Insight: Air Transport and Data Protection
The Privacy Commissioner for Personal Data, Hong Kong (“PCPD”) published an Investigation Report dated 6 June 2019 on the unauthorised access to personal data of passengers of an airline company and its subsidiary (the “Report”).
According to the Report, approximately 9.4 million data subjects from over 260 countries were affected by the data breach. The data involved included name, flight number, title, email address, membership number, address and phone number.
The PCPD specifically addressed the legal issues on data security and data retention (i.e. Data Protection Principles (DPP) 2 and 4, Schedule 1 of the Personal Data (Privacy) Ordinance, Cap. 486 (“PDPO”)).
In terms of data security, the PCPD stated that the airline did not take all reasonably practicable steps to protect the data subjects in terms of vulnerability management, adoption of effective technical security measures and data governance, contravening DPP 4 of Schedule 1 of the PDPO.
In terms of data retention, the PCPD found that the airline did not take all reasonably practicable steps to ensure that the HKID card numbers were not kept longer than was necessary for the fulfilment of the defunct verification purpose, contravening DPP 2(2) of Schedule 1 of the PDPO.
The PCPD served an Enforcement Notice under s.50(1) of the PDPO to the airline to remedy the contraventions.
Air Transport Licensing Regulations and Guidelines
Under the amended Air Transport (Licensing of Air Services) Regulations (Cap. 448A) (the “Regulations”), any person using an aircraft registered in Hong Kong to operate scheduled air services between Hong Kong and any point in the world must hold a valid licence granted under the Regulations.
According to the Procedural Guide for Applying for a Licence to Operate Scheduled Services under the Air Transport (Licensing of Air Services) Regulations (Cap. 448A) published by the Air Transport Licensing Authority (ATLA) (April 2013) (the “Procedural Guide”), the ATLA shall have regard to the development of air services with the object of providing effective service to the public and the interests of the public.
There is no express requirement under the Air Transport (Licensing of Air Services) Regulations (Cap. 448A) or the Procedural Guide that the applicant must show that it has complied with the PDPO and/or other related data protection regulations.
The Procedural Guide and the Regulations merely require the applicant to provide information in relation to its business plan, which includes business activities, business strategy, other financial interests, shareholding, aircraft financing, operational and revenue forecasts, cash flow forecast and statement of financial position and projects.
The Procedural Guide does mention ‘risk analysis’ as part of the information required to be provided in the applicant’s business plan. However, the risk analysis seems to focus more on major changes to key business assumptions, and not on cybersecurity and data protection.
Having said that, the ATLA does have power to request specific information and details from a licence holder if there are events or circumstances that have a significant bearing on the financial performance and/or conditions of the business, or external events which may significantly disrupt the airline’s normal operations and revenue stream.
Moreover, the ATLA does have the power, under Regulation 16 of the Regulations, to revoke or suspend a licence if the holder of the licence has failed to comply with any condition subject to which the licence was granted. However, it is not known whether data protection and maintaining an effective cybersecurity system will be a licensing condition.
In light of the recent data breach incident that happened to one of the biggest airline services in Hong Kong, the ATLA should consider whether it is appropriate to revise its Procedural Guide in terms of its licensing assessment criteria, or to make recommendations to the Government to amend the Regulations so as to acknowledge the importance of maintaining an effective data protection and cybersecurity framework.