Airline Commercial Use of EU Personal Data in the Context of the GDPR, British Airways and Schrems II

19 Colorado Technology Law Journal 377 (2021)

52 Pages. Posted: 7 Oct 2020. Last revised: 3 Nov 2021.

W. Gregory Voss

TBS Business School; Toulouse Business School; University of Toulouse - Toulouse Business School

Date Written: September 10, 2021

Abstract

This study, which focuses on the commercial use of personal data by U.S. airlines, uses actual cases to help analyze the application of the EU General Data Protection Regulation (GDPR) to the airline industry. It is one of the first studies to do so, and as such contributes to the literature. It begins by highlighting the British Airways GDPR penalty case, in which the UK regulator publicized its notice of intention to issue the highest administrative fine to date under the GDPR.

When the GDPR applies to them, airlines should become fully aware of key provisions of the GDPR, starting with those related to its scope and its underlying data protection principles, discussed in this study. In addition, airlines must have a legal basis to process personal data under the GDPR and, as this study shows, must have adequately prepared for data subject requests to exercise rights and potential data breaches.

Several examples of the first GDPR sanctions in the airline industry are detailed, and lessons drawn. In this context, security of data is a key element. Finally, the recent Schrems II decision invalidating the EU-U.S. Privacy Shield Decision is examined, and its potential impact on the transfer of personal data from the European Union to the United States by airlines is studied, following an analysis of their privacy policies available on the Internet in the European Union.

Keywords: airlines, personal data, GDPR, general data protection regulation, Privacy Shield, Schrems, Schrems II, cross-border data flows, data flows, data transfers, British Airways, GDPR sanctions

JEL Classification: K2, K23, K42, K33, L93

Suggested Citation

Voss, W. Gregory, Airline Commercial Use of EU Personal Data in the Context of the GDPR, British Airways and Schrems II (September 10, 2021). 19 Colorado Technology Law Journal 377 (2021), Available at SSRN: https://ssrn.com/abstract=3702223

W. Gregory Voss (Contact Author)

TBS Business School

1 Place Alphonse Jourdain
CS 66810
Toulouse Cedex 7, Occitanie 31068
France

Toulouse Business School

20, bd Lascrosses
Toulouse, 31068
France

University of Toulouse - Toulouse Business School

20, bd Lascrosses
BP 7010
Toulouse, 31068
France
