Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
ACRP LRD 42 3 LEGAL IMPLICATIONS OF DATA COLLECTION AT AIRPORTS Donald R. Zoufal, CrowZ Nest Consulting, Inc., Chicago, IL; Sean Cusson, Del Ray Solutions LLC, Alexandria, VA; Diane J. Larsen (Ret.), Circ. Ct. of Cook County, State of Illinois, Chicago, IL; Tobias Person, Von Oxon, LLC, Los Angeles, CA; Daniel Hantman, Chicago, IL; and E. Austin Maliszewski, Austin, TX I. INTRODUCTION A. Background of the Research As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, mar- keting, understanding passenger preferences, and enhancing the travel experience. Similarly, airports and their tenants have considered whether and how they can collect data. A wide range of functions within the airport environment will use this data, including management, operations, marketing, external affairs, concessions, and planning and development. Those seeking to gather information may not consider or be aware of the appli- cable legal requirements governing data collection and use, let alone the far-reaching implications associated with compliance. Implications include generating, preserving, and storing public records and financial data; complying with data privacy statutes and regulations; and creating infrastructure to prevent and re- spond to data breaches. Over the last two decades, the aviation sector increasingly employed sensor systems, data collection, and information pro- cessing to facilitate the passenger journey. Especially since the advent of smartphones and the digitization of virtually every- thing in recent years, data is generated from almost every aspect of the passenger journey. Data can be produced and collected from a passengerâs device; it can be captured by systems owned and operated by the airport or its partners; it can be collected by third-party businesses; or it can be collected by federal agen- cies. In most cases, data services are trending toward a complex partnership of various parties collaborating to support the pas- senger journey more seamlessly. For example, the 2019 publication of the Transportation Security Administrationâs (TSA) TSA Biometric Roadmap1 en- capsulates a vision for data collection and use, including bio- metric data, to facilitate passenger movement across the passen- ger experience. TSAâs Biometric Roadmap involves data sharing between air carriers, TSA, and Customs and Border Patrol (CBP) to address commercial, operational, and security mea- sures essential to travel. While TSAâs vison of the passenger journey does not specifi- cally address airport participation in the program, airports and 1 U.S. Depât of Homeland Sec., Transp. Sec. Admin., TSA Bio- metrics Roadmap: For Aviation Security and the Passenger Experience, 18 (2018), available at https://www.tsa.gov/sites/default/ files/tsa_biometrics_roadmap.pdf. their staff coordinate these implementations within the spaces that belong to them, and at times are beneficiaries of some of the data produced by those systems. The model is also instructive of the type of data being collected and shared among airport stake- holders. More direct airport involvement in data collection and sharing programs occurs in the developing areas that enhance the passenger experience. This collection and sharing involves data from personalized information and wayfinding through websites, apps, kiosks, chat bots, and even roaming information service robots; from loyalty programs for parking, concessions and other support services; as well as from passenger path- way analytics (from video and other sensors), from automated license plate recognition for transportation and parking man- agement, and from other emerging capabilities. Operational data sharing between airport stakeholders can enhance airport operations. For example, sharing of passenger load counts and airline operational data can significantly assist airports in short-term and long-term planning. Enhanced data sharing can also provide significant efficiencies and enhance- ments for facilities, planning, and maintenance; airfield, termi- nal, and landside operations; safety and security; and so on. That sharing can include both anonymized and privacy data, but also involves significant proprietary concerns on the part of the air- lines and other commercial operators. Another area of growing data concern is increased data col- lection, or the potential of collection, by security operations in airports. Often this data collection involves the use of CCTV systems operated in connection with airport security programs. Security providers, however, are not the only CCTV users. Other actors in the airport context recognize the operational value of CCTV to enhance airport operations or customer engagement. In many instances, despite capability for image sharing, separate stovepipe systems are created. The proliferation of continually advancing CCTV creates large pools of data at airports. Further, as the use of CCTV grows, biometric analytic tech- nologies, such as facial recognition, continue to develop. These analytic tools are increasingly available to leverage existing sys- tems, such as CCTV or other camera systems. However, this growing ability raises additional privacy concerns. While the use of such technologies has been primarily in the retail sector, currently most of the biometric use with respect to passengers is limited to security and passenger processing programs man- aged by TSA or CBP along with the airlines. The advancement of biometrics has also seen increasing use in connection with
