Wednesday, 8 August 2007
KLM claims it doesn't know what happens with passengers' data
In March of this year, I flew on KLM Royal Dutch Airlines (one of the subsidiaries of the merged Air France KLM Group) from San Francisco to a hearing in Brussels before the European Parliament and a meeting of privacy and data protection supervisors of European Union (EU) member countries.
Since I travelled on an airline based in the EU, my personal information should have been protected by EU law. So when I got home, I made what should have been a routine request for my records from KLM. I expected to get copies of my PNR's from the various CRS's used by KLM and its agents; a list of the third parties, agents, contractors, etc. to whom my data had been provided; and logs of who accessed which data, when, and from where.
Klaas Bruin, KLM's Privacy Officer, tells me mine is, so far as he knows, the first such request received by any European airline, and has already been the subject of discussion with his counterparts at other airlines.
KLM first sent me only part of one of my PNR's, despite my specific request for all of their records about me. They included the "history" (audit trail) of incoming messages with data entered into the PNR, which gives some information about the sources from which some of the data was received. But they didn't provide the logs of requests to retrieve the PNR data, or any other information about the outgoing messages sent from the PNR to KLM agents or contractors, government agencies, or other third parties with the ability to make such queries.
Despite Dutch law requiring a response to such requests within 30 days, it took KLM more than 3 months to provide any more of an answer.
Finally, last week I got an outrageous letter from KLM stating that because they have contracted out all of their ticketing and ground handling in North America to their "code-share" partner Northwest Airlines, they don't know what information about me was collected, don't know what was forwarded to the government of the USA or to anyone else or any other entity, and have no responsibility to find out or disclose to me anything done by their contractors.
Agents and contractors "are not the responsibility of KLM", Bruin told me in a lengthy follow-up conversation today, although he promised to review my request again with lawyers for Northwest and KLM, and to advise me whether KLM would provide any of the other information I requested.
Of course, as a company based in the USA, Northwest Airlines can (and probably would) claim that they don't have any responsibility either to comply with Dutch or EU law. And once the information is in the hands of Northwest, a CRS in the USA, or any other commercial entity in the USA, the government of the USA can obtain it, secretly, through a "National Security Letter" or simply by "voluntary" disclosure of the commercial entity which, under USA law, is now considered to "own" the data about me. And the USA entity can be ordered not to tell KLM, or me, that they have disclosed my data.
In effect, KLM is claiming that "outsourcing" data processing to a company in the USA provides them with a complete exemption from the requirements of Dutch and EU privacy and data protection law.
It's exactly the problem I pointed out in my previous testimony to the European Parliament and the Article 29 Working Group, and that I raised during my previous visit to Brussels and in articles written in conjunction with NGO's in Europe.
I've responded to KLM to remind them of their legal responsibility for the actions of their agents and contractors, and am considering my next steps.
In the meantime, EU citizens and residents should request their own records to see if they have similarly been outsourced around EU privacy laws.
[Updates to this entry are listed below, in chronological order.]
- 10 August 2007: KLM has sent me a further and apparently final answer that "Your e-mail/fax of 1 August 2007 does not give any reason to change our reply, nor to disclose additional information, as this will be out of the scope of our responsibility as data controller."
- 14 August 2007: In order to try all available means to get KLM to respond to my request without the need of a lawsuit or formal complaint, today I sent a request for mediation to the Dutch Data Protection Authority.
- 23 August 2007: See the comments in response to this blog article for the questions KLM has started asking travellers who ask for their data.
- 1 October 2007: The Dutch Data Protection Authority has agreed to mediate with KLM. The mediation process will be in writing, and could take several months. Both KLM and the Dutch DPA have kindly agreed to conduct the mediation in English. The first issue to be addressed will be my unanswered request that KLM at least ensure the preservation of the data I have requested (particularly the system-level logs of access to my PNR's maintained by the CRS's) while my request is pending. In the meantime, I've received copies of the records about me received by the USA Department of Homeland Security. These include two copies of KLM's PNR from the Amadeus CRS -- one for my flight on KLM from San Francisco to Amsterdam, and another for my return flight from Amsterdam to San Francisco -- and no PNR's from Northwest Airlines or the Worldspan CRS in which Northwest PNR's are hosted. This appears to contradict KLM's claim that it was Northwest, and not KLM, which provided the DHS with information about one of these flights. I have forwarded this information both to KLM and to the Dutch DPA, for consideration during the mediation.
- 5 October 2007: Letter from the Dutch Data Protection Authority to KLM listing the initial questions to be addressed by the DPA's mediation.
- 24 December 2007: Letter from KLM to the Dutch DPA promising further "investigation" and response.
- 5 February 2008: Letter from KLM to the Dutch DPA stating that Amadeus has claimed to KLM that they do not know what queries are made by the USA Department of Homeland Security (contrary to logs of these queries that I have been provided by a confidential source at Amadeus) and promising still more "investigation" of the relationship between KLM and Northwest Airlines (which probably refers to closed-door negotiations between KLM and Northwest's lawyers regarding liability for compliance with Dutch law, which Northwest doesn't want to concede).
- 28 March 2008: Letter from KLM to the Dutch DPA describing the distinction between the validating ("marketing") airline and the transporting ("operating") airline, and contradicting itself by claiming that my contract was with Northwest, not KLM (and thus that KLM was not responsible for my data), but that my contract with Northwest was governed by KLM's contractual conditions of carriage (?).
- 14 April 2008: My letter to KLM and the Dutch DPA pointing out that KLM has failed to provide any information regarding the use of my data by its contractors and agents, or to respond to my argument concerning KLM's responsibility for Northwest as an agent of KLM.
- 17 April 2008: Letters from the Dutch DPA to me and to KLM concluding their "mediation" without saying a word about the relationship of Northwest and KLM as principal and agent or the responsibility of KLM for its agents and contractors, and leaving me no redress unless I had been able to bring a lawsuit, in Dutch, in Dutch court, which of course I was unable to do. In the end, the Dutch DPA simply repeated whatever KLM claimed, most likely because the DPA staff felt they lacked technical competence to evaluate the truth of those claims (even when they were claims about legal, not factual, matters, and were clearly erroneous and/or unresponsive to my request and complaint).
- 10 May 2009: Response by Air France to a similar request under French data protection law.