Keywords: commercial space flight, data protection, space territory, privacy, cybersecurity, international airspace.
Overview of Space Tourism
The Space Tourism Guide defines space tourism as any commercial activity related to space, including traveling to space as a tourist. Generally, traveling to space entails flying above an altitude of 100 kilometers or 62 miles above sea level, crossing the Karman line, which marks the boundary between Earth and outer space.
Companies including Virgin Galactic, Blue Origin, SpaceX, Boeing, Axiom Space and Space Perspective are currently championing the commercialization of the space tourism sector. A trip to space with these companies can cost anywhere from $125,000 for a 6-hour suborbital flight (reaching space but lacking the necessary velocity for orbit) to a staggering $55 million for a 10-day orbital journey (attaining orbital velocity for sustained orbiting). The space tourism market is expected to increase from US$851.7 million in 2024 to over US$5.19 billion in 2034.
As more individuals embark on this celestial voyage, the amount of data collected and processed in the space tourism industry increases accordingly. This article examines issues surrounding data collection and protection in the context of space tourism.
Personal Data Collection
Before embarking on space travel, while still grounded on Earth and prior to securing a spot in the program, companies may request the collection (see e.g., Blue Origin) of the following pieces of information: personal identity, financial details, physical and mental health data, and at times, a “personal statement,” which may include personal details. Upon selection, applicants may need to undergo readiness training, including adapting to zero gravity and responding to specific incidents, with potential continuous monitoring and analysis of their physical fitness.
Once in outer space, real-time surveillance measures through CCTV cameras, like on airplanes, and microphones can be expected for safety and security reasons—or even for future analytics in service improvement. Information monitored in this extraterrestrial environment may encompass physical movements and conditions (e.g., heartbeats), interactions, conversations, and expressions, some of which can be personal and intimate to the space tourists. The amount of data collected while in outer space thus warrants careful discussion of the privacy and security of the collected data.
Data Protection in Outer Space
Collecting personal data comes with the legal obligation to protect it. Generally, the governing domestic law is determined by the geolocation of the residence of data subjects (i.e., the persons whose personal data is being collected). For instance, the EU General Data Protection Regulation (GDPR) is triggered when a data controller (individual or company) collects personal data from a data subject residing in the EU. Similarly, the California Consumer Privacy Act (CCPA) is in effect when a business collects personal data from California residents.
Thus, personal data collected on Earth (e.g., credit card information, health training data) is likely to be protected by the data protection or information privacy law of the jurisdiction where the tourist resides at the time of collection. But for the personal data that is collected in outer space, which jurisdiction’s laws will apply?
By way of analogy, in air commerce, several countries can have jurisdiction while an aircraft is in flight. Suppose an American registered airplane is flying to England. Once the aircraft enters international airspace, the Tokyo Convention suggests that the law of the country of the aircraft’s registration (i.e., U.S.) applies. However, laws of the destination (i.e., U.K.) can also apply if related to air safety. In addition, when the aircraft is flying in the airspace of a country where alcohol consumption is illegal (such as Iran), alcohol may not be served until the aircraft leaves the country’s airspace.
For outer space specifically, although the Outer Space Treaty (OST) provides that no nation can appropriate space by any means or claim sovereignty over any space territory, there can be jurisdiction on spaceships. Article VIII of the OST expressly grants jurisdiction on the spacecraft’s state of registry. The Article provides: “A state Party to the Treaty on whose registry an object launched into outer space is carried shall retain jurisdiction and control over such object, and over any personnel thereof, while in outer space or on a celestial body.”
Under the Tokyo Convention and the OST, the country registration of the vehicle thus appears to be a common indicator of applicable laws. Using this framework to determine the applicable domestic data protection laws, most space tourism programs would likely be subject to those of the U.S., as most active and open programs are based there. But with the absence of comprehensive federal legislation in the field, there will likely be complexity in determining which specific state’s law will govern.
Also, there is ambiguity whether the OST’s registration jurisdiction rule applies to commercial spaceflight. A 2022 law review article argues that it is unclear whether the OST will apply. While the OST is widely recognized, it leaves important commercial spaceflight regulations up to member states, and commercial passengers might not fit within the definition of “astronauts” under the OST. As such, scholars in the field have proposed a self-regulation and contractual regime for commercial space flights for legal certainty.
But will companies be willing to create fair rules to regulate themselves in the interests of consumers? If there is one lesson to take from the history of data protection and privacy, it is that self-regulation rarely works. However, polycentric governance, which refers to a system where regulation and oversight come from more than one center of authority, could present a viable opportunity. This approach would involve space tourism companies collaborating with cybersecurity experts, data privacy advocates, and government agencies such as the National Aeronautics and Space Administration (NASA) to jointly develop regulations and accountability mechanisms for data protection in the space tourism industry.
Conclusion
As the number of space tourists and the corresponding collection of their data increases, greater privacy protection in outer space is urgently required. At present, there is no clear direction on which law or regulation should apply to data collected in outer space. Thus, encouraging greater international cooperation in space is crucial. Nation-states and international organizations should engage in discussions to implement rules akin to those outlined in the Tokyo Convention and the OST. This effort could help to ease the ambiguity surrounding the specification of applicable data privacy laws for commercial space flights. The long-overdue consensus on modern global data protection presents an opportune moment to advocate for such measures.
Authors: Uduak Ekott (LL.M. Candidate at Indiana University Maurer School of Law) & Attamongkol Tantratian (S.J.D. Candidate at Indiana University Maurer School of Law)
