Intelligent Airports and Data: The legal impact of new IT at airports

1,531 views
1,478 views

Published on

Journal of Airport Management article, Spring 2013.
SITA copyright and trademarks reserved.
This paper is intended as a starting point for policy makers considering the strategic, legal and security issues created in the areas of new passenger data, wireless networking and common-use information technology (IT) equipment at airports. It recommends that airports be mindful of various practical legal solutions and protective measures from the outset, because new IT systems can give rise to complex legal issues that will influence day-to-day operations. In many areas new IT is changing how airports operate and data flows between stakeholders are more important than ever. Airport managers must understand the opportunities and also the risks created by the new technologies. Issues, once identified, can be addressed by airports taking measures internally, and in airport supplier and partner contracts.

Published in: Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,531
On SlideShare
0
From Embeds
0
Number of Embeds
34
Actions
Shares
0
Downloads
15
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Intelligent Airports and Data: The legal impact of new IT at airports

  1. 1. ●online check-in is common, and nowairlines can check in passengers usingmobile devices, freeing check-in agentsfrom their fixed terminals — gate staffand airside staff will be equipped withmobile devices and hundreds of handheldterminals will requireWiFi at each airport;●biometric technology enables airportsto operate e-gates and other ‘intelligent’IT infrastructure;●passenger tracking technology enablesairports to become more efficient;●pilots and air crew are being equippedwith iPads and other tablets for electronicflight bags and delivery of mission-critical data via WiFi;© HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 7, NO. 2, 173–178 SPRING 2013 173Stephen Baird,SITA,26 Chemin de Joinville,1216 Cointrin,SwitzerlandE-mail: stephen.baird@sita.aeroTwitter:@stephenhbairdLegal reviewIntelligent airports and data: Thelegal impact of new IT at airportsReceived (in revised form): 26th January, 2013STEPHEN BAIRDis Legal Director at SITA based in Geneva. He is qualified as a lawyer in England and Wales and Australia and hasworked at SITA for over ten years, with global responsibilities for intellectual property and major transactionsrelating to SITA’s lines of business serving airports and airlines with IT and telecommunications services. Prior toSITA, Stephen was a legal counsel for Thomson Reuters, a Federal Court of Australia Judge’s associate (clerk), anda barrister and solicitor in private practice specialising in intellectual property, commercial law and litigation.AbstractThis paper is intended as a starting point for policy makers considering the strategic, legal and securityissues created in the areas of new passenger data, wireless networking and common-use informationtechnology (IT) equipment at airports. It recommends that airports be mindful of various practical legalsolutions and protective measures from the outset, because new IT systems can give rise to complexlegal issues that will influence day-to-day operations. In many areas new IT is changing how airportsoperate and data flows between stakeholders are more important than ever.Airport managers mustunderstand the opportunities and also the risks created by the new technologies. Issues, once identified,can be addressed by airports taking measures internally, and in airport supplier and partner contracts.Keywordsairport law, data privacy, personal data, passenger tracking, smartphone apps, CUTE, CUPPS, CLUBINTRODUCTIONIn many areas,new information technology(IT) is changing how airports operate and,to enable new and secure IT deployment,airport managers must understand theopportunities and also the risks created bythese new technologies.Legal issues createdby new IT at airports comprise onesuch area of risk that can create challengesfor airports, but these can be addressed invarious practical ways at policy andstrategic levels, as explained in thispaper.Consider the ways in which new technologyis changing how airports,airlines and passen-gers interact:Stephen BairdJAM262.qxd 3/22/13 3:06 PM Page 173
  2. 2. BAIRD174 © HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 7, NO. 2, 173–178 SPRING 2013●next-generation aircraft require uploadand download of increasing amounts ofdata; and●passengers seek smartphone apps thatprovide streamlined airport information,car-parking assistance, retail and car-hireinformation, flight status, bag-trackingand flight-booking capability, creatingsocial media and direct marketing oppor-tunities (eg the iTravel app by SITA).This paper explores the legal aspects ofthese technologies affecting airport policyin three specific areas:●airports using passenger data and cloud;●wireless networks at airports; and●common-use IT equipment and infra-structure, from the viewpoint ofEuropean Union (EU) and US legaljurisdictions.AIRPORTS USING PASSENGER DATAAND CLOUD — LEGAL ISSUESPassenger data can provide airports withthe means to operate more efficiently andbetter serve passengers. Passenger trackingis a new technology that measures passen-ger dwell time, flow and ‘bottlenecks’ inreal time. This can be done either ‘pas-sively’, by anonymous tracking of bodiesor smartphone signals, or ‘actively’, byactual geo-location of known individuals(as done by many smartphone appsalready).Anonymous tracking can be per-formed using smartphone 3G/4G signals,WiFi, Bluetooth (anonymised), or laser,video or thermal technology (WiFi has25–50 per cent passenger penetration andgrowing; Bluetooth is accurate to Ϯ5 percent with passenger