Some Privacy, Please: Securing the Future of Passenger Data


Image: Nicolas Venturelli

APEX Insight: Gathering personal data to tailor the passenger experience creates a valuable but fragile relationship between brand and customer. We’ve gathered industry experts to discuss how IT, design and empathy can pave the way toward a more secure future.

The personal information being shared online nearly every second of every day is a prized commodity. And as the Internet’s role in its users’ lives increases, so does their data’s value – when acted upon internally by a company or when sold to (or stolen by) a third party.

Even if the specter of a customer data breach isn’t looming large in the minds of every C-suite, the threat of massive fines for violating Europe’s freshly implemented General Data Protection Regulation (GDPR) will be. Given Europe’s huge population and global interconnectivity, non-European companies are scrambling to cover their bases, too, driving tangible data-protection action across the board.

Customers are still usually willing to give away their private data in exchange for free online services, but they’d prefer maintaining some degree of control and knowing how that data is being used. “An airline can make targeted offers as long as it has the positive consent of the passenger,” says Ann Cavoukian, distinguished expert-in-residence at Toronto’s Ryerson University Privacy by Design Centre of Excellence, whose work directly informed elements of the GDPR. “Privacy by Design doesn’t say no to marketing or targeting – it’s pro choice. Privacy is all about personal control over the use of your personal information.”

Cavoukian and her team worked closely with Vision-Box as it developed its Orchestra platform for multi-source data management in analyzing passenger flow. “They … were with us throughout the entire process, making certain that Orchestra’s development process occurred according to best-practice standards respecting the principles of personal data privacy,” Vision-Box CEO Miguel Leitmann says. “The need for enhanced biometric security and personal information protection don’t have to be mutually exclusive. Our mission, as an innovative and human-centric company, is to develop technology that respects both needs and achieves symmetry between them.”

If you want to trade private data for better ticket prices or more personalized services, that should be up to you, Cavoukian says; what’s wrong, on the other hand, is when a company just appropriates your private information for purposes beyond what you initially agreed upon.

“Data privacy and cybersecurity are intersecting circles; that’s how we think of it.” €” Fred Schreiner, Thales Avionics

Implementing a meaningful cybersecurity strategy is like running a marathon, says Brennan Wall, director of Legal and Contracts, Thales Avionics: “Doing it takes more than mere desire.” Pointing to his close working relationship with the company’s chief technology officer, Fred Schreiner, Wall says, “I can talk about it all day long, but without Fred backing me up, there’s not a lot there!” Schreiner adds that Thales stakes its reputation on how seriously it takes data privacy: “Data privacy and cybersecurity are intersecting circles; that’s how we think of it.”

Recent high-profile data breaches will light a fire under most companies’ hindquarters, Cavoukian says, pointing to data encryption as the logical first step – the harder your data is to use by a hacker, the less attractive a target it makes. She adds that companies should let their customers know that as soon as their data is received, it gets encrypted. There’s been a lot of work on data privacy in the industry, Schreiner notes, but the GDPR put an exclamation point on it.

The spate of hacks in recent years has provided screeching wake-up calls to airline industry players and travelers alike, and at the end of the line are some teaching points. “Among the things that the aviation industry can learn is that, regrettably, nobody is immune,” Wall says. “If nobody’s immune, we should be thinking of ways to prepare for these unfortunate incidents.” Schreiner adds that monitoring other industries is key to keeping up with the ever-changing threatscape, as is working with vendors that have the ability to morph their resources to match the threats that do arise.

“Your customers will be driven away by hacks,” Cavoukian says. “In this day and age of massive cyberattacks, if you don’t have a strong foundation of security from end to end, with full life-cycle protection, you won’t have privacy. You have to strengthen security as much as you can, and that’s what every airline should be doing to resist hacks.”

“When negative incidents occur, the brand takes an instant hit.” €” Miguel Leitmann, Vision-Box

In the event of a data breach where personal information is exposed, word spreads like wildfire, Leitmann says. “When negative incidents occur, the brand takes an instant hit,” he explains. Wall adds that you have to make sure your customers know that you’re taking data protection seriously: “Good privacy management is transparent.”

Schreiner points to the recent Equifax hack as a particularly noteworthy learning opportunity. His own team’s plan is rapid detection, immediate threat containment and communication – as opposed to the near month it took Equifax to tell senior management that anything went wrong – and mobilization of the appropriate incident response plan. As Wall puts it, “Let’s hope for the best, but let’s prepare for the worst.”

There are reasons, though, to approach the issue of data privacy as the carrot, too, and not just the stick. “Carriers should recognize that privacy is not just a regulatory requirement, but rather it’s an opportunity for competitive differentiation,” Wall says, “because a key aspect of privacy is a fundamental respect for people, and airlines are in the people business.” To this end, he suggests airlines actively partner with their suppliers to make sure that data privacy is being diligently pursued.

“Passengers should be the center of all operations, a key stakeholder involved in the decision-making process,” Leitmann says. “They have some simple and fair needs: to feel in control, respected and rewarded for the value they generate. This includes having control of their journey, but also deciding what services they want to benefit from.”

Cavoukian says that responsible data management can actively enhance an airline’s brand: “Tell your customers the lengths you’re going to to protect their privacy, how much you respect them. Don’t keep quiet about it! Shout it from the rooftops!” She found that when customers trust a company, they’re more inclined to share their data. “It’s when [companies] don’t engage their customers, that’s when the walls go up,” she says. With more than 20 years’ experience in the privacy game, Cavoukian is seeing privacy concerns reaching an all-time high. “Ninety to 92 percent of people are concerned with privacy – that’s what all the public-opinion polls are coming in at.”

“Tell your customers the lengths you’re going to to protect their privacy. Don’t keep quiet about it! Shout it from the rooftops!” €” Ann Cavoukian, Ryerson University, Privacy by Design Centre of Excellence

So, what does good passenger data look and feel like? Vision-Box approached the Privacy by Design Centre of Excellence, Cavoukian says, because Privacy by Design is incorporated into the GDPR. It was her first time working with an airline-industry client, and she was pleased with Vision-Box’s approach. “I’m hoping that others in the travel industry will look at their operations and do the same thing,” she says.

Schreiner says that it’s important to make passengers aware of any data that is being used for the purpose of enhancing the experience: “Something that’s curated or more personalized can create additional value, but give the user the option to opt in or out. That’s all in the spirit of transparency.”

“Fundamentally, it’s their data,” Wall says. “That means good privacy notices that, and explains what we’re collecting, why we’re collecting it, what their rights are and how they can contact us.” Quoting from the theme song of Ghostbusters, he adds, “‘Who you gonna call?’ What that really means is, Who you gonna trust?”

Government regulation, agreed-upon best practices and customer revolt in the event of a breach can all influence how seriously the airline industry takes privacy management. Schreiner says that government regulations tend to be more generic, since those wheels grind more slowly than the pace of threat evolution.

You’re going to see the continued evolution of regulations in this area, but that’s not the end of it, Wall says. If carriers or suppliers don’t treat personal data with the care it deserves, he adds, “there’s going to be a backlash against that. Which carriers are viewed as the carriers that care about people?”

“Some Privacy, Please” was originally published in the 8.4 September/October issue of APEX Experience magazine.