6 ACRP LRD 42

Section XI reviews the Payment Card Industry Data Security Standard (PCI DSS). Understanding and complying with PCI DSS is important for airports that wish to process credit card transactions. PCI DSS is not a federal statutory requirement, though some states have legislation referencing the PCI DSS. Rather, the standard is set by the major credit card companies through the Payment Card Industry Security Standards Council. PCI DSS regulates the security of credit card information and the systems used to process that information. The purpose of the PCI DSS is to reduce the likelihood of credit card fraud.

Section XII provides an overview of international data protection efforts. Worldwide, there is a growing body of legal activity addressing data privacy. As entities integrally involved in a global travel business, airports must be sensitive to international trends with respect to the management of personal data.

Section XIII explores contractual and policy issues for data collection and usage. As airports collect and exchange data with a range of stakeholders, issues like data ownership, access, storage, use, dissemination, and destruction will need to be addressed in contractual agreements. Additionally, the development and implementation of proper governance structures and programs is of critical importance to ensure that airports have proper practices in place to protect privacy, ensure security, and promote transparency.

Section XIV provides a resource guide to assist users in assessing the risk and requirements for different types of data collection and retention.

Section XV offers some concluding thoughts about the challenges and the opportunities presented by the new digital environment and uses of data by airports and airport stakeholders.

II. LITERATURE REVIEW

Data collection at airports presents novel privacy concerns, as data collection processes and systems rely on new technologies that test the boundaries of personal privacy. These technologies collect data in many ways and can generate conclusions about personal actions. Some identify people, whereas others track personal things, such as vehicles or electronic devices. But these objects may, or may not, be directly tied to specific individuals. Therefore, we must ask how and where privacy principles apply.

This section examines the founding principles of privacy and current trends to assist with analysis of privacy for airport applications.10 The literature reviewed here is augmented by case law, legislation, and legal commentary in the various sections of this report. This literature review strives to provide general insights and focus on current issues confronting the aviation sector.

A. New Technology—New Concerns

Samuel Warren and Justice Louis Brandeis' The Right to Privacy examines the nature and extent of individual privacy protections.11 Warren and Brandeis were concerned with newspapers and recent photography innovations like instantaneous photographs. They distinguished potential common law privacy protections such as intellectual property, contract, and fiduciary obligations and found a proper remedy in the broader "right to be let alone." Warren and Brandeis argued that although privacy is as old as common law, it is necessary from time to time to assess the nature of the right as it applies to current political, social, and economic demands. This revolutionary view of privacy was not adopted at that time, but it became a foundational undercurrent of privacy law over the last century. Portions of the concept of privacy constructed in the article were eventually adopted in the First Restatement of Torts, which defines privacy as an "unreasonabl[e] and serious interference with another's interest in not having his affairs known to others or his likeness exhibited to the public . . . ."12

B. Adapting to Technology Change and Developing Considerations

William Prosser's 1960 article Privacy discusses the development of privacy law in the wake of Warren and Brandeis' The Right to Privacy.13 Prosser discusses four distinct invasions of a person's interest: intrusion into seclusion or solitude, disclosure of secrets, false publication, and appropriation of identity. The Second Restatement of Torts adopted Prosser's four invasions of privacy.14

In Privacy, Prosser argues that the mere act of photographing a person in public does not invade privacy because this amounts to nothing more than a public record. He compares the photograph to a written description of a public sight that anyone present would be free to see. This approach reflects society's familiarity with photography and its use. By 1960, people understood how cameras worked, that they are portable, and how pictures may be taken and used. As a result, seventy years after the introduction of the portable camera, the public's perspective on privacy shifted. These shifts can be seen in the Supreme Court's discussions of privacy from the 1970s onward.

C. Statutory and Regulatory Move Toward Prevention

The development of computing in the 1960s and 1970s likewise caused a change in privacy law. Before the 1970s, tort law remedied harm to individuals; after the 1970s, Congress enacted statutes to prevent harm.15 At the time, the government created electronic records that resulted in massive data sets. Privacy advocates rallied against government data collection because of the fear of privacy invasions.

10 See Daniel J. Solove, A Brief History of Information Privacy Law, GW Law Scholarly Commons (2006), https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2076&context=faculty_publications.
11 See Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890).
12 Restatement (First) of Torts § 867 (1938).
13 See William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 384-85 (1960).
14 See Restatement (Second) of Torts § 652B (1977).
15 Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L. Rev. 1701 (2010).

