Home
Blog
Newsletter
Search
Twitter
More

Wednesday, 17 June 2020

Who owns the records of your travel?

Do you want all the details of your past airline travel sold to a data mining company? Did you ask for a Kosher or a Halal meal? Which countries or airports did you travel to? Who did you sit next to? What emergency contact information did you provide? Should that information be for sale to the highest bidder -- without your consent?

To put it another way, should airlines be allowed to pawn our personal data to cover the cash-flow problems they have caused for themselves by paying dividends and/or buying back stock rather than keeping past profits in reserve for downturns in the cyclical airline business?

United Airlines thinks it should -- and that other airlines will imitate them in mortgaging their customer data archives.

In a filing with the Securities and Exchange Commission, United Airlines has disclosed that it has agreed to a US$5 billion loan from a consortium of banks, as a condition of which the airline has committed to:

  1. Transfer "ownership" of United Airlines and MileagePlus customer data to a subsidiary company, "MileagePlus Intellectual Property Assets, Ltd." (MIPA), and
  2. Pledge this data as collateral to secure the US$5 billion loan.

If this had not been done, and if the airline eventually had eventually gone bankrupt (as it and many other airlines might), personal data including reservation records would have been included in an eventual auction of the airline's assets.

But the terms of the new secured loan mean that if the airline defaults on the loan (as it may), even if the airline keeps flying and doesn't go bankrupt, the creditor banks will be able to seize the personal data about travellers and ticket purchasers held by United (or held on its behalf by contractors), and auction that data to the highest-bidding data broker to satisfy the airline's debt.

If you can't pay your bills any other way, you take whatever you have to the pawnshop. Apparently, United thinks that the information it has about travellers is its most valuable remaining unencumbered asset.

Twenty years ago, while researching The Practical Nomad Guide to the Online Travel Marketplace, I got off-the-record estimates from travel marketing executives of a minimum of several hundred million U.S. dollars for the value of a major airline's customer data including both frequent flyer program records and historical reservation records. But that was at a time when the cost of storage limited the length of time for which airlines found it profitable to retain PNR data. The amount of the latest loan to United suggests that banks put the value of the data pledged as collateral an order of magnitude higher today than the estimates I got in 2000. This increase reflects both the larger amount of personal data held by airlines today, including longer-term and more detailed historical reservation data, and more sophisticated tools for mining and extracting value from that data trove.

As collateral for loans, banks are valuing United's customer data at US$5 billion, which is 10% more than the $4.5 billion valuation being placed on the airline's landing and takeoff slots, gates, and routes as collateral for other loans. Airplanes might seem more obvious tangible assets for an airline to pledge as collateral for loans. But planes are often owned by leasing companies, not airlines, or have already been pledged as collateral to secure earlier loans.

United Airlines executives reportedly told journalists that they expect other airlines to follow United's example and mortgage their customer data archives.

Spinning off a frequent flyer program as a separate business from the airline that created it wouldn't be unprecedented. The Air Canada holding company, for example, divested itself of all of its holdings in the "Aeroplan" program, previously a wholly owned subsidiary, in 2008 when it needed cash -- but then bought it back in 2018 when it felt more flush. But pledging personal data owned (at least under U.S. law) by a travel corporation as collateral for a loan is a first, so far as I can tell.

I've long advocated for enactment of a U.S. Federal consumer privacy law applicable to PNR data and other records about travel. More than a decade ago, in a formal submission to the U.S. Federal Trade Commission joined by Travelers United (then called the Consumer Travel Alliance) and the Consumer Federation of America, I pointed out the need to include protection for travel data in airline bankruptcies:

The issue of whether data about me is "my data", or is actually owned by commercial entities that have collected or obtained it, is most important when such a company goes bankrupt.

No consumer actually intends to agree, when they provide personal information to a business, that if the company goes bankrupt, that personal information not only can but should and must be sold to the highest bidder for the sole benefit of the company's creditors, not the individuals to whom that data pertains. In assuming this, the bankruptcy laws flagrantly violate any reasonable or likely understanding of consumers' actual expectations.

The possibility of a bankruptcy auction of a personal data archive about consumers is not limited, of course, to the possibility of bankruptcy of a travel company. But there are few, if any, industries that combine the frequency of bankruptcies of even the largest companies with the volume and sensitivity of personal information and consumer profiles that are held by travel companies such as airlines and hotels. Airlines are routinely in and out of bankruptcy, and in the last year large numbers of hotel owners have gone bankrupt.

