Sunday, 26 April 2015

Privacy Commissioner finds my complaint against Air Canada "well-founded"

The Office of the Privacy Commissioner of Canada has found that my complaint that Air Canada violated the Canadian "Personal Information and Electronic Documents Act" (PIPEDA) by failing to respond fully, properly, and in a timely manner to my request for what information Air Canada had about me, and what third parties that information had been disclosed to, was "well-founded".

Unfortunately, the Office of the Privacy Commissioner's Report of Findings (file PIPEDA-031664) upholds my complaint only with respect to the least significant of Air Canada's violations of PIPEDA: Air Canada failed to provide any response to my request within the time limit established by PIPEDA.

The Privacy Commissioner's report finds that other than being too late, Air Canada's responses to my request "satisfy Air Canada's obligations under PIPEDA".

That erroneous finding by the Office of the Privacy Commissioner is based on an improper narrowing of the scope of my request and my complaint, on misunderstandings and misstatements of the facts (probably based in part on technical ignorance and in part on overly credulous reliance on false claims by Air Canada), on a fundamental mistake of law regarding the difference between an "agent" and an "independent contractor" or "service provider", and on failure to apply the plain language of PIPEDA as it relates to accounting for disclosures of personal information to third parties.

The result was that the Privacy Commissioner found no violation of PIPEDA in Air Canada's failure to provide me with any accounting of any of the data about me collected and held on Air Canada's behalf through its agents, or in Air Canada having provided only a few examples of third parties who might have accessed my data (not including entire categories of such third parties), rather than the comprehensive list of such third parties required by PIPEDA.

If I didn't already know better, both Air Canada's response to my request and the Privacy Commissioner's "findings" would have left me completely unaware that multiple copies of my reservations had been stored in a global cloud of computerized reservations systems, and that those PNRs can be retrieved, viewed, printed, or passed on to other third parties by any office anywhere in the world of the travel agency that made my reservations for Air Canada, Air Canada itself or an unknown number of other airlines, or those CRS/GDS companies (including through unsecured and publicly-accessible itinerary-viewing Web sites), without any geographic or purpose limitations or access logging.

The details are necessarily technical -- you've been warned! -- but here's what the Office of the Privacy Commissioner got wrong:

I've previously reported ("Air Canada lies about government access to reservations") on my request to Air Canada for its records about me, and its response. You can read my complaint to the Privacy Commissioner here. (Please forgive the typing errors, as it had to be entered hurriedly through an awkward Web form that kept timing out on me.)

The Privacy Commissioner's Report of Findings begins by misstating the scope of my request as having been for information "all relating to his air travel with Air Canada". In fact, the information I requested was all related to a ticket I purchased from Air Canada, but was not limited to information about travel on Air Canada flights.

The ticket I purchased from Air Canada constituted a contract with Air Canada for transportation, portions of which were to be provided by Air Canada and portions of which were to be provided by Swiss International and by Adria (the national airline of Slovenia).

This distinction is significant because Air Canada never provided any response whatsoever to my request with respect to those flights on other airlines for which Air Canada had sold me a ticket, even though it was Air Canada that issued the ticket, received full payment from me for it, and passed on to the other airlines both revenue shares (calculated according to its interline agreements with those airlines) and some or all of the information in its PNRs.

The misstatement of the scope of my request and complaint isn't just an error in the initial "overview" in the Privacy Commissioner's report. It is repeated in the first paragraph of the "Summary of Investigation": "The complainant had purchased his ticket for the entire journey from an online travel agency."

While that statement might seem superficially correct, it is not true. I did not purchase my ticket "from" an online travel agency. I purchased my ticket from Air Canada through an online travel agency.

The agency clearly, explicitly, and correctly identified itself as acting solely as an agent of the airline. I provided information, including credit card details and charge authorization, to that agency solely in its capacity as an agent of Air Canada -- just as I might have done with an individual airline employee acting as an agent of the airline. The credit card charge appeared on my statement as having been made by the airline. The electronic ticket record plainly indicated that the ticket was "issued by" Air Canada, along with an indication of the "issuing agent".

