Mark Pestronk
Q: I have been reading about the EU's new General Data Protection Regulation (GDPR) that takes effect on May 25. I am trying to ascertain how or even whether it affects my U.S. travel agency, but the rules seem very complicated. Can you explain the extent to which the rules apply to us? If they apply, what do we have to do to comply? What will happen if we don't comply?
A: The GDPR will apply to U.S. travel agencies and other travel businesses if two requirements are met:
First, the rules apply if you have client travelers who are in any of the 28 countries of the EU. I use the words "are in" because the rules apply not only to people who live in the EU but also to U.S. travelers whose data is collected while they are traveling in the EU.
Second, individuals in the EU must be the target of your marketing efforts. For example, if you are marketing U.S. tours to Italian citizens via a website written in Italian, the rules apply. However, if you have just one website in English that is designed to target anyone anywhere, the rules don't apply to you, even if an EU individual signs up.
In corporate travel, if you have a U.S.-based, multinational client and you are trying to get the employees of your client's French subsidiary to come into your travel management program via a website aimed at them, the GDPR will apply because you are targeting EU residents. On the other hand, if the client sends a worldwide mandate requiring all its employees to sign up with you, the rules don't apply because you are targeting everyone.
Corporate travel agencies that network with EU-based travel management companies (TMC) will need to implement systems and procedures that mirror those in the EU. Otherwise, the EU TMCs will be legally unable to share data with you, as the rules require that companies that send data must ensure that those who receive data can comply with the data-protection requirements.
The basic mandate of the GDPR is to protect "personal information," which is defined much more broadly than any U.S. privacy law, as it even includes names and addresses and much more. So, anything that a travel business collects about a traveler will be "personal information."
You can collect personal information only if you meet several requirements, including obtaining express, informed consent from the traveler to collection and dissemination to suppliers; maintaining records about when you collected each piece of information; protecting transfer of data by making sure that data processors such as travel suppliers also follow the rules; and safeguarding data.
A good rundown of those requirements can be found here.
The rules contain a "right to be forgotten," requiring you to delete all information about a person on request. Similarly, if a person asks, you must provide a copy of the personal data that you have.
Data-protection authorities in EU countries have the power to impose large fines on noncompliant companies, but it is unclear how they will be able to prosecute U.S. travel companies other than barring them from operating in the EU.
The countries in the EU take data privacy much more seriously than we do in the U.S. As stated in the preamble to the new rules, "The principles of, and rules on, the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data."