Tuesday, 20 January 2004
EPIC files complaint against Northwest Airlines; EFF calls for Congressional hearings
The Electronic Privacy Information Center (EPIC) filed a complaint today with the USA Department of Transportation (DOT), asking DOT to take action against Northwest Airlines (IATA code "NW") for turning over 3 months of passenger name records (PNR's) to NASA for use in development and testing of passenger-profiling schemes .
Reuters says the DOT immediately issued a statement which, "noted that airlines are not prohibited by law from providing or selling passenger information such as passenger lists."
I'm not surprised by the DOT's lack of enthusiasm for pursuing the case: enforcement of consumer protection laws, especially on privacy and Internet issues, has had the lowest possible priority for the DOT's tiny enforcement division.
DOT has been the in the forefront of deregulation, from the Airline Deregulation Act of 1978 (the first major deregulation legislation before the Reagan Administration) to its decision on New Year's Eve of 2003 to entirely eliminate the 20-year-old regulations that have protected consumers agianst anti-trust collusion by the computerized reservation system (CRS) oligopoly (more on that story in the future, I promise). The limited DOT enforcment staff has focused on safety and pricing issues, not data protection.
The difficulty of getting a reluctant and understaffed DOT to act on a complaint like EPIC's latest against NW is exacerbated by a gap between the relevant agencies' conception of their jursidiction, as I learned while researching The Practical Nomad Guide to the Online Travel Marketplace (see pp. 254-262).
Senior DOT enforcement attorneys told me that the DOT and the Federal Trade Commisison (FTC) had "concurrent" jurisdiction over privacy protection, truth in advertising, and other consumer protection issues involving airlines. But since the FTC takes the lead on such issues for other industries, especially when the Internet is involved, it knows more about them, and the DOT leaves them to the FTC. DOT attorneys were horrified -- both on laissez-faire principle and because of the extra work it would entail -- at my suggestion that they had any significant responsibility for policing deceptive advertising and privacy practices by the airlines, especially on the Internet.
FTC staffers, on the other hand, told me that the DOT has primary, if not exclusive, jurisdiction over anything related to the airlines, including privacy and consumer fruuad. So the FTC has never initiated an enforcement action against an airline on any of these issues.
The end result is that sales of airline tickets -- by far the largest single category of e-commerce -- have almost completely fallen through the cracks of Federal enforcement of basic truth-in-advertising and consumer fraud rules, and have never taken their rightful place at center stage in debates about Internet privacy and consumer protection.
The DOT has brought a token few enforcement actions against out-and-out scams involving airline ticket sales on the Internet, but so far as I can tell, an action against NW for breach of privacy promises would be the first privacy action ever for the DOT.
The only visible protest against this sorry situation for travel consumers has come from state consumer protection authorities. In 2000, 43 state attorneys general sent a joint letter to Congress urging the repeal of Federal preemption to permit enforcement of "state laws prohibiting unfair or deceptive business practices or unfair methods of competition with respect to air transportation or the advertisement and sale of air transportation services." But Congress has, to date, shown no interest in restoring even limited state jurisdiction over fraud by airlines.
EPIC's complaint cites the promise made to the European Union by the DOT that the EU can rely on the DOT to police the data protection practices of airlines and travel companies in the USA, and points to the "virtual certainty that ... European citizens' personal information comprised part of what was disclosed to NASA" by NW (and KLM).
EU authorities will no doubt be watching closely to see if the DOT keeps its word, since the willingness of USA authorities to enforce voluntary pledges of compliance with privacy codes is the keystone of the so-called "Safe Harbor" scheme negotiated by the USA to permit personal data transfers from the EU to the USA in spite of the lack of adequate (by EU and international standards) privacy law in the USA.
NW hasn't certfied itself as being in compliance with the "Safe Harbor" rules. Indeed, the only airline on the Safe Harbor self-certification list is Continental Airlines (CO). But CO has had a code-share agreement with NW since 1998, meaning that some CO flight numbers are and were actually operated by NW.
So "system-wide" NW data provided to NASA would have included data on flights booked and ticketed in the EU, by EU citizens, as CO flight numbers, under a "safe harbor" pledge.
And this is nothing exceptional. "Airlines and government agencies have routinely exchanged passenger information for decades," concludes Minnesota Public Radio (transcript ; audio ) after inteviewing industry experts.
Not surprisingly, questions are already being raised in Europe as to whether, in light of the latest NW scandal, the USA can be counted on to keep its promises to the EU about the use and dissemination of PNR data optained under other programs such as APIS (the subject of recent negotiations), US-VISIT, or CAPPS-II . And we still don't know the full extent of what data was disclosed, to whom, or who still has copies of it.
What is to be done? The Electronic Frontier Foundation (EFF) is calling for a Congressional investigation and hearings (statement ; fax and e-mail forms ). The Business Travel Coalition, after a survey showing widespread concern by corporate travel executives, has called on NW to apologize to passengers for the breach of privacy and for trying to deny it.Link | Posted by Edward on Tuesday, 20 January 2004, 21:32 ( 9:32 PM)