Legal Implications of Data Collection at Airports (2021)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

6    ACRP LRD 42 Section XI reviews the payment card industry data secu- protections.11 Warren and Brandeis were concerned with news- rity standard (PCI DSS). Understanding and complying with papers and recent photography innovations like instantaneous PCI DSS is important for airports that wish to process credit photographs. They distinguished potential common law privacy card transactions. PCI DSS is not a federal statutory require- protections such as intellectual property, contract, and fiduciary ment, though some states have legislation referencing the PCI obligations and found a proper remedy in the broader “right to DSS. Rather, the standard is set by the major credit card com- be let alone.” panies through the Payment Card Industry Security Standards Warren and Brandeis argued that although privacy is as old ­Council. PCI DSS regulates the security of credit card informa- as common law, it is necessary from time to time to assess the tion and the systems used to process that information. The pur- nature of the right as it applies to current political, social, and pose of the PCI DSS is to reduce the likelihood of credit card economic demands. This revolutionary view of privacy was fraud. not adopted at that time, but it became a foundational under­ Section XII overviews international data protection efforts. current of privacy law over the last century. Portions of the Worldwide there is a growing body of legal activity addressing concept of privacy constructed in the article were eventually data privacy. As entities integrally involved in a global travel adopted in the First Restatement of Torts, which defines privacy business, airports must be sensitive to international trends with as an “unreasonabl[e] and serious[] interference with another’s respect to the management of personal data. interest in not having his affairs known to others or his likeness Section XIII explores contractual and policy issues for data exhibited to the public . . . .”12 collection and usage. As airports collect and exchange data with a range of stakeholders, issues like data ownership, access B. Adapting to Technology Change and Developing storage, use, dissemination, and destruction will need to be ad- Considerations dressed in contractual agreements. Additionally, the develop- William Prosser’s 1960 article Privacy discusses the develop- ment and implementation of proper governance structures and ment of privacy law in the wake of Warren and Brandeis’ The programs is of critical importance for airports to ensure airports Right to Privacy.13 Prosser discusses four distinct invasions of a have proper practices in place to protect privacy, ensure secu- person’s interest: intrusion into seclusion or solitude, disclosure rity, and promote transparency. of secrets, false publication, and appropriation of identity. The Section XIV provides a resource guide to assist users in Second Restatement of Torts adopted Prosser’s four invasions of assess­ing the risk and requirements for different types of data privacy.14 collection and retention. In Privacy, Prosser argues that the mere act of photograph- Section XV offers some concluding thoughts about the chal- ing a person in public does not invade privacy because this lenges and the opportunities presented by the new digital envi- amounts to nothing more than a public record. He compares ronment and uses of data by airports and airport stakeholders the photo­graph to a written description of a public sight that anyone ­present would be free to see. This approach reflects II. LITERATURE REVIEW ­society’s f­amiliarity with photography and its use. By 1960, Data collection at airports presents novel privacy concerns as people under­stood how cameras worked, that they are portable, data collection processes and systems rely on new technologies and how pictures may be taken and used. As a result, seventy that test the boundaries of personal privacy. These technologies years after the introduction of the portable camera, the public’s collect data in many ways and can generate conclusions about perspective on privacy shifted. These shifts can be seen in the personal actions. Some identify people whereas others track Supreme Court’s discussions of privacy from the 1970s onward. personal things, such as vehicles or electronic devices. But these objects may, or may not, be directly tied to specific individuals. C. Statutory and Regulatory Move Toward Therefore, we must ask how and where privacy principles apply. Prevention This section examines the founding principles of privacy and The development of computing in the 1960s and 1970s like- current trends to assist with analysis of privacy for airport appli- wise caused a change in privacy law. Before the 1970s, tort law cations.10 The literature reviewed here is augmented by case law, remedied harm to individuals; after the 1970s, Congress enacted legislation, and legal commentary in the various sections of this statutes to prevent harm.15 At the time, the government c­ reated report. This literature review strives to provide general insights electronic records that resulted in massive data sets. Privacy ad- and focus on current issues confronting the aviation sector. A. New Technology–New Concerns 11   See Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890). Samuel Warren and Justice Louis Brandeis’ The Right to 12   Restatement (First) of Torts § 867 (1938). Privacy examines the nature and extent of individual privacy 13   See William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 384-85 (1960). 10   See Daniel J. Solove, A Brief History of Information Privacy Law, 14   See Restatement (Second) of Torts § 652B (1977). GW Law Scholarly Commons (2006), https://scholarship.law.gwu. 15   Paul Ohm, Broken Promises of Privacy: Responding to the Surpris- edu/cgi/viewcontent.cgi?article=2076&context=faculty_publications. ing Failure of Anonymization, 57 UCLA L. Rev. 1701 (2010). 