1. Theoretical Underpinnings

There is a wealth of literature on the issue of privacy theory and its influence on American jurisprudence. Emanuel Gross, in his article The Struggle of a Democracy Against Terrorism—Protection of Human Rights: The Right to Privacy Versus the National Interest—the Proper Balance,16 provides an excellent survey of the literature defining privacy. This literature offers an important context for legal developments seeking to protect individual privacy rights.

Alan Westin's work, Privacy and Freedom, exploring individual privacy at the dawn of the computer age, was perhaps one of the most influential in shaping early privacy protections.17 Privacy and Freedom defines privacy as an individual's, group's, or institution's control over how and to what extent information about them will be communicated to others. Further, the work established a framework to assess privacy interests, finding that privacy: involves the voluntary and temporary withdrawal from general society; can occur through either physical or psychological means; and can take many forms, such as solitude or seeking anonymity18 in a larger group.19 The work also addresses the concept of reserve. Reserve is the notion that an individual holds back information about himself or herself to protect the public perception of who the individual really is.20 The work of Westin is important to an understanding of the early privacy protections developed by the U.S. government as it sought to address privacy in the modern era of data.

2. The Fair Information Practice Principles

The U.S. Department of Health and Human Services (HHS) formed an advisory committee to address data collection privacy concerns. The committee recommended congressional adoption of a code of "Fair Information Practice" involving notice and consent, access, data integrity, enforcement, and remedies.21 Those core principles evolved into the Fair Information Practice Principles (FIPPs), which have influenced much of the current thought about privacy and data protection in the United States and around the globe.22

While the FIPPs are designed to address personal information given in relation to consumer practices, for example credit card purchases, these core principles provide an evaluative tool that can be applied to data collected by airports. The FIPPs offer a good starting point for evaluation of any system where data is being collected or retained.

a. Notice/Awareness

This principle, described as the "most fundamental one,"23 addresses the need for organizations involved in information collection to advise the subjects of data collection regarding its occurrence and the purposes to which data collected will be applied. Information available to the public should include the identity of the "entity collecting data," the "uses to which the data will be put," the identity of "any potential recipients of the data," the nature of the data collected and the means of doing so, whether compliance is voluntary, and the means of assuring confidentiality and quality of the data.24 The notice provisions may also include providing information as to procedures for individual access to the data as well as redress and correction procedures.

b. Choice/Consent

This principle of the FIPPs means "giving consumers options as to how any personal information collected by them will be used."25 Applying this principle requires that a data subject understands the collection and use of the data and voluntarily agrees to that collection and use. The choice/consent addressed by the FIPPs frequently concerns the secondary use of consumer information. For example, an individual who presents a credit card and the attendant information associated with it to make a purchase is not consenting to the secondary market research purposes that a vendor may have for the information. Choice for data subjects is often accomplished through "opt-in or opt-out" provisions.

Challenges to the application of opt-in and opt-out arise in several contexts. Data collectors must consider the default if an election is not made by the individual. Consideration needs to be given to whether the individual is being coerced into surrendering consent. Additionally, consent can be something other than a binary choice, with an individual allowed to "tailor" information provided.26 With respect to choice/consent, the FTC notes that "[i]n order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice."27

c. Access/Participation

This principle concerns the right of the individual to understand the nature of data gathered concerning him or her by examining it. It allows the individual to ensure that data collected about one's self is accurate and is being held in accordance with system requirements. The FIPPs note that this principle requires simple, timely, inexpensive procedures to access and contest inaccuracy.28 While affording individual access can serve as a check against government abuse, providing access presents several technical problems. Where the data has already been segregated, providing access might be easy. Affording individuals access to data, especially when it is individuated and categorized, is important to privacy interests of anonymity and reserve. It is important for individuals to understand exactly what type of information is being maintained about them. Accessing this information allows individuals some understanding of the degree to which their privacy interests may be compromised.

16 Emanuel Gross, The Struggle of a Democracy Against Terrorism—Protection of Human Rights: The Right to Privacy Versus the National Interest—The Proper Balance, 37 Cornell Int'l L. J. 27 (2004).
17 See Alan F. Westin, Privacy and Freedom (1970).
18 The right to preserve anonymity has not yet gained full protections in the United States, but it has gained fuller acceptance in other influential data protection frameworks elsewhere.
19 Alan F. Westin, Privacy and Freedom 7 (1970).
20 Id.
21 Computers and the Rights of Citizens, U.S. Dep't Health, Educ., & Welfare (1973), https://www.justice.gov/opcl/docs/rec-com-rights.pdf.
22 See Privacy Online: Report to Congress, F.T.C. (1998), at 48, n. 27, https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-report-congress/priv-23a.pdf.
23 Id. at 7.
24 Id. at 7-8.
25 Id. at 8.
26 Id.
27 Id.

d. Integrity and Security

Integrity and Security ensures that the data collected is uncompromised and accurate. It also provides assurance that the data will only be used for the authorized purposes that supported its collection and maintenance. Physical and logical security measures, including cybersecurity measures, are critical. Application of both "managerial and technological" measures is important.29

As measures for Integrity and Security are being developed, thought must be given to external processes like requirements imposed by legal process (court orders, subpoenas, and administrative mandates like open records requests). Unless specific statutory relief is provided, local governments may be compelled by open records laws or court procedures to provide information to third parties completely or in some redacted form.

