Monday, 14 June 2010

Lufthansa says they aren't responsible for their agents and contractors

As I've mentioned in an earlier review of their service, I flew Lufthansa to Europe and back in April. As soon as I got home, I sent them a request for their records about my trip and an accounting of what they (and their agents, contractors, government agencies, etc.) had done with my data.

That should be the most routine sort of request for the privacy officer of a European company with large databases of customer records. Under the German Federal Data Protection Act and the similar laws in every other EU member, you have the right to see what information European companies have about you, and to know what they have done with it. (If you want to make similar requests of other European airlines or travel companies, I've posted sample request forms in terms of the relevant UK laws, which can easily be adapted for other European countries.)

Lufthansa's initial response to my request provided none of my information. Worse, it seems to espouse the idea that Lufthansa has no responsibility for the actions of its agents and contractors, even when their identities are unknown to consumers and they hold themselves out to the public as acting in the name of Lufthansa.

In making this claim, Lufthansa follows, but seems to go even further than, the precedent set by KLM and Air France in their excuses for refusing to provide me with a full accounting of which of their agents and contractors had accessed my data, and what they had done with it. (I'm still pursuing my complaint against Air France with the French data protection authority, CNIL, and looking for pro bono French legal counsel if the CNIL can't or won't make Air France follow the law.)

This is a shocking abdication of responsibility for any business, and should be of deep concern to consumers regardless of whether you care about the specific issue of what airlines, other travel companies, and governments do with their records of your travels.

As I explain in a follow-up e-mail message today reiterating my request, large, far-flung companies like Lufthansa typically interact with the public through a wide range of employees, agents, and contractors. In a deliberate effort to present a "seamless" service facade, they go out of their way not to disclose, often even if you ask, whether these people acting in their name are really their own employees.

If the company in whose name the service is offered and in whose name the charge appears on your credit card statement can't be held accountable for providing the contracted service in accordance with the applicable laws, putative consumer protections would become worthless.

I was intrigued to notice that Lufthansa's data protection director CC'd her message to me to Juergen Weber. I can only take it as a sign of their awareness of the illegality of their actions, and the extent of their potential liability for their ongoing systematic violation of German law, that she felt it necessary to send a copy of her response to what should be such a routine request to the Chairman of the Board of the corporation! [CORRECTION: Although Lufthansa's data protection director didn't identify to whom she had copied her message, or why, other than by e-mail address, and although this has been widely published elsewhere as the e-mail address of Lufthansa's chair, it turns out to be the address of a different Juergen Weber. See details in the comments.]

Stay tuned -- I'll post any updates as soon as I receive them.

UPDATE: In their response to my request, Lufthansa (1) refuses to disclose any of my PNR data, (2) fails to provide any information about who has accessed my data, or from where (probably because there are no access logs in PNR but PNR are retrievable by any LH office worldwide, so the airline doesn't know by whom or from where my PNR have been accessed), and (3) claims that LH is not legally responsible for any of the actions of their contractors and agents, including Amadeus (to whom LH has outsourced its PNR database) and travel agencies appointed by LH to represent and sell tickets for LH. I have made a formal complaint against Lufthansa (complaint with attachments, complaint without attachments) with the appropriate German state ("lander") data protection authority, the "Landesbeauftragter fur Datenschutz und Informationsfreiheit Nordrhein-Westfalen", LDI-NRW (Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia).

FURTHER UPDATE: The LDI-NRW has ordered Lufthansa to provide me with "all PNR elements which they have transferred to the US Department of Homeland Security concerning your person including data they transferred via Amadeus." In response, Lufthansa sent me only a portion of my PNR data which omits the "history" of the PNR, which is an audit trail and change logs which show from what users or other systems data in the PNR was received. The portion of my PNR provided to me by Lufthansa does, however, contain evidence that my PNR data was also provided to another travel agency, whose existence was not previously disclosed to me. (See the reference to TransAm Travel in lines 9 and 36-39 of the PNR.) This is quite normal: TransAm Travel is a wholesale consolidator to whom the retail agency (Airtrade International, d/b/a Vayama.com) released the PNR for ticketing in order to get a lower consolidator price, but this should have been disclosed to me in response to my initial request. I pointed this out to the LDI-NRW with a renewed request for full disclosure of my data by Lufthansa and its agents, and for sanctions against Lufthansa by the LDI-NRW.

FINAL (?) UPDATE: Lufthansa finally sent me the history (change log) portion of my PNR data but continues to claim that it isn't responsible for either its retail agent Vayama.com (who created the PNR as an agent of Lufthansa) or the wholesale consolidator TransAm Travel (who issued the ticket as an agent of Lufthansa). The LDI-NRW upheld Lufthansa's false claim that it has no control over its agents, and is not responsible for their actions. This is both legally and factually incorrect, and leads me to suspect that the LDI-NRW believed whatever Lufthansa said without conducting an independent investigation of the facts or reviewing Lufthansa's "agency appointment agreements" with Vayama.com and TransAm Travel. The LDI-NRW also upheld Lufthansa's disclosure only of general categories of potential third-party recipients of my data in other countries, even though that response showed that my data could have been illegally transferred to countries without adequate data protection regimes. I am disappointed in the complete failure of the LDI-NRW to fulfill its responsibilities. My only further recourse is to bring a lawsuit against Lufthansa in German court. If anyone can offer pro bono legal assistance for that purpose, please contact me.

Link | Posted by Edward on Monday, 14 June 2010, 19:34 ( 7:34 PM) | TrackBack (1)
Comments

The comment about the Lufthansa CEO is total nonsense. The e-mail address belongs to me and I am part of Barbara Kirchberg-Lennartz's team Lufthansa Corporate Data Protection.

Posted by: Juergen Weber, 15 June 2010, 04:24 ( 4:24 AM)

Thank you for the correction. I have published your comment, and a correction, in my blog, and I apologize for any inconvenience caused.

I imagine it must be quite inconvenient to have the same name as the chairman of the corporation, even if it is a common name. I suppose you probably often get e-mail intended for him.

It did occur to me that "juergen.weber@dlh.de" might be a different Lufthansa employee. I checked the Lufthansa Web site, and was unable to find any corporate directory or listing of any e-mail address for the Chair of the Board or any of the officers. A search for "juergen.weber@dlh.de" shows that it -- as you probably know from the misdirected mail it must produce for you! -- has been widely published by third parties as being the e-mail address of the Chair.

The problem could have been avoided either had Lufthansa published an official e-mail address for its Chair, or had Dr. Kirchberg-Lennartz given any indication, other than the e-mail address itself, of who she was copying on her message to me.

I'm pleased to know that you are following my blog, and I welcome your comments. (All comments are moderated to reduce comment spam, and there is a bug in the comment submission script that fails to give a proper comment submission page, so don't take it personally that your comment didn't appear immediately.)

Posted by: Edward Hasbrouck, 15 June 2010, 06:00 ( 6:00 AM)