Wednesday, 21 January 2004

Passengers sue. Airlines circle the wagons.

The first consumer class action lawsuit against Northwest Airlines by a passenger was filed Tuesday, 20 January 2004, in U.S. District Court in St. Paul, Minnesota, the Federal judicial district that includes NW's headquarters, the Minneapolis Star Tribune reports . The plaintiff's attorney, Shawn Raiter , "said he expects other class-action lawsuits to be filed across the United States in other court jurisdictions."

Today's Washington Post says that, in response to the Northwest Airlines (NW) scandal, the Air Transportation Association (ATA), the lobbying association of USA-based airlines, "will meet in Washington this week to discuss the development of an industry-wide privacy policy to protect consumers."

A more accurate statement might be, "... to protect airlines against legal liability." Almost every ATA member (and more than 100 other airlines around the world) has an interline ticketing agreeement permitting them and their agents to make reservations for journeys including NW flights. They have collected perosnal information from passengers and third parties, and passed it on to NW, without having any contractual commitment from NW, or any operational protocols, to ensure that it wouldn't be further "shared" -- as, in fact, it was, with NASA and who knows how many others.

Virtually all passenger name records (PNR's) contain data from mulitple sources that has been transferred between different compnaies through the network of reservations systems .

The holding of ATA's first-ever meeting on privacy policy and personal data sharing is thus a damning admission that the airline industry has no standards, agreements, or procedures in place to protect the privacy of travel data when it is passed between travel companies such as airlines, travel agencies, tour operators, and CRS's.

But the place to determine global public policy on issues like privacy is in the legislature or another public forum, not a private conference of corporate executives who have in common only their business -- not public -- interests and their demonstrated historical lack of concern for the impact on their customers of their data interchange procedures.

In the USA, the most obvious objection to the ATA meeting is its apparent violation of anti-trust law. Congress has given airlines a limited exemption from anti-trust law to participate in IATA "traffic conferences" (international price-fixing meetings). But that exemption extends neither to ATA meetings, nor to collusion on contract terms, such as privacy policies and conditions of carriage.

Concern for possible anti-consumer airline collusion on conditions of carriage is well-founded: almost all ATA member airlines already have suspiciously similar language in their conditions of carriage requiring passengers to "consent" to submit to search and provide government-issued documentary evidence of their identity.

Left to their own devices, USA-based airlines would probably all agree to require passengers to "consent" to personal data sharing, with few if any meaningful constraints, as a condition of air transportation. Such an agreed-upon united front by the airlines would leave would-be air travellers no meaningful alternative -- other than to walk or bicycle across the country -- and render their so-called "consent" meaningless.

In the European Union, Canada, and other countries where airlines (including those from the USA) have promised to abide by legal privacy protection codes, the absence of privacy protocols or formal agreements governing current transfers of personal data within the industry raises more serious issues of lack of legal compliance, and breach of the promises made to those countries' authorities.

Wired News says EPIC's European representative, Cedric Laurant, expects a "heated discussion in the European Parliament" when the debate on passenger data transfers to the USA, originally scheduled for today but now pushed down on the agenda , resumes Thursday in Brussels.

As it becomes more and more evident that airlines aren't complying with existing EU privacy laws, it becomes ever less likely that EU agencies will approve demands by the USA for even greater mandatory collection, government access, wider dissemination, and free sharing with travel companies in the USA of travel data collected in other countries, for CAPPS-II and other surveillance and monitoring programs.

Thta's not a problem ATA, or any private or national organization, can resolve. What's needed is a comprehensive international dialogue and privacy impact assessment of travel reservation data, to include CRS's, airlines (represented internationally through IATA, not just ATA), other travel copmpnaies (travel agencies, tour operators, reservation software companies, etc.), national and regional (e.g. EU) data protection authorities, and consumer and privacy advocates and NGO's.

In the meantime, as long as USA-based airlines and their European and worldwide partners are in such manifest vioaltion of the EU data protection directive, without even the pretense of privacy commitments from their data interchnage "partners", the EU should close the door -- promptly and firmly -- to any continued sharing with the USA government of data collected in the EU by airlines, CRS's, travel agencies, or tour operators.

And the EU should set a firm deadline -- 90 days, perhaps -- for airlines and travel companies that want to collect personal data in the EU, and pass it on to CRS's or other airlines and travel companies in the USA, to complete the first phase of the privacy impact assessement I've just described. If they don't, enforcement action to prohibit commercial sharing of travel data betweeen the EU and the USA, and suspension of the right to operate in the EU for companies that fail to comply, is long past due.

Link | Posted by Edward on Wednesday, 21 January 2004, 08:00 ( 8:00 AM) | TrackBack (1)
Comments

Great and interesting article.
____________________________
David

Posted by: david fernandis, 29 July 2008, 00:16 (12:16 AM)
Post a comment









Save personal info as cookie?