Integrity and Security also impacts data retention. The establishment of a retention schedule and the elimination of data at the conclusion of retention are universally accepted requirements. Also accepted is the notion that retention beyond the schedule may be appropriate for certain data (e.g., data to be used as evidence in a criminal proceeding). The setting of retention schedules can vary widely and may in some circumstances be controlled externally by state or local records retention laws or ordinances.

The Integrity and Security of the system is of critical importance to the concept of reserve as described by Westin. While the individual may feel discomfort in knowing that information is in the possession of the government, an understanding of the rules for release of the information and the fact that it will not generally be released to others allows for some restoration of the sense of reserve.

e. Enforcement and Redress

The final FIPP principle is for there to be some mechanism for Enforcement and Redress incorporated into the system. The reasoning behind these provisions is that they will ensure that entities collect data according to their own rules. Without them there is concern that regulations will be "[s]uggestive rather than prescriptive."30 The FIPPs note that compliance can come from self-regulation or be externally imposed in the form of civil actions or civil and criminal penalties through government action. While the FIPPs do not apply where data is not individuated or cannot be linked to an individual's identity, the growth of databases and analytic tools makes it increasingly possible to identify individuals by aggregating data without identifiers.

D. International Distinctions

Differences regarding data laws and regulations around the world provide interesting insights into societal focuses on privacy and the dynamic environments that technology companies must navigate to build scalable data collection products and services. Companies seeking to deploy their systems around the world will find substantially different requirements and focuses on data collection. Determann's Field Guide to Data Privacy Law: International Corporate Compliance details data privacy concepts around the world and, more specifically, compares European and U.S. regulations.31

For example, U.S. laws and regulations focus on the privacy intrusion caused by data collection and use, whereas the EU's GDPR protects individuals by restricting and limiting automated processing and storage of an individual's personal data. U.S. statutes tend to focus privacy concerns on narrowly defined personally identifiable information (PII) tailored to the context and purpose of the data collection. In contrast, the EU applies a sliding scale to determine if personal data can be linked to an individual. Similarly, the United States and the EU differ in which sensitive data they perceive as requiring higher standards of protection. For example, the United States focuses on social security numbers and credit card information because of the risk of theft. The EU's focus on sensitive information includes political opinion, affiliations, medical history, racial and ethnic origins, religious beliefs, sexual orientation, and criminal records.

One concept that has won broad international acceptance for protection of privacy is that of "privacy by design" (PbD). PbD was introduced in the mid-1990s by the Privacy Commissioner of Ontario, Canada, who contended that a simple compliance-based strategy was inadequate to address growing threats to privacy in the digital age. The essential tenet of PbD is to introduce measures so that "privacy assurance must ideally become an organization's default mode of operation."32 The introduction of PbD was supported by seven principles for implementation. These principles infuse measures to prioritize privacy protection in organizational processes.

28 Id. at 9.
29 Id. at 10.
30 Id.
31 Lothar Determann, Determann's Field Guide to Data Privacy Law: International Corporate Compliance (3rd ed. 2017).
32 Ann Cavoukian, Privacy by Design, Information & Privacy Commissioner (Jan. 2011), https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf.
PbD principles require organizations to take a proactive look at their systems to ensure privacy protection at all points from collection to disposal. These principles also focus on privacy protection in technology systems as well as in organizational policies and procedures. Key goals are a secure and transparent use of data that places protection of privacy at the forefront. The importance of the PbD concept both to U.S. efforts by the FTC to enforce privacy protection and to international adoption in the GDPR is well established.33 Adoption of the PbD concept is thought to strongly advance individual privacy interests. The National Institute of Standards and Technology (NIST) Privacy Framework34 specifically calls out the support of PbD as one of the key benefits of its approach.

