Abstract: In the aviation transport industry, the processing of personal information involves multiple actors and is closely related to national security. Meanwhile, personal information provided by passengers to airlines may be transferred across borders and may include sensitive personal information. For domestic flights, when passengers purchase tickets, airlines should fully inform passengers that they may be required by law to provide passengers' personal information to public authorities. Airlines should also inform passengers of potential personal information processors and their processing activities and purposes, the results of personal information protection impact assessments for relevant processing activities, guidelines for the protection of passengers' rights to their personal information, and the designated person responsible for personal information protection. In addition, the application of automated decision-making technology and facial recognition technology should be subject to restrictions. In terms of the cross-border transfer of passengers' personal information, international rules should be developed. One possible approach is to add an annex to bilateral air service agreements for the cross-border transfer of passengers' personal information. In the absence of international rules, such cross-border transfers should be constrained by the principles of lawfulness, legitimacy, and necessity.