When the European Union (EU) General Data Protection Regulation (GDPR) was coming into force in 2018, some U.S.-based business aviation clients pushed back, according to Universal Weather and Aviation Senior Corporate Attorney Jessica Rivera-Rudak, on the premise that they did not operate to or in Europe. (They could potentially still be liable if they carried any EU citizens as passengers in the U.S., however.) Now, GDPR-like regulations are being implemented in California and New York, as well as in Brazil.
“The approach that we’ve taken is to apply the European standard worldwide,” said Rivera-Rudak. “The rest of the world is beginning to follow.”
The GDPR strengthens individual privacy rights and calls for potentially large fines for non-compliance (up to 4% of a company’s prior-year global revenue). A company can be held responsible even if a data breach is by another company that it gave the information to.
“If one of our clients gives us information and we lose the data, or handle it inappropriately, our client could be held liable for our breach,” said Rivera-Rudak. “It’s very important to take these laws seriously.”
The GDPR “requires clear consent by the person whose data you are entrusted with and the ability to withdraw that consent,” noted Rick Snider, manager of regulatory support for Collins Aerospace. You must also be able to demonstrate that consent is for a specific purpose, not generic.
“The European Union General Data Protection Regulation 'requires clear consent by the person whose data you are entrusted with and the ability to withdraw that consent.'”
Rick Snider Manager of Regulatory Support, Collins Aerospace
The GDPR covers anything that can directly or indirectly identify someone. It prohibits processing special categories of data, such as an individual’s racial or ethnic origin, religious beliefs, sexuality, political opinions, trade union memberships, or health.
Compliance for Part 91 operators, which have a smaller pool of passengers, may seem less challenging than for Part 135 charter operators. But both types of operators should make sure their data is secure. They also should develop a data-privacy policy that includes limiting personal-data access to only those employees who need it, suggests Sarah Wolf, CAM, NBAA’s senior manager of security and facilitation.
Rivera-Rudak added, “The GDPR is really difficult to comply with, especially for small businesses. I wish that the law had been more carefully crafted. We had to forge our own path as to how it applied to business aviation, and it was a real struggle.”
Adding to the difficulty is that the laws keep changing. The European Commission is expected to evaluate whether the regulation needs to be modified.
In a related development, the California Consumer Protection Act (CCPA), which went into effect in January, was modified in February and again in March. Businesses are expected to be compliant by July 1.
The data security elements of New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD) went into effect on March 21, and it broadens the definition of a “breach” to include unauthorized access to private information.
Like the GDPR’s “extraterritorial” provision, the CCPA and SHIELD regulations extend beyond the borders of California and New York, applying to any organization with information about any resident from those states. In addition, Texas, Nevada and Washington are reportedly considering similar laws, as are Canada, Australia and India.
International Business Aviation Council Ltd.