Sunday, 10 December 2017

"No airline adheres to the Privacy Shield"

The U.S. Department of Transportation has consistently failed to protect consumers against deceptive advertising and opaque pricing by airlines that frustrates comparison shopping, while blocking any enforcement against airlines of any rules promulgated by other Federal agencies or of the state and local truth-in-advertising and other consumer protection laws that apply to other businesses.

As I discussed in an article here last week in response to the latest outrage, I've been complaining about this for years.

DOT's dereliction of its duty to protect consumers extends to privacy protection as well, an issue highlighted by a report and staff working document released last week by the working party of data protection authorities of the European Union and EU members.

Airlines' privacy obligations under U.S. Federal law are limited: Under U.S. law, airlines can legally violate consumers' privacy, as long as they don't lie about what they do. But DOT has made no attempt to determine whether airlines are truthfully disclosing their privacy practices, and has brushed off complaints that airlines violated their own privacy policies and lied about their practices.

Whether most other U.S. businesses comply with their professed privacy policies is subject to the jurisdiction of the Federal Trade Commission. But the DOT has zealously defended the exclusivity of its jurisdiction over airlines against any regulation of airline practices, with respect to privacy or anything else, by the FTC, any other Federal agency, or state or local consumer protection or law enforcement authorities.

I've complained about this in testimony to both the FTC and the DOT, as have other consumer advocates and state Attorneys General (2000 letter, 2006 letter).

Laws in Canada, the European Union, and some other countries restrict transfers of personal information from those countries to countries where personal data isn't adequately protected by law. Without adequate privacy protections and enforcement mechanisms in the U.S., it wouldn't be legal for businesses in those countries to transfer data to the U.S. about customers, travellers, or other individuals.

Because DOT and only DOT has jurisdiction over airlines, the U.S. government has had to pay lip service to DOT's commitment to policing airlines' compliance with their privacy policies when the U.S. has tried to persuade other countries that the U.S. provides adequate legal protection for personal information.

A bogus claim by the DOT that it would take action against any airline that lied about its privacy practices was an essential element in the so-called "Safe Harbor" framework negotiated to provide a legal fig leaf for businesses transferring personal data from the EU to the US.

After the highest EU court determined (unsurprisingly) that the Safe Harbor framework failed to satisfy the adequacy requirements of EU law, a similar and equally bogus claim by the DOT about its commitment to enforcement of airline compliance with published privacy policies was an element of the Privacy Shield (Safe Harbor 2.0) negotiated to provide businesses with a renewed legal fig leaf for transfers of personal data from the EU to the U.S.

So how many airlines claim that they comply with the Privacy Shield? To date, none.

And what has DOT done about this? To date, nothing.

We know this not from DOT but from documents released by European participants in the first annual joint US-EU review of compliance with the Privacy Shield.

According to the report by the Article 29 Working Party on the US-EU meetings:

The DoT made a presentation of its jurisdiction (over airline agencies and ticket agencies on the basis of the Unfair and deceptive practices Act) and of its activities. It has the authority to enforce civil penalties (up to 22 100 dollars for each violation).

No airline company currently adheres to the Privacy Shield, and initially 27 entities identified DoT as regulator (some by mistake). In total, 13 Privacy Shield companies are registered under the DoT's jurisdiction. For 10 of them, DoT's jurisdiction has been validated, while the jurisdiction issue of the other 3 is being examined. All of these 3 companies nevertheless appear on the Privacy Shield list.

Questioned on this, the DoT, the DoC and the FTC indicated that the allocation of jurisdiction between the DoT and the FTC did not stop the self-certification process as the DoT and the FTC have concurrent jurisdiction.

It would be a good thing if the FTC had such concurrent jurisdiction over airline practices with respect to privacy and other consumer issues. But the DOT has consistently claimed that its jurisdiction over airlines is exclusive, and it has used that claim of exclusive jurisdiction to discourage or prevent the FTC from getting involved in any investigation or enforcement of violations of privacy policies by airlines.

In litigation, DOT has argued ever since the Airline Deregulation Act of 1978 that it has exclusive jurisdiction over airlines. And that's still the claim made on the US government's official Privacy Shield Web site, as noted in the staff working document prepared for the Article 29 Working Party in preparation for its report on the Privacy Shield review:

A company may only certify if it is subject to the investigatory and enforcement powers of the FTC or the DoT. The FTC and DoT's respective jurisdictions are described on the Privacy Shield website as follows: "...The DOT has exclusive jurisdiction over U.S. and foreign air carriers...."

No airline company had certified under the Privacy Shield at the time of the Annual Joint Review.

Like its predecessor "Safe Harbor", the "Privacy Shield" is a sham. Its name is Newspeak.

Europeans and Americans alike need to recognize that the DOT does not adequately protect air travellers' privacy. Airlines will stop making false claims about respect for their passengers' privacy only when European, Canadian, and/or other non-U.S. privacy and data protection authorities impose sufficiently severe financial penalties on airlines and computerized reservation systems to motivate them to change their typically undisclosed and systematically insecure and privacy-invasive practices.

[Correction: The article above has been corrected to remove an erroneous statement in the original version that the FTC is part of the Department of Commerce. The FTC is a quasi-independent regulatory agency, not part of the Department of Commerce.]

Posted by Edward on Sunday, 10 December 2017, 17:01 (5:01 PM)