Wednesday, 8 August 2007

KLM claims it doesn't know what happens with passengers' data

In March of this year, I flew on KLM Royal Dutch Airlines (one of the subsidiaries of the merged Air France KLM Group) from San Francisco to a hearing in Brussels before the European Parliament and a meeting of privacy and data protection supervisors of European Union (EU) member countries.

Since I travelled on an airline based in the EU, my personal information should have been protected by EU law. So when I got home, I made what should have been a routine request for my records from KLM. I expected to get copies of my PNR's from the various CRS's used by KLM and its agents; a list of the third parties, agents, contractors, etc. to whom my data had been provided; and logs of who accessed which data, when, and from where.

Klaas Bruin, KLM's Privacy Officer, tells me mine is, so far as he knows, the first such request received by any European airline, and has already been the subject of discussion with his counterparts at other airlines.

KLM first sent me only part of one of my PNR's, despite my specific request for all of their records about me. They included the "history" (audit trail) of incoming messages with data entered into the PNR, which gives some information about the sources from which some of the data was received. But they didn't provide the logs of requests to retrieve the PNR data, or any other information about the outgoing messages sent from the PNR to KLM agents or contractors, government agencies, or other third parties with the ability to make such queries.

Despite Dutch law requiring a response to such requests within 30 days, it took KLM more than 3 months to provide any more of an answer.

Finally, last week I got an outrageous letter from KLM stating that because they have contracted out all of their ticketing and ground handling in North America to their "code-share" partner Northwest Airlines, they don't know what information about me was collected, don't know what was forwarded to the government of the USA or to anyone else or any other entity, and have no responsibility to find out or disclose to me anything done by their contractors.

Agents and contractors "are not the responsibility of KLM", Bruin told me in a lengthy follow-up conversation today, although he promised to review my request again with lawyers for Northwest and KLM, and to advise me whether KLM would provide any of the other information I requested.

Of course, as a company based in the USA, Northwest Airlines can (and probably would) claim that they don't have any responsibility either to comply with Dutch or EU law. And once the information is in the hands of Northwest, a CRS in the USA, or any other commercial entity in the USA, the government of the USA can obtain it, secretly, through a "National Security Letter" or simply by "voluntary" disclosure of the commercial entity which, under USA law, is now considered to "own" the data about me. And the USA entity can be ordered not to tell KLM, or me, that they have disclosed my data.

In effect, KLM is claiming that "outsourcing" data processing to a company in the USA provides them with a complete exemption from the requirements of Dutch and EU privacy and data protection law.

It's exactly the problem I pointed out in my previous testimony to the European Parliament and the Article 29 Working Group, and that I raised during my previous visit to Brussels and in articles written in conjunction with NGO's in Europe.

I've responded to KLM to remind them of their legal responsibility for the actions of their agents and contractors, and am considering my next steps.

In the meantime, EU citizens and residents should request their own records to see if they have similarly been outsourced around EU privacy laws.

[Updates to this entry are listed below, in chronological order.]

  • 10 August 2007: KLM has sent me a further and apparently final answer that "Your e-mail/fax of 1 August 2007 does not give any reason to change our reply, nor to disclose additional information, as this will be out of the scope of our responsibility as data controller."

  • 14 August 2007: In order to try all available means to get KLM to respond to my request without the need of a lawsuit or formal complaint, today I sent a request for mediation to the Dutch Data Protection Authority.

  • 23 August 2007: See the comments in response to this blog article for the questions KLM has started asking travellers who ask for their data.

  • 1 October 2007: The Dutch Data Protection Authority has agreed to mediate with KLM. The mediation process will be in writing, and could take several months. Both KLM and the Dutch DPA have kindly agreed to conduct the mediation in English. The first issue to be addressed will be my unanswered request that KLM at least ensure the preservation of the data I have requested (particularly the system-level logs of access to my PNR's maintained by the CRS's) while my request is pending. In the meantime, I've received copies of the records about me received by the USA Department of Homeland Security. These include two copies of KLM's PNR from the Amadeus CRS -- one for my flight on KLM from San Francisco to Amsterdam, and another for my return flight from Amsterdam to San Francisco -- and no PNR's from Northwest Airlines or the Worldspan CRS in which Northwest PNR's are hosted. This appears to contradict KLM's claim that it was Northwest, and not KLM, which provided the DHS with information about one of these flights. I have forwarded this information both to KLM and to the Dutch DPA, for consideration during the mediation.

  • 5 October 2007: Letter from the Dutch Data Protection Authority to KLM listing the initial questions to be addressed by the DPA's mediation.

  • 24 December 2007: Letter from KLM to the Dutch DPA promising further "investigation" and response.

