Sunday, 19 September 2004
USA Dept. of Transportation dismisses complaint against Northwest Airlines for breach of privacy and lying
In an order of 10 September 2004, the USA Department of Transportation (DOT) has dismissed a complaint and request for enforcement action brought by the Electronic Privacy Information Center against Northwest Airlines (IATA airline code "NW").
According to the complaint, NW:
has engaged in an unfair and deceptive practice by disclosing consumer personal information to the National Aeronautics and Space Administration ("NASA"), in violation of 49 U.S.C. [Section] 41712. [NW] engaged in this activity without the knowledge or consent of the affected consumers, and in contravention of public assurances that the personal information it collects would not be shared with third parties without individuals' consent.
The decision should not be taken as a vindication of NW's practices: the allegations that NW had given customers' personal information to DOT without their knowledge and consent, and had lied about it, were not in question. "The facts central to this case are for the most part undisputed," DOT found.
Instead, the DOT essentially upheld NW's contention that passengers have no reasonable expectation of privacy, no matter what the airline tells them. According to the DOT decision:
(EPIC's Web page on the case includes links to the complete legal filings for and against the complaint.)
In my previous analysis of NW's rebuttal to the complaint, and in many other incidents, I've noted DOT's consistently abysmal record of willful nonfeasance as the sole agency in the USA -- under the terms of Federal preemption of airline law enforcement by the Airline Deregulation Act of 1978 -- with the power to hold airlines to any standard of truth in advertising. For those who've been following the case, and DOT (non)policy of privacy and consumer protection (non)enforcement, the latest decision is no surprise.
Several details, however, should be noted.
Both the categories of data and the agency in question (NASA) in this complaint were different from anything the government is authorized by law to demand, and no one claimed that there was any demand anyway. More importantly, the DOT decision completely misses the essential distinction between voluntary and compelled disclosures. A party to any contract is, implicitly, permitted to comply with a valid and binding government order, even if compliance requires them to take actions that are contrary to the contract. But that doesn't authorize them to do so in the absence of a government order, and it doesn't mean that a clause in the contract forbidding such actions is unenforceable against voluntary acts not compelled by the government.
Second, the DOT found, as quoted above, "no evidence of actual or likely harm" from NW's breach of promise, sufficient to provide a basis for enforcement action.
The DOT decision was made by DOT Assistant General Counsel for Aviation Enforcement and Proceedings Samuel Podberesky -- the same DOT offiicial who told the European Commission in an official letter in 2000:
My office investigates and prosecutes cases under 49 U.S.C. 41712. I would point out that the failure by a carrier to maintain the privacy of information obtained from passengers would not be a per se violation of section 41712. However, once a carrier formally and publicly commits to the "safe harbor" principles of providing privacy to the consumer information it obtains, then the Department would be empowered to use the statutory powers of section 41712 to ensure compliance with those principles. Therefore, once a passenger provides information to a carrier that has committed to honoring the "safe harbor" principles, any failure to do so would likely cause consumer harm and be a violation of section 41712. My office would give the investigation of any such alleged activity and the prosecution of any case evidencing such activity a high priority. We will also advise the Department of Commerce of the outcome of any such case. [emphasis added]
When the European Commission determined that personal data transferred to the USA was assured of adequate protection under the "safe harbor" arrangement, this letter from Podberesky was one of the fundamental assurances from the USA that was explictly relied on as the basis for the EC decision, and it was included in full as Annex VI in the decision itself.
Most of the debate about the EC finding that the "safe harbor" arrangement was "adequate" focused on the policies established by the Federal Trade Commission (FTC). But under the Airline Deregulation Act, the FTC has no jurisdiction over the airlines, so the only possible source of adequate privacy protection for airline data in the USA would be Podboresky's enforcement office in the DOT.
Podberesky's decision on the EPIC complaint against NW, by finding that nonconsensual disclosure of confidential personal data, in violation of a promise to consumers and in the absence of government compulsion, caused no harm, is directly contrary to his prior written assurance to the EC that such action "would likely cause consumer harm". Whether his earlier statement was inaccurate, or his office's policy has changed, the EC now has compelling reason to reconsider, in light of this decision, whether the protection afforded to airline data held by commercial entities in the USA can still be considered "adequate" to satisfy the requirements of EU law. And if NW hasn't committed itself to comply with the "safe harbor" arrangement, than it remains vulnerable to direct enforcement action by EU national data protection authorities, and such should promptly be initiated.
Finally, this decision should cause both travellers and the Congress to ask whether, if lying to the public about secret disclosures of travellers' personal information to the government really isn't illegal, then "there about to be a law". If you agree, let your Representatives and Senators know that you want them to pass a Federal law to protect the privacy of travel data.Link | Posted by Edward on Sunday, 19 September 2004, 20:00 ( 8:00 PM) | TrackBack (1)