A security researcher was headed to a privacy technology symposium and ran headlong into British Airways’ approach to data privacy in the process.
To most of us in the United States, GDPR (the EU’s General Data Protection Regulation) just means we get spammed by everyone we’ve ever given our email address to telling us they’ve updated their privacy policy.
For Europeans it means being able to ask companies what information they hold on you, and to ask to be removed from their databases. Of course a company needs to verify you are who you say you are before acting on a removal request, so the request itself requires you to hand over personally identifying information. And the company can continue to retain certain information about you anyway, to protect itself from being sued.
There are obligations to protect sensitive information, and to collect only the information that is necessary. And the rules carry the threat of substantial fines. Of course what every lawyer dealing with this area has told me is “we don’t really know what it means yet.” That’s because it’s new: there’s little to go on in terms of what enforcement will look like, and no case law yet.
Still, the general idea is something like the opposite of British Airways insisting that GDPR rules require customers to publicly tweet them personal information in order to get customer service.
So British Airways is asking for people's personal data over social media "to comply with GDPR", and some people are even replying directly in the public feed.
uwotm8 pic.twitter.com/yUvCQ5Gti9
— Mustafa Al-Bassam (@musalbas) July 16, 2018
This may be broadly reflective of the British Airways approach to data privacy, however.
The plot thickens. @British_Airways only lets you check-in online after you disable your adblocker, so that they can leak your booking details to tons of third party advertisers and trackers, including Twitter, LinkedIn and Google DoubleClick. https://t.co/mRb80OMLr1
— Mustafa Al-Bassam (@musalbas) July 17, 2018
British Airways, for its part, suggests that if you’re not comfortable sharing your personal information with myriad marketing firms on the internet then you don’t deserve to check in online.
If you’re not comfortable clearing the history and cookies, Mustafa, we can only recommend that you check in at the airport. ^Julie
— British Airways (@British_Airways) July 17, 2018
Hence the conclusion: British Airways, “I think you’re doing GDPR wrong.”
So @British_Airways asks for people's personal details on social media "to comply with GDPR", yet they leak your booking details to tons of third parties when you check in online. I think you're doing GDPR wrong… pic.twitter.com/H8WWs7slYm
— Mustafa Al-Bassam (@musalbas) July 17, 2018
Yeah, tell me. I am unable to retrieve a BA PNR because they need to verify it’s me. The passport data has to be put in first, which I can only do when I have the PNR.
They say “otherwise it doesn’t pass GDPR”. Bullshit. Hasn’t to do with that.
I have sent them a letter requesting ALL data they are holding on me and for what purpose. I have that right as per GDPR. So within 30 days (flight is in December) I should also have that PNR, as it’s in my file 😀
Plus someone there has an hour or two work getting my info to me.
From the company that brought you the IT Disaster High Visibility Safety Vest