Cathay Pacific’s new privacy policy is brutally honest or very creepy. Or perhaps it is both as Cathay becomes the latest airline to straddle personalisation and privacy while complying with growing regulatory oversight. British Airways in July received a GBP 183 million fine for a data breach last year.
The Hong Kong carrier's new policy, announced last Thursday night, says Cathay will “collect and process” personal information from passengers including images from onboard aircraft, use of the in-flight entertainment system, hobbies, and activity at airports. There is no explicit timeframe for retaining this data, with Cathay saying it keeps information “for as long as is necessary.”
In response to questions about the policy, Cathay told me that it needed two weeks to provide more details.
The policy appears to be in response to an order from Hong Kong’s privacy commissioner for Cathay to implement a data retention policy. That was one of eight actions in a June enforcement notice served on Cathay, which is the middle of a three-year restructuring, in response to a data breach affecting 9.4 million Cathay customers. Cathay wrote in an e-mail to passengers the policy is “part of our ongoing commitment to transparency.”
Much of the policy details information Cathay would be expected to retain or which passengers opt to have the airline save, such as by creating a profile that includes passport details and meal preference or a frequent flyer account that records travel history.
Other sections show a wider scope, raising questions as to how Cathay obtains the information and why it is needed, such as “your activity at airport departure and arrival halls.” Already airport duty free transactions require boarding pass details, but this is usually for regulatory and shop owner commercial purposes – not information traditionally shared with airlines.
The policy also mentions collection of “your images captured via CCTV in our airport lounges and aircraft.” Cathay could not explain its CCTV system on aircraft, if this was extended to lavatories, and if any in-flight entertainment system had an activated embedded camera. Earlier this year carriers including Singapore Airlines rushed to say cameras in their entertainment system were deactivated. Emirates intentionally put a camera in a first class controller so passengers can video call cabin crew to request service items.
Entertainment and on-board wifi usage is recorded, the policy says without further explanation. Data cross-over is not necessarily nefarious; Air New Zealand’s entertainment system has a home screen welcoming passengers by their first name. The industry has thought IFE usage could be analysed to create suggestions, like Netflix or other streaming services.
The policy says Cathay could collect information about a passenger’s hobbies, but does not say how that may be acquired. Cathay acquires “photographs and other images” without detailing what other images those are, how they are acquired and why they are kept.
Data harvesting extends beyond passenger interactions with the company. “We may also collect information about you that is publicly available online, including your social media profiles,” the policy says.
A passenger booking for others has the onus of sharing the airline's privacy policy. “If you provide us with information about other individuals, you must tell those individuals and let them know where they can find a copy of this Privacy Policy.”
The policy provides few details or examples, and those supplied are usually straight-forward and passenger-friendly, such as sharing data so there can be “liaising with airport authorities to arrange wheelchair assistance” or “providing your details to our staff and cabin crew so they can greet you personally and acknowledging your loyalty.”
The e-mail announcement to customers said, “We want you to know that your personal information is secure.” However, the policy warns that “No data transmission…can be guaranteed to be secure” and that Cathay’s safeguards are “commercially reasonable.”
Transparency and commitment efforts appear undermined by offering further guarantees to passengers in certain markets rather than make those terms available to all. There are supplementary privacy guarantees for passengers from nine jurisdictions, including mainland China, the US and Japan. There is also an appendix for the European Economic Area.
US residents “may have the right to direct us to stop selling your personal information,” the policy says. The European appendix notes some transaction details will be kept for six to ten years whereas the general policy has no specific retention period.
While the general policy allows passengers “to access certain personal data” Cathay has collected on them, consumers in mainland China can request “a copy of your personal data” with no stated exclusions. Residents of the US state of California can request what information Cathay shares with third-parties and who those third-parties are. The appendix for Korea specifies the names and purposes of Cathay’s 28 third-party data processing providers.
Hong Kong’s enforcement notice did not explicitly require Cathay to publicly disclose its data policy. It did require Cathay to “devise a clear data retention policy to specify the retention period(s) of passengers’ data stored in each and every system” but Cathay's policy offers no such timeframe.
Topics in the privacy policy were not included in the airline’s 35-page conditions for carriage, last updated in 2016.
