EU's New General Data Protection Regulation Will Impact U.S. Travel Agencies

by Paul Ruden
EU's New General Data Protection Regulation Will Impact U.S. Travel Agencies


On May 25, the new European Union General Data Protection Regulation (GDPR) will take effect. The stated purpose of the regulation, which has the force of law in the EU, is to protect the data of “natural persons,” meaning humans as opposed to legal entities like corporations.

The real difficulties arise because the rules, intended to create equal rights in all EU member countries, apply to everyone regardless of their nationality or residence and all of their covered data regardless of where it is processed and whether the processing is automated or manual. Despite that goal, however, the regime created by the GDPR allows individual EU states to adopt separate rules in some circumstances.

Individuals will retain the right to access their data, demand correction of factual errors and have their data deleted. An individual can transfer personal data from one social platform to another on demand.

There is an exemption from the record keeping rules for firms with less than 250 employees and the member states are encouraged to “take account of the specific needs of micro, small and medium-sized enterprises” when applying the GDPR. The exemption is, however, subject to multiple exceptions. When applicable, the exemption appears to largely undermine the core principles of the GDPR. The rules also state that “files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.” Many other subparts of the regulation have their own exceptions and limitations and are generally overridden by the giving of the data subject’s consent. Overall, then, it is impossible to be certain of the circumstances under which the GDPR will apply to specific small businesses in the U.S.

The GDPR also contains a provision allowing data collection when in the firm’s “legitimate interest,” a term with unclear boundaries. Hopefully, the application of the “legitimate interest” concept will be elaborated in the near future.

The potential penalties for violation of the GDPR are life-threatening to many businesses; the upper limit is 4 percent of a company’s global sales (or $20 million, whichever is larger).

The GDRP creates many issues. I will identify some of the key ones here but cannot in the context of an article like this, attempt to address them all.

Enforceable if not physically present in the EU?
One central question is to what extent the courts in the U.S. will enforce EU regulations in circumstances where the regulatory violation claim relates to conduct by a U.S.-resident person who was never physically present in the EU for purposes of making a transaction involving the processing of personal data of an EU resident. The outcome may differ depending on whether the U.S.-based person overtly offered her services in the EU or whether the EU person merely reached out to the U.S. person for assistance.

The GDPR addresses this issue to some extent but is not conclusive or even helpful. One of the tests for the application of the rules is whether the data processor is, “offering … services to data subjects who are in the Union.” To decide whether services are being “offered,” the GDPR says it must be “apparent” that the data processor “envisages offering” such services. Merely having a website accessible in the EU, or a generally accessible email address is not sufficient. However, “use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”

What about monitoring behavior online?
If that were not bad enough, the GDPR says that if personal data is used to “monitor the behavior” of data subjects in the EU, then that entity is covered by the regulation. Monitoring includes whether data subjects are, “tracked on the Internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing [sic] or predicting her or his personal preferences, behaviours [sic] and attitudes.” [emphasis added]

Taken at face value, that provision seems to address the airlines’ use of the New Distribution Capability (NDC) to make “personalized individualized offers” to consumers. The processing of the data involved in that will primarily lie with the airlines and perhaps the GDSs or other data intermediaries, but it may also involve travel agencies passing such offers to customers and processing or storing data arising from such transactions.

The issue of consent
Finally, for the limited purposes of this article, there is the matter of “consent” by the data subject to the processing of her personal data. The GDPR provides that:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an Internet website … or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.” [emphasis added]

Even though one of the apparent purposes of the GDPR is to eliminate the long, legalese-infused Terms & Conditions that everyone “accepts” without reading or understanding, the vague language and lengthy requirements seem certain to produce the opposite result.

The GDPR goes further:

“Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”

There is much more, but I will not further belabor it. The GDPR seems inevitably destined to yield more rather than less verbiage in Terms & Conditions that few, if any, customers will actually read. The rules may become a trap for the unwary, however, as individuals or groups focused on privacy monitor the GDPR compliance of firms.

Worth doing business with EU residents?
Every travel agency must decide for itself whether the rules are so costly to implement that the agency is better off declining to do business with travelers who reside in the EU. It seems unlikely that the EU would actually seek to aggressively enforce against a small agency in the U.S. that was not itself overtly soliciting business in the EU, but the possibility of “demonstration cases” always exists just to make the point that the EU takes the GDPR seriously. The risk of becoming an enforcement target is small, but probably not zero. Larger agencies with active sales in the EU are at much greater risk.

Here are a couple of websites with useful outlines of some of the GDPR requirements: EUGDPR Academy;; Digital Guardian; EU Website. For those who want to read the actual 261 pages of the GDPR, you can find it here. Finally, for those who want to further investigate the roots of all this, the EU Directive of 2000 is here.

TMR Recommendations
Top Stories
The Travel Corporation Launches New Multi-Brand Loyalty Program

The program helps agents reward loyal customers with a 5% discount on all of the TTC brands — Trafalgar, Costsaver, Insight, Luxury Gold, Uniworld, U River Cruises, and Contiki.

AmaWaterways Rolls Out New Webinar Series for Travel Advisors

Webinar Wednesdays are designed to provide advisors with essential knowledge about its cruise products and tips on attracting new-to-river-cruise luxury clients.

Bahamas' Warwick Resort Offers Agents Third Night Free

Agent rates at the all-inclusive resort start from $280 per room per night.

Amadeus Launches Updated Version of Web Service with NDC

The company’s latest version of its web services solution, Amadeus Travel API, will provide travel agencies with worldwide access to new content and fares through NDC.

Travel Institute Aims to Streamline Education Standards

New digital credentials tool offers third-party confirmation of CTA, CTC, and CTIE certifications for travel agent course graduates.

American Airlines Expands Support Team for Travel Advisors

The airline announced it will increase staffing for its dedicated sales support team by 50% to provide better service for travel professionals.

News Briefs
Tip of the Day

As travel advisors, we have to be curious. Curiosity leads to impactful connections that pave our road to success. - Jenn Lee, VP of Sales and Marketing, Travel Planners International

Daily Top List

Tips for Reaching $1 Million in Sales

1. Be consistent in your marketing.

2. Create systems and follow them.

3. Use your consortium’s marketing services.

4. Listen for personal details and use them.

5. Leverage your CRM.

Source: TMR

TMR Outlooks
Advertiser's Voice
AmaWaterways - Christmas Markets