British Airways shows everyone how not to GDPR


Let’s all take a minute to appreciate the view in the British Airways social media cockpit, where staffers at the coalface of the airline’s Twitter account have presided over a wildly unusual ‘interpretation’ of Europe’s new data protection rules.

One that, er, suggests quite the opposite of GDPR compliance, given the company’s social media staff have been caught encouraging customers to post personal data such as their address and passport number into a public forum — and here’s the anti-privacy cherry! — while claiming it’s necessary for GDPR compliance!

Insert your own [facepalm of choice]…

Mustafa Al-Bassam, the UCL information security PhD student who flagged the company’s social media fail in the above Twitter thread, has since filed his own data protection complaint against British Airways — after finding its check-in page was leaking his personal data to a bunch of third parties for ad targeting purposes.

Now that could be okay — say if the company asked for and gained consent for sharing his data. Or if it had another valid legal basis for collecting data, i.e. other than consent. Though it’s pretty hard to imagine what might legally justify an airline sharing paying customers’ personal information and travel data with advertisers without their express consent…

Well, Al-Bassam says he was not asked for consent to share his information with advertisers. And if you’re processing data on the basis of consent — which is what British Airways’ privacy policy suggests the company thinks it’s doing here — then GDPR does in fact require you to actually ask for, and actually obtain, that consent first.

tl;dr: Consent by default is not consent. So again the company appears to be suffering from some form of regulatory delusion syndrome where whatever it thinks GDPR compliance means is what GDPR compliance means. Say like embedding a catch-all ‘consent’ in the depths of a privacy policy. Or just saying the word ‘GDPR’ out loud three times while looking in the mirror.

Hint: Nope! Not compliance! No!

We reached out to British Airways to discuss its approach to GDPR compliance but at the time of writing the company had not responded to a request for comment.

Asked if it could give the company any GDPR guidance, a spokesperson for the UK’s data protection watchdog told us: “Any personal information that an organisation asks for must be limited to what’s necessary for that purpose. Any processing of that information must be secure and take appropriate technical and organisational precautions.”

Of course the airline is by no means the only company failing entirely to grok GDPR. The regulation is still pretty new (having come into force on May 25) and there are clearly A LOT of privacy dents still to be ironed out all around the online place.

Some of these are accidental and/or idiotic kinks. While others look much more like an intentional deforming of the rules (hi Facebook!). But given the GDPR regime also supports punitive fines for compliance breaches (hello lawsuits!) it’s to be hoped that none of these privacy fails — accidental, spectacularly stupid, intentionally hostile or otherwise — will be around for too long.

Europe – TechCrunch