4 ACRP LRD 42 airport employee security, credentialing, and access control sys- tems. These uses also raise privacy issues.2 Arrayed against the growing availability and use case for data with privacy implications is a growing body of law devoted to protecting privacy. Unlike some foreign jurisdictions that have developed more comprehensive programs of data protection, the U.S. system remains a patchwork of somewhat independent- ly evolving protections. Thus, capturing a snapshot of various federal, state, and local protections would be both difficult and likely unhelpful in the long run. A more productive approach would be to focus on legal trends in privacy protection. In addi- tion to looking at governmental enforcement actions as a part of the legal trends, this research will also examine the nongovern- mental solutions of pay card industry data security standards. In addition to focusing on legal protections for privacy, there is a need to understand developments and trends in laws govern- ing public records, specifically addressing issues like data reten- tion and dissemination. These statutes addressing public records are often in tension with privacy protection policy. Expansive re- cords retention statutes that exist in some states can conflict with data minimization requirements. Similarly, broad open records or freedom of information statutes can make the protection of private and proprietary data difficult. This has significant impli- cations for the sharing of data with commercial value. In whatever arrangements are made to collect or share data, airport operators, airlines, and tenants must employ appropri- ate contractual language. Airports must consider what data they own, how and under what circumstances they can collect data, what can be done with that data, how the data will be safeguard- ed, and what they will have to pay for accessing and using data. In structuring contractual arrangements regarding data collec- tion and use, those airports receiving funding through the Fed- eral Aviation Administration (FAA) (or other federal sources) must ensure that data arrangements are consistent with grant assurances.3 For example, if an airport were found to be using data in a discriminatory fashion, perhaps thorough application of a racially-biased artificial intelligence application, several Grant Assurances (for instance 1, 22, and 30) could be impli- cated. Concerns over potential misuse of data extend not only to the airport, but also to third-party contractors who may be involved in data collection and processing. Some third-party companies have offered to install their technology in airports at âno costâ and provide the airport with 2 The use of facial recognition presents challenges beyond the issue of privacy. Concerns have been raised regarding racial and ethnic bias in artificial intelligence applications that power facial recognition software. There also is the concern of false negative and false positive rates under- mining the utility of these technologies. See e.g., Natasha Stringer & Cade Metz, Many Facial Recognition Systems are Biased, U.S. Study, N.Y. Times, Dec. 19, 2019, https://www.nytimes.com/2019/12/19/ technology/facial- recognition-bias.html?auth=login-email&login=email. These factors along with privacy are important considerations in the decision to use and how to use facial recognition technology. 3 Airport Sponsor Assurances, FAA. (Feb. 2, 2020), https://www.faa. gov/airports/aip/grant_assurances/media/airport-sponsor-assurances- aip-2020.pdf. data. In these cases, the company usually attempts to reserve the rights to sell that data to third parties. Understanding who owns the data, and the rights of all parties with respect to the data, is essential for safeguarding privacy. The COVID-19 pandemic in 2020 offers an example of how technology developers and aviation industry stakeholders, as well as other industries, can rapidly develop sensors, data col- lection strategies, and information processing techniques to address new challenges. In response to the new realities cre- ated by this public health crisis, monitoring health conditions, social distance monitoring, and contact tracing and movement tracking have become national and even global priorities. More specifically, innovative software solutions have been deployed on existing and new enhanced camera systems to perform temperature and social monitoring in public spaces, including airports.4 Similarly, shortly after the early 2020 COVID-19 out- break in the United States, Google and Apple collaborated to develop a phone application to trace and track voluntary par- ticipants.5 The application traced the movement of the partici- pantsâ phones in relation to the phones of other participants. If a participant was diagnosed with COVID-19, the other phones that met established contact criteria6 were sent an automated notification. The identity of phone owners is not shared. Only the determination of proximity to a device of someone who was diagnosed COVID-19 positive is shared. Thus, collection of biometric health-related information and largescale tracking of individual movement have raised novel concerns previously unaddressed by U.S. law. Responding to those concerns, Congress has considered several bills address ing privacy.7 The United States was, however, not alone in looking to adapt its legal system in the face of technology develop ments to respond to COVID-19. EU countries, interfacing with the General Data Protection Regulation (GDPR),8 looked to adapt that comprehensive system to allow government to use the new tools to fight the pandemic.9 4 Hugo Martin, Airports are Testing Thermal Cameras and Other Technology to Screen Travelers, L.A. Times, May 13, 2020, https://www. latimes.com/business/story/2020-05-13/airports-test-technology- screen-covid-19. 5 Russell Brandon & Adi Roberson, Apple and Google are Building a Coronavirus Tracking System into iOS and Android, The Verge, Apr. 10, 2020, https://www.theverge.com/2020/4/10/21216484/google-apple- coronavirus-contract-tracing-bluetooth-location-tracking-data-app. 6 Extended time within the proximity of the phone of the COVID- 19 positive individual. 7 See The COVID-19 Consumer Data Protection Act, S. 3663, 116th Cong. Â§ 2 (2020); The Public Health Emergency Privacy Act, S. 3749, 116th Cong. Â§Â 2 (2020). 8 Gen. Data Protection Reg., 2016/679 (EU). 9 See Statement on the Processing of Personal Data in the Context of the COVID-19 Epidemic, European Data Protection Board (Mar. 19, 2020), https://edpb.europa.eu/our-work-tools/our-documents/other/ statement-processing-personal-data-context-covid-19- outbreak_en; Guidelines 04/2020 on the Use of Location Data and Tracing Tools in the Context of the COVID-19 Outbreak, European Data Protection Board, Apr. 21, 2020, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_ guidelines_20200420_contact_tracing_covid_with_annex_en.pdf.
