Data protection and the aviation industry

United Kingdom

The scope of the Data Protection Act 1998 is more certain than the effect, internationally, of differing standards of European legislation on a global industry such as aviation, let alone the implication to that industry's insurers. A more detailed note below assesses the potential effects of data transfer within a contract for carriage by air and the need for both airlines and insurers to consider data protection legislation when arranging cover.

On 1st March 2000, the Data Protection Act 1998 entered into force in the UK. Successor to the 1984 Act, it implements the EU Data Protection Directive's requirement that national legislation regulate processing of personal data. The Act's scope, however, (see e.g. Insurance Day 8.2.00) is more certain than the effect, internationally, of differing standards of European legislation on a global industry such as aviation, let alone the implications to that industry's Insurers.

The Directive operates a basic premise: that "Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their rights to privacy with respect to personal data."

Yet whilst the Directive required all 18 EC/EEA Member States to have put in place satisfactory measures by 24th October 1998, the European Commission is currently pursuing infringement cases against 6 Member States (France, Germany, The Netherlands, Luxembourg, Ireland and Denmark). Where legislation has been introduced, the Directive's flexibility has resulted in each individual State's data protection laws differing from the next. For an airline processing data in various States, compliance with local laws is vital, coupled with an awareness of the far-reaching scope of the Directive itself. So what, in the broadest terms, is required of an airline in its role as data controller?

Data must be processed fairly and lawfully, be accurate, up to date, and kept for no longer than necessary. It may be processed only if unambiguous consent has been obtained, if processing is necessary for contractual performance or a legal obligation, or if it is needed to protect an individual's vital interest. In addition, "sensitive personal data" such as race, political or religious beliefs, or data relating to health is more stringently protected, so that explicit, unambiguous consent of the individual becomes central. Perhaps most importantly, data can only be transferred to a country outside the EU where the European Commission is satisfied an adequate data protection framework exists.

The effect is perhaps best illustrated by example. Manuel, a Spanish national, purchases tickets in a Bilbao travel agency for himself and his elderly diabetic mother to travel Madrid/Lisbon/Rio on a Brazilian airline. On booking, Manuel advises the agent of his back condition. The booking information is entered on a computer reservation system (CRS) in order to provide adequate facilities during the two flights, but also in order to offer a tailored service in the future. Transfer of data onto the CRS is broadly permissible as necessary for the performance of the contract of carriage. However, continued retention of the data (notably sensitive data as to both passengers' health) is unlikely to be justifiable on those grounds alone, particularly if the levels of data processing in Brazil are deemed inadequate by the EU.

The preferable option, therefore, is for the Airline to obtain specific consent from Manuel to such retention. Yet whilst this might be feasible for Manuel, what of his mother, on whose behalf he purchased the ticket? The only workable (though untested) solution is assumption of an agency role by Manuel. Nevertheless, consent will still need to be obtained from him by the Bilbao travel agency, on the airline's behalf. The likelihood of data being retained in Brazil should also be explained to Manuel, as should the fact that transfer and retention of data in the airline's database are not necessary for performance of the contract.

Of course, legislation is only as strong as the penalty which underlies it, and it is this area that is of concern to Insurers. On a broad level, Member States are required to ensure individuals' rights are protected through the implementation of sanctions which will operate in the event of infringement. The power of the individual to complain to authorities such as the UK's Data Protection Commissioner can lead to compensation for any proven damage suffered. Under the 1998 Act it is also a criminal offence to process data without consent (unless certain exceptions apply), and company directors even run the risk of personal liability (with imprisonment the harshest penalty).

In the case of Manuel and his mother, it is difficult to identify what loss they could suffer through retention of data as to their health (although that in itself would not necessarily remove the risk of penalty) - but if, on transfer to Brazil, the data were corrupted, there would be clear cause for complaint and the responsibility for compensation would lie with the airline. In this instance, the Spanish interpretation of the EU Directive would operate, although potentially Portuguese law would be relevant if this was where the data was transferred from.

One further issue which should be considered is the application of data protection laws to booking directly with airlines through their websites. Had Manuel chosen to purchase his tickets on-line, the airline would have to set out the data protection position clearly and provide suitable facilities to allow him to consent to processing explicitly. If, a few months later, however, Manuel again visits the airline's website, it is possible that "cookies" used to collect information about the user would allow the airline to identify Manuel. Unless the use of cookies had been made clear and Manuel was able to identify precisely how his data was being processed, there would be a potential breach of the Directive's requirements (as implemented by the applicable local legislation). Once again, if Manuel were able to establish damage or loss as a result, a compensation payment could follow.

Would coverage under a standard aircraft liabilities policy extend to a compensation payment for breach of applicable data protection laws? Arguably, it is unlikely - unless the breach directly relates to performance of the contract of carriage, and results in, for example, personal injury, loss or delay, in which case there would be a distinct cause of action in any case (i.e. inter alia Warsaw Convention carriage as amended per EC Regulation 2027/97). Nevertheless, this is something that both the Insurer and the Insured should be aware of; coverage should be agreed during renewal negotiations and accurately reflected in the policy documentation. The wording to achieve this is outside the scope of this article but nonetheless will be the subject of ongoing review.

Recognition of the effect of the EU Directive is vital in situations where data can, through frequent flyer schemes and global airline alliances, change hands many times in connection with one simple transaction. Whilst it may be difficult for an individual person to establish proven loss, the possibility of an airline, albeit unwittingly, falling foul of the varied requirements can only serve to emphasise the need for Insurers to take the lead.

For further information please contact Alex Stovold on 020 7367 3463.

(This first appeared in Insurance Day on 22nd March 2000).