Europe reconsidering rules for reservation systems

The European Commission (the executive branch of the European Union) has opened a two-month public consultation on possible revision or repeal of the EU Code of Conduct for Computerized Reservation Systems (CRS’s).

The outcome of this obscure and technical-seeming regulatory proceeding could have important effects worldwide — not just or even primarily within the EU — on oligopoly control of travel information, consumer protection, and the privacy of travel data.

More details, why you should care, and what you can do below:

What are CRS’s, and what do they do?

CRS’s (also known as “Global Distribution Systems” or GDS’s) are used by airlines, railroads, and other travel services providers and travel agencies. CRS’s are the central players in the global infrastructure of travel reservation data. CRS’s store Passenger Name Records (PNRs) and profiles as providers of outsourced database hosting services for airlines, travel agencies, and travel Web sites and mediate most communications between travel companies and between travellers and airlines , even when travellers make reservations and buy tickets “directly” from the airline.

For airlines or travel agencies that want comprehensive connectivity to other travel companies, there are only four major CRS’s to choose between: Amadeus, Sabre, Galileo/Apollo, and Worldspan. All four were originally developed by individual airlines or airline consortia for their internal use, and only later offered to other airlines and travel agencies.

Why were CRS’s regulated? What did the regulations require?

Both the oligopoly by the big four CRS’s and their ownership by certain airlines led to well-founded fears by other airlines that the airlines that CRS-owning airlines might bias their displays and their responses to travel agencies queries to favor their owners’ flights over those of competing airlines.

Regulation of CRS’s by governments in the USA, Canada, and the EU developed as an expression of anti-monopoly (anti-trust) or competition law, to protect other airlines against unfair use by CRS’s owners of their oligopoly power. Protection of travel agencies was only a secondary goal, and protection of consumers — who have the least lobbying power — was in practice distinctly tertiary in the development of CRS regulations.

The common feature of the CRS regulations in the USA, Canada, and the EU was a requirement that travel agencies that subscribed to any of the CRS’s would be guaranteed equal access to information about the flights and fares of that CRS’s owner(s) and other, competing airlines. There are strong parallels between this requirement for CRS neutrality and proposed “net neutrality” requirements for Internet access providers to provide their subscribers with equal access to their own or their partners’ “content” (data) and content from their competitors. The idea is to require them — as both a natural and de facto oligopoly — to function as a provider of connectivity services rather than a provider of a controlled feed of selected information only.

The USA rules only protected airlines and travel agencies, but the Canadian and EU CRS regulations also protected individual travellers against abuse of oligopoly power by CRS’s.

Travellers and consumers have never had access to the information or the query tools that CRS’s provide to travel agents. Web gateways to CRS-derived data provide only a small subset of the query options and response details available from the line- command interfaces and displays used by travel agents. Under the CRS rules in the USA, travel agents were always free to choose which information to pass on to their customers (subject only to their rarely-enforced obligations to their customers, under the law of agency, if they charged them service fees). But the EU Code of Conduct for CRS’s requires that travel agents as well as CRS’s themselves serve as neutral information connectivity sources, provide travellers with nondiscriminatory information about different airlines’ flights and schedules, and allow consumers, on request, to see and print the same displays that the agent uses.

As I’ve often pointed out, there are no legal protections for the privacy of travel data in the USA. CRS regulations in both Canada and the EU, however, recognized the sensitivity of travel data and the special role of the CRS’s as aggregators of travel data (analogous to that of credit bureaus for financial data) by imposing additional protections for the privacy of reservation data, beyond the general requirements of Canada’s Personal Information Protection and Electronic Documents Act and the EU Data Protection Directive.

Article 9a of the EU Code of Conduct also requires CRS “subscribers” (travel agencies and agents) to “inform the consumer of the name and address of the system vendor [CRS], the purposes of the processing, the duration of the retention of individual data and the means available to the data subject of exercising his access rights.” That would be an important prerequisite for travellers’ exercise of their rights, if it were complied with: One reason CRS’s data retention and access practices haven’t been the subject of closer scrutiny is that most travellers are only dimly, if at all, aware of their existence, and have no way to know in which CRS their reservations are stored.

Unfortunately, the privacy clauses of the EU regulations have been ignored by CRS’s, the travel industry, and the European Commission (which is charged with enforcement of the CRS code). As an exercise, I invite readers to try to find the required disclosures of which CRS are used, their data retention practices (not those of the travel agency), and their mechanisms for access to CRS data by travellers, for Expedia.co.uk, Opodo.co.uk (the airline-owned European online travel agency analogous to Orbitz.com), or eBookers.com. Or any other major EU travel agency. Violation of the privacy clauses of the EU regulations is near-universal and completely ignored by the EC.