penetration of 8–15per cent and a range of 10m; whilelaser/video/thermal is accurate to Ϯ2–3per cent).When the passenger’s personal data andindividual identity are known, more pos-sibilities arise (the term ‘personal data’includes anything capable of identifying aperson as an individual, either on its ownor by reference to other information,including name, address, physical charac-teristics etc). Such data can be valuable tocar-parking concessionaires, airlines (geo-location for boarding) and retailers (formarketing), although consent and datasecurity are essential. If passengers explic-itly consent to the sharing of their data byan airport with partners for these pur-poses, value can be generated. Not onlycan the passenger be provided with auto-matic validation for access to secure areas,but they can also be contacted directlywith ‘push notifications’ offering person-alised advice about parking, queues andaircraft boarding as well as for marketingpurposes etc.Consent for using and sharingpersonal dataWhen passengers’ personal data are beinggathered, stored and used, data protectionlaws require passenger consent for eachtype of use. For example, airlines that havegathered passenger data for flights cannotprovide the data to third parties for mar-keting purposes without passenger con-sent. The same applies to passenger datagathered for frequent flyer programmes— consent from the data owner (the pas-senger) for all types of use is needed.(Airlines provide in their legal conditionsfor flight sales that they can provide per-sonal data to airports and subcontractorsfor operational or security reasons,but notfor other reasons.)Airports that choose to launch smart-phone apps for passengers could seek pas-senger consent (via legal conditions and aprivacy policy in the app) to share passen-JAM262.qxd 3/22/13 3:06 PM Page 174
  3. 3. INTELLIGENT AIRPORTS AND DATA© HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 7, NO. 2, 173–178 SPRING 2013 175ger data with selected ‘partners’ or thirdparties (some jurisdictions, such asCalifornia,require the privacy policy to beactually in the app itself, not just on awebsite). One major airline app does thisnow, stating that the airline intends toshare user information with ‘promotionalpartners’, meaning that the user mayreceive selected promotional e-mails,although the passenger (by law) always hasthe right to opt out later. The app of amajor airport states that the airport mayshare personal data with partners ‘who areresponsible for implementing (particularaspects of) certain services’. These kindsof provisions establish user consent to var-ious degrees of data sharing with partners/suppliers.Partners/suppliers: ‘Control’ andcloud storageAs well as consent for scope of use andpersonal data sharing, if the app ownerwishes to use cloud storage or data pro-cessing services in foreign jurisdictions,specific consent should be sought fromthe user. In service contracts, the appowner (ie the airport) should ensure thatsuppliers/partners agree to protect per-sonal data, by (in summary):●not allowing public access or disclo-sure — implementing physical and vir-tual security in accordance with bestindustry standards;●not allowing use other than within theoriginal consent provided by the user;●deleting data when use is completed orwhen requested by the user; and●ensuring that ‘control’ of the data stayswith the contracting app owner; controlcan be demonstrated by having a con-tract that gives the app owner rights toretrieve data, inspect access logs, enforcedeletion and cause security upgrades,among other rights.Generally, if a supplier/processor fails tokeep the data secure, primary liability forthe breach will fall on the data controller(ie the app owner) even if thesupplier/processor agrees to indemnify thedata controller. Supplier/processor indem-nities in favour of customers in this areaare common and should always bedemanded. Suppliers/processors should befinancially solid so that such indemnitiesare backed up with assets. Specialist legaladvice on contractual liabilities, indemni-ties and contract wording always should besought.Opt-out rightPassengers must always be allowed towithdraw consent to the use of their dataand opt out — and they will do so if pushnotifications become annoying to them atany time. As such, push contact that isover-used or used insensitively will becounter-productive and could damagereputations.This is why some existing air-port and airline apps today state explicitlythat user personal data will not be sharedwith any third parties at all.WIRELESS NETWORKS AT AIRPORTS —LEGAL ISSUESMobility is changing how people workand pay for services. Accordingly, use ofwireless networks at airports will becomeever-more important, both from an oper-ations and a commercial point of view.Multiple wireless technologies are in useat airports today, including WiFi, 3G, 4G(WiMax, including and long-term evolu-tion (LTE) and near-field communication(NFC).Smartphone NFC boarding is cur-rently undergoing trials at Toulouse-JAM262.qxd 3/22/13 3:06 PM Page 175
