Legal Implications of Data Collection at Airports (2021)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

ACRP LRD 42   3 LEGAL IMPLICATIONS OF DATA COLLECTION AT AIRPORTS Donald R. Zoufal, CrowZ Nest Consulting, Inc., Chicago, IL; Sean Cusson, Del Ray Solutions LLC, Alexandria, VA; Diane J. Larsen (Ret.), Circ. Ct. of Cook County, State of Illinois, Chicago, IL; Tobias Person, Von Oxon, LLC, Los Angeles, CA; Daniel Hantman, ­Chicago, IL; and E. Austin Maliszewski, Austin, TX I. INTRODUCTION their staff coordinate these implementations within the spaces that belong to them, and at times are beneficiaries of some of the A. Background of the Research data produced by those systems. The model is also instructive of As technology evolves, airports and their partners collect the type of data being collected and shared among airport stake- more data from passengers, employees, tenants, concessionaires, holders. More direct airport involvement in data collection and airlines, and others. This data is used in many ways, including sharing programs occurs in the developing areas that enhance for facility management, security, ground transportation, mar- the passenger experience. This collection and sharing involves keting, understanding passenger preferences, and enhancing data from personalized information and wayfinding through the travel experience. Similarly, airports and their tenants have websites, apps, kiosks, chat bots, and even roaming information considered whether and how they can collect data. A wide range service robots; from loyalty programs for parking, concessions of functions within the airport environment will use this data, and other support services; as well as from passenger path- including management, operations, marketing, external affairs, way analytics (from video and other sensors), from automated concessions, and planning and development. Those seeking to ­license plate recognition for transportation and parking man- gather information may not consider or be aware of the appli- agement, and from other emerging capabilities. cable legal requirements governing data collection and use, let Operational data sharing between airport stakeholders can alone the far-reaching implications associated with compliance. enhance airport operations. For example, sharing of passenger Implications include generating, preserving, and storing public load counts and airline operational data can significantly assist records and financial data; complying with data privacy statutes airports in short-term and long-term planning. Enhanced data and regulations; and creating infrastructure to prevent and re- sharing can also provide significant efficiencies and enhance- spond to data breaches. ments for facilities, planning, and maintenance; airfield, termi- Over the last two decades, the aviation sector increasingly nal, and landside operations; safety and security; and so on. That employed sensor systems, data collection, and information pro- sharing can include both anonymized and privacy data, but also cessing to facilitate the passenger journey. Especially since the involves significant proprietary concerns on the part of the air- advent of smartphones and the digitization of virtually every- lines and other commercial operators. thing in recent years, data is generated from almost every aspect Another area of growing data concern is increased data col- of the passenger journey. Data can be produced and collected lection, or the potential of collection, by security operations in from a passenger’s device; it can be captured by systems owned airports. Often this data collection involves the use of CCTV and operated by the airport or its partners; it can be collected systems operated in connection with airport security programs. by third-party businesses; or it can be collected by federal agen- Security providers, however, are not the only CCTV users. Other cies. In most cases, data services are trending toward a complex actors in the airport context recognize the operational value of partnership of various parties collaborating to support the pas- CCTV to enhance airport operations or customer engagement. senger journey more seamlessly. In many instances, despite capability for image sharing, separate For example, the 2019 publication of the Transportation stovepipe systems are created. The proliferation of continually ­Security Administration’s (TSA) TSA Biometric Roadmap1 en- advancing CCTV creates large pools of data at airports. capsulates a vision for data collection and use, including bio- Further, as the use of CCTV grows, biometric analytic tech- metric data, to facilitate passenger movement across the passen- nologies, such as facial recognition, continue to develop. These ger experience. TSA’s Biometric Roadmap involves data sharing analytic tools are increasingly available to leverage existing sys- between air carriers, TSA, and Customs and Border Patrol tems, such as CCTV or other camera systems. However, this (CBP) to address commercial, operational, and security mea- growing ability raises additional privacy concerns. While the sures essential to travel. use of such technologies has been primarily in the retail sector, While TSA’s vison of the passenger journey does not specifi- currently most of the biometric use with respect to passengers cally address airport participation in the program, airports and is limited to security and passenger processing programs man- aged by TSA or CBP along with the airlines. The advancement of biometrics has also seen increasing use in connection with 1  U.S. Dep’t of Homeland Sec., Transp. Sec. Admin., TSA Bio­ metrics Roadmap: For Aviation Security and the Passenger Experience, 18 (2018), available at https://www.tsa.gov/sites/default/ files/tsa_biometrics_roadmap.pdf. 