Why and how are CRS regulations changing?

The original impetus for regulation of CRS’s was their ownership by a small number of airlines, and the oligopoly power to control access to fare, schedule, and seat availability information wielded by the owners of the few major CRS’s.

CRS ownership structures have changed. In the last five years, three of the big four CRS’s have ceased to have any direct airline ownership, while airlines control only a minority of the fourth (Amadeus). The new owners of CRS’s — holders of stock in public companies, and private equity investors — think that they could make more money if they were allowed to prioritize which fares and flights to list first, or to list at all, according to which were willing to pay the most for display presence and positioning. (Just as ISP’s think they could make more money if they could control which data their subscribers can access, and charge extra for packet prioritization.)

CRS’s new owners have used the decline in control of CRS’s by airline owners as a rationale for CRS deregulation — ignoring the continuing global oligopoly over fare and flight data by just four CRS’s.

In the USA, they were successful (in the absence of any significant consumer awareness or opposition) in getting the former CRS regulations entirely rescinded in 2004.

Also in 2004, the Canadian CRS regulations were revised to eliminate many of their previous provisions and consumer protections, although some of the neutrality rules were retained. Perhaps most significantly, the former privacy clause of the Canadian CRS Regulations was entirely removed, ostensibly on the theory that it had been rendered unnecessary by the entry into force of Canada’s general-purpose data protection law, PIPEDA. In fact, because it had no exceptions whatsoever, even for government and law enforcement, the consent requirement of the Canadian CRS regulations — essentially identical to the one which remains in the EU CRS regulations — gave air travellers substantially greater privacy protection, especially against governments, than PIPEDA or the EU Data Protection Directive.

Since 2004 many of the same CRS owners, backed by the government of the USA with its slavish devotion (when it suits its political agenda) to deregulation and “free” (even if oligopolistic) markets, have been pressuring the EU to follow the USA and Canada in eliminating or reducing the scope of its Code of Conduct for CRS’s. The public consultation going on from now through 27 April 2007 is the next step in this process.

Do the European regulations matter only in Europe?

No. The EU Code of Conduct for CRS’s applies to “any computerised reservation system … offered for use or used in the territory of the [European] Community, irrespective of: the status or nationality of the system vendor, the source of the information used or the location of the relevant central data processing unit, [or] the geographical location of the airports between which air carriage takes place.”

The USA CRS regulations have been repealed entirely, and never included any privacy protections. The privacy provisions of the Canadian regulations have been repealed. And the privacy clause of the EU CRS regulations provides significantly greater protection for travellers than the general EU Data Protection Directive. As a result, the EU Code of Conduct for CRS’s sets the global standard for privacy protection of PNR data, and is the single most important privacy regulation in the world for travel data.

Because it is impossible to determine from a PNR in which jurisdiction(s) the data in that PNR were collected, CRS’s that actually wanted to comply with the privacy provisions of the EU regulations would have to apply them to all PNRs they handle worldwide.

Similarly, because the USA and Canadian CRS regulations never included any requirement for neutrality in the information provided to consumers (only for what data CRS’s provide travel agencies), the consumer neutrality requirement in the EU Code of Conduct is the only rule anywhere in the world guaranteeing any consumers access to airline flight information free of deliberate bias.

What will happen next?

It appears from the European Commission’s consultation paper that in considering revision or repeal of the Code of Conduct for CRS’s the Commission is thinking mainly about airline ownership of CRS’s, and perhaps a little bit about oligopoly power. Impacts on consumers (rather than airlines and travel agents) are given short shrift, and the privacy and clauses of the current regulations (or the potential impact of repealing them, as was done in Canada) aren’t considered at all. Most of the lobbying of the Commission also focuses on power struggles between industry players, rather than the interests of consumers or the travelling public.

As exemplified by its recent negotiations with the USA Department of Homeland Security on transfers of PNR data to the USA government, the European Commission has tended to ignore other European Union bodies with an interest in the travel data and information technology.

Before the Code of Conduct for CRS’s was last revised in 1999, the Article 29 Working Party of national data protection directors (acting on the recommendation of its Subgroup on CRS’s) issued formal recommendations to the European Commission for substantial strengthening of the privacy provisions of the Code of Conduct. In addition, a 1998 Working Document on Transfers of Personal Data to Third Countries produced by the Article 29 Working Party used the standard operating procedures of CRS’s and airlines, which remain in practice today, as its example of the sort of cross-border data transfers that are supposed to be prohibited by the EU Data Protection Directive.

