Monday, 20 October 2003
Business travel convention discusses CAPPS-II and EU privacy rules
The privacy of business travel records, and the diplomatic dispute between the European Union and the USA over the lack of a travel privacy law in the USA, was a major topic of discussion at the [USA] Association of Corporate Travel Executives convention last week in Dublin, Ireland.
According to this report in TravelAgent magazine, ACTE has asked for a moratorium on enforcement action against airlines by either the USA or the EU -- in order to avoid an interruption of trans-Atlantic flights -- pending resolution of the diplomatic dispute.
But, "The majority of ACTE members... call[ed] the U.S. data requirements "excessive."" At a minimum, that's an indication that travel execs take the prospect of EU action, even to the extent of suspenstion of operating rights in Europe, very seriously, and don't expect the EU to capitulate to demands from the USA.
As reported in Business Travel news, "On the equally controversial, second generation Computer Assisted Passenger Prescreening System, known as CAPPS II, being planned for flights originating in the United States, [US State Dept. representative] Fennerty said: "My thoughts are let's take one crisis at a time. We are trying to resolve the E.U. issue first.""
The problem with this is that:
- The USA still hasn't begun to talk with the EU about CAPPS-II (the current discussions relate to the narrower demands for passenger data, limited to international flights, of the Bureau of Customs and Border Protection).
- The State Department apparently believes (or is pretending to believe) that CAPPS-II is a purely domestic program that doesn't raise any concerns about compliance with other countries' laws.
But people make reservations in Europe (and throughout the world) for domestic flights within the USA. Any sample of "historical" reservations -- such as the USA says they intend to use (as as has actually been used already) for CAPPS-II testing, will inevitably include data collected in the EU under promises to abide by EU privacy rules.
It isn't possible to determine from the content of reservations whether they contain data originally collected in the EU under EU rules. And even if it were, there isn't enough information in most PNR's (Passenger Name Records) to contact the data subjects to give them notice and obtain their consent.
So any use of "historical" PNR's for purposes of CAPPS-II testing -- a purpose that wasn't disclosed or consented to when the data was collected -- will inevitably contravene the EU Data Protection Directive (and, if the data was obtained through a Computerized reservation System, the EU regulations governing CRS's).
The real CAPPS-II scandal will be when EU authorities and the European travelling public realize that probably tens of thousands of reservations from the EU have already been used for CAPPS-II testing, in flagrant violation of EU law. Once that happens, there's little if any chance that the USA will be able to persuade Europeans that existing privacy protections (not) in the USA are "adequate" to satisfy global norms or EU standards.Link | Posted by Edward on Monday, 20 October 2003, 21:36 ( 9:36 PM)