AirAsia’s data monetisation plan raises concerns

The standard practice of information collection by an airline is for flight booking and not meant for unauthorised parties, says CyberSecurity


MONETISATION of personal data by AirAsia Group Bhd’s digital asset will violate Malaysia’s Personal Data Protection Act (PDPA) 2010 if the transaction involves the exchange of its customers’ personal information gathered through its array of businesses.

CyberSecurity Malaysia CEO Datuk Dr Amirudin Abdul Wahab said the standard practice of information collection by an airline is done for the purpose of flight booking and not legally meant for unauthorised parties to access.

“Generally, the initial consent, for example, the information given by the customers was based on the requirement for booking purposes which cannot be given to others in whatever manner unless there is a clear statement from AirAsia stated that customer data will also be used and processed by others and requires customers’ consent to do so,” he told The Malaysian Reserve (TMR).

Last week, AirAsia CEO Tan Sri Dr Tony Fernandes said the group is looking to exchange its digital asset it has accumulated over the years for a US$1 billion (RM4.15 billion) loan from an American firm.

The airline refused to divulge more information when approached by TMR regarding the types of digital assets involved in the business transaction.

According to AirAsia’s privacy statement, information collected in their services includes customers’ personally identifiable information (PII), contact details, payment information, travel history and technical information such as the customer’s Internet protocol address.

The airline said its PII involves customers’ name, photo, facial features, gender, date of birth, nationality, passport and identification card number, passport expiry date, passport issuing country and the country of residence.

In a statement yesterday, the Department of Personal Data Protection said it found no issues of disclosure and breach of personal data in the transaction based on the explanation and justification provided by the airline to the government agency.

“The department is satisfied with AirAsia’s explanation on the transaction,” it said.

However, it added that any sales involving personal data are an offence categorised under Section 130 of the PDPA 2010 and will be fined RM500,000 or three years’ imprisonment, or both, if found guilty.

Amirudin said, referring to PDPA, if the purpose of collecting customer information contradicts with the initial purpose of flight booking, it will eventually violate personal data protection and privacy.

Under the PDPA, organisation must ask customers’ consent if their information is being used or processed for other services aside from the one they have given their consent to. For AirAsia, the initial consent is given to process for flight booking only.

“An organisation must implement necessary security controls, such as data encryption and two-factor authentication, to ensure confidentiality and integrity of data is preserved.

“If the organisation adheres to the ‘Seven Principles Personal Data Protection’ prescribed by PDPA, there should be no issues with the protection of data privacy during the processing of data involving data in use, data at rest and data in motion,” he said.

Amirudin said AirAsia should also consider relevant acts and regulations equivalent to the PDPA in other countries due to the group’s wide range of customer base.

He added that the airline has to be aware of the cross-border jurisdiction issues in data transfer should any cases of data leakages and unauthorised access occur during the transaction.

“If customer data of AirAsia is hosted in Malaysia, AirAsia is bonded with Malaysia’s PDPA. However, if AirAsia hosts its data outside Malaysia, AirAsia should ensure the country, or countries, implements an adequate level of privacy protection to protect customer data.

“In case of data leakages or unauthorised access during the transaction of data and involve court cases across countries, AirAsia must be aware of the crossborder and jurisdiction issues of data transfer because there is an involvement of a foreign country,” he said.

Bar Council Intellectual Property Committee co-chairperson Foong Cheng Leong said monetisation of digital data is a common practice for companies barring any breach or concerns of unauthorised access to personal information which could be traced back to an individual.

“As long as the data is kept within AirAsia’s group of companies, they can use the data that they have accumulated for years.

“In respect of personal data, care may need to be taken to ensure that there is no breach of the PDPA.

“This includes ensuring that any processing of personal data outside the purpose of which it was collected has the necessary consent or is lawful to be used,” he said.

The group is also reportedly seeking to raise RM2.5 billion by the end of the year as it tries to navigate severe business slump caused by the pandemic.