Let's all take a minute to appreciate the view in the British Airways social media cockpit, where staffers at the coalface of the airline's Twitter account have presided over a wildly unusual 'interpretation' of Europe's new data protection rules.
One that, er, suggests quite the opposite of GDPR compliance... Given the company's social media staff have been caught encouraging customers to post personal data such as their address and passport number into a public forum -- and here's the anti-privacy cherry! -- claiming it's necessary for GDPR compliance!
Insert your own [facepalm of choice]...
So British Airways is asking for people's personal data over social media "to comply with GDPR", and some people are even replying directly in the public feed.
— Mustafa Al-Bassam (@musalbas) July 16, 2018
Mustafa Al-Bassam, the UCL information security PhD student who flagged the company's social media fail in the above Twitter thread has since filed his own data protection complaint against British Airways -- after finding its check-in page was leaking his personal data to a bunch of third parties for ad targeting purposes.
Now that could be okay -- say if the company asked for and gained consent for sharing his data. Or if it had another valid legal basis for collecting data, i.e. other than consent. Though it's pretty hard to imagine what might legally justify an airline sharing paying customers' personal information and travel data with advertisers without their express consent...
Hint: Nope! Not compliance! No!
I've sent the following complaint to British Airways, feel free to do the same if you're also a British Airways customers: https://t.co/NXMd6AMF4F
They'll have a month to resolve the situation and comply with privacy regulations before the ICO gets involved. pic.twitter.com/dIztpmgd7A
— Mustafa Al-Bassam (@musalbas) July 19, 2018
We reached out to British Airways to discuss its approach to GDPR compliance but at the time of writing the company had not responded to a request for comment.
Asked if it could give the company any GDPR guidance, a spokesperson for the UK's data protection watchdog told us: "Any personal information that an organisation asks for must be limited to what’s necessary for that purpose. Any processing of that information must be secure and take appropriate technical and organisational precautions."
Of course the airline is by no means the only company failing entirely to grok GDPR. The regulation is still pretty new (having come into force on May 25) and there are clearly A LOT of privacy dents still to be ironed out all around the online place.
Some of these are accidental and/or idiotic kinks. While others look much more like an intentional deforming of the rules (hi Facebook!). But given the GDPR regime also supports punitive fines for compliance breaches (hello lawsuits) it's to be hoped that none of these privacy fails -- accidental, spectacularly stupid, intentionally hostile or otherwise -- will be around for too long.
- This article originally appeared on TechCrunch.