ACRP LRD 42   7 vocates rallied against government data collection because of While the FIPPs are designed to address personal informa- the fear of privacy invasions. tion given in relation to consumer practices, for example credit card purchases, these core principles provide an evaluative tool 1. Theoretical Underpinnings that can be applied to data collected by airports. The FIPPs There is a wealth of literature on the issue of privacy theory ­offers a good starting point for evaluation of any system where and its influence on American jurisprudence. Emanuel Gross, data is being collected or retained. in his article The Struggle of a Democracy Against Terrorism— a. Notice/Awareness Protection of Human Rights: The Right to Privacy Versus the National Interest—the Proper Balance,16 provides an excellent This principle, described as the “most fundamental one,”23 survey of the literature defining privacy. This literature offers addresses the need for organizations involved in information an important context for legal developments seeking to protect collection to advise the subjects of data collection regarding its indi­vidual privacy rights. occurrence and the purposes to which data collected will be ap- Alan Westin’s work, Privacy and Freedom, exploring individ- plied. Information available to the public should include iden- ual privacy at the dawn of the computer age was, perhaps one tity of the “entity collecting data,” “uses to which the data will be of the most influential in shaping early privacy protections.17 put,” identity of “any potential recipients of the data,” nature of P rivacy and Freedom defines privacy as an individual’s, group’s, the data collected and means of doing so, whether compliance is or institution’s control over how and to what extent information voluntary and the means of assuring confidentiality and quality about them will be communicated to others. Further, the work of the data.24 The notice provisions may also include providing established a framework to assess privacy interests, finding that information as to procedures for individual access to the data as privacy: involves the voluntary and temporary withdrawal from well as redress and correction procedures. general society; can occur through either physical or psycho- b. Choice/Consent logical means; and can take many forms, such as solitude or This principle of the FIPPs means “giving consumers op- seeking anonymity18 in a larger group.19 The work also addresses tions as to how any personal information collected by them will the concept of reserve. Reserve is the notion that an individual be used.”25 Applying this principle requires that a data subject holds back information about himself or herself to protect the understands the collection and use of the data and voluntarily public perception of who the individual really is.20 The work of agrees to that collection and use. The choice/consent addressed Westin is important to an understanding of the early privacy by the FIPPs frequently concerns the secondary use of con­ protections developed by the U.S. government as it sought to sumer information. For example, an individual who presents address privacy in the modern area of data. a credit card and the attendant information associated with it 2. The Fair Information Practice Principles to make a purchase is not consenting to the secondary market The U.S. Department of Health and Human Services (HHS) research purposes that a vendor may have for the information. formed an advisory committee to address data collection Choice for data subjects is often accomplished through “opt-in ­privacy concerns. The committee recommended congressional or opt-out” provisions. adoption of a code of “Fair Information Practice” scheme in- Challenges to the application of opt-in and opt-out arise in volving notice and consent, access, data integrity, enforcement, several contexts. Data collectors must consider the default if an and remedies.21 Those core principles evolved into the Fair election is not made by the individual. Consideration needs to Infor­mation Practice Principles (FIPPs) which have influenced be given to whether the individual is being coerced into surren- much of the current thought about privacy and data protection dering consent. Additionally, consent can be something other in the United States and around the globe.22 than a binary choice, with an individual allowed to “tailor” in- formation provided.26 With respect to choice/consent, the FTC notes that “[i]n order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to ex- 16   Emanuel Gross, The Struggle of a Democracy Against Terrorism— ercise their choice.”27 Protection of Human Rights: The Right to Privacy Versus the National Interest—The Proper Balance, 37 Cornell Int’l L. J. 27 (2004). c. Access/Participation 17   See Alan F. Westin, Privacy and Freedom (1970). This principle concerns the right of the individual to under- 18   The right to preserve anonymity has not yet gained full protec- stand the nature of data gathered concerning him or her by ex- tions in the United States, but it has gained more full acceptance in other influential data protection frameworks elsewhere. amining it. It allows the individual to ensure that data collected 19   Alan F. Westin, Privacy and Freedom 7 (1970). about one’s self is accurate and is being held in accordance with 20   Id. 21   Computers and the Rights of Citizens, U.S. Dep’t Health, Educ., 23   Id. at 7. & Welfare (1973), https://www.justice.gov/opcl/docs/rec-com-rights. pdf. 24   Id. at 7-8. 22   See Privacy Online: Report to Congress, F.T.C. (1998), at 48, n. 27, 25   Id. at 8. https://www.ftc.gov/sites/default/files/documents/reports/privacy- 26   Id. online-report-congress/priv-23a.pdf. 27   Id. 

