ACRP LRD 42

LEGAL IMPLICATIONS OF DATA COLLECTION AT AIRPORTS

Donald R. Zoufal, CrowZ Nest Consulting, Inc., Chicago, IL; Sean Cusson, Del Ray Solutions LLC, Alexandria, VA; Diane J. Larsen (Ret.), Circ. Ct. of Cook County, State of Illinois, Chicago, IL; Tobias Person, Von Oxon, LLC, Los Angeles, CA; Daniel Hantman, Chicago, IL; and E. Austin Maliszewski, Austin, TX

I. INTRODUCTION

A. Background of the Research

As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience. Similarly, airports and their tenants have considered whether and how they can collect data. A wide range of functions within the airport environment will use this data, including management, operations, marketing, external affairs, concessions, and planning and development.

Those seeking to gather information may not consider or be aware of the applicable legal requirements governing data collection and use, let alone the far-reaching implications associated with compliance. Implications include generating, preserving, and storing public records and financial data; complying with data privacy statutes and regulations; and creating infrastructure to prevent and respond to data breaches.

Over the last two decades, the aviation sector increasingly employed sensor systems, data collection, and information processing to facilitate the passenger journey. Especially since the advent of smartphones and the digitization of virtually everything in recent years, data is generated from almost every aspect of the passenger journey.
Data can be produced and collected from a passenger's device; it can be captured by systems owned and operated by the airport or its partners; it can be collected by third-party businesses; or it can be collected by federal agencies. In most cases, data services are trending toward a complex partnership of various parties collaborating to support the passenger journey more seamlessly.

For example, the 2019 publication of the Transportation Security Administration's (TSA) TSA Biometric Roadmap¹ encapsulates a vision for data collection and use, including biometric data, to facilitate passenger movement across the passenger experience. TSA's Biometric Roadmap involves data sharing between air carriers, TSA, and Customs and Border Patrol (CBP) to address commercial, operational, and security measures essential to travel.

While TSA's vision of the passenger journey does not specifically address airport participation in the program, airports and their staff coordinate these implementations within the spaces that belong to them, and at times are beneficiaries of some of the data produced by those systems. The model is also instructive of the type of data being collected and shared among airport stakeholders.

¹ U.S. Dep't of Homeland Sec., Transp. Sec. Admin., TSA Biometrics Roadmap: For Aviation Security and the Passenger Experience, 18 (2018), available at https://www.tsa.gov/sites/default/files/tsa_biometrics_roadmap.pdf.

More direct airport involvement in data collection and sharing programs occurs in the developing areas that enhance the passenger experience.
This collection and sharing involves data from personalized information and wayfinding through websites, apps, kiosks, chat bots, and even roaming information service robots; from loyalty programs for parking, concessions and other support services; as well as from passenger pathway analytics (from video and other sensors), from automated license plate recognition for transportation and parking management, and from other emerging capabilities.

Operational data sharing between airport stakeholders can enhance airport operations. For example, sharing of passenger load counts and airline operational data can significantly assist airports in short-term and long-term planning. Enhanced data sharing can also provide significant efficiencies and enhancements for facilities, planning, and maintenance; airfield, terminal, and landside operations; safety and security; and so on. That sharing can include both anonymized and privacy data, but also involves significant proprietary concerns on the part of the airlines and other commercial operators.

Another area of growing data concern is increased data collection, or the potential of collection, by security operations in airports. Often this data collection involves the use of CCTV systems operated in connection with airport security programs. Security providers, however, are not the only CCTV users. Other actors in the airport context recognize the operational value of CCTV to enhance airport operations or customer engagement. In many instances, despite capability for image sharing, separate stovepipe systems are created. The proliferation of continually advancing CCTV creates large pools of data at airports.

Further, as the use of CCTV grows, biometric analytic technologies, such as facial recognition, continue to develop. These analytic tools are increasingly available to leverage existing systems, such as CCTV or other camera systems. However, this growing ability raises additional privacy concerns.
While the use of such technologies has been primarily in the retail sector, currently most of the biometric use with respect to passengers is limited to security and passenger processing programs managed by TSA or CBP along with the airlines. The advancement of biometrics has also seen increasing use in connection with

CONTENTS

I. Introduction
   A. Background of the Research
   B. Objective of the Research
   C. How to Use the Digest
   D. Summary of Section Content
II. Literature Review
   A. New Technology—New Concerns
   B. Adapting to Technology Change and Developing Considerations
   C. Statutory and Regulatory Move Toward Prevention
   D. International Distinctions
   E. Present Day Challenges in Defining Privacy and Enforcement Practice
   F. New Technology Driven Privacy Frontiers
   G. Growing Discussions of Airport Data Use Cases in the Literature
III. Airport Data Use Cases
   A. Use Case Domain #1—Technology Services—PPA
   B. Use Case Domain #2—Security and Terminal Operations—Biometrics
   C. Use Case Domain #3—Landside Operations—Automated License Plate Recognition (ALPR)
   D. Use Case Domain #4—Airport Digital Landscape (Websites, Mobile Apps, e-Commerce, Wi-Fi and CRM)
   E. Use Case Domain #5—Health Checks—Temperature Screening
   F. Conclusion
IV. Developments in Federal Constitutional Protections
   A. Carpenter and the Contours of Privacy Protections
   B. Recurrent Themes in Supreme Court's Privacy Analysis
V. Survey of Federal Statutory Provisions and Federal Agency Actions
   A. Early Federal Statutory Efforts to Address Privacy
   B. Additional Federal Statutory Provisions
   C. Federal Agency Actions
VI. Federal Enforcement Activities and Other Federal Initiatives
   A. FTC Enforcement Activity and the Creation of "Privacy Common Law"
   B. Rulemaking Authority
   C. Advocacy and Education
   D. Other Executive Branch and Congressional Initiatives
   E. Future Trends
VII. Overview of State Constitutional Privacy Protections
VIII. State Statutory Privacy Protections and Trends
   A. Data Security Laws Regulating the Public Sector
   B. Data Security Laws Regulating the Private Sector
   C. Data Disposal/Destruction Laws
   D. Data Breach Laws
   E. Consumer Protection
   F. State Legislative Initiatives and Trends
   G. Other State Legislative Bills
   H. Conclusions
IX. Developing State and Local Laws, and Federal Agency Actions and Legislative Proposals on Biometrics Usage
   A. State Law Developments
   B. Local Restrictions
   C. Federal Agency Actions and Legislative Proposals
X. Interplay of Privacy and Open Government Records
   A. Provisions for Open Government
   B. Public Records and Retention
   C. Trends in State FOIA Provisions
XI. Payment Card Industry Data Security Standard (PCI DSS) and Airports
   A. Contractual Duties and Liabilities
   B. Model Industry Standard
XII. International Efforts
   A. GDPR
   B. Bilateral Agreements to Enforce GDPR Principles
   C. The Cookie Law
   D. Other International Efforts
   E. Conclusions
XIII. Policy Considerations and Contractual Provisions for Data Collection and Usage
   A. Policy Considerations
   B. Contractual Issues
XIV. Resource Guide
   A. Resources Identifying State Laws on Data
   B. Resources Identifying State Laws on Records Retention and Freedom of Information
   C. Resources on Federal Law for Consumer Protection
   D. Resources on International Law
   E. Resources on Technical Issues Relative to Privacy and Data Protection
   F. Sample Airport Privacy Policies
XV. Conclusions
APPENDIX: Airport Technology and Privacy