Business Aviation Insider

Flight Crews: Complying with Personal Data-Protection Rules

When the European Union (EU) General Data Protection Regulation (GDPR) was coming into force in 2018, some U.S.-based business aviation clients pushed back, according to Universal Weather and Aviation Senior Corporate Attorney Jessica Rivera-Rudak, on the premise that they did not operate to or in Europe. (They could potentially still be liable if they carried any EU citizens as passengers in the U.S., however.) Now, GDPR-like regulations are being implemented in California and New York, as well as in Brazil.

“The approach that we’ve taken is to apply the European standard worldwide,” said Rivera-Rudak. “The rest of the world is beginning to follow.”

The GDPR strengthens individual privacy rights and calls for potentially large fines for non-compliance (up to 4% of a company’s prior-year global revenue). A company can be held responsible even if the data breach occurs at another company to which it gave the information.

“If one of our clients gives us information and we lose the data, or handle it inappropriately, our client could be held liable for our breach,” said Rivera-Rudak. “It’s very important to take these laws seriously.”

The GDPR “requires clear consent by the person whose data you are entrusted with and the ability to withdraw that consent,” noted Rick Snider, manager of regulatory support for Collins Aerospace. You must also be able to demonstrate that consent is for a specific purpose, not generic.

The GDPR covers anything that can directly or indirectly identify someone. It prohibits processing special categories of data, such as an individual’s racial or ethnic origin, religious beliefs, sexuality, political opinions, trade union memberships, or health.

Compliance for Part 91 operators, which have a smaller pool of passengers, may seem less challenging than for Part 135 charter operators. But both types of operators should make sure their data is secure. They also should develop a data-privacy policy that includes limiting personal-data access to only those employees who need it, suggests Sarah Wolf, CAM, NBAA’s senior manager of security and facilitation.

Rivera-Rudak added, “The GDPR is really difficult to comply with, especially for small businesses. I wish that the law had been more carefully crafted. We had to forge our own path as to how it applied to business aviation, and it was a real struggle.”

Adding to the difficulty is that the laws keep changing. The European Commission is expected to evaluate whether the regulation needs to be modified.

In a related development, the California Consumer Protection Act (CCPA), which went into effect in January, was modified in February and again in March. Businesses are expected to be compliant by July 1.

The data security elements of New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD) went into effect on March 21, and it broadens the definition of a “breach” to include unauthorized access to private information.

Like the GDPR’s “extraterritorial” provision, the CCPA and SHIELD regulations extend beyond the borders of California and New York, applying to any organization with information about any resident from those states. In addition, Texas, Nevada and Washington are reportedly considering similar laws, as are Canada, Australia and India.
