General Data Protection Regulation (GDPR): It’s A European Thing. Or Not.

Nov. 21, 2018

At first review, the GDPR seems like a good thing for personal privacy: it’s a new EU-wide regulation (May 2018) on privacy and data protection that gives individuals control over their personal information and is fully enforceable in all EU member states. It also addresses export of personal data outside the EU. That could mean you or your business, if you work or travel into or out of the EU, because it applies to any enterprise in the EU—regardless of its location and the data subjects' citizenship—that is processing the personal data of people inside the EU. Controllers of personal data must put in place appropriate technical and organizational measures to implement the data protection principles.

“So what?”, I heard someone say. Thanks for asking. As an international traveler, US airlines and CBP know more about you than your mother does: name, home and business contacts, passport number and photo, biometrics, credit cards, travel itinerary/history, and probably your business class meal and wine preferences and your favorite hotels. Further, your data is continually being re-transmitted among the airlines taking you on to the next of the 28 EU countries’ 347 airports as you keep moving.

Perhaps more worrisome – note the issue cited above: regardless of its location and the data subjects' citizenship. I read that as saying not just travelers, but any employee of an EU company working in pretty much any country, including the US. I assume that includes a lot of foreign airline and airport employees serving most international airports in the US. I further assume most affected companies (but perhaps not all individuals) are aware of the regulation and its apparent potentially universal impacts. I’ve not seen these issues discussed yet, so I’m only asking questions, not providing answers. US airlines and airports collect a great deal more data for US regulatory use, but US airline employees at foreign airports are deployed among a few hundred airports throughout the EU, each of which may handle data collection and its privacy requirements differently. Subjects have the right to request a “portable” copy of the data in a common format, a concept to protect users from having their data stored in incompatible formats which, in turn, requires common technical standards to promote interoperability. Let me state from personal AvSec experience that common technical standards are hard to come by.

If you thought this was an inconsequential issue for international travel businesses, note that GDPR is a regulation which does not require national governments to pass any enabling legislation; violating entities may be fined up to €20 million or up to 4% of their annual worldwide turnover for the preceding financial year, whichever is greater.

What are the odds that all 28 EU countries and an undetermined number of other international entities will find agreement among their laws and regulations? I’m not a lawyer, but at least theoretically, a lot of unintended consequences are likely to ensue.