E. Present Day Challenges in Defining Privacy and Enforcement Practice

Moving to the present day, with the increasingly rapid development of technology, legal scholars, lawmakers, and the public struggle to define privacy. Privacy law expert Daniel Solove concluded in his 2008 book Understanding Privacy that privacy is a concept in disarray that is difficult to articulate.35 Solove challenges existing narrow views of privacy when assessing whether an activity may infringe upon a person's privacy interest. He contends that this results in the conflation of distinct privacy issues or a failure to recognize that an issue even exists. Solove argues that privacy consists of many things and requires a mapping to account for full situational context.36

Solove's A Model of Privacy Protection addresses structural concerns over how the United States regulates privacy through a sectoral rather than a comprehensive statutory approach.37 Contrasted with the EU's omnibus approach to privacy and data protection, concern exists that the United States' more piecemeal approach leaves significant gaps. For example, a more balkanized approach to privacy and data protection requires a more diligent examination of several differing federal and state measures rather than an easier analysis of a single comprehensive statutory framework.

In addition to the challenges caused by the lack of a comprehensive privacy approach, there are further challenges posed by the increase in technological ability to circumvent privacy protection. Paul Ohm argues anonymization strategies no longer work given the ability to identify people through various data sets.38 Many statutes categorize data risk and prevent practices that would collect or combine such data. Most often these statutes focus on PII. Yet Ohm identifies multiple studies showing how even non-PII data can effectively identify a person and invade their privacy. Additionally, he contends that the current regulatory frameworks fail because new data fields will always emerge that effectively invade privacy, and these inherently reactive regulatory regimes always lag behind perpetually unfolding technological development. This work suggests that privacy protection efforts should place greater attention on collection, use, and retention of data because anonymization strategies have proven to have limited use.

Over the years, the Federal Trade Commission (FTC) has devoted substantial effort to regulating data privacy. This work includes both the development of influential reports and enforcement activity. For example, the FTC issued a data privacy report in 2012 recommending that companies follow the FIPPs.39 Additionally, the FTC recommended sector-specific codes of conduct, privacy by design, and clear and standardized transparency. The report distinguishes between collecting data consistent with a company's interaction with a consumer and data collection that is inconsistent with typical customer interaction. The FTC report concludes that a company does not need to disclose data collection where the collection is consistent with business interactions, but should provide customers a choice regarding their data when the collection does not rationally adhere to the business interaction.

The FTC has also enforced numerous privacy-related cases. Daniel Solove and Woodrow Hartzog argue in their 2013 article, The FTC and the New Common Law of Privacy, that the FTC has created a common-law-like regulatory regime because of its consistent application of rules in its complaints and orders.40 According to Solove and Hartzog, the FTC has sought to protect privacy interests through enforcement actions related to deception, unfairness, statutory violations, or violations of international agreements.41

The fact that airports in the United States are governmental entities adds additional complexity and nuance in this context. As governmental entities, airport authorities often must comply with record retention and record dissemination measures. Natural tension exists between governmental transparency and protecting privacy and proprietary data.42

Just as the literature points to the need for a multi-jurisdictional analysis within the United States to understand the full requirements of privacy protection, international influences require consideration as well. Commentators have noted that the development of data protection regulatory regimes in the EU is influencing approaches across the globe.43 Understanding this influence is critical to understanding future privacy trends.

33 See Stuart Pardau & Blake Edwards, The FTC, the Unfairness Doctrine and Privacy by Design, New Legal Frontiers in Cybersecurity, 12 J. Bus & Tech. L. 227, 264-66 (2017).
34 NIST Privacy Framework.
35 Daniel Solove, Understanding Privacy (2008).
36 Id. at 10.
37 See Daniel J. Solove & Chris Jay Hoofnagle, A Model Regime of Privacy Protection (Version 3.0), 2006 Univ. of Ill. L. Rev. 357 (2006), https://ssrn.com/abstract=881294.
38 Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L. Rev. 1701 (2010).
39 Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, F.T.C. (Mar. 2012), https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf.
40 Daniel Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia L. Rev. 583, 620-21 (2014).
41 Id. at 627-66.
42 See, e.g., Keith W. Rizzardi, Sunburned: How Misuse of the Public Records Laws Creates an Overburdened, More Expensive, and Less Transparent Government, 44 Stetson L. Rev. 425 (2015).

To assist organizations in addressing the challenges of growing data sources and the need for protections, experts are developing hermeneutic tools to help develop more effective approaches to understanding privacy regulatory needs and implementation. In January 2020, NIST issued a privacy framework to organize and manage privacy risk.44 This framework recommends considering privacy during system design and deployment, communicating privacy practices, and encouraging cross-organizational workforce collaboration. It offers a structure for the case study presentations and analysis offered in this work.

