Sunday, 19 September 2004

USA Dept. of Transportation dismisses complaint against Northwest Airlines for breach of privacy and lying

In an order of 10 September 2004, the USA Department of Transportation (DOT) has dismissed a complaint and request for enforcement action brought by the Electronic Privacy Information Center against Northwest Airlines (IATA airline code "NW").

According to the complaint, NW:

has engaged in an unfair and deceptive practice by disclosing consumer personal information to the National Aeronautics and Space Administration ("NASA"), in violation of 49 U.S.C. [Section] 41712. [NW] engaged in this activity without the knowledge or consent of the affected consumers, and in contravention of public assurances that the personal information it collects would not be shared with third parties without individuals' consent.

The decision should not be taken as a vindication of NW's practices: the allegations that NW had given customers' personal information to DOT without their knowledge and consent, and had lied about it, were not in question. "The facts central to this case are for the most part undisputed," DOT found.

Instead, the DOT essentially upheld NW's contention that passengers have no reasonable expectation of privacy, no matter what the airline tells them. According to the DOT decision:

Specifically, we find that Northwest's privacy policy did not unambiguously preclude it from sharing data with the federal government; that, even if it did, such a promise would be unenforceable as against public policy, as Northwest is required by law to make such records available to the Department and to other federal agencies "upon demand"; and that, in this case, the record contains no evidence of actual or likely harm to those passengers who provided Northwest with the data that it shared.

(EPIC's Web page on the case includes links to the complete legal filings for and against the complaint.)

In my previous analysis of NW's rebuttal to the complaint, and in many other incidents, I've noted DOT's consistently abysmal record of willful nonfeasance as the sole agency in the USA -- under the terms of Federal preemption of airline law enforcement by the Airline Deregulation Act of 1978 -- with the power to hold airlines to any standard of truth in advertising. For those who've been following the case, and DOT (non)policy of privacy and consumer protection (non)enforcement, the latest decision is no surprise.

Several details, however, should be noted.

First is the legal idiocy of claiming that, because the law allows the government (in other circumstances not even arguably applicable to the facts of this complaint) to compel an airline to turn over passenger data to some government agencies, NW's privacy policy couldn't possibly be interpreted to forbid NW from voluntarily turning over passenger data, even when not ordered.

Both the categories of data and the agency in question (NASA) in this complaint were different from anything the government is authorized by law to demand, and no one claimed that there was any demand anyway. More importantly, the DOT decision completely misses the essential distinction between voluntary and compelled disclosures. A party to any contract is, implicitly, permitted to comply with a valid and binding government order, even if compliance requires them to take actions that are contrary to the contract. But that doesn't authorize them to do so in the absence of a government order, and it doesn't mean that a clause in the contract forbidding such actions is unenforceable against voluntary acts not compelled by the government.

Second, the DOT found, as quoted above, "no evidence of actual or likely harm" from NW's breach of promise, sufficient to provide a basis for enforcement action.

The DOT decision was made by DOT Assistant General Counsel for Aviation Enforcement and Proceedings Samuel Podberesky -- the same DOT offiicial who told the European Commission in an official letter in 2000:

My office investigates and prosecutes cases under 49 U.S.C. 41712. I would point out that the failure by a carrier to maintain the privacy of information obtained from passengers would not be a per se violation of section 41712. However, once a carrier formally and publicly commits to the "safe harbor" principles of providing privacy to the consumer information it obtains, then the Department would be empowered to use the statutory powers of section 41712 to ensure compliance with those principles. Therefore, once a passenger provides information to a carrier that has committed to honoring the "safe harbor" principles, any failure to do so would likely cause consumer harm and be a violation of section 41712. My office would give the investigation of any such alleged activity and the prosecution of any case evidencing such activity a high priority. We will also advise the Department of Commerce of the outcome of any such case. [emphasis added]

When the European Commission determined that personal data transferred to the USA was assured of adequate protection under the "safe harbor" arrangement, this letter from Podberesky was one of the fundamental assurances from the USA that was explictly relied on as the basis for the EC decision, and it was included in full as Annex VI in the decision itself.

Most of the debate about the EC finding that the "safe harbor" arrangement was "adequate" focused on the policies established by the Federal Trade Commission (FTC). But under the Airline Deregulation Act, the FTC has no jurisdiction over the airlines, so the only possible source of adequate privacy protection for airline data in the USA would be Podboresky's enforcement office in the DOT.

Podberesky's decision on the EPIC complaint against NW, by finding that nonconsensual disclosure of confidential personal data, in violation of a promise to consumers and in the absence of government compulsion, caused no harm, is directly contrary to his prior written assurance to the EC that such action "would likely cause consumer harm". Whether his earlier statement was inaccurate, or his office's policy has changed, the EC now has compelling reason to reconsider, in light of this decision, whether the protection afforded to airline data held by commercial entities in the USA can still be considered "adequate" to satisfy the requirements of EU law. And if NW hasn't committed itself to comply with the "safe harbor" arrangement, than it remains vulnerable to direct enforcement action by EU national data protection authorities, and such should promptly be initiated.

Finally, this decision should cause both travellers and the Congress to ask whether, if lying to the public about secret disclosures of travellers' personal information to the government really isn't illegal, then "there about to be a law". If you agree, let your Representatives and Senators know that you want them to pass a Federal law to protect the privacy of travel data.

Link | Posted by Edward on Sunday, 19 September 2004, 20:00 ( 8:00 PM) | TrackBack (1)
Comments

***** Airline passenger privacy policy will always subvene to governmental dictation as this industry's "life-blood" is dependent upon favorable coorperative stance solicited, or not by a governmental agency such as NASA; irregardless of the Safe Harbor arrangements under the Airline Deregulation Act of 1978.

As far The DOT's General Councel for Aviation Enforcement, Samuel PodBeresky, he is just another example of a bureaucratic liar. He needs to be delt with in severe, covert methods by those he has helped the airline industry to violate through his ignominious behavior.

I deal with such men by assassinating their character in publications (Is Flying Risky Business?) through presenting fact as to who they are, and how they desecrate public trust in governmental agencies that are expected to uphold law against corporate violators.

Mr. Anthony Allbright

Posted by: Anthony Allbright, 24 November 2007, 06:20 ( 6:20 AM)
Post a comment









Save personal info as cookie?