Let’s all take a minute to appreciate the view in the British Airways social media cockpit, where staffers at the coalface of the airline’s Twitter account have presided over a wildly unusual ‘interpretation’ of Europe’s new data protection rules.
One that, er, suggests quite the opposite of GDPR compliance… Given the company’s social media staff have been caught encouraging customers to post personal data such as their address and passport number into a public forum — and here’s the anti-privacy cherry! — claiming it’s necessary for GDPR compliance!
Insert your own [facepalm of choice]…
So British Airways is asking for people's personal data over social media “to comply with GDPR”, and some people are even replying directly in the public feed.
— Mustafa Al-Bassam (@musalbas) July 16, 2018
Mustafa Al-Bassam, the UCL information security PhD student who flagged the company’s social media fail in the above Twitter thread, has since filed his own data protection complaint against British Airways — after finding its check-in page was leaking his personal data to a bunch of third parties for ad targeting purposes.
Now that could be okay — say if the company asked for and gained consent for sharing his data. Or if it had another valid legal basis for collecting data, i.e. other than consent. Though it’s pretty hard to imagine what might legally justify an airline sharing paying customers’ personal information and travel data with advertisers without their express consent…
tl;dr: Consent by default is not consent. So again the company appears to be suffering from some form of regulatory delusion syndrome whe..