  • 5 February 2008: Letter from KLM to the Dutch DPA stating that Amadeus has claimed to KLM that they do not know what queries are made by the USA Department of Homeland Security (contrary to logs of these queries that I have been provided by a confidential source at Amadeus) and promising still more "investigation" of the relationship between KLM and Northwest Airlines (which probably refers to closed-door negotiations between KLM and Northwest's lawyers regarding liability for compliance with Dutch law, which Northwest doesn't want to concede).

  • 28 March 2008: Letter from KLM to the Dutch DPA describing the distinction between the validating ("marketing") airline and the transporting ("operating") airline, and contradicting itself by claiming that my contract was with Northwest, not KLM (and thus that KLM was not responsible for my data), but that my contract with Northwest was governed by KLM's contractual conditions of carriage (?).

  • 14 April 2008: My letter to KLM and the Dutch DPA pointing out that KLM has failed to provide any information regarding the use of my data by its contractors and agents, or to respond to my argument concerning KLM's responsibility for Northwest as an agent of KLM.

  • 17 April 2008: Letters from the Dutch DPA to me and to KLM concluding their "mediation" without saying a word about the relationship of Northwest and KLM as principal and agent or the responsibility of KLM for its agents and contractors, and leaving me no redress unless I had been able to bring a lawsuit, in Dutch, in a Dutch court, which of course I was unable to do. In the end, the Dutch DPA simply repeated whatever KLM claimed, most likely because the DPA staff felt they lacked technical competence to evaluate the truth of those claims (even when they were claims about legal, not factual, matters, and were clearly erroneous and/or unresponsive to my request and complaint).

  • 10 May 2009: Response by Air France to a similar request under French data protection law.
Posted by Edward on Wednesday, 8 August 2007, 16:38 ( 4:38 PM)
Comments

I am an American citizen living in The Netherlands. I travel frequently both within and outside the EU. Due to the strength of KLM in Amsterdam most of these flights are KLM flights.

I read the saga of your personal data request from KLM with interest and have picked a recent flight to the US as a sample. Checking the details however I see that although I purchased the ticket from a local travel agent, and the paper ticket was issued by KLM, all the flights happen to have NW flight numbers even though some of the legs were KLM operated.

Checking my e-mail today I also had a response from KLM:

##########################################################################

Thank you for your message. Unfortunately I am not allowed to fulfill your information request without your proof of identity. I would therefore like to ask you to repeat this request in writing, to be accompanied by an official proof of identity (e.g. copy of your passport). My address is mentioned below.

To be able to decide whether or not KLM is the proper organization to handle your request, I would also like to receive the following information:

a. How, when and where did you make a reservation for your journey.

b. With which travel parties did you have direct contact regarding your journey (when and why).

c. How did you pay for your journey.

d. Can you please supply me with a copy of your ticket(s) or at least the concerned ticket number(s).

e. What is the reason to believe that your data is subject to an aggregation and analysis services (why are these specific parties mentioned).

f. What is your reason to believe that a PNR processing system is involved (why is the specific party mentioned).

g. What is your motivation for this information request.

h. Do you have any suspicion that parties involved at your journey did not handle your personal data properly (if yes, which party and why).

i. Did you make a similar information request regarding this journey to any other party (if yes, which party, when and why).

j. Is there any other party involved regarding this information request (if yes, which party and why).

k. Any other information regarding this request KLM must be aware of.

With kind regards,

Klaas Bruin
Corporate Privacy Officer

KLM Royal Dutch Airlines
Privacy Office - AMSPI
P.O. Box 7700
1117 ZL Schiphol Airport
The Netherlands

Posted by: Anonymous, 23 August 2007, 14:12 ( 2:12 PM)

Hi,

This was interesting to read. I work for an airline in Europe as a reservation agent.

I don't understand why you think KLM would provide you with the Sabre and Worldspan information. Maybe I am missing something, but as KLM is an Amadeus user, they would receive incoming messages from the issuing agent's CRS, but would not have a copy of all these PNRs to give you.

Posted by: tom, 31 January 2008, 01:56 ( 1:56 AM)

"I don't understand why you think KLM would provide you with the Sabre and Worldspan information."

The Sabre and Worldspan PNR's were created by KLM's agents. Under the law of agency, the principal (KLM) is responsible for the actions of its agents, just as it is responsible for the actions of its employees. KLM might or might not have copies of those PNR's created by its agents, but it has a responsibility to obtain them from its agents and disclose them on request. And KLM's contracts with its agents should require those agents to comply with Dutch law when they are acting as agents of KLM.

As I pointed out to Mr. Bruin when we met, and as he is surely aware, KLM outsources most of its data entry and processing to its agents around the world (including other airlines, especially Northwest), and outsources the storage of most of this data to Amadeus and other CRS's. As a result, the largest and most important responsibility of KLM's Privacy Office is oversight of the practices of Amadeus, Northwest Airlines, other CRS's and airlines, and KLM's agents when they are acting on behalf of KLM.

Posted by: Edward Hasbrouck, 12 May 2009, 14:45 ( 2:45 PM)