  4. 4. BAIRD176 © HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 7, NO. 2, 173–178 SPRING 2013Blagnac Airport, where it also is allowingparking and lounge access. (NFC is asmartphone (or chip) radio communica-tions technology, used for example, inswiping for access and boarding with a5cm range.) The airport wireless infra-structure (WLAN) will soon be linked toairline mobile devices (airside and non-airside), passenger devices, next-genera-tion aircraft, and pilot, air crew andground staff devices. In the next threeyears, over 3,000 aircraft with new, heavy,wireless networking requirements will beairborne (namely: B777, B787, B747-8,A380 and A350 plus retrofits). Manythousands of SIM cards and devices willtransfer many thousands of gigabytes on adaily basis, and part of these data will bemission-critical.Wireless securityAirlines are likely to value commonapproaches between airports for securityand technology. The Payment CardIndustry Data Security Standard (PCIDSS) should be aimed for, providing thehighest industry standard.Infrastructure investment in airportWiFi networks often will be necessary toachieve PCI DSS compliance. Where thisinvestment is made, greater use of theWLAN can occur and hence the airport(if owner/operator of the WLAN) canbenefit. In this sense, security is a basicvalue-enhancer. Greater security can alsoallow the airport or WLAN owner toadopt a different risk/reward profile thatflows intoWLAN use agreements with air-lines and other users. Higher security canjustify higher airport fees and, for mission-critical services, very low liability dis-claimers are not always appropriate ifbest-in-class security is present. A robust,standardised and secure wireless servicewill support heavier use by the thousandsof next-generation aircraft and devices(iPads and others) soon to come online atairports.COMMON-USE IT INFRASTRUCTUREAT AIRPORTS — LEGAL ISSUESCommon-use infrastructure at airports,also known as CUTE (the acronym for‘common use terminal equipment’), is anoperational model where the airportgrants a concession to an IT supplier, andthe IT supplier contracts with all airlinesand ground-handling agents (GHAs) thatwish to share use of certain installedequipment/infrastructure owned andoperated by the IT supplier. CUTE isnow being replaced by CUPPS (theacronym for ‘common use passengerprocessing system’). The common-usemodel was created by SITA and firstintroduced at Los Angeles InternationalAirport in 1984.Today, SITA has 30,000CUTE systems and 3,300 networkedcheck-in kiosks in use worldwide.In this model, the airport is not in thechain of supply for the actual common-use IT infrastructure. The model isattractive to some airports because itenables the airport to avoid responsibilityand liability for various IT systems beingoperated and supplied direct to airlinesand GHAs. Many types of IT infrastruc-ture can be supplied on a common-usebasis, for example check-in desks andperipherals, kiosks, mobile devices, auto-mated ‘intelligent’ security gates, self-boarding gates, self-service bag-dropmachines etc.Models for common useAs shown in Figure 1, there are threealternative legal models available for thesupply of IT infrastructure at airports:JAM262.qxd 3/22/13 3:06 PM Page 176
  5. 5. INTELLIGENT AIRPORTS AND DATA© HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 7, NO. 2, 173–178 SPRING 2013 177●the common-use CUTE model men-tioned above — also known as the‘CLUB model’ (CLUB is the acronymfor ‘CUTE local users’ board’).●the airport sources directly and resells toairlines/GHAs (‘direct model’); or●the ‘hybrid model’, combining elementsof both the above.Note that in the first model, a CLUB isnot a legal entity but rather an informalstructure governed by agreed contractualrules and processes.The CLUB is the air-port-specific joint airline/GHA gover-nance body for the installedcommon-use equipment, and it exercisescontrol over the supply. The ‘hybrid’model is relatively new in global deploy-ment terms, but should be considered byairports seeking flexibilitywithout being in the centre of a chain ofsupply. The hybrid model providesbenefits without the responsibilities, lia-bilities and resources that the directmodel usually entails. In the hybridmodel, airlines and GHAs establish aCLUB model but the airport joins theCLUB and participates in the governanceprocess for the common-use equipment.In this manner, the airport gains visibil-ity and the ability to influence and par-ticipate directly in decisions affectingequipment and infrastructure at the air-port.A disadvantage of the hybrid modelis that the airport does not have full con-trol over the IT infrastructure, as it wouldhave under the direct model. On theother hand, it can gain revenue from itsIT concession, and avoid liability for anyIT service outages — the IT supplierremains responsible to the airlinesand GHAs for all relevant operationalaspects. CLUBs and common-useIT infrastructure at airports have beenaround for decades because the modelis convenient and efficient. As new‘intelligent’ IT infrastructure is launched,airports can choose the most beneficialFigure 1 Three legal models for shared-use supplyJAM262.qxd 3/22/13 3:06 PM Page 177
  6. 6. BAIRD178 © HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 7, NO. 2, 173–178 SPRING 2013model for shared IT infrastructure for allstakeholders.CONCLUSIONAirports today have opportunities toleverage new technology in secure ways tothe benefit of all stakeholders. Intelligentairports in coming years will:●create useful apps for passengers andbecome knowledgeable in personal datalaws and cloud data storage securityissues — consent, control and securityof data are essential;●build secure wireless networks thatenhance efficiency while creating valuefor the airport; and●consider hybrid shared-use models fornew IT equipment to ensure futurestakeholder collaborative decisionmaking.NoteThis paper is based on a presentationmade by the author to the WorldwideAirport Law Conference on 27th April,2012 in Amsterdam, hosted by theWorldwide Airports Lawyers Association(WALA). Any opinions in this paper arethe author’s own and do not necessarilyreflect the opinions, views or strategyof SITA.The trademarks SITA®, iTravel®and CUTE®are the property of SITAwith all rights reserved to SITA. Thispaper is not intended as legal advice.In all situations every party must obtainits own independent legal advice basedon its own specific circumstances andjurisdiction.JAM262.qxd 3/22/13 3:06 PM Page 178

×