8    ACRP LRD 42 system requirements. The FIPPs notes that this principle re- rather than prescriptive.”30 The FIPPs note that compliance can quires simple, timely, inexpensive procedures to access and con- come from self-regulation or be externally imposed in the form test inaccuracy.28 While affording individual access can serve as of civil actions or civil and criminal penalties through govern- a check against government abuse, providing access presents ment action. several technical problems. Where the data has already been While the FIPPs principles do not apply where data is not segregated, providing access might be easy. individuated or cannot be linked to an individual’s identity, the Affording individuals access to data, especially when it is growth of databases and analytic tools makes it increasingly indi­viduated and categorized, is important to privacy interests of possible to identify individuals by aggregating data without anonymity and reserve. It is important for individuals to under­ identifiers. stand exactly what type of information is being maintained about them. Accessing this information allows indi­viduals some D. International Distinctions understanding of the degree to which their ­privacy interests Differences regarding data laws and regulations around the may be compromised. world provide interesting insights into societal focuses on pri- d. Integrity and Security vacy and the dynamic environments that technology companies must navigate to build scalable data collection products and ser- Integrity and Security ensures that the data collected is un- vices. Companies seeking to deploy their systems around the compromised and accurate. It also provides assurance that the world will find substantially different requirements and focuses data will only be used for authorized purposes that supported on data collection. Determann’s Field Guide to Data Privacy its collection and maintenance. Physical and logical security Law: International Corporate Compliance, details data privacy measures, including cyber security measures, are critical. Ap- concepts around the world, and more specifically compares plication of both “managerial and technological” measures are ­European and U.S. regulations.31 important measures.29 For example, U.S. laws and regulations focus on the privacy As measures for Integrity and Security are being developed, intrusion caused by data collection and use whereas EU’s GDPR thought must be given to external processes like requirements protects individuals by restricting and limiting automated pro- imposed by legal process (court orders, subpoenas, and admin- cessing and storage of an individual’s personal data. U.S. statutes istrative mandates like open records requests). Unless specific tend to focus privacy concerns on narrowly defined personally statutory relief is provided, local governments may be compelled identifiable information (PII) tailored to the context and pur- by open records laws or court procedures to provide informa- pose of the data collection. In contrast, the EU applies a slid- tion to third parties completely or in some redacted form. ing scale to determine if personal data can be linked to an indi­ Integrity and Security also impacts data retention. The es- vidual. Similarly, the United States and EU perceive sensitive tablishment of a retention schedule and the elimination of data data that require higher standards of protection differently. For at the conclusion of retention are universally accepted require- example, the United States focuses on social security numbers ments. Also accepted is the notion that retention beyond the and credit card information because of the risk of theft. The EU’s schedule may be appropriate for certain data (i.e., data to be focus on sensitive information includes political opinion, affilia- used as evidence in a criminal proceeding). The setting of reten- tions, medical history, racial and ethnic origins, religious beliefs, tion schedules can vary widely and may in some circumstances sexual orientation, and criminal records. be controlled externally by state or local records retention laws One concept that has won broad international acceptance for or ordinances. protection of privacy is that of “privacy by design” (PbD). PbD The Integrity and Security of the system is of critical impor- was introduced in the mid-1990s by the Privacy Commissioner tance to the concept of reserve as described by Westin. While of Ontario, Canada who contended that a simple compliance- the individual may feel discomfort in knowing that information based strategy was inadequate to address growing threats to is in the possession of the government, an