What does Air France do with reservation data?

Air France and KLM Royal Dutch Airlines present quite different “corporate cultures”, despite being owned by the same French parent corporation , the Air France-KLM Group . Unfortunately, my latest experiments have shown that these two airlines have in common a disregard for the privacy and data protection laws applicable to their respective jurisdictions under common principles mandated by the 1995 European Union Data Protection Directive.

I’ve posted previously about my (unsuccessful) year-long effort to get KLM to tell me what records the have about me and my travels, who else they’ve allowed to see them, and what they’ve done with them.

In the extended article below, I describe my more recent attempts to get the same information from Air France, with links to my correspondence including the partial copies of my passenger name records (PNRs) that they eventually sent me. I’ve posted the story in some detail because it shows the lengths to which travel companies will go to avoid complying with privacy and data disclosure and access rules: they give easy access to personal information to everyone except the data subjects. But that’s also why it’s so important for travellers to make these requests.

Air France ignored my written request until after the legal deadline, then lied to me about what they had done and the reasons for the delay. They gave me a written response only after I told them I was on my way to their headquarters in person. When I attempted — with ample advance notice — to inspect their records about me and get an explanation of what they meant “sur place” at their head office in Paris, I was turned away at the entrance, and told they never allow anyone to exercise their right of access on site (despite the requirements of French data protection law and regulations). No responsible or identifiable person would speak to me.

The letter they eventually gave me was late and incomplete, and some of the data was in proprietary codes which they refused to explain. Many of my questions, and many of the categories of data which they have about me, and which I had requested, were simply ignored. They didn’t even give me a complete copy of my ticket (which exists in electronic form solely in their systems) or a breakdown of the fare, taxes, “fees”, and “charges” I had paid. Like KLM, they would tell me nothing about what their agents or contractors had done with my data.

Perhaps worst of all, they admitted that they don’t know who accessed my data, and that it might have been retrieved by any of a hundred thousand or more travel agents and contractors in countries around the world. The systems in which reservations are stored have neither fine-grained access controls nor any built-in access logging:

[T]he reservation file, for the period of its validity, was accessible, in respect of yourself by … Air France, … All travel agencies, provided they were in possession of the exact file number and your name, [and the] Amadeus help desk.

Finally, they admitted that some of the information I had requested was destroyed by Air France contractors and third-party recipients while my request was pending, despite my specific request that Air France immediately notify them of my request, and take steps to preserve the responsive data.

I would welcome any Francophone legal or translation volunteers to assist me in pursuing my complaint with CNIL or, if necessary, through litigation in France.

The sometimes surreal details:

Two years ago, I went to Brussels to participate in discussions by the European Union on the handling of personal information contained in airline reservations.

After my trip, I took advantage of the opportunity to ask KLM to show me their records about me, and to tell me how they had processed my data and who else (including commercial as well as governmental entities) they had allowed to access my data. I’ve posted sample request letters for the UK, which can be adapted for other EU member countries. Because all EU members must implement the EU Data Protection Directive, their laws are similar and give members of the public similar access rights.

Since I had travelled on KLM Royal Dutch Airlines, my request was made under Dutch and EU law. More than a year later, after an unsuccessful attempt at mediation by the Dutch Data Protection Authority, KLM gave me their final answer: they claimed that they didn’t know who had seen my data, and that KLM isn’t responsible for what their agents and contractors (including Northwest Airlines) did with my data. The PNR from the Amadeus CRS that KLM sent me showed that there were also PNRs for my trip, created by KLM’s agents, in both the Sabre and Worldspan CRS’s. But KLM didn’t give me any records from Sabre, Worldspan, Northwest Airlines, or any of KLM’s other agents or contractors.

KLM’s claim not to have a record of who accessed my data was probably true, but it was also illegal. A PNR contains a change log, but not an access log. Transaction logs are stored separately from PNRs, and aren’t normally retained for more than a few days. (This is similar to the way Web server logs are stored separately from the files on a Web server that contain the Web pages being served.) I presume that KLM never told the CRS’s to preserve their transaction logs while my request was pending, and those logs were probably (illegally) destroyed long before KLM responded to my request.

In order to comply with the EU Data Protection Directive, which requires them to keep records of disclosures of personal data, airlines and CRS’s should have added access logging to CRS functionality years ago when the 1995 Data Protection Directive and national laws to implement it took effect. It would be a significant, but a straightforward, change to add an entry to the PNR “history” each time the PNR was retrieved, logging the unique user sine-in ID and the date, time, and office or agency and terminal address (the CRS analogue of an IP address).

