The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. This legislation introduced a number of new obligations on organisations that handle personal data. Airlines (both within and outside of the European Union (the EU)) have spent a significant amount of time and effort over the past few years familiarising themselves, and working towards compliance, with these new and enhanced data handling rules. However, the GDPR is not the end of legislative reform in the area of data protection. Following behind is the next phase in the EU’s Digital Single Market Strategy, namely the ePrivacy Regulation.
At this stage it is not possible to answer the question of whether or how the ePrivacy Regulation will apply in the United Kingdom in light of Brexit. However, we consider that airlines operating in the UK need to be aware of it because: (i) the UK is likely to reflect all European data protection-related laws into national laws to increase the likelihood of the Commission finding that the UK laws adequately protect personal data; and (ii) the wide territorial application of the ePrivacy Regulation which we explain below.
What is the ePrivacy Regulation?
Much as the GDPR aimed to harmonise the different data protection laws across European member states, the ePrivacy Regulation is designed to harmonise the European laws on the confidentiality of electronic communications data including machine-to-machine communications, email and online marketing and the online tracking of individuals. For commercial airlines that use sophisticated methods for communicating with, and advertising to, their passengers and loyalty club members, these rules will be particularly relevant. Many other stakeholders in the aviation industry will also be impacted, due to their use of online tracking technology and the business-to-business advertising that they undertake.
Originally scheduled for a similar implementation date as the GDPR, the ePrivacy Regulation remains in draft form and is currently working its way through the EU legislative process. It is still unclear when it will come into effect. Due to a number of contentious issues remaining open, most commentators are of the view that the regulation will not be agreed until 2019 or possibly even later. Assuming a reasonable implementation period, this may mean that it does not come into effect until 2020 at the earliest.
Regardless of when it finally comes into force, airlines should be aware now of what the ePrivacy Regulation is likely to mean for them. In particular, they should assess the possible impact of the rules as they develop when designing marketing strategies and considering how they stay connected to their passengers and loyalty customers and track website visitors online.
Who will the ePrivacy Regulation apply to?
The ePrivacy Regulation will apply to any organisations that collect information from the devices of individuals in the EU, for example, via cookies or other tracking technology and who send direct marketing to individuals in the EU, regardless of where the relevant organisation is based and whether the data is processed in the EU or not.
This means that airlines based outside of the EU are likely to be caught by this legislation in much the same way as they are caught by the GDPR if they market to or track individuals in the EU. Indeed, as a rule of thumb, airlines should work on the basis that if the GDPR applies to them because of its wide territorial application, it is likely that they will be subject to the ePrivacy Regulation too. Airlines based outside of the EU that are affected will need to appoint a representative in the EU, who can be addressed by supervisory authorities and data subjects on issues related to compliance with the regulation.
Key points to be aware of
The ePrivacy Regulation covers a wide range of activities. Those that will be most relevant to the majority of the aviation industry are summarised below, based on the latest draft of the full regulation published by the Bulgarian presidency on May 4, 2018 and the updates to Articles 6, 8 and 10 published by the Austrian presidency on July 10, 2018 and September 20, 2018.
Electronic direct marketing
As the ePrivacy Regulation is intended to be technology-neutral, the activities falling within the scope of direct marketing communications will be broader under the ePrivacy Regulation than under current law and will include in-app advertisements, marketing via instant messaging applications and other new communication channels. However, early suggestions that advertising shown on a website might constitute direct marketing seem to have been dropped in the latest draft, although this does not get around the cookies and online tracking requirements mentioned below.
Whilst the general requirements remain broadly the same, airlines that send marketing via electronic means or telephone should be aware of the following changes that look set to be introduced by the ePrivacy Regulation:
- Consent for marketing has to be “GDPR-level” consent, namely freely given by way of affirmative action (i.e. not implied), using language that is clear, specific, granular and distinguishable from other information and tells the individuals what they are consenting to and that they can opt-out in the future.
- The reliance on “soft opt-in”, i.e. where opt-out consent can be relied on in certain limited circumstances, no longer applies where personal data is collected in the context of a “negotiation” for a sale (as currently applies in the UK, but not in other European jurisdictions). Instead, it must relate to an actual sale.
- Member states are given the option to limit the time period within which “soft opt-in” can be relied on.
