Commercial and regulatory lawyer, Lucy England of Fox Williams, spoke at the BTA conference
Personalised fare and product offers must comply with GDPR
Travel companies using generative AI to make personalised offers to customers need to treat the output as ‘personal data’ under the General Data Protection Regulation (GDPR) and inform clients.
That is according to commercial and regulatory lawyer Lucy England of Fox Williams, who told the Business Travel Association (BTA) conference in London: “A lot of travel management companies [TMCs] are using generative AI for personalised offers [and] that is a hot one for GDPR compliance.”
She warned: “If what goes in are personal preferences, what comes out will be classed as personal data. You need to treat anything to do with [customer] preferences as personal data.”
England noted: “Different types of [AI] technology lead to different results. Machine learning technology analyses data. Generative AI produces new content that can be used as data.”
She told the BTA: “Generative AI is different because of the amount of data and because it’s so powerful. You need to be aware of personal data going into the technology and personal data coming out. Is it sanitised data? Is it policed? Does content go back out to the internet?”
England warned uses of ChatGPT “don’t put personal data into that” and said: “Let customers know ‘We’re using AI as part of this service’.”
She cited a recent legal case involving Air Canada where an airline chatbot provided passenger information which differed from the carrier’s stated policy and noted the airline “tried to argue it had no liability” saying: “The court trashed that.”
Travlaw senior partner Matt Gatenby agreed “you need a policy” for AI use, noting: “If you produce something that causes harm, you’re going to be responsible for it. You’ve got to have a process in place. If you’re using data, it can go of the rails if an employee does something daft.”
Sheena Varma, American Express Global Business Travel chief privacy officer and senior counsel, said: “You read all the time of things gone wrong.
“Understand what you’re trying to achieve and what data is required to achieve that. Then figure out the risks. You need the right level of safeguards and a holistic view of provider contracts.”
She added: “There is no point having AI if you can’t use data with it. [But] have you the protocols in place that the data will be kept safe?”