USA and Canada open talks on airline data

Just over three full years after the Canadian Personal Information Protection and Electronic Documents Act took effect for airlines that do business in Canada on 1 January 2001 , the Canadian government has finally begun negotiations with the USA regarding the conflict between the Canadian law and USA government demands for access to airline reservations, according to reports of a joint news conference in Washington with USA and Canadian officials from the Globe and Mail , GovExec.com , and AP .

As with the European Union’s consideration of airline reservation data transfers to the USA, the key question is whether the Canadian authorities will limit their concern to future USA government uses of travel data, or whether they will also address past and ongoing violations of the rights of Canadian travellers, including those by commercial users of reservation data as well governments.

I expected travel businesses in the USA to disregard EU data protection law — especially once they could claim, albeit falsely, that the so-called “safe harbor” agreement had “resolved” the issue with the EU — and to postpone compliance with the Canadian law as long as possible. But I thought that both the scale of transborder air travel between the USA and Canada, and Canadian enforcement efforts, would eventually, grudingly, force USA travel companies into at least a show of compliance, as the price of continuing to do business in and with Canada.

No such luck. Call me cynical if you like, but I’ve been genuinely shocked at how long, and how systematically, airlines, CRS’s, and travel agencies have continued simply to ignore their obligations to respect Canadians’ rights, and have continued to treat Canadian data as cavalierly as data collected in the USA (where there are no privacy rules except those that businesses voluntarily adopt for themselves). Under the Canadian law, personal infomation isn’t supposed to be transferred to third parties — as it is between travel agencies, CRS’s, and airlines almost every time a reservaion is made — without a commitment from the recipient to respect the conditions (on notice, access, disclosure, and purpose of use) under which the data was originally collected. Those agreements simply don’t exist, and that fact is, or should be, a major scandal across Canada.

In part because of the absence of these agreements or any measures to give them effect, it’s impossible to identify which passenger name records (PNRs) associated with a particular flight in the USA contain data that was collected in Canada. I myself couldn’t tell with certainty, at the travel agency where I work , which reservations were made by our agents in the USA and which by our agents in Canada . Any sample of USA airline reservation data of significant size will include personal information about Canadians, collected in Canada, protected by Canadian law.

If — as now appears to have been admitted by both USA and Canadian officials — CAPPS-II is contrary to current Canadian law, that means the previous CAPPS-II tests with real reservations violated Canadian law, and no future CAPPS-II tests can be conducted legally unless and until Canadian law is changed. “Homeland Security Department Secretary Tom Ridge said an agreement is ‘by no means automatic’ and will require ‘lengthy’ negotiations.” That’s a major setback to the previuously-announced CAPPS-II testing schedule, and gives the DHS no excuse for issuing a directive commandeering data for CAPPS-II tests unless and until an agreement to permit such tests can be concluded with Canada.

The first Privacy Commisisoner of Canada took a strong stand against earlier proposals for government access to airline reservation data, but it remains to be seen how the current Commissioner will address the issue.

One of the previous Privacy Commissioner’s major enforcement actions, in fact, was against Air Canada for its handling of its frequent flyer program database . It’s worth re-reading, even outside Canada, for its findings against the airline — especially with US Airways (US) again in serious danger of being unable to meet its 30 June 2004 deadline for repayment of US$1 billion of USA government-guaranteed loans . US is already putting its most valuable assets up for bid, and if it goes bankrupt again, it will probably be liquidated. That means the US frequent flyer and PNR databases would be up for auction to the highest-bidding consortium of direct marketers and data miners. (For more on what you can do to protect yourself, see my FAQ about Airline Bancruptcies .) The possibility of a US liquidation lends considerable urgency to the need for Congress to enact a federal travel privacy law soon, before a bankruptcy court has to supervise the auction of a major airline reservation and customer database.

EU national data protection commissioners (the “Article 29 Working Group”) were scheduled to meet yesterday to discuss the draft agreement on CAPPS-II testiong and passenger data transfers to the USA proposed by the European Commission, according to the French national data protection commission (CNIL) Web site.

In addition to the previous ruling in Belgium and the pending investigation in Spain of complaints against PNR data transfers to the USA, both the French (en français) and German (in German; report in English from Reuters ) data protection authorities have issued statements that the current transfers (and implicitly, CAPPS-II testing or deployment) are contrary to the laws of their countries and the EU. But there’s been no word yet on what transpired at yesterday’s meeting.