Legal review

Intelligent airports and data: The legal impact of new IT at airports

Received (in revised form): 26th January, 2013

Stephen Baird, SITA, 26 Chemin de Joinville, 1216 Cointrin, Switzerland
E-mail: stephen.baird@sita.aero
Twitter: @stephenhbaird

© HENRY STEWART PUBLICATIONS 1750-1938 AIRPORT MANAGEMENT VOL. 7, NO. 2, 173–178 SPRING 2013

STEPHEN BAIRD is Legal Director at SITA based in Geneva. He is qualified as a lawyer in England and Wales and Australia and has worked at SITA for over ten years, with global responsibilities for intellectual property and major transactions relating to SITA’s lines of business serving airports and airlines with IT and telecommunications services. Prior to SITA, Stephen was a legal counsel for Thomson Reuters, a Federal Court of Australia Judge’s associate (clerk), and a barrister and solicitor in private practice specialising in intellectual property, commercial law and litigation.

Abstract

This paper is intended as a starting point for policy makers considering the strategic, legal and security issues created in the areas of new passenger data, wireless networking and common-use information technology (IT) equipment at airports. It recommends that airports be mindful of various practical legal solutions and protective measures from the outset, because new IT systems can give rise to complex legal issues that will influence day-to-day operations. In many areas new IT is changing how airports operate and data flows between stakeholders are more important than ever. Airport managers must understand the opportunities and also the risks created by the new technologies. Issues, once identified, can be addressed by airports taking measures internally, and in airport supplier and partner contracts.

Keywords

airport law, data privacy, personal data, passenger tracking, smartphone apps, CUTE, CUPPS, CLUB

INTRODUCTION

In many areas, new information technology (IT) is changing how airports operate and, to enable new and secure IT deployment, airport managers must understand the opportunities and also the risks created by these new technologies. Legal issues created by new IT at airports comprise one such area of risk that can create challenges for airports, but these can be addressed in various practical ways at policy and strategic levels, as explained in this paper.

Consider the ways in which new technology is changing how airports, airlines and passengers interact:

• online check-in is common, and now airlines can check in passengers using mobile devices, freeing check-in agents from their fixed terminals – gate staff and airside staff will be equipped with mobile devices and hundreds of handheld terminals will require WiFi at each airport;
• biometric technology enables airports to operate e-gates and other ‘intelligent’ IT infrastructure;
• passenger tracking technology enables airports to become more efficient;
• pilots and air crew are being equipped with iPads and other tablets for electronic flight bags and delivery of mission-critical data via WiFi;
• next-generation aircraft require upload and download of increasing amounts of data; and
• passengers seek smartphone apps that provide streamlined airport information, car-parking assistance, retail and car-hire information, flight status, bag-tracking and flight-booking capability, creating social media and direct marketing opportunities (eg the iTravel app by SITA).

This paper explores the legal aspects of these technologies affecting airport policy in three specific areas:

• airports using passenger data and cloud;
• wireless networks at airports; and
• common-use IT equipment and infrastructure, from the viewpoint of European Union (EU) and US legal jurisdictions.

AIRPORTS USING PASSENGER DATA AND CLOUD – LEGAL ISSUES

Passenger data can provide airports with the means to operate more efficiently and better serve passengers. Passenger tracking is a new technology that measures passenger dwell time, flow and ‘bottlenecks’ in real time. This can be done either ‘passively’, by anonymous tracking of bodies or smartphone signals, or ‘actively’, by actual geo-location of known individuals (as done by many smartphone apps already). Anonymous tracking can be performed using smartphone 3G/4G signals, WiFi, Bluetooth (anonymised), or laser, video or thermal technology (WiFi has 25–50 per cent passenger penetration and growing; Bluetooth is accurate to ±5 per cent with passenger penetration of 8–15 per cent and a range of 10m; while laser/video/thermal is accurate to ±2–3 per cent).

When the passenger’s personal data and individual identity are known, more possibilities arise (the term ‘personal data’ includes anything capable of identifying a person as an individual, either on its own or by reference to other information, including name, address, physical characteristics etc). Such data can be valuable to car-parking concessionaires, airlines (geo-location for boarding) and retailers (for marketing), although consent and data security are essential. If passengers explicitly consent to the sharing of their data by an airport with partners for these purposes, value can be generated. Not only can the passenger be provided with automatic validation for access to secure areas, but they can also be contacted directly with ‘push notifications’ offering personalised advice about parking, queues and aircraft boarding as well as for marketing purposes etc.