ACRP LRD 42 5 cases can help inform judgments with respect to common chal- lenges and opportunities. It also informs judgments regarding the range of stakeholders, both public and private, involved in data usage and the limits and restrictions imposed on disparate stakeholders. Section IV covers developments in federal constitutional protections. The U.S. Supreme Court has considered multiple privacy related data collection cases since the 1970s. Both con- servative and liberal justices have expressed concern over the effects of technology on privacy. The issues raised by the Court and legal analysis offered in the decisions offer valuable insights into the use of data gathered through systems like CCTV. Section V discusses several federal statutory provisions that may potentially impact risk assessment and policy develop- ments for various aspects of data collection, storage, access, and dissemination. Section VI explores federal government enforcement and other activities. This includes executive branch actions and the activities of Congress in developing future legislation. Section VII overviews state constitutional privacy protec- tions. Similar to federal constitutional protections, state con- stitutions afford protections for civil liberties. In some instances, state protections may even exceed federal protections. For in- stance, twelve states have specific constitutional provisions re- lated to privacy, while others have generalized provisions. Section VIII addresses state statutory privacy protections and trends. State measures have addressed both government and private use of data. The types of data addressed by state reg- ulations are also expanding to private consumer data. Analyzing these state law developments will both discern the mandatory compliance requirements for airports within those states as well as serve as a potential guide for airports in states lacking robust regulatory regimes. While it is impractical to examine every state law addressing this topic, understanding the types of regulatory schemes developed within various states will assist in determining trends that may control this perpetually unfolding airport policy. Section IX discusses developing state and local law related to biometric usage. With the growing usage of facial recognition technology and the development of governmental programs to apply this and similar technologies to the traveler screening pro- cess, there is growing airport focus on biometrics in general, and facial recognition in particular. Outside of the airport industry there is also significant court and legislative activity addressing the collection, storage, and use of facial recognition and other biometric identifiers. Section X looks at the interplay of privacy and open govern- ment records. The existence of measures to ensure open gov- ernment has interesting intersections with the issue of privacy. While some advocacy organizations lament government access to private personal data, they simultaneously seek liberal access to governmental records. The requirement for government to retain data it collects in accordance with defined retention re- quirements, combined with public access laws, can prove to be a challenging exercise. This cycle of technology development and legal reaction evidenced in the pandemic response, both in strengthening and loosening protections, is instructive. Aviation professionals should be mindful that scrutiny over data use and legal develop- ments that govern data use will continue as the ability to collect and analyze data becomes more sophisticated and powerful. These legal policy changes may occur rapidly and require the modification of data collection practices. The rapid technological adaptation and development of new data sets and assessments to address evolving challenges like those seen in the pandemic response showcases the need to understand the legal principles that govern data collection and use. This research focuses on identifying those principles to help airport lawyers better understand the implications of new data collection activities and technologies in their airports. B. Objective of the Research This digest provides a survey of applicable law; consider- ations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use. The analy- sis includes federal, state, local and international legal develop- ments as well as the respective compliance requirements and penalties. C. How to Use the Digest Outlined below is a summary of the content of this work by section. However, reading this digest from beginning to end may not be the most effective way to use it. Practitioners may wish to focus initially on the use cases outlined in Section III and the summaries of contractual and policy issues in Section XIII. Then, the reader may take a deeper dive into legal issues in other sections that address specific concerns. The use cases in Section III and contract and policy summaries in Section XIII are de- signed to orient practitioners to process and substantive consid- erations with respect to data collection and use. These sections will help to paint the âbig pictureâ for airports and airport stake- holders to consider in dealing with data collection and use. D. Summary of Section Content Section II provides a literature review addressing the de- velopment of privacy concepts and the impact of technology develop ments on privacy. Additionally, the literature review looks at government responses to data collection activities and identifies aviation industry trends. Section III outlines airport data use cases and examines shared areas of concerns for airports in data management. The discussion covers current and prospective airport data use cases. While data collection and storage systems may be common or segregated for a range of uses, there are often differing rules and restrictions for using data across categories. As can be seen from examining passenger journey use cases, sometimes a single use case can implicate multiple categories. This section also explores common airport data sharing issues. The examination of uses