Airline Commercial Use of EU Personal Data in the Context of the GDPR, British Airways and Schrems II
19 Colorado Technology Law Journal 377 (2021)
52 Pages. Posted: 7 Oct 2020. Last revised: 3 Nov 2021
Date Written: September 10, 2021
Abstract
This study, which focuses on the commercial use of personal data by U.S. airlines, uses actual cases to help analyze the application of the EU General Data Protection Regulation (GDPR) to the airline industry. It is one of the first studies to do so, and as such contributes to the literature. It begins by highlighting the British Airways GDPR penalty case, in which the UK regulator publicized its notice of intention to issue the highest administrative fine to date under the GDPR.
When the GDPR applies to them, airlines should become fully aware of key provisions of the GDPR, starting with those related to its scope and its underlying data protection principles, discussed in this study. In addition, airlines must have a legal basis to process personal data under the GDPR and, as this study shows, must have adequately prepared for data subject requests to exercise rights and potential data breaches.
Several examples of the first GDPR sanctions in the airline industry are detailed, and lessons drawn. In this context, security of data is a key element. Finally, the recent Schrems II decision invalidating the EU-U.S. Privacy Shield Decision is examined, and its potential impact on the transfer of personal data from the European Union to the United States by airlines is studied, following an analysis of their privacy policies available on the Internet in the European Union.
Keywords: airlines, personal data, GDPR, general data protection regulation, Privacy Shield, Schrems, Schrems II, cross-border data flows, data flows, data transfers, British Airways, GDPR sanctions
JEL Classification: K2, K23, K42, K33, L93