4    ACRP LRD 42 airport employee security, credentialing, and access control sys- data. In these cases, the company usually attempts to reserve the tems. These uses also raise privacy issues.2 rights to sell that data to third parties. Understanding who owns Arrayed against the growing availability and use case for data the data, and the rights of all parties with respect to the data, is with privacy implications is a growing body of law devoted to essential for safeguarding privacy. protecting privacy. Unlike some foreign jurisdictions that have The COVID-19 pandemic in 2020 offers an example of how developed more comprehensive programs of data protection, technology developers and aviation industry stakeholders, as the U.S. system remains a patchwork of somewhat independent- well as other industries, can rapidly develop sensors, data col- ly evolving protections. Thus, capturing a snapshot of various lection strategies, and information processing techniques to federal, state, and local protections would be both difficult and address new challenges. In response to the new realities cre- likely unhelpful in the long run. A more productive approach ated by this public health crisis, monitoring health conditions, would be to focus on legal trends in privacy protection. In addi- social distance monitoring, and contact tracing and movement tion to looking at governmental enforcement actions as a part of tracking have become national and even global priorities. More the legal trends, this research will also examine the nongovern- specifically, innovative software solutions have been deployed mental solutions of pay card industry data security standards. on existing and new enhanced camera systems to perform In addition to focusing on legal protections for privacy, there temperature and social monitoring in public spaces, including is a need to understand developments and trends in laws govern- airports.4 Similarly, shortly after the early 2020 COVID-19 out- ing public records, specifically addressing issues like data reten- break in the United States, Google and Apple collaborated to tion and dissemination. These statutes addressing public records develop a phone application to trace and track voluntary par- are often in tension with privacy protection policy. Expansive re- ticipants.5 The application traced the movement of the partici- cords retention statutes that exist in some states can conflict with pants’ phones in relation to the phones of other participants. If data minimization requirements. Similarly, broad open records a participant was diagnosed with COVID-19, the other phones or freedom of information statutes can make the protection of that met established contact criteria6 were sent an automated private and proprietary data difficult. This has significant impli- notification. The identity of phone owners is not shared. Only cations for the sharing of data with commercial value. the determination of proximity to a device of someone who was In whatever arrangements are made to collect or share data, diagnosed COVID-19 positive is shared. airport operators, airlines, and tenants must employ appropri- Thus, collection of biometric health-related information and ate contractual language. Airports must consider what data they largescale tracking of individual movement have raised novel own, how and under what circumstances they can collect data, concerns previously unaddressed by U.S. law. Responding to what can be done with that data, how the data will be safeguard- those concerns, Congress has considered several bills address­ing ed, and what they will have to pay for accessing and using data. privacy.7 The United States was, however, not alone in ­looking In structuring contractual arrangements regarding data collec- to adapt its legal system in the face of technology develop­ments tion and use, those airports receiving funding through the Fed- to respond to COVID-19. EU countries, interfacing with the eral Aviation Administration (FAA) (or other federal sources) ­General Data Protection Regulation (GDPR),8 looked to adapt must ensure that data arrangements are consistent with grant that comprehensive system to allow government to use the new assurances.3 For example, if an airport were found to be using tools to fight the pandemic.9 data in a discriminatory fashion, perhaps thorough application of a racially-biased artificial intelligence application, several 4   Hugo Martin, Airports are Testing Thermal Cameras and Other Grant Assurances (for instance 1, 22, and 30) could be impli- Technology to Screen Travelers, L.A. Times, May 13, 2020, https://www. cated. Concerns over potential misuse of data extend not only latimes.com/business/story/2020-05-13/airports-test-technology- to the airport, but also to third-party contractors who may be screen-covid-19. involved in data collection and processing. 5   Russell Brandon & Adi Roberson, Apple and Google are Building a Some third-party companies have offered to install their Coronavirus Tracking System into iOS and Android, The Verge, Apr. 10, technology in airports at “no cost” and provide the airport with 2020, https://www.theverge.com/2020/4/10/21216484/google-apple- coronavirus-contract-tracing-bluetooth-location-tracking-data-app. 6   Extended time within the proximity of the phone of the COVID- 2   The use of facial recognition presents challenges beyond the issue of 19 positive individual. privacy. Concerns have been raised regarding racial and ethnic bias in 7   See The COVID-19 Consumer Data Protection Act, S. 3663, artificial intelligence applications that power facial recognition software. 116th Cong. § 2 (2020); The Public Health Emergency Privacy Act, S. There also is the concern of false negative and false positive rates under- 3749, 116th Cong. § 2 (2020). mining the utility of these technologies. See e.g., Natasha Stringer & Cade 8    Gen. Data Protection Reg., 2016/679 (EU). Metz, Many Facial Recognition Systems are Biased, U.S. Study, N.Y. Times, 9   See Statement on the Processing of Personal Data in the Context of the Dec. 19, 2019, https://www.nytimes.com/2019/12/19/­technology/facial- COVID-19 Epidemic, European Data Protection Board (Mar. 19, recognition-bias.html?auth=login-email&login=email. These factors 2020), https://edpb.europa.eu/our-work-tools/our-documents/other/ along with privacy are important considerations in the decision to use statement-processing-personal-data-context-covid-19-­outbreak_en; and how to use facial recognition technology. Guidelines 04/2020 on the Use of Location Data and Tracing Tools in the 3   Airport Sponsor Assurances, FAA. (Feb. 2, 2020), https://www.faa. Context of the COVID-19 Outbreak, European Data Protection Board, gov/airports/aip/grant_assurances/media/airport-sponsor-assurances- Apr. 21, 2020, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_ aip-2020.pdf. guidelines_20200420_contact_tracing_covid_with_annex_en.pdf. 

