Aviation Regulatory Update – March 2021

March 31, 2021


On March 2, 2021, the U.S. Centers for Disease Control and Prevention (CDC) and the U.S. Department of Homeland Security (DHS) issued orders on EVD Contact Tracing for airlines (available at this link) and funneling requirements for passengers (available at this link) due to recent new outbreaks of EVD in the Republic of Guinea (“Guinea”) and the Democratic Republic of Congo (“DRC”).

An important note: the U.S. government plans to expand contact tracing data requirements to all passengers entering the U.S.  As of this newsletter, the date of a CDC Order providing for global contact tracing data reporting has not been announced, but it may be issued within the coming weeks.  Once the expanded global requirement is issued, carriers will have a transition period of up to 100 days to update relevant systems for compliance, but carriers should begin preparations as soon as practicable.

At this time, the CDC’s contact tracing data transmission requirement applies only to two countries.  Effective at 11:59pm U.S. Eastern Time on March 4, 2021, carriers who are transporting into the U.S. any passenger who was physically present in either Guinea or DRC within the past 21 days (a “covered passenger”) must meet two requirements:

  1. Land covered passengers only at designated airports. Covered passengers may only arrive into the U.S. at one of six designated airports where CDC will conduct additional screening.  If necessary, carriers should re-route covered passengers to arrive on flights landing at an approved point.  The designated airports are:
      • John F. Kennedy International Airport (JFK)

      • Chicago O’Hare International Airport (ORD)

      • Hartsfield-Jackson Atlanta International Airport (ATL)

      • Washington-Dulles International Airport (IAD)

      • Newark Liberty International Airport (EWR)

      • Los Angeles International Airport (LAX)

  1. Collect and transmit contact tracing data for each covered passenger. Before boarding a covered passenger, airlines must collect contact tracing data pertaining to each individual and transmit these data to the U.S. government via APIS, JSON, or PNRGOV.  Carriers should make best efforts to collect each data element, if it exists, for each individual passenger.  Carriers are not required to deny boarding if a covered passenger is unable to supply each data element.  (Though carriers can remind passengers that providing this information is a U.S. government requirement.)  Required data elements are:
      • Full name (last, first, and if available, middle or suffix)

      • Address while in the U.S. (including number and street, city, state/territory, zip code)

      • Primary phone number at which the passenger can be contacted while in the U.S. (including country and area code)

      • Second phone number at which the passenger can be contacted while in the U.S. (including country and area code)

      • Email address that the passenger will routinely check while in the U.S.

Aircraft operators who are not providing scheduled airline or public charter service (e.g., private charter or on-demand operations under Part 135) must also follow the above requirements if carrying a covered passenger into the U.S.  These operators may elect to transmit contact tracing data via eAPIS.

All-cargo operations are outside the scope of the EVD Order as they do not carry any passengers.  For crew of passenger flights, carriers are not required to transmit contact tracing data in advance.  If needed due to an exposure risk, CDC will ask carriers for crew contact tracing information for a specific flight, which carriers must promptly provide (i.e., within 24 hours).  Failure by airlines or individual passengers to comply with the Order’s requirements could result in criminal penalties.

We recommend you review this Order text carefully and please let us know if we can answer any questions.



On March 23, 2021, the National Transportation Safety Board held a public board meeting during which they asked the FAA to issue additional safety requirements for certain revenue passenger-carrying flight operations that are currently conducted as general aviation flights under Part 91.  Typically, revenue passenger-carrying flight operations, such as traditional commercial, commuter, and on-demand operations, require an FAA certificate and compliance with the specific maintenance, training, and safety regulations of Parts 121, 135, and 298.  However, certain revenue passenger-carrying operations, such as adventure flights, skydiving, and hot air balloons, are exempted from the stricter requirements and allowed to operate under the general aviation rules of Part 91.

At the board meeting, the NTSB claimed that the lack of FAA oversight, structured pilot training, and adequate maintenance for these Part 91 passenger operations has led to a number of avoidable accidents.  As examples, the NTSB pointed to: a 2016 crash of a commercial hot air balloon near Lockhart, Texas, which killed the pilot and all 15 passengers; a 2018 helicopter aerial photography flight accident in New York City which killed all five passengers; and a 2019 crash of a World War II-era Boeing B-17G on a “living history flight experience” flight which resulted in seven deaths and five serious injuries.  The NTSB took further issue with the fact members of the general public are likely unaware that these types of Part 91 revenue operations are not subject to the same safety regulations as other revenue generating passenger operations.

The NTSB made six new recommendations to the FAA, which included developing equivalent regulations for specific revenue passenger-carrying operations, identifying shortcomings in current regulations, and requiring safety management systems for all revenue passenger-carrying operations currently conducted under Part 91.



On March 13, 2021, the U.S. Customs and Border Protection Bureau issued an interim final rule, Mandatory Advance Electronic Information for International Mail Shipments.  The interim rule was issued to implement the requirements of the Synthetics Trafficking and Overdose Prevention Act of 2018 (STOP Act) in an effort to address the threat of synthetic opioids and other dangerous items shipped to the United States.  The rule requires the United States Postal Service (USPS) to transmit certain advance electronic data (AED) for certain inbound international mail shipments, within specified time frames.  The interim rule also sets certain remedial actions that must be taken by USPS when the AED requirements are not met.