- Member states may require organisations sending direct marketing calls to present a specific code/prefix identifying the fact that it is a marketing call.
In addition, it remains unclear whether member states will be permitted to retain their ability to allow B2B marketing without consent. Whilst the ePrivacy Regulation makes it clear that these rules apply to “end-users that are natural persons”, it remains unclear how this would apply when marketing to individuals acting in a professional capacity, for example, using a personalised corporate email address firstname.lastname@example.org.
What is clear from the electronic marketing rules in the proposed ePrivacy Regulation, however, is that the law in this area will still not be fully harmonised. Organisations that operate in multiple different European member states, as many airlines do, will continue to need to have regard to the different member states’ laws, thereby negating one of the key aims of the ePrivacy Regulation in the first place.
Cookies and online tracking
The ePrivacy Regulation also introduces some helpful changes and clarification in this area. Firstly, it carves out more circumstances than exist under current law in which consent for cookies is not required. This list now includes cookies used for web audience measuring (i.e. certain analytics cookies), used to detect fraud or technical faults, and those used for certain security purposes, alongside the current exemption that applies to “strictly necessary” cookies. In addition, despite earlier drafts suggesting otherwise, it appears that “cookie walls” (i.e. where access to online services or content is made conditional upon the user agreeing to cookies) may be permitted in some circumstances.
Wi-Fi connection in airport lounges or in-flight
The ePrivacy Regulation clarifies that organisations can collect information emitted by terminal equipment, for example, phones or laptops, for the purposes of connecting to another device or to a network connection, provided that such collection of information is done exclusively, and for the time necessary, for the purpose of establishing or maintaining a connection.
This means that airlines will be able to continue offering WiFi, for example, in their lounges or in flight, but will need to ensure that any data collected to enable this is used and retained solely to the extent necessary for this connectivity purpose.
Tracking individuals’ physical movements through their devices
The ePrivacy Regulation recognises the potential benefits of tracking individuals’ physical movements based on the collection of certain device data, for example, the MAC address. This could be useful, for example, to ascertain the number of people in specific areas and the number of people waiting in line.
The ePrivacy Regulation permits this type of “statistical counting” (which would not include collecting data from devices to send commercial messages to end-users, e.g. when they are walking around an airport) without the end user’s consent, provided that: (i) the relevant statistical counting is limited in time and space to the extent necessary for the purpose; (ii) appropriate security measures are put in place in relation to such use; and (iii) a prominent notice is given explaining the purpose of the tracking and how to minimize or stop the collection.
What happens if airlines get it wrong
The potential fines for non-compliance with the ePrivacy Regulation will be the same as the fining regime under the GDPR. This means that airlines will face fines of up to the greater of €10 million or 2 per cent of worldwide turnover for breach of the rules relating to the areas mentioned above. Other breaches under the ePrivacy Regulation may be subject to even higher fines of up to the greater of €20 million or 4 per cent of worldwide turnover.
What about laws outside of the EU?
As explained above, the ePrivacy Regulation will apply to many airlines that are based outside of the EU, but who are marketing or tracking users in the EU. These airlines will have to consider how they apply these rules alongside the equivalent rules in their jurisdictions.
For example, many Asian countries require organisations to collect consent before sending email marketing. In Hong Kong, for example, laws around consent for sending any direct marketing materials (not limited to email marketing) were introduced in 2012 and require organisations to provide specific information (e.g. the types of personal data that will be used in marketing and the list of marketing subjects) and obtain express consent from individuals prior to marketing to them.
Other jurisdictions, most notably the United States, do not have equivalent rules on the use of online tracking technology and consent for electronic marketing. For example, US federal law generally allows a company to send commercial emails to any recipient, provided the recipient has not opted out of receiving such emails, and the emails clearly explain how the recipient can opt out of receiving future emails. Airlines in these jurisdictions, who target EU passengers and other individuals, will therefore need to consider whether and how they implement the more onerous EU requirements only where required, whilst maintaining a more permissive regime elsewhere.
What should airlines be doing now?
Airlines should already be thinking about whether their email marketing and cookie consent language is GDPR-compliant. In relation to the other areas including whether the marketing rules will apply to B2B marketing, the exemptions to the cookie consent rules and the requirements relating to “statistical counting” using device data, airlines should track the development of the ePrivacy Regulation and consider its potential impact on any proposed new initiatives in this area.