Business Aviation Insider

Flight Crews: Complying with Personal Data-Protection Rules

When the European Union (EU) General Data Protection Regulation (GDPR) was coming into force in 2018, some U.S.-based business aviation clients pushed back, according to Universal Weather and Aviation Senior Corporate Attorney Jessica Rivera-Rudak, on the premise that they did not operate to or in Europe. (They could potentially still be liable if they carried any EU citizens as passengers in the U.S., however.) Now, GDPR-like regulations are being implemented in California and New York, as well as in Brazil.

“The approach that we’ve taken is to apply the European standard worldwide,” said Rivera-Rudak. “The rest of the world is beginning to follow.”

The GDPR strengthens individual privacy rights and calls for potentially large fines for non-compliance (up to 4% of a company’s prior-year global revenue). A company can be held responsible even when the data breach occurs at another company to which it gave the information.

“If one of our clients gives us information and we lose the data, or handle it inappropriately, our client could be held liable for our breach,” said Rivera-Rudak. “It’s very important to take these laws seriously.”

The GDPR “requires clear consent by the person whose data you are entrusted with and the ability to withdraw that consent,” noted Rick Snider, manager of regulatory support for Collins Aerospace. You must also be able to demonstrate that consent is for a specific purpose, not generic.

The GDPR covers anything that can directly or indirectly identify someone. It prohibits processing special categories of data, such as an individual’s racial or ethnic origin, religious beliefs, sexuality, political opinions, trade union memberships, or health.

Compliance for Part 91 operators, which have a smaller pool of passengers, may seem less challenging than for Part 135 charter operators. But both types of operators should make sure their data is secure. They also should develop a data-privacy policy that includes limiting personal-data access to only those employees who need it, suggests Sarah Wolf, CAM, NBAA’s senior manager of security and facilitation.

Rivera-Rudak added, “The GDPR is really difficult to comply with, especially for small businesses. I wish that the law had been more carefully crafted. We had to forge our own path as to how it applied to business aviation, and it was a real struggle.”

Adding to the difficulty is that the laws keep changing. The European Commission is expected to evaluate whether the regulation needs to be modified.

In a related development, the California Consumer Protection Act (CCPA), which went into effect in January, was modified in February and again in March. Businesses are expected to be compliant by July 1.

The data security elements of New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD) went into effect on March 21, and it broadens the definition of a “breach” to include unauthorized access to private information.

Like the GDPR’s “extraterritorial” provision, the CCPA and SHIELD regulations extend beyond the borders of California and New York, applying to any organization with information about any resident from those states. In addition, Texas, Nevada and Washington are reportedly considering similar laws, as are Canada, Australia and India.