Both my request and my complaint were explicit and unambiguous that I was requesting information related to this ticket purchase from Air Canada. But having improperly narrowed the scope of my request and my complaint to just the flights operated by Air Canada, the Privacy Commissioner's report ignores all the issues related to the ticket issued by Air Canada or the flights on other airlines for which Air Canada issued a ticket, and considers only issues related to flights operated by Air Canada.

The Privacy Commissioner's report next errs in its description of Air Canada's response to my request in Section 5.1. of its "Summary of Investigation": "Air Canada provided his PNRs for the two flights on October 14, 2011." In fact, Air Canada provided only some of those PNRs, specifically, those PNRs held in Air Canada's own "host" system (and none of the PNRs for the ticket or the other airlines' flights that ticket included). But I had specifically requested all such PNRs.

Whenever a travel agency uses a different CRS/GDS than the one used by the airline as its host system, PNRs for the same reservation for the same passenger(s) or flight(s) are created in both systems. While these systems exchange AIRIMP and other messages to keep the PNRs for the same reservation in each system at least partially in sync, it's normal for each of the PNRs to contain some information that is not contained in the others. The same is true whenever a single PNR includes flights operated by airlines that use different host systems, or if there are codeshare "partner" airlines for any of the flights in the itinerary that use different host systems.

It's not clear whether the Office of the Privacy Commissioner didn't realize that there could be more than one PNR, containing different data, for the same itinerary segment (e.g. a flight) for the same passenger; whether the Privacy Commissioner ignored this issue because he assumed that Air Canada had no control over any other PNRs such as those of Air Canada's agents; or whether the Privacy Commissioner relied on Air Canada's own false claims to have provided me with the PNRs for those flights, when in fact Air Canada had provided me with only some of those PNRs. An accurate report of the investigation would be that Air Canada made such a claim, and would then go on to report on the investigation of whether that claim was true.

Other false claims made by Air Canada both to me and to the Office of the Privacy Commissioner appear not to have been investigated. In particular, Air Canada claimed that it "does not have access to other airlines PNRs or information held by the online travel agency that the complainant booked with", which is certainly false with respect to actions taken by the agency as an agent of, and in the name of, Air Canada, and might be false with respect to the other airlines providing transportation pursuant to the ticket issued by Air Canada.

In part on the basis of these factual errors, and in part on the basis of additional legal errors, the Privacy Commissioner's report also errs in its "Findings".

According to Section 21-22 of the Privacy Commissioner's report, "Our Office has determined previously that these third-party service providers to which an organization has contracted out particular services are considered to be under the control of the organization.... However, Air Canada explained to the complainant and to our Office that while certain other external third parties involved in the handling of the complainant's personal information in this case may be associated with Air Canada's operations, they are not under its control."

Air Canada may have so claimed, but this claim isn't true. Diligent investigation of what control Air Canada has over the travel agents it appoints to issue tickets in its name would have begun with a review of the text of the agency appointment agreement between Air Canada and the agency. That agreement makes clear that when it acts as an agent of the airline, the travel agency is subject to the control of the airline. Airlines can and do impose whatever conditions they wish on their agents, as a condition of agency appointment. Agencies that don't want to accept those conditions don't have to accept appointment as agents of the airline. It would make no sense for an airline to be compelled to allow agents to act in its name, and to take actions for which the airline would be solely liable as the principal to the contract, but not to provide for the airline to have control over the actions of its agents.

When a travel agency acts as an agent of Air Canada, Air Canada is the principal in the transaction. Since it is acting and issuing tickets in the name of Air Canada, the agency is required to comply with Canadian law including PIPEDA. That would be true regardless of whether PIPEDA is explicitly mentioned in the agency appointment agreement.

Air Canada's hypocrisy, and the deficiency in the Privacy Commissioner's investigation and analysis, is made clear from section 28 of the report, in which Air Canada claims that transfers of personal information to its ground handling agent did not constitute transfers to a third-party because the ground handler was acting "on the airline's behalf and ... Such information remains under the control of Air Canada". While that might be true, it is as true of Air Canada's reservation and ticketing agents as of its ground handling agents.

There's no indication in the report as to why the Privacy Commissioner accepted at face value Air Canada's claim that its ground handler was an agent, not a third-party independent contractor, but dismissed out of hand my claim that the travel agent that made the reservations and issued the ticket on Air Canada's behalf was an agent, not a third-party independent contractor.

