This piece has been authored by Tanuj Agarwal, a third year B.Com.LL.B (Hons.) student at Institute of Law, Nirma University, Ahmedabad.

Introduction to GDPR

In the contemporary world, there is a substantial advancement of digital economy in business transactions. Such advancement of digital economy is indispensable for the betterment of industry. However, it also faces serious concerns regarding the data protection of individual and businesses who are involved in digital economy. Consequently, the General Data Protection Regulation (hereafter “GDPR”) was introduced to simplify and provide the regulatory mechanism for data protection, so that the individuals can be effectively benefitted from the digital economy. The GDPR came into effect in European Union (hereafter “EU”) on May 25, 2018.[i] The fundamental feature of GDPR is to impart numerous rights to EU citizens to safeguard their personal information and imposes limitations on companies regarding data protection. The GDPR imposes two level fines on controllers and processors for the personal data breach. Controllers determine the means and purposes of processing personal data[ii] where Processors affianced in processing personal data on controllers’ instruction[iii].

How does GDPR affect Indian Aviation Industry?

As discussed, GDPR is introduced to safeguard the personal information of EU Citizens. It raises question as to how the law made in Europe affects the Indian Aviation Industry. With that regard, it is pertinent to note that GDPR has an extra-territorial reach.[iv] The GDPR mandates its compliance for any entity that controls or processes the personal data of a natural person in the EU irrespective of whether such an entity is located it in the EU or elsewhere. The Indian airlines may have EU citizens as their customers. Consequently, the Indian airlines controls and processes data such as contact details, payment and passport details in relation to their customers in EU. Hence, the Indian airline company while providing services to EU residents are bound by GDPR even if they centred outside the EU.

Furthermore, the Indian data protection regime will also have some modification to make it in consonance with GDPR. For that, Justice BN Srikrishna committee proposed draft legislation titled “Personal Data Protection Bill, 2018”.[v] The draft contains certain principles such as right to be forgotten, right to portability, right to access and correction, etc. which is inspired by GDPR. Therefore, the Indian Aviation Industry would necessarily need to comply the national applicable data protection law which will be more or less based on the GDPR principles.

Impacts of GDPR on Indian Aviation Industry

GDPR imposes several compliance requirements for data protection which must be followed by the Indian aviation industry since it extensively handles the personal data of its customers, employees, officers, etc. The major provisions which substantially affect the Indian aviation industry are as follows:

Difficult to obtain consent:

As per GDPR, the airline needs to demonstrate that it has obtained the consent for specific purpose rather than general consent even if the information is possessed lawfully. Moreover, the grounds for processing “sensitive personal data” necessitates explicit consent for a specified purpose. Sensitive personal data is data involving biometric data, trade union membership, racial or ethnic origin, religious beliefs, data concerning health, etc.[vi] Aviation industry manages huge volume of sensitive personal data such as passengers’ meal choice, health assistance requirements (whether required wheelchair or condition of pregnancy), security data (passport details & biometric) and ethnic monitoring of employees data which in turn imposes greater onuses on airlines.

Expeditious reporting of data breaches:

In case of security breaches, GDPR requires that the airlines must report the competent national authority of personal data security breaches without unnecessary delay, and where reasonable, within 72 hours.[vii] Further, if the breach is expected to cause an extraordinary danger, the airlines are compelled to communicate data breaches to concerned persons.[viii]

Individual rights under GDPR:

GDPR bestows an individual with a right to access,[ix] and a right to be forgotten[x] with respect to the personal data an airline has on them. Airlines must expedite the implementation of such rights within a month[xi] without charging any fee.[xii] Airlines should preserve their internal processes under examination to safeguard unremitting compliance of such requirements.

Determination of controller while sharing customer data:

Airline shares personal data of its customer with several entities such as agents, governments, code-sharing agreements,[xiii] airports, hotels, other airlines, etc. Airlines mostly share personal data with these entities as per their privacy policy. Every such relationship involves explicit GDPR and privacy concerns. This sharing raises important considerations as to the determination of controller. Thereby, the airline must confirm that they have an insight of all relationships where they share personal data of customer and warrant that proper contractual terms administer such sharing.