ACRP LRD 42   5 This cycle of technology development and legal reaction cases can help inform judgments with respect to common chal- evidenced in the pandemic response, both in strengthening lenges and opportunities. It also informs judgments regarding and loosening protections, is instructive. Aviation professionals the range of stakeholders, both public and private, involved in should be mindful that scrutiny over data use and legal develop- data usage and the limits and restrictions imposed on disparate ments that govern data use will continue as the ability to collect stakeholders. and analyze data becomes more sophisticated and powerful. Section IV covers developments in federal constitutional These legal policy changes may occur rapidly and require the protections. The U.S. Supreme Court has considered multiple modification of data collection practices. privacy related data collection cases since the 1970s. Both con- The rapid technological adaptation and development of servative and liberal justices have expressed concern over the new data sets and assessments to address evolving challenges effects of technology on privacy. The issues raised by the Court like those seen in the pandemic response showcases the need to and legal analysis offered in the decisions offer valuable insights understand the legal principles that govern data collection and into the use of data gathered through systems like CCTV. use. This research focuses on identifying those principles to help Section V discusses several federal statutory provisions that airport lawyers better understand the implications of new data may potentially impact risk assessment and policy develop- collection activities and technologies in their airports. ments for various aspects of data collection, storage, access, and dissemination. B. Objective of the Research Section VI explores federal government enforcement and This digest provides a survey of applicable law; consider- other activities. This includes executive branch actions and the ations for the collection and safekeeping of data; and a review activities of Congress in developing future legislation. of the issues that arise related to data collection among airports, Section VII overviews state constitutional privacy protec- their tenants, and other users. It also offers an understanding of tions. Similar to federal constitutional protections, state con­ the expansion in law around data collection and use. The analy- stitutions afford protections for civil liberties. In some instances, sis includes federal, state, local and international legal develop- state protections may even exceed federal protections. For in- ments as well as the respective compliance requirements and stance, twelve states have specific constitutional provisions re- penalties. lated to privacy, while others have generalized provisions. Section VIII addresses state statutory privacy protections C. How to Use the Digest and trends. State measures have addressed both government and private use of data. The types of data addressed by state reg- Outlined below is a summary of the content of this work by ulations are also expanding to private consumer data. ­Analyzing section. However, reading this digest from beginning to end these state law developments will both discern the mandatory may not be the most effective way to use it. Practitioners may compliance requirements for airports within those states as wish to focus initially on the use cases outlined in Section III and well as serve as a potential guide for airports in states lacking the summaries of contractual and policy issues in Section XIII. robust regulatory regimes. While it is impractical to examine Then, the reader may take a deeper dive into legal issues in other every state law addressing this topic, understanding the types of sections that address specific concerns. The use cases in Section regulatory schemes developed within various states will assist in III and contract and policy summaries in Section XIII are de- determining trends that may control this perpetually unfolding signed to orient practitioners to process and substantive consid- airport policy. erations with respect to data collection and use. These sections Section IX discusses developing state and local law related to will help to paint the “big picture” for airports and airport stake- biometric usage. With the growing usage of facial recognition holders to consider in dealing with data collection and use. technology and the development of governmental programs to apply this and similar technologies to the traveler screening pro- D. Summary of Section Content cess, there is growing airport focus on biometrics in general, and Section II provides a literature review addressing the de- facial recognition in particular. Outside of the airport industry velopment of privacy concepts and the impact of technology there is also significant court and legislative activity addressing develop­ments on privacy. Additionally, the literature review the collection, storage, and use of facial recognition and other looks at government responses to data collection activities and biometric identifiers. identifies aviation industry trends. Section X looks at the interplay of privacy and open govern- Section III outlines airport data use cases and examines ment records. The existence of measures to ensure open gov- shared areas of concerns for airports in data management. The ernment has interesting intersections with the issue of privacy. discussion covers current and prospective airport data use cases. While some advocacy organizations lament government access While data collection and storage systems may be common or to private personal data, they simultaneously seek liberal access segregated for a range of uses, there are often differing rules and to governmental records. The requirement for government to restrictions for using data across categories. As can be seen from retain data it collects in accordance with defined retention re- examining passenger journey use cases, sometimes a single use quirements, combined with public access laws, can prove to be case can implicate multiple categories. This section also explores a challenging exercise. common airport data sharing issues. The examination of uses