keep the data before deleting it.[684]

Like repurposing, reverse engineering and re-engineering present issues for privacy and commercial interests in data. A vendor could potentially re-engineer data points to avoid data re-sale limitations. Airports should include language in contracts that prevents companies from using reverse engineering techniques with stored data. Similarly, an airport may include language in its contract that restricts the sale of data in a form where a buyer could use reverse engineering techniques. Further, an airport should consider contractual language requiring the airport's approval before a contract grants access, shares, or repurposes data. This language can specify that requests be made in writing to specific airport officials.

3. Commercial Value

Airports looking to maximize the commercial value of data collected within their airport may use intellectual property principles to protect their data. Los Angeles World Airports (LAWA) has defined through contractual agreements that all data collected at the airport is the property of the City of Los Angeles.[685] Therefore, a vendor cannot use or monetize the data without LAWA's consent. LAWA leverages this strategy to control the data and maximize their commercial opportunities in the data created at their airport.

4. Defining Collectible Data Elements

Information that an airport will consider important to protect will change with every data collection use case, technology used, and data collection specifications set. Airports should define parameters for data collection and identify what data collected constitutes protected information. Airports must consider how these restrictions may limit their potential uses of the data and ability to change data collection metrics or alter data analytics.

Defining collectible data elements is a technology and operation specific task. Technologies will collect different forms of data, and each deployment will require area specific modifications to meet operational objectives. Therefore, an airport will need to use caution when defining data elements that a deployment can measure to properly limit collection activities. But these limitations should not prevent a technology's ability to meet operational objectives. Similarly, data definitions may vary within a technology itself based on the technical specifications of the data collection. Airports should consult a technical expert to ensure the language achieves the data protection and operational objectives.

5. Information Security

Airports should consider including language in data collection contracts beyond general safekeeping statements. The language should include specific measures that address their security concerns. Concerns may include data retention, prevention of loss, and deletion of protected information. The contract should define what the airport considers protected information to consist of in each data collection example. The contract can also spell out specific measures that a contractor must implement in a security program. These elements may include protections from security and data integrity threats and hazards, protection from unauthorized access to the data, data disposal practices, and subcontractor responsibilities.[686]

Airports may also require a vendor to comply with NIST's Special Publication 800-53.[687] Airports can define the impact level (high, medium, or low) that they want vendors to employ. Airports may choose to audit vendor information security practices or require vendors to audit their own practices or hire a third party to audit their practices. Contractual language should establish the airports' authorities to audit information security practices or specify the vendors' responsibilities to conduct audits. This language should also include remediation responsibilities vendors will have upon completion of the audits.

6. Data Confidentiality

An airport may have various interests in maintaining the confidentiality of data collected. Contractual language to protect confidentiality should define the protected information and require measures to protect the data's integrity, prevent unauthorized access or disclosure of the information, and prevent actions that could result in harm to the data subject.

7. Data Access

Many data collection activities at airports will be subject to freedom of information laws.[688] Contractual language should specify the vendor's responsibility regarding the data collection and their responsibilities to provide data upon request. Additionally, the contract should specify any exemptions that apply. Vendors may encounter instances where they are compelled by law or regulation to disclose data containing potentially protected information. Contractual language should specify procedures the vendor should undertake before disclosing the data. Airports may require written notice of the data disclosure request and appropriate time before the disclosure for the airports to seek appropriate remedial action or to decide what information can be disclosed.

With respect to the collection of data, from individuals or in the context of data sharing agreements, airports, as public entities covered by open records laws or regulations, need to provide notice that information collected needs to be disseminated. Schemas for data collection and sharing need to align with public record requirements to ensure that information can be collected consistent with those laws and any representations made to preserve private or confidential information.

8. Data Sanitization and Disposal

Deployments will need to periodically sanitize and dispose of data. Airports should consider the application of their own policies and procedures and require compliance as appropriate for data collection activities. Airports can also consider requir-

656 Anupam Chander, Margot E. Kaminski, & William McGeveran, Catalyzing Privacy Law, 2190 Georgetown L. Fac. Publ'ns & Other Works, 27 (2019), https://scholarship.law.georgetown.edu/facpub/2190.
657 See discussion of federal agency actions in sections V and IX.
658 NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.1, Nat'l Inst. of Standards & Tech. (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
659 No. 19-cv-02184-TJK, 2020 U.S. Dist. LEXIS 72162 (D.D.C. Apr. 23, 2020).
660 (EU) 2016/679.
661 Privacy Shield Overview, Privacy Shield Framework, https://www.privacyshield.gov/Program-Overview.
662 APEC Cross-Border Privacy Rules System, Cross Border Privacy Rules System (Nov. 2019), http://cbprs.org/wp-content/uploads/2019/11/4.-CBPR-Policies-Rules-and-Guidelines-Revised-For-Posting-3-16-updated-1709-2019.pdf.
663 See, e.g., U.S. v. Facebook, Inc., No. 19-cv-02184-TJK, 2020 U.S. Dist. LEXIS 72162 (D.D.C. Apr. 23, 2020).
674 Id. pp. 21-22.
675 While these assessments can be mandatory in certain circumstances under the GDPR, it is not a requirement under the CCPA. Id. at 21.
676 See discussion of PbD principles in section II.
677 See, e.g., U.S. v. Facebook, Inc., No. 19-2184 (TJK), 2020 U.S. Dist. LEXIS 72162 (D.D.C. Apr. 23, 2020).
678 See Andrew Smith, "New and Improved FTC Data Security Orders: Better Guidance for Companies, Better Protection for Consumers," FTC Official Website (2020), accessed at https://www.ftc.gov/news-events/blogs/business-blog/2020/01/new-improved-ftc-data-security-orders-better-guidance (the statement includes links to seven orders issued in 2019 utilizing the new format).
679 Id.
680 Risk Management Framework for Information Systems and Organizations, Nat'l Inst. of Standards & Tech. (Dec. 2018), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf (this version of the Special Publication supersedes two previous drafts of this Special Report, the original issued in 2004 and Revision 1 issued in 2010).
681 Guide for Developing Security Plans for Federal Information Systems, Nat'l Inst. of Standards & Tech. (Feb. 2006), app. A at 27, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf.
682 See the discussion of FIPPs in section II.
683 See Section X, Interplay of Privacy and Open Government Records.
684 See The Eighth Data Protection Principle and International Data Transfers, United Kingdom, Info. Commissioner's Office, https://ico.org.uk/media/for-organisations/documents/1566/international_transfers_legal_guidance.pdf.
685 This information was provided in an unpublished interview with a city corporation counsel providing services to a category X airport. In accordance with National Academy of Sciences policies, these remarks are cited without attribution.
686 This information was taken from unpublished documents utilized by a category X airport. In accordance with National Academy of Sciences policies, this information is cited without attribution.
687 Security and Privacy Controls for Federal Information Systems and Organizations, Rev. 4, Nat'l Inst. of Standards & Tech. (Jan. 2015).
688 See discussion of these laws in section X.