understanding of the privacy in the digital age. The essential tenet of PbD is to intro- rules for release of the information and the fact that it will not duce measures so that “privacy assurance must ideally become generally be released to others allows for some restoration of the an organization default mode of operation.”32 The introduction sense of reserve. of PbD was supported by seven principles for implementation. e. Enforcement and Redress These principles infuse measures to prioritize privacy protec- The final FIPP principle is for there to be some mechanism tion in organizational processes. for Enforcement and Redress to be incorporated into the sys- tem. The reasoning behind these provisions is that they will en- sure that entities collect data according to their own rules. With- 30   Id. out them there is concern that regulations will be “[s]uggestive 31   Lother Determann, Determann’s Field Guide to Data Privacy Law: International Corporate Compliance (3rd ed. 2017). 32  Ann Cavoukian, Privacy by Design, Information & Privacy   Id. at 9. 28 Commissioner (Jan. 2011), https://www.ipc.on.ca/wp-content/uploads/   Id. at 10. 29 Resources/7foundationalprinciples.pdf. 

ACRP LRD 42   9 PbD principles require organizations to take a proactive look ­statutes focus on PII. Yet Ohm identifies multiple studies show- at their systems to ensure privacy protection at all points from ing how even non-PII data can effectively identify a person and collection to disposal. These principles also focus on privacy invade their privacy. Additionally, he contends that the current protection in both technology systems as well as organizational regulatory frameworks fail because new data fields will always policies and procedures. Key goals are a secure and transparent emerge that effectively invade privacy, and these inherently re- use of data that places protection of privacy at the forefront. active regulatory regimes always lag behind perpetually unfold- The importance of the PbD concept to both the U.S. efforts to ing technological development. This work suggests that privacy enforce privacy protection by the FTC, as well as inter­national protection efforts should place greater attention on collection, adoption in the GDPR, is well established.33 Adoption of the use, and retention of data because anonymization strategies PbD concept is thought to strongly advance individual privacy have proven to have limited use. interests. The National Institute of Standards and Technology Over the years, the Federal Trade Commission (FTC) has (NIST) Privacy Framework34 specifically calls out the support of devoted substantial effort to regulating data privacy. This work PbD as one of the key benefits of its approach. includes both the development of influential reports and en- forcement activity. For example, the FTC issued a data pri- E. Present Day Challenges in Defining Privacy and vacy report in 2012 recommending that companies follow the Enforcement Practice FIPPs.39 Additionally, the FTC recommended sector specific codes of conduct, privacy by design, and clear and standardized Moving to the present day, with the increasingly rapid devel­ transparency. The report distinguishes between collecting data opment of technology, legal scholars, lawmakers, and the pub- consistent with a company’s interaction with a consumer and lic struggle to define privacy. Privacy law expert, Daniel Solove data collection that is inconsistent with typical customer inter- concluded in his 2008 book Understanding Privacy that privacy action. The FTC report concludes that a company does not need is a concept in disarray that is difficult to articulate.35 Solove to disclose data collection where the collection is consistent with challenges existing narrow views of privacy when assessing business interactions, but should provide customers a choice re- whether an activity may infringe upon a person’s privacy inter- garding their data when the collection does not rationally ad- est. He contends that this results in the conflation of distinct here to the business interaction. privacy issues or a failure to recognize that an issue even exists. The FTC has also enforced numerous privacy related cases. Solove argues that privacy consists of many things and requires Daniel Solove and Woodrow Hartzog argue in their 2013 article, a mapping to account for full situational context.36 The FTC and the New Common Law of Privacy, that the FTC Solove’s A Model of Privacy Protection addresses structural has created common law like regulatory regime because of its concerns over how the United States regulates privacy through consistent applications of rules in its complaints and o ­ rders.40 