Instead, airlines and CRS’s have ignored the law, and left their systems uncharged, so that are unable to provide the information required by law when someone likes me asks for it. My only recourse would have been to bring a lawsuit in Dutch court, within just 6 weeks after the Data Protection Authority concluded its failed attempt at mediation. I was travelling in Africa at the time, and unable to file a lawsuit from abroad, in a foreign language, that quickly.

In January of this year, I flew to Brussels again , this time on Air France. It would be a time-consuming nuisance to avoid the Air France-KLM Group on this route, since Air France and KLM have the two best sets of connections from San Francisco to Brussels. Once again I made a formal request to the airline (by registered mail, since they provided no e-mail or telephone contact information for such requests), immediately after my trip, for all of my data and an accounting of who had accessed it and how it had been used.

I know that Air France received my letter, since I got back the signed receipt for one of the copies sent by snail-mail, and they acknowledged the copy sent through their Web site with an e-mail message on February 26th from their French customer service department: “We forward your message to the person in charge of such requests”. My repeated requests for contact information for the responsible person or office were ignored. The only response was a later phone call from someone in a different Air France USA customer service center in Florida. They had no idea who (if anyone) in the company might be able to provide the information I wanted, and they’d never heard of data protection. The records (pp. 16-17) I later received showed that they closed my file at the direction of one of Air France’s lawyers in New York: “FILE TRANSFERRED TO NYC.AJ/CLOS PER JOAN GABEL…. Date de clôture 04MAR2009. Clôture définitive sans réponse.”

There’s no good reason for an airline to assign information access requests to their legal department. Data protection is a legal obligation, but so are many other aspects of the operation of any corporation. Lawyers, even on the staff of an airline, are extremely unlikely to have the technical knowledge required to identify, retrive, or explain all the records their companies keep. This is a technical, operational, and primarily a database management function, not a legal one. On the KLM side of the Air France-KLM Group, for example, the “Privacy Office” is a separate office, and the people I met with at KLM headquarters to discuss my data were the privacy and security directors, not (so far as I know) lawyers.

I tried repeatedly to contact Air France’s data controller (whomever that might be) by telephone. But the only contact information in the Air France privacy policy is the mailing address of their corporate headquarters (“siège social”), a complex of several buildings with thousands of employees.

Without a name, title, department, or specific office location, the switchboard operators (who had obviously not been trained in where to direct access requests for personal information) had no idea what to do with me. Eventually they transferred me to someone in “security”, who told me that Air France would release no information to data subjects themselves, and that if I wanted to know what information Air France had about me I should talk to the police! Perhaps it was merely a miscommunication — my French is quite limited — coupled with a lack of training on their part in data protection law, but it wasn’t encouraging.

French data protection law allows a request for access to personal data to be made either in writing or in person, on site (“sur place”), and requires a data controller to respond to written requests within two months. Having gotten no answer to my letter, and having gotten nowhere on the phone, my only remaining option (short of a lawsuit) was to complain to the French authorities and/or to try to exercise my rights “sur place”. I did both.

By coincidence, I was planning another trip to Europe just a couple of weeks after the expiration of the two-month time limit. I had already written the Commission Nationale de l’Informatique et des Libert&’s (CNIL), France’s data protection authority, with whom all data controllers in France are required to register, and I sent them a follow-up fax advising them of Air France’s failure to respond. The CNIL had no name, e-mail address, phone number, or office location for the responsible person at Air France, but they confirmed my right to exercise my rights “sur place”, and they were able to tell me the name of the responsible department (the “Service Juridique”) and their fax number. The CNIL also told me that they had notified Air France of my complaint, although I don’t know exactly what they said.

I rearranged my trip to stop over in Paris, and sent Air France’s lawyers a fax in French to Paris, and a copy with a more detailed explanation in English by e-mail to Ms. Gabel in their legal office in New York, to let them know when I would be there and what information I wanted to inspect, as well as to ask for more precise information on their location and hours.

The day after I had told Air France I would be leaving for Europe, Ms. Gabel sent me a letter entirely ignoring my request for information about the location and hours of the responsible office at the headquarters, instead claiming that Air France would respond in writing “shortly”. I didn’t yet know, nor did she mention, that she had been consulted about my request weeks earlier, and had directed that my file be transferred to her. Instead, she claimed that the customer service office in Florida (to which one of the copies of my letter was erroneously forwarded within the company) had erroneously sent my letter back to Paris, and that she had never seen it before. She made no mention of the copy of my request I sent from Paris the morning of my flight home, or the copy I sent electronically — and had gotten acknowledged — through the Air France Web site.