Consent for using and sharing personal data

When passengers’ personal data are being gathered, stored and used, data protection laws require passenger consent for each type of use. For example, airlines that have gathered passenger data for flights cannot provide the data to third parties for marketing purposes without passenger consent. The same applies to passenger data gathered for frequent flyer programmes – consent from the data owner (the passenger) for all types of use is needed. (Airlines provide in their legal conditions for flight sales that they can provide personal data to airports and subcontractors for operational or security reasons, but not for other reasons.)

Airports that choose to launch smartphone apps for passengers could seek passenger consent (via legal conditions and a privacy policy in the app) to share passenger data with selected ‘partners’ or third parties (some jurisdictions, such as California, require the privacy policy to be actually in the app itself, not just on a website). One major airline app does this now, stating that the airline intends to share user information with ‘promotional partners’, meaning that the user may receive selected promotional e-mails, although the passenger (by law) always has the right to opt out later. The app of a major airport states that the airport may share personal data with partners ‘who are responsible for implementing (particular aspects of) certain services’. These kinds of provisions establish user consent to various degrees of data sharing with partners/suppliers.

Partners/suppliers: ‘Control’ and cloud storage

As well as consent for scope of use and personal data sharing, if the app owner wishes to use cloud storage or data processing services in foreign jurisdictions, specific consent should be sought from the user. In service contracts, the app owner (ie the airport) should ensure that suppliers/partners agree to protect personal data, by (in summary):

• not allowing public access or disclosure – implementing physical and virtual security in accordance with best industry standards;
• not allowing use other than within the original consent provided by the user;
• deleting data when use is completed or when requested by the user; and
• ensuring that ‘control’ of the data stays with the contracting app owner; control can be demonstrated by having a contract that gives the app owner rights to retrieve data, inspect access logs, enforce deletion and cause security upgrades, among other rights.

Generally, if a supplier/processor fails to keep the data secure, primary liability for the breach will fall on the data controller (ie the app owner) even if the supplier/processor agrees to indemnify the data controller. Supplier/processor indemnities in favour of customers in this area are common and should always be demanded. Suppliers/processors should be financially solid so that such indemnities are backed up with assets. Specialist legal advice on contractual liabilities, indemnities and contract wording always should be sought.

Opt-out right

Passengers must always be allowed to withdraw consent to the use of their data and opt out – and they will do so if push notifications become annoying to them at any time. As such, push contact that is over-used or used insensitively will be counter-productive and could damage reputations. This is why some existing airport and airline apps today state explicitly that user personal data will not be shared with any third parties at all.

WIRELESS NETWORKS AT AIRPORTS – LEGAL ISSUES

Mobility is changing how people work and pay for services. Accordingly, use of wireless networks at airports will become ever-more important, both from an operations and a commercial point of view. Multiple wireless technologies are in use at airports today, including WiFi, 3G, 4G (including WiMax and long-term evolution (LTE)) and near-field communication (NFC). Smartphone NFC boarding is currently undergoing trials at Toulouse-Blagnac Airport, where it also is allowing parking and lounge access. (NFC is a smartphone (or chip) radio communications technology, used, for example, in swiping for access and boarding, with a 5cm range.) The airport wireless infrastructure (WLAN) will soon be linked to airline mobile devices (airside and non-airside), passenger devices, next-generation aircraft, and pilot, air crew and ground staff devices. In the next three years, over 3,000 aircraft with new, heavy, wireless networking requirements will be airborne (namely: B777, B787, B747-8, A380 and A350 plus retrofits). Many thousands of SIM cards and devices will transfer many thousands of gigabytes on a daily basis, and part of these data will be mission-critical.

Wireless security

Airlines are likely to value common approaches between airports for security and technology. The Payment Card Industry Data Security Standard (PCI DSS) should be aimed for, providing the highest industry standard.