a sectoral rather than a comprehensive statutory approach.37 According to Solove and Hartzog, the FCC has sought to pro- Contrasted with the EU’s omnibus approach to privacy and tect privacy interests through enforcement actions related to de- data protection, concern exists that the United States’ more ception, unfairness, statutory violations, or violations of inter­ piecemeal approach leaves significant gaps. For example, a more national agreements.41 balkanized approach to privacy and data protection requires a The fact that airports in the United States are governmental more diligent examination of several differing federal and state entities adds additional complexity and nuance in this context. measures rather than an easier analysis of a single comprehen- As governmental entities, airport authorities often must com- sive statutory framework. ply with record retention and record dissemination measures. In addition to the challenges caused by the lack of a com- Natural tension exists between governmental transparency and prehensive privacy approach, there are further challenges posed protecting privacy and proprietary data.42 by the increase in technological ability to circumvent privacy Just as the literature points to the need for a multi-­ protection. Paul Ohm argues anonymization strategies no lon- jurisdictional analysis within the United States to understand ger work given the ability to identify people through various the full requirements of privacy protection, international influ- data sets.38 Many statutes categorize data risk and prevent prac- ences r­ equire consideration as well. Commentators have noted tices that would collect or combine such data. Most often these the development of data protection regulatory regimes in the 33   See Stuart Pardau & Blake Edwards, The FTC, the Unfairness Doc- 39   Protecting Consumer Privacy in an Era of Rapid Changes, Recom- trine and Privacy by Design, New Legal Frontiers in Cybersecurity, 12 J. mendations for Business and Policy Makers F.T.C., (Mar. 2012), https:// Bus & Tech. L. 227, 264-66 (2017). www.ftc.gov/sites/default/files/documents/reports/federal-trade-­ 34   NIST Privacy Framework. commission-report-protecting-consumer-privacy-era-rapid-change- 35   Daniel Solove, Understanding Privacy (2008). recommendations/120326privacyreport.pdf. 36   Id. at 10. 40  Daniel Solove & Woodrow Hartzog, The FTC and the New 37   See Daniel J. Solove & Chris Jay Hoofnagle, A Model Regime of ­Common Law of Privacy, 114 Columbia L. Rev. 583, 620-21 (2014). Privacy Protection (Version 3.0), 2006 Univ. of Ill. L. Rev. 357, (2006), 41   Id. at 627-66. https://ssrn.com/abstract=881294. 42   See, e.g., Keith W. Rizzardi, Sunburned: How Misuse of the Public 38   Paul Ohm, Broken Promises of Privacy: Responding to the Surpris- Records Laws Creates an Overburdened. More Expensive, and Less Trans- ing Failure of Anonymization, 57 UCLA L. Rev. 1701 (2010). parent Government, 44 Stetson L. Rev. 425 (2015). 

10    ACRP LRD 42 EU are influencing approaches across the globe.43 Understand- The U.S. Chief Technology Officer announced the United ing this influence is critical to understanding future privacy States’ artificial intelligence (AI) strategy on January 7, 2020.47 trends. The strategy calls for federal agencies to consider rulemaking To assist organizations in addressing the challenges of grow- processes before deploying AI systems. Additionally, it calls on ing data sources and the need for protections, experts are de- federal agencies to consider fairness, transparency, safety, and veloping hermeneutic tools to help develop more effective security in developing AI programs. approaches to understanding privacy regulatory needs and implementation. In January 2020, NIST issued a privacy frame- G. Growing Discussions of Airport Data Use Cases in work to organize and manage privacy risk.44 This framework the Literature recommends considering privacy during system design and de- All aspects of an airport’s operation can involve some form of ployment, communicating privacy practices, and encouraging privacy data collection, used in processing a transaction, facili- cross-organizational workforce collaboration. It offers a struc- tating the flow of a passenger or their luggage, tracking people ture for the case study presentations and analysis offered in this volumes and movement within an area of the airport, screen- work. ing to identify security threats, and so on. A review of indus- try forums such as Airports Council International (ACI)48 and F. New Technology Driven Privacy Frontiers ­Future Travel Experience (FTE)49 offers a glimpse into trends in As facial recognition began gaining