While the interim rule does not specifically apply to, or create new obligations for, airlines, there are concerns that airlines could be affected in situations where USPS fails to correctly submit the required AED to CBP on time, as USPS is required to refuse the shipment in these situations.  The International Air Transport Association (IATA) and Airlines for America (A4A) plan to submit a joint comment on the interim rule.  Other interested parties may submit comments until May 14, 2021.



On March 2, 2021, the Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (“VCDPA”), available here, which will become effective January 1, 2023.  This follows the EU’s General Data Protection Regulation (GDPR) passed in 2018 and the California Consumer Privacy Act (“CCPA”) which became effective in January of 2020, both enacted to provide additional protection for consumers by limiting how business can use and must protect consumer’s personal data.  The following are some of the key features of this law:

  • The VCDPA only applies to businesses (referred to as “Controllers”) that either: i) control or process Personal Data of at least 100,000 “Consumers”; or ii) derive over 50% of gross revenue from the sale of Personal Data and control or process Personal Data of at least 25,000 Consumers;

  • Controllers must provide Consumers with at least one secure, reliable method to invoke the consumer rights, which includes confirmation of, access to, and deletion of personal data in certain circumstances, and the ability to opt out of certain processing of their Personal Data;

  • Controllers must limit the collection of consumer personal data to only that which is “adequate, relevant and reasonably necessary” for the disclosed processing purposes, and must establish a process for Consumers to appeal a denial of a rights request;

  • Controllers must provide consumers with a privacy notice addressing the categories and purposes of personal data collected by the Controller, how Consumers may exercise their rights, and what personal data shared is with third parties;

  • Controllers must conduct and document Data Protection Assessments when performing certain types of processing;

  • Controllers must enter into agreements with data “Processors” that clearly set forth instructions for processing Personal Data;

  • Controllers must obtain Consumers’ consent before processing “Sensitive Data;”

Businesses will have 30 days to cure any violation after notice from the VA Attorney General, after which they could be subject to a $7,500 penalty for each violation.  Finally, businesses should understand that compliance with the GDPR and CCPA will not ensure compliance with the VCDPA.  While all three have many similar provisions, they are not identical, so special care must be taken to ensure proper compliance with the provisions of each.



On March 24, 2021, DOT issued a final rule on Administrative Rulemaking, Guidance, and Enforcement Procedures that largely revoked the Trump Administration DOT’s so-called “Rule on Rules” (84 Fed. Reg. 71,714), which had consolidated DOT’s administrative procedural rules into a single part of the Code of Federal Regulations (49 C.F.R. Part 5) in late 2019.  DOT issued the repeal in response to a White House Executive Order in January 2021, E.O. 13992, that cancelled Trump-era regulatory reform task forces and directed federal agencies to delete procedural restrictions imposed by Trump-era regulatory reform orders.  While DOT’s repeal was a technical adjustment of procedures for its staff – without immediate impact on regulated entities and thus finalized without notice and public comment – the change was a notable move to repudiate the Trump DOT’s approach to regulatory reform.  The previous Administration had viewed new regulations with suspicion and sought to impose heightened discipline around cost benefit analyses in rulemaking and use of guidance documents in investigations.  In contrast, the Biden Administration is expected to issue increased amounts of guidance and to press more aggressive positions in enforcement proceedings.



On March 16, 2021, FAA Administrator Steve Dickson issued a statement, available here, indefinitely extending FAA’s new unruly passenger rule, which was set to expire March 30, 2021. The rule, adopted on January 13, 2021, provided for a special emphasis enforcement program applicable to passengers who assault, threaten, intimidate, or interfere with a crewmember in the performance of a crewmember’s duties.  Under the rule, the FAA has already issued multiple civil penalties against passengers alleged to have interfered with, or assaulting, crewmembers, ranging from $12,500 up to $20,000.



On January 27, 2021, the Bureau of Economic Analysis (BEA) at the U.S. Department of Commerce, filed a notice in the Federal Register, available here, informing the public that it is conducting the mandatory survey titled Quarterly Survey of Foreign Airline Operators’ Revenues and Expenses in the United States (BE-9 Survey). The BE-9 Survey measures U.S. trade in transport services and analyzes the impact of U.S. trade on U.S. and foreign economies, by collecting information on foreign airline operators’ revenues and expenses in the U.S.

Reports are required from U.S. offices, agents, or other representatives of foreign airline operators that had total reportable revenues or total reportable expenses that were $5 million or more during the prior year, or are expected to be $5 million or more during the current year.  However, it is important to note that entities required to report will be contacted individually by BEA. For this reason, no reporting is required if BEA fails to contact an entity.  Reports are due to BEA 45 days after the end of each calendar quarter.

Click here to view a downloadable PDF of the legal update.

This Aviation Regulatory Update is intended to keep readers current on developments in the law. It is not intended to be legal advice. If you have any questions, please contact author Evelyn Sahr at 202.659.6622 or esahr@eckertseamans.com; Drew Derco at 202-659-6665 or dderco@eckertseamans.com; or Andy Orr at 202-659-6625 or aorr@eckertsemans.com or any other attorney at Eckert Seamans with whom you have been working.

Share This Post


Evelyn D. Sahr Photo Washington, D.C.

Evelyn D. Sahr

Member - Washington, D.C.

See full bio
Drew M. Derco Photo Washington, D.C.

Drew M. Derco

Member-in-Charge - Washington, D.C.

See full bio
Andrew P. Orr Photo Washington, D.C.

Andrew P. Orr

Associate - Washington, D.C.

See full bio