Asata has submitted a statement to Iata this week asking for the postponement of changes made to Resolution 830d, saying that data protection laws do not apply to most South African travel agents and that these requirements invade the privacy of travellers.

The new resolution, which came into effect on June 1, requires agents to ask clients for consent to share contact details with airlines. If the client does not give consent, the agent must insert this refusal into the PNR.

According to Asata, the changes assume that all Iata-accredited agents are currently subject to European data protection laws. However, in its opinion, the majority of South African travel agents in the outbound market do not have to comply with EU data protection laws, and POPI (the South African Protection of Personal Information Act) is not yet in effect as law.

The statement says that, even when South African agents are subject to the EU GDPR laws or when POPI comes into effect, it is Asata’s view that Regulation 830d is not compliant with either law. It argues that both EU GDPR and POPI include the principle of “data minimisation”, which says that a travel agent should do the bare minimum amount of processing to achieve the purpose for which the passenger provided their information. As liaising with the airline on behalf of the passenger (including for the purpose of operational disruptions) is part of the service provided by the travel agent, it is less invasive for the airline to contact the travel agent with flight disruptions and for the travel agent to then liaise with clients. It is therefore inconsistent with both the EU GDPR and POPI Acts to share client personal information with airlines, as there is a less invasive way to achieve this purpose, says Asata.

“Even if South African-accredited agents were subject to these laws, the resolution will actually invade the privacy of travellers,” it adds.

The statement also accuses the resolution of being impractical, onerous and therefore unreasonable, explaining that travel management companies will often not have access to travellers and will not have an opportunity to ask for consent without making significant changes to booking procedures.

While the legality of the resolution is being debated, Asata still recommends that agents take reasonable steps to share passengers’ personal information with airlines according to the existing recommended guidelines.

Head of sales and distribution of FlySafair, Kirby Gordon, says that while he understands that agents are frustrated that the carpet has been pulled out from under them with the immediate effectiveness of the resolution changes, companies cannot ignore that the POPI Act is coming. “All South African businesses should be working toward full compliance with this Act,” he warns. He also explains that airlines are required to follow EU GDPR guidelines in all markets where they operate, due to the service agreements they must sign with international clients requiring compliance with these laws.

Iata is preparing a statement with advice and clarification on this matter.
Asata fights Iata resolution
14 Jun 2019 - by Sarah Robertson