F. New Technology Driven Privacy Frontiers

As facial recognition began gaining prominence, the International Justice and Public Safety Network issued a report discussing law enforcement's use of facial recognition technologies and its impact on the public's expectation of privacy.45 The report recognizes that data collection can have a chilling effect on an individual's actions based on the type of information collected and how the data is used. It recommends limiting distribution of the data and implementation of proper access and dissemination policies.

Privacy Principles for Facial Recognition Technology in Commercial Applications establishes standards for privacy protections where technology collects, creates, and maintains facial templates to identify individuals.46 This work argues that the creation or storage of a photo or video on its own does not inherently implicate facial recognition privacy concerns. Nor do basic facial detection systems that do not create or collect personalized information about an individual consumer's image, because it is not identifiable or linkable to the person. The standards discussed here include consent, context, transparency, data security, privacy by design, integrity and access, and accountability.

The U.S. Chief Technology Officer announced the United States' artificial intelligence (AI) strategy on January 7, 2020.47 The strategy calls for federal agencies to consider rulemaking processes before deploying AI systems. Additionally, it calls on federal agencies to consider fairness, transparency, safety, and security in developing AI programs.

G. Growing Discussions of Airport Data Use Cases in the Literature

All aspects of an airport's operation can involve some form of privacy data collection, used in processing a transaction, facilitating the flow of a passenger or their luggage, tracking people volumes and movement within an area of the airport, screening to identify security threats, and so on. A review of industry forums such as Airports Council International (ACI)48 and Future Travel Experience (FTE)49 offers a glimpse into trends in technology adaptation and data use in airports. Over the past few years, top technology topics covered at annual conferences include biometrics, blockchain, AI and machine learning (ML), robotics, RFID in baggage, chatbots and translation technologies, personalized wayfinding through augmented reality, virtual reality and immersive experiences, mobile app ordering and delivery, internet of things (IoT), 5G cellphone service, and cybersecurity.50 All these advancements change the way data is collected about people and create potential privacy implications.

Most importantly from a privacy perspective, the development and use of biometrics, an immutable digital identity attribute, across the entire passenger experience highlights the importance of airport competency in privacy data collection, use, sharing, and protection. For example, beyond the existing U.S. CBP Traveler Verification System (TVS) used for security purposes, the International Air Transport Association (IATA) is working to create a biometric recognition program that will enable passengers to travel without documentation.51 IATA intends to use facial biometric technology to identify passengers at each airport touchpoint. IATA's One ID will require coordination between airports, airlines, and governments to become an interoperable system. One ID relies on four main elements:

43 See Paul M. Schwartz, Symposium: Global Data Privacy the EU Way, 94 N.Y.U. L. Rev. 771 (2019). In this journal article the author surveys the literature examining the influence of the European Union's General Data Protection Regulation internationally, including in the United States.
44 NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Nat'l Inst. of Standards & Tech., U.S. Dep't of Commerce (Jan. 16, 2020), https://www.nist.gov/system/files/documents/2020/01/16/NIST%20Privacy%20Framework_V1.0.pdf.
45 The International Justice and Public Safety Network: Privacy Impact Assessment Report for the Utilization of Facial Recognition Technologies to Identify Subjects in the Field, Nlets – the International Justice and Public Safety Network (June 30, 2011), https://www.eff.org/files/2013/11/07/09_-_facial_recognition_pia_report_final_v2_2.pdf.
46 Future of Privacy Forum, Privacy Principles for Facial Recognition Technology in Commercial Applications (2018).
47 Michael Kratsios, AI That Reflects Values, Bloomberg Opinion (Jan. 7, 2020), https://www.bloomberg.com/opinion/articles/2020-01-07/ai-that-reflects-american-values?srnd=opinion.
48 Airports Council International, https://aci.aero/ (last visited Aug. 5, 2020).
49 Future Travel Experience, https://www.futuretravelexperience.com (last visited Aug. 5, 2020).
50 10 Technology Trends for Airlines and Airports in 2018, Future Travel Experience (Jan. 2018), https://www.futuretravelexperience.com/2018/01/10-technology-trends-airlines-airports-2018/; 10 Technology Trends for Airlines and Airports in 2019, Future Travel Experience (Jan. 2019), https://www.futuretravelexperience.com/2019/01/10-technology-trends-airlines-airports-2019/; 10 Technology Trends for Airlines and Airports in 2020, Future Travel Experience (Jan. 2020), https://www.futuretravelexperience.com/2020/01/12-technology-trends-for-airlines-and-airports-to-focus-on-in-2020/.
51 Adele Berti, One ID: inside IATA's plan to end paper travel documents, Airport Technology (Jan. 16, 2020), https://www.airport-technology.com/features/iata-one-id/.