Ailing Indian Aviation Industry and penalties in case of non-compliance of GDPR

In financial year 2019, the aggregate loss that the Indian aviation industry is likely to report is about Rs. 88 billion. Consequently, the industry is expected to require a capital infusion of Rs. 200 billion in the financial year 2019-21. Depreciation of rupee, high prices of aviation fuel, extreme parking and landing charges, heavy debt and fare wars, etc. makes the operation of industry challenging. When it comes to financial and operational performances, major Indian airlines such as SpiceJet, IndiGo, Air India and GoAir are struggling. Moreover, Jet Airways is facing its biggest financial disaster in history. In such turbulent time for the aviation industry, there is another mandate to comply with GDPR as non-compliance of it will lead to heavy fines. The GDPR imposes two-tier heavy administrative fines on controllers and processors. The fine prescribed is of €10 million or 2% of annual global turnover whichever is higher for infringements of certain articles[xiv] and in other cases, the fine is €20 million or 4% of annual global turnover whichever is higher.[xv] In India, similar to GDPR the draft of “Personal Data Protection Bill, 2018” prescribes penalty of higher amount of Rs. 5 crore or 2% of the global turnover of a company in the previous year.[xvi] Further, the penalties extend to higher amount of Rs. 15 crore or 4% of the global turnover for other infringements such as breach of provisions on cross-border transfers, grounds of processing, etc.[xvii]

Such provisions of penalties under GDPR were also enforced against airlines. On September 7, 2018 British Airways has reported a data breach of credit card details by cyber criminals. The regulators are scrutinizing the incident and the firm may bear a probable penalty of around £500 million.[xviii] Further on November 15, 2018, another data hack came to light where Cathay Pacific Airline may face stringent penalties. It was suffered from a prolonged hacking attack which affected personal data of millions of passengers.[xix]

Ways to control the turbulence spawned by GDPR

GDPR upturns loads of responsibilities on Indian aviation industry. However, it is necessary and inevitable for the protection of personal data of individual. There are various ways by which the airlines can effectively cope with the GDPR. Airlines should designate individuals who will be accountable for establishing parameters for making decisions pertaining to determine the extent of loss, the people affected, security arrangement, etc. Such individuals should measure the degree of breach and decide whether or not the breach is to be notified to the central authority or concerned people. Make sure that such an individual should have proficiency on Indian data protection law as well as on the GDPR. Taking into account the short time limits of reporting the data breach, the airlines should create a proper data security breach procedure to expedite the procedure governing breach. To comply with the consent requirements, airlines should verify that each individual on its databases has explicitly consented to accept electronic marketing. Airlines should make certain that their data protection policies are transparent and updated as per norms. Furthermore, airlines can opt for cyber insurance policy to reduce the potential damage in the event of a personal data breach.

[i] EUR-Lex, https://eur-lex.europa.eu/content/news/general-data-protection-regulation-GDPR-applies-from-25-May-2018.html (last visited June 7, 2019, 10:03 PM).

[ii] General Data Protection Regulation, (EU) 2016/679, (2018), art. 4(7).

[iii] Id., art. 4(8).

[iv] Id., art. 3.

[v] Siladitya Ray, Justice Srikrishna data protection draft bill is now public, highlights and what happens next, Medianama (July 27, 2018), https://www.medianama.com/2018/07/223-sri-krishna-bill-submitted/.

[vi] Supra note 2, art. 9.

[vii] Id., art. 33.

[viii] Id., art. 34.

[ix] Id., art. 15.

[x] Id., art. 17.

[xi] Id., art. 12(3).

[xii] Id., art. 12(5).

[xiii] Code sharing agreement is an arrangement through which the airlines place its designator code on a flight operated by another airline and sell tickets on behalf of that airline [Code Share Agreements: Meaning, Types And Benefits!, Fly Deal Fare (Sept. 16, 2017), https://blog.flydealfare.com/code-share-agreements-meaning-types-benefits/].

[xiv] Supra note 2, art. 83(4).

[xv] Id., art. 83(5).

[xvi] The Personal Data Protection Bill, § 69(1) (2018).

[xvii] Id., § 69(2).

[xviii] GDPR Fines and Penalties, Nathan Trust, https://www.nathantrust.com/gdpr-fines-penalties (last visited June 9, 2019, 9:24 PM).

[xix] Id.