prominence, the Inter­ technology adaptation and data use in airports. Over the past national Justice and Public Safety Network issued a report dis- few years, top technology topics covered at annual conferences cussing law enforcement’s use of facial recognition technolo- include biometrics, blockchain, AI and machine learning (ML), gies and its impact on the public’s expectation of privacy.45 The robotics, RFID in baggage, chatbots and translation technolo- report recognizes that data collection can have a chilling effect gies, personalized wayfinding through augmented reality, vir- on an individual’s actions based on the type of information col- tual reality and immersive experiences, mobile app ordering lected and how the data is used. It recommends limiting dis- and delivery, internet of things (IOT), 5G cellphone service, and tribution of the data and implementation of proper access and cyber security.50 All these advancements change the way data is dissemination policies. collected about people and create potential privacy i­ mplications. Privacy Principles for Facial Recognition Technology in Com- Most importantly from a privacy perspective, the develop- mercial Applications establishes standards for privacy protec- ment and use of biometrics, an immutable digital identity at- tions where technology collects, creates, and maintains facial tribute, across the entire passenger experience, highlights the templates to identify individuals.46 This work argues that the importance of airport competency in privacy data collection, creation or storage of a photo or video on its own does not in- use, sharing, and protection. For example, beyond existing herently implicate facial recognition privacy concerns. Nor do U.S. CBP Traveler Verification System (TVS) used for security basic facial detection systems that do not create or collect per- purposes, the International Air Transport Association (IATA) sonalized information about an individual consumer’s image is working to create a biometric recognition program that will because it is not identifiable or linkable to the person. The enable passengers to travel without documentation.51 IATA in- standards discussed here include consent, context, transpar- tends to use facial biometric technology to identify passengers ency, data security, privacy by design, integrity and access, and at each airport touchpoint. IATA’s One ID will require coordi- ­accountability. nation between airports, airlines, and governments to become an interoperable system. One ID relies on four main elements: 47   Michael Kratsios, AI That Reflects Values, Bloomberg Opinion 43   See Paul M Schwartz, Symposium: Global Data Privacy the EU (Jan. 7, 2020), https://www.bloomberg.com/opinion/articles/2020-01-07/ Way, 94 N.Y.U. L. Rev. 771 (2019). In this journal article the author ai-that-reflects-american-values?srnd=opinion. surveys the literature examining the influence of the European Union’s 48   Airports Council International, https://aci.aero/ (last visited Aug. General Data Privacy Regulation, internationally, including in the 5, 2020). United States. 49  Future Travel Experience, https://www.futuretravelexperience. 44   NIST Privacy Framework: A tool for Improvising Privacy Through com (last visited Aug. 5, 2020). Enterprise Risk Management, Nat’l Inst. of Standards & Tech., U.S. 50   10 Technology Trends for Airlines and Airports in 2018, Future Dep’t of Commerce, (Jan. 16, 2020), https://www.nist.gov/system/ Travel Experience (Jan. 2018), https://www.futuretravelexperience. files/documents/2020/01/16/NIST%20Privacy%20Framework_ com/2018/01/10-technology-trends-airlines-airports-2018/; 10 Tech- V1.0.pdf. nology Trends for Airlines and Airports in 2019, Future Travel Expe- 45   The International Justice and Public Safety Network: Privacy rience (Jan. 2019), https://www.futuretravelexperience.com/2019/01/10-­ Impact Assessment Report for the Utilization of Facial Recognition Tech- technology-trends-airlines-airports-2019/; 10 Technology Trends for nologies to Identify Subjects in the Field, Nlets – the International Airlines and Airports in 2020, Future Travel Experience (Jan. 2020), Justice and Public Safety Network, (June 30, 2011), https://www. https://www.futuretravelexperience.com/2020/01/12-technology- eff.org/files/2013/11/07/09_-_facial_recognition_pia_report_final_ trends-for-airlines-and-airports-to-focus-on-in-2020/. v2_2.pdf. 51   Adele Berti, One ID: inside IATA’s plan to end paper travel docu- 46   Future Privacy Forum, Privacy Principles for Facial Recognition ments, Airport Technology (Jan. 16, 2020), https://www.airport- Technology in Commercial Applications (2018). technology.com/features/iata-one-id/.