Infrastructure investment in airport WiFi networks often will be necessary to achieve PCI DSS compliance. Where this investment is made, greater use of the WLAN can occur and hence the airport (if owner/operator of the WLAN) can benefit. In this sense, security is a basic value-enhancer. Greater security can also allow the airport or WLAN owner to adopt a different risk/reward profile that flows into WLAN use agreements with airlines and other users. Higher security can justify higher airport fees and, for mission-critical services, very low liability disclaimers are not always appropriate if best-in-class security is present. A robust, standardised and secure wireless service will support heavier use by the thousands of next-generation aircraft and devices (iPads and others) soon to come online at airports.

COMMON-USE IT INFRASTRUCTURE AT AIRPORTS – LEGAL ISSUES

Common-use infrastructure at airports, also known as CUTE (the acronym for ‘common use terminal equipment’), is an operational model where the airport grants a concession to an IT supplier, and the IT supplier contracts with all airlines and ground-handling agents (GHAs) that wish to share use of certain installed equipment/infrastructure owned and operated by the IT supplier. CUTE is now being replaced by CUPPS (the acronym for ‘common use passenger processing system’). The common-use model was created by SITA and first introduced at Los Angeles International Airport in 1984. Today, SITA has 30,000 CUTE systems and 3,300 networked check-in kiosks in use worldwide.

In this model, the airport is not in the chain of supply for the actual common-use IT infrastructure. The model is attractive to some airports because it enables the airport to avoid responsibility and liability for various IT systems being operated and supplied direct to airlines and GHAs. Many types of IT infrastructure can be supplied on a common-use basis, for example check-in desks and peripherals, kiosks, mobile devices, automated ‘intelligent’ security gates, self-boarding gates, self-service bag-drop machines etc.

Models for common use

As shown in Figure 1, there are three alternative legal models available for the supply of IT infrastructure at airports:

• the common-use CUTE model mentioned above – also known as the ‘CLUB model’ (CLUB is the acronym for ‘CUTE local users’ board’);
• the airport sources directly and resells to airlines/GHAs (‘direct model’); or
• the ‘hybrid model’, combining elements of both the above.

Figure 1 Three legal models for shared-use supply

Note that in the first model, a CLUB is not a legal entity but rather an informal structure governed by agreed contractual rules and processes. The CLUB is the airport-specific joint airline/GHA governance body for the installed common-use equipment, and it exercises control over the supply. The ‘hybrid’ model is relatively new in global deployment terms, but should be considered by airports seeking flexibility without being in the centre of a chain of supply. The hybrid model provides benefits without the responsibilities, liabilities and resources that the direct model usually entails. In the hybrid model, airlines and GHAs establish a CLUB model but the airport joins the CLUB and participates in the governance process for the common-use equipment. In this manner, the airport gains visibility and the ability to influence and participate directly in decisions affecting equipment and infrastructure at the airport. A disadvantage of the hybrid model is that the airport does not have full control over the IT infrastructure, as it would have under the direct model. On the other hand, it can gain revenue from its IT concession, and avoid liability for any IT service outages – the IT supplier remains responsible to the airlines and GHAs for all relevant operational aspects. CLUBs and common-use IT infrastructure at airports have been around for decades because the model is convenient and efficient. As new ‘intelligent’ IT infrastructure is launched, airports can choose the most beneficial model for shared IT infrastructure for all stakeholders.

CONCLUSION

Airports today have opportunities to leverage new technology in secure ways to the benefit of all stakeholders. Intelligent airports in coming years will:

• create useful apps for passengers and become knowledgeable in personal data laws and cloud data storage security issues – consent, control and security of data are essential;
• build secure wireless networks that enhance efficiency while creating value for the airport; and
• consider hybrid shared-use models for new IT equipment to ensure future stakeholder collaborative decision making.

Note

This paper is based on a presentation made by the author to the Worldwide Airport Law Conference on 27th April, 2012 in Amsterdam, hosted by the Worldwide Airports Lawyers Association (WALA). Any opinions in this paper are the author’s own and do not necessarily reflect the opinions, views or strategy of SITA. The trademarks SITA®, iTravel® and CUTE® are the property of SITA with all rights reserved to SITA. This paper is not intended as legal advice. In all situations every party must obtain its own independent legal advice based on its own specific circumstances and jurisdiction.