It's also unclear if the Privacy Commissioner actually investigated what control Air Canada has over information stored in CRSs by appointed agents of Air Canada, or passed on by Air Canada to codeshare "partner" airlines or other airlines providing transportation as part of an "interline" itinerary. Such an investigation should have started with a review of Air Canada's codeshare agreements with all those airlines with codeshares on the flights in my itinerary (including United Airlines, Lufthansa, and others), Air Canada's interline ticketing agreements with the other transporting airlines (Swiss International and Adria), and the contracts between Air Canada, each of the agencies involved, and the various CRSs they used.

The other, and in some ways the most problematic, of the legal errors in the Privacy Commissioner's report is its finding in sections 25-30 that Air Canada had satisfied its obligation to "provide a list of organizations to which it might have disclosed information" by providing me with "examples of other circumstances where personal information may be disclosed".

PIPEDA is clear: "In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual." Air Canada did neither.

According to the Privacy Commissioner's report, "Air Canada advised that its system does not track consultations of a PNR record, only actual transactions are recorded". This is true: All CRSs have change logs (called PNR "histories"), but none of the major CRSs includes access logging (or geographic or purpose limitations on access). Any honest airline must admit -- and should disclose in its privacy policy -- that it does not know to whom, where, or for what purposes PNR data has been transferred.

There is obviously a difference between the requirement of PIPEDA to provide, on request, a "list" of all those entities to which information "might" have been disclosed, and a nonexhaustive set of examples of some such entities.

Since Air Canada does not know to whom information about me has been disclosed, its duty under PIPEDA was to provide me with a "list of organizations to which it might have disclosed information".

The only reasonable reading of this section of PIPEDA, with respect to information stored in a database (especially a shared, multi-customer, global cloud like the network of CRSs), is that the required list is a list of all those entities with user privileges which would have allowed them to retrieve the data in question. That would include, inter alia, any office of the travel agencies involved (I only dealt with one directly, but there may have been, and often are, others with access rights to the same PNRs), any office of any of the airlines involved in the itinerary (possibly including codeshare airlines), and any office of any of the CRS companies holding these PNRs, and any other system user to which any of these had given access rights to those PNRs. None of these were disclosed or listed by Air Canada.

The guide to the investigation process on the Privacy Commissioner's Web site says that "Complaints for investigation will be handled by one or more investigators who will:... determine whether there is a basis for making findings and recommendations [and] if so, contact the parties with the preliminary findings and provide an opportunity for further representation." However, I was not contacted with any preliminary findings, or given any opportunity for further representation, such as the analysis above of the legal and factual errors in the Privacy Commissioner's findings.

It will be particularly unfortunate if the Privacy Commissioner's misunderstandings and mistaken findings influence the current debate in the Canadian Parliament about proposed amendments to PIPEDA to allow even wider "sharing" and usage for other "precrime" purposes of PNR data.

Even when the Privacy Commissioner finds that a complaint is "well-founded", the Commissioner has no authority to compel compliance with PIPEDA, impose sanctions for noncompliance with PIPEDA, or initiate court proceedings for the award of damages to the complainant. As it happens, that issue was decided by the Canadian Federal Court in 2010 in a lawsuit brought by the Privacy Commissioner against Air Canada.

The Office of the Privacy Commissioner can only investigate a PIPEDA complaint and issue a report finding the complaint either "well-founded" or "not well-founded". Following that finding, a complainant can petition the Canadian Federal Court for further action. I am currently consulting legal counsel in Canada and other experts on PIPEDA regarding my legal options going forward. If you might be able to help, or know someone who might be, please get in touch.

Posted by Edward on Sunday, 26 April 2015, 23:11 (11:11 PM)
Comments

I've received the following follow-up message from the Office of the Privacy Commissioner:

"Yes you are correct that not all reports are published on our website. As for the preliminary reports -- our Office only issues those when we have recommendations to make to the respondent. This allows the organization to advise us how it will respond to the recommendations in order to bring itself in compliance with PIPEDA. In this matter there were no recommendations and therefore a preliminary report was not issued."

Posted by: Edward Hasbrouck, 1 May 2015, 09:20 ( 9:20 AM)