Legal Implications of Data Collection at Airports (2021)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

ACRP LRD 42   71 • National Institute of Science and Technology, Risk Man- o Brussels Airport, Brussels Airport-Privacy Policy, avail- agement Framework for Information Systems and Orga- able at https://www.brusselsairport.be/en/­privacy- nizations, (December 2018), available at https://nvlpubs. policy; and nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2. o Toronto Pearson International Airport, Complete Pri- pdf. This report offers guidance on a comprehensive vacy Policy, available at https://www.torontopearson. program for the preparation of appropriate data security com/en/privacy-policy/complete-privacy-policy. measures. • National Institute of Science and Technology, Guide for XV. CONCLUSIONS Developing Security Plans for Federal Information Systems, As the use case studies referenced earlier in this work dem- Rev. 1, (February 2006), available at https://nvlpubs.nist. onstrate, airports can and do use data from an ever-expanding gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1. range of sources. Some of those data sources are commercial ac- pdf. While this report is somewhat dated, the template at tivities, and some include airport operating systems like ­cameras appendix A is useful in outlining requirements for system and sensor networks developed for other purposes. These uses security. of data raise a host of opportunities and challenges for airports. As the uses of data grow and develop, so also does the legal F. Sample Airport Privacy Policies envi­ronment governing data collection and use. These legal devel­ • Sample U.S. airport privacy policies (principally focused opments are occurring at the federal, state, and local levels. And on website use): as explained, even international efforts to address data protection o San Francisco International Airport, available at require consideration. Those developments may directly affect https://www.flysfo.com/privacy-cookie-policy; collection or use of data in some circumstances or they influence o Charlotte Mecklenburg International Airport, Pri- both U.S. legal developments and the actions of large corporate vacy Notice, available at https://www.cltairport.com/­ entities that look to operate in the global economy. The trend of privacy-notice/; all these developments is to move toward greater respect for data o Dallas Fort Worth International Airport, Legal, Pri- subjects and the protection of their data. vacy Policy, available at https://dfwairport.com/legal/ Given the fact that most airports are governmental entities, index.php; collection of this data and its use is subject to additional and o Cincinnati/Northern Kentucky International Airport, unique regulatory regimes. Constitutional provisions at state Privacy Policy, available at https://www.cvgairport. and federal levels often constrain government collection and com/privacy; use of data. State laws on data privacy may also affect the ability o Tampa International Airport, Privacy Policy, available of airports in the collection and use of data. Further complicat- at https://www.tampaairport.com/privacy-policy; ing airport efforts in data collection and usage are a web of state o Des Moines International Airport, Privacy Policy and local record retention requirements and open records laws Use Terms and Disclaimer, available at https://www.­ designed to ensure transparency in government. These laws can dsmairport.com/about-the-airport/privacy.aspx; sometimes cause tension with efforts to protect private data of o Rapid City Regional Airport, Privacy Policy, available individuals and/or proprietary information that an airport may at https://www.rapairport.com/privacy-policy; seek to monetize. As a further complication, the control over o Palm Beach International Airport, Privacy Policy, public access and records retention may well be outside the con- available at http://www.pbia.org/privacy-policy/; and trol or even influence of airports. o Los Angeles World Airports, LAWA Privacy, available The body of federal and state case law governing data pro- at https://www.lawa.org/privacy. tection is growing particularly with respect to commercial use. • Sample U.S, Airport privacy policy for applications: LAX, Commercial enforcement activities are being led at the federal Application Privacy Statement, available at https://www. level by agencies like the FTC and in the states by state attorneys flylax.com/en/Application-Privacy-Statement. general. Increasing requirements to safeguard data and focus on • Sample International Privacy Polices (broader more enforcing the rights of data subjects are the hallmarks of these comprehensive privacy coverages): efforts as state governments like California continue to provide o Gatwick Airport, Privacy Policy, Official Website, enhanced protections. available at https://www.gatwickairport.com/privacy- In addition to a growing focus on collection of data and its policy/; use, there is a growing focus on tools used to analyze that data. o Munich Airport, Privacy Policy, available at As data sources grow, so too grows the need for a corresponding https://www.munich-airport.com/privacy-policy- increase in the power of the tools needed for analysis. The rise of 376755#26255d8dSingapore; facial recognition as a tool to organize and make sense of an ex- o Changi International Airport, Privacy Policy, available ponentially increasing pool of video data is one example. Other at https://www.changiairport.com/en/privacy-policy. applications of AI and ML are being constructed to analyze data. html; and The scope, power, and limitations of these tools are matters of growing public concern. Calls for constraints by privacy advo- 

72    ACRP LRD 42 cates seem to be gaining public approval, and some legislative initiatives limiting the use of these measures are beginning to take hold. Arrayed against this rapidly developing legal environment is the quickly developing technical environment that airports need to master to avail themselves of the benefits of exponen- tially increasing stores of available data. Two key themes are emerging: governance and substantive protections. Airports and airport stakeholders may find that an under- standing of both the “California Effect” of the CCPA and the “Brussels Effect” of the GDPR are useful in assessing practices that they might wish to consider in the development and execu­ tion of policy. While these measures may not have de jure con- trol over actions of airports and stakeholders, they do represent approaches that are viewed as at the forefront of privacy pro- tection. They are also seen as influencing the development of privacy law that may someday be a de facto requirement within regions, countries, or even internationally. Examining the concepts of governance and substantive pro- tections, particularly though the lenses of GDPR and CCPA devel­opments, offers airports a menu of choices and approaches to addressing privacy. These concepts can take many shapes or forms. They are not offered as mandates or even as “best prac- tices.” Rather, they are concepts accepted regionally, nationally, and internationally as effective measures to address data protec- tion issues.