Out-Law News 4 min. read

British Airways could make 'legitimate interests' justification of image checks, says expert


British Airways (BA) may not need passengers' consent in order to identify them using images available on the internet, an expert has said.

Data protection law specialist Danielle van der Merwe of Pinsent Masons, the law firm behind Out-Law.com, said that the company could argue that it is in its legitimate interests to process online images of passengers that have booked with them.

Last week BA announced plans to engage in more personalised interaction with customers through its 'Know Me' customer service program. Staff at the airline will use iPads and a special 'app' to search 'Google Images' for a photo of individual passengers to enable them to recognise and greet them at airports. Other information, such as whether passengers have experienced delays on previous flights, will also be available to crew via the devices, according to media reports. 

Nick Pickles of privacy watchdog Big Brother Watch said that BA needs passengers' consent to justify them processing their online images, according to a report by the London Evening Standard. However, van der Merwe said there may be other ways in which  the company could justify its activity as being compliant with data protection laws.

"There are a number of routes available under the Data Protection Act that one can take in order to justify the arrangement under the Act, the most appropriate of those would be to notify passengers about the possible processing and asking them for their consent at the time they book a flight," she said. "This can be achieved in the company's terms and conditions which are brought to the attention of a passenger when booking a flight. However, consent can always be withdrawn at a later stage by a passenger and the company needs to have procedures in place to deal with an opt-out by those individuals. "

"There are however other routes available to BA under the Data Protection Act other than through gaining the passenger's consent. BA could argue  that the processing is in its legitimate interests because it wants to offer the best experience to its customers possible," van der Merwe added. 

Under the Data Protection Act (DPA) personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes only. 

Organisations must meet at least one of the "legitimising conditions" under the DPA in order to process an individuals' personal data, such as having obtained individuals' consent to do so. Other lawful grounds for processing that do not require consent include where it is necessary for the performance of a contract, necessary in order to protect the "vital interests of the data subject" or where it is necessary "for the administration of justice".

Van der Merwe said that whilst BA could rely on consent where it had been given, it was unlikely that it could justify its Google Image checks on the other lawful grounds listed, other than if it could claim the processing was in its 'legitimate interests' and not overridden by the rights of passengers.

Under the DPA organisations can process personal data if it is "necessary for the purposes of the legitimate interests" they are pursuing, as long as that processing is not "unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."

The subjective nature of that provision means BA should hold documentary evidence of its consideration of data protection matters in order to justify its processing activities if required to do so van der Merwe said.

"Companies need to be able to show that they are taking the privacy of their customers' personal data seriously and that data protection is something that is considered before a company engages in an activity involving their customers' personal data" she said. "Companies unable to do so are more likely to face enforcement action from the Information Commissioner."

A BA spokesman said that the company complies with the DPA and that it aims to "send 4,500 personal recognition messages a day by the end of the year," according to the Evening Standard report.

"We are entirely compliant with the UK Data Protection Act and would never breach that," the spokesman said. "Know Me is simply another tool to enable us to offer good customer service, similar to the recognition that high street loyalty scheme members expect. The Google Images search app helps our customer service team to recognise high profile travellers such as captains of industry who would be using our First class facilities enabling us to give a more personalised service."

Jo Boswell, head of customer analysis at BA, said the personalisation program was just at the "start" and that it had a "myriad of possibilities for the future." However, van der Merwe said that it may be harder for the company to justify more intrusive processing activities without passenger consent.

"Whilst some passengers may be delighted at being addressed on personal terms after airline staff have cross-referenced them with available images online, others may be uncomfortable with the idea and consider that their privacy has been invaded and take real offence," she said. "BA could argue that this activity is within their legitimate interests as they are offering customers a better service and therefore making their airline more popular with customers."

"BA would be less likely to be able to justify further personalising its customer service by checking other personal data online, such as that which is available on social network sites. For example, it is likely that the company would need the consent of passengers to look at their activities on Facebook or LinkedIn etc for the purposes of proactively engaging those individuals in conversation about their social or professional interests" van der Merwe said.

Out-Law.com asked BA to explain its future plans for delivering more personalised customer service but the company did not respond to our queries.

The UK's data protection watchdog, the Information Commissioner's Office (ICO), said that BA, among other requirements under the DPA, must make sure that "passengers’ information is stored securely and is not kept for longer than is necessary." It added that "looking after individuals’ data correctly" was not just a legal requirement but that it "plays an important role in maintaining consumer confidence."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.