Luckily, most recently bankrupt airlines have been reorganized or have had their assets including their data archives bought by other airlines. There is no guarantee that this luck will hold. It is only a matter of time before a major airline or hotel chain is a liquidated, and the bankruptcy court is required by current law to auction its records of years or decades of consumers' travels to the highest bidder. Based on discussions of this issue with travel database marketing professionals, we think it highly unlikely that in such an auction any other airline could match the bids of data brokers, data aggregators, data miners, and direct marketers.

Reform of the bankruptcy laws is urgently needed to protect personal information about consumers, which they provided to a particular company for a particular purpose, from being sold at bankruptcy auction to an unrelated third party, most likely a data mining or direct marketing company, without the consent of the individuals to whom this data pertains. And the potential bankruptcy liquidation of a travel company is clearly the paradigmatic case of the danger posed by the current lack of protection in bankruptcy law for personal information.

It would also be possible to address part of this problem, without directly changing U.S. bankruptcy laws, by requiring airlines make contractual commitments to travellers that remove personal data from the class of "assets" subject to sale or transfer. This could be included in pandemic legislation as a condition of any Federal loans, bailouts, or concessions, or it could be enacted as freestansding legislation applicable to all airlines, regardless of whether they take pandemic loans or any of the many other government subsidies to airlines.

Would a sale of passenger data, or a seizure to satisfy a loan for which it had been pledged as collateral, be permitted by United's privacy policy and tariff? Possibly. Here's what United Airlines says in its conditions of carriage about the sale or transfer of personal data:

Rule 30 Consent to use of Personal Data

Upon booking a ticket for transportation, purchasing other services, or participating in any UA program or service such as MileagePlus or the United Club, you hereby authorize UA and its affiliates and authorized agents to (i) collect, process, retain and use, and (ii) transfer to third parties, including, but not limited to, subcontractors, agents, affiliates, marketing partners, other carriers, and government agencies, for their use, processing and retention, any and all personal data you provide when UA believes in good faith that ... disclosure is otherwise ... advisable or as UA deems necessary to carry out any and all business purposes related to the program or services being requested and/or in the promotion of other information, goods, and services that may be of interest to you, including, but not limited to, the following purposes: ... promotions for UA and/ or its affiliates goods and services and third party goods and services; statistical analysis; [or] developing and tailoring current and future services....

If a passenger wants to learn more about UA's Privacy Policy, it may be viewed at www.united.com. This policy is merely a statement of administrative protocol; it is not a contract, nor is it made, or intended to be made, a part of this Contract of Carriage, nor does it create any contractual or legal rights.

The U.S. Department of Transportation already has statutory and regulatory authority to take enforcement action against "unfair or deceptive practices" by airlines. The DOT could and should issue guidance clarifying that for an airline to describe something as a privacy "policy" when that "policy" creates no legal rights and isn't incorporated into the airline's contractual conditions of carriage is an unfair and deceptive practice. If the DOT won't do this, Congress could and should write this into the statute. Some legal scholars have also argued that, even outside the airline context, mortgaging personal data without explicit prior disclosure of this possibility is an unfair and deceptive practice.

United Airlines operates and collects data from and about individuals in many countries, of course, not all of which treat personal data ownership the same way the U.S. does. Whether the latest move by United complies with the data protection laws applicable to data collected in some of those other countries seems questionable. But with the U.S. exceptionalism that characterizes U.S.-based corporations as well as the U.S. government, United probably assumes that it isn't subject to any law except that of the U.S., or at least that it has de facto impunity from foreign sanctions. Those assumptions might prove fatally mistaken if foreign data protection authorities take an interest in United's latest actions to mortgage customer data as an asset owned by the airline which it can use or dispose of as it chooses.

Link | Posted by Edward on Wednesday, 17 June 2020, 09:40 ( 9:40 AM) | TrackBack (0)
Comments

Reprinted by Travelers United:

https://www.travelersunited.org/who-owns-the-records-of-your-travel/

Posted by: Edward Hasbrouck, 19 June 2020, 10:12 (10:12 AM)
Post a comment









Save personal info as cookie?








RSS 2.0 feed of this blog
RSS 2.0 feed of this blog
Powered by
Movable Type Open Source
Movable Type Open Source 5.2.13

Pegasus Mail
Pegasus Mail by David Harris
Notices
Disclosures & Disclaimers
All advice and recommendations are the personal opinions of Edward Hasbrouck, and do not necessarily represent the views of my publishers, employers, or clients.