Those recommendations have never been acted on. So far as I can tell, no enforcement action has ever been taken against a CRS, airline, or travel agency for transferring PNR and other personal data outside the EU to countries that don’t provide adequate protection for commercial travel data — even when, as is done routinely, they transfer their entire reservation and customer database to a CRS that hosts the data in the USA where it enjoys no legal protection at all. And there is no evidence that the EC is considering the recommendations of the Article 29 Working Party or has invited that body to participate in the Commission’s current review of the Code.

Similarly, the last time the Code was revised the European Parliament noted an interest in greater clarity and “strengthening protection of the traveller, especially in terms of the clarity of displays to which there is direct access, e.g. via the Internet.” But it’s hard to tell if these issues, or the European Parliament, will be part of the Commission’s current work.

Consumer protection, information neutrality, and privacy are at stake, but will probably continue to be ignored unless travellers, consumers, and privacy advocates make themselves heard.

What should be done?

The Code of Conduct for CRS’s should be (1) retained, (2) strengthened, and (3) enforced.

Why? The big four CRS’s still have anti-competitive oligopoly power, and continue to engage in systematic violations of the existing Code of Conduct for CRS’s as well as the Data Protection Directive, particularly with regard to transfers of data to commercial entities in the USA. (An issue distinct from the PNR transfers to USA government entities, which are much smaller in scale and impact but have gotten more attention.) Falling costs of data retention and rising government interest in travel reservation data make the privacy provisions of the EU Code of Conduct for CRS’s increasingly important. The elimination of CRS regulations in the USA, and their reduction in Canada, makes it more important than ever that the EU retain its constraints on the demonstrated propensity of global CRS companies to engage anti-consumer, anti-competitive, and privacy invasive actions.

The Article 29 Working Party of national data protection directors, the LIBE (civil liberties) Committee of the European Parliament, and consumer advocates and consumer and travel privacy experts — not just advocates for industry sectors — should be invited to participate in the Commission’s review of the current Code of Conduct for CRS’s.

With respect to privacy, Article 6 of the Code of Conduct should be strengthened by amending the requirement that “A system vendor shall not make personal information concerning a
passenger available to others not involved in the transaction without the consent of the passenger” to refer to “the data subject” instead of “the passenger”, in light of the fact that PNRs contain significant personal information about individuals other than passengers (including people paying for tickets for others, and travel industry personnel).

With respect to consumer protection, the display-neutrality rules in the Code of Conduct should be strengthened to require that “code-share” flights should be ranked in CRS’s displays according to the airline that actual operate those flights. In particular, connections between flights actually operated by different airlines should be displayed as though they were interline connections between different airlines (which they actually are) rather than as online connections. This would cut down on the use of code-sharing to “game” CRS displays, which is a major component of the fraud of code-sharing .

And the European Commission needs to begin enforcing the Code of Conduct against the CRS’s (and in most cases travel agencies, especially the largest online travel agencies that increasingly dominate the market) that systematically, routinely, and flagrantly ignore its privacy provisions as well as those of the EU Data Protection Directive.

Any “stakeholder”, including individual travellers, can submit comments to the commission through Friday, 27 April 2007 (Brussels time) by e-mail to TREN-CONSULTATION-CRS@ec.europa.eu . You don’t have to be a citizen or resident of the EU to submit comments or have them considered, and you can request that your comments be kept confidential and not be published on the EC Web site.

[Update, 26 April 2007: Comments filed by the Identity Project on the privacy, civil liberties, and human rights implications of revising or repealing the EU Code of Conduct for CRS’s.]

[Update: Next round of activity following the public consultation: European Commission staff Impact Assessement and review of comments (15 november 2007); EC proposal for an amended code of conduct for CRS’s (15 November 2007); Opinion of the European Economic and Social Committee on the EC Proposal (adopted 29 May 2008). In its consultation opinion, the European Economic and Social Committee adopts most of the arguments that had been made by the identity Project concerning the ongoing violations of the current data protection rules, and the need to strengthen and enforce them. The EC proposal was debated (3 September 2008) and approved with amendments (4 September 2008) by the European Parliament, under the procedures for an EC/EP codecision. The new code of conduct will enter into force on 29 March 2009.]