When I arrived at the entrance pavilion of the Air France complex adjoining the terminals at CDG Airport on April 2nd, a letter signed by Jean Marc Bardy, Air France’s chief lawyer and a member of the Board of Directors, was waiting for me at the reception desk along with several people in plainclothes who appeared to be “security” staff. Why was my request, which should have been entirely routine, being handled at such a level? I can only presume it was because Air France never bothered to develop standard procedures for handling such requests — probably because they made it so difficult to get such requests acknowledged and answered.

As I had feared, M. Bardy’s letter left many of my questions unanswered. But as I had also feared, the staff at the reception desk had no idea what to do with my request for access to my data on the spot (“sur place”), and refused to allow me to go through the turnstiles into the complex of buildings or to identify or allow me to speak with anyone in the responsible office. The most they would do was for one of them to go inside (while I waited at the entrance) and return with an unsigned letter from the legal department confirming that “Mr. Bardy has left the building”, and stating that they considered their response “complete”.

Was there any way to make a request for access or information “sur place”? Silence and shrugs.

Was anyone else from the legal department, or whatever department is responsible for data protection, available? Silence and shrugs.

When was M. Bardy expected to return? Might it be later that day? The next day? Silence and shrugs.

I told them I’d wait, and if necessary return the next day. I took a seat on one of the sofas in the lobby. At intervals, the receptionists phoned someone to let them know I was still waiting.

About two hours later, a man and a woman in more expensive looking suits than those of the security guards who had been dealing with me earlier appeared at my side. They had no visible badges, they showed me no business cards, and they wouldn’t tell me their names or titles. All they would say was that they were not the person(s) responsible for data protection, that no such person(s) would be available to speak to me no matter how long I waited, that no one would be available the next day either, and that Air France would never provide any access to personal data “sur place”. I showed them the CNIL brochure (see p. 2) describing this right, which seemed to surprise them, but still they shrugged and went back through the turnstiles into the Air France buildings.

At this point, I too shrugged and went home. My complaint to CNIL, and my request for the rest of my data and an explanation of it from Air France, are still pending.

If you want to try this yourself, you can use my request letter in France, or adapt the UK forms and instructions here for use in other EU countries. And anyone who has travelled to, from, or within the USA, regardless of citizenship, can also ask the DHS for their dossier about you.

[Update, 9 July 2009: My complaint to the CNIL, in English, with attachments.]

[Further update, 30 July 2009: French translation of my complaint to the CNIL, with attachments, with profound thanks to Patricia Poirier and the International Civil Liberties Monitoring Group / Coalition pour la surveillance internationale des libertes civiles for generously volunteering their time and expertise for such a lengthy and precise technical translation on short notice during what should have been their summer holidays. I’m continuing to solicit French pro bono legal counsel, in case I am unsuccessful in resolving this through the CNIL and need to consider bringing suit in France against Air France, under the provisions of the EU Data Protection Directive that guarantee a right of private enforcement action.]

[CNIL and its chairman Alex Turk are notorious for their ineffectiveness, and I have as yet received no response to my complaint or to a series of written inquiries (18 December 2009, 5 May 2010, 21 December 2010) as to the status of my complaint. My French is very limited, but if I understood correctly what I was told on the one occasion when I reached M. Delporte, the responsible person at CNIL, by phone, CNIL (1) closed their original dossier before they received my letter of 9 July 2009 (English) and 30 July 2009 (French translation) with the details of my complaint, and (2) has taken no action on my letters of complaint despite my request that, if they had closed my original file, they treat my subsequent letter as a new complaint. If anyone who speaks fluent French can get a clearer explanation from CNIL, please let me know what they say or how I can get my complaint considered and acted on. I will update this entry if I receive any communication from CNIL.]

[P.S.- This 2006 cable from the U.S. Embassy released by Wikileaks decribes how Air France told U.S. Embassy officials that they believed they would be allowed to send PNR data to the US, even without any legal basis. This cable also reveal that Air France hoped to avoid oversight of PNR data transfers by CNIL, and that Air France had been “informally” advised by the government of France (“GOF”) that AF didn’t need to notify the French government about no-fly orders from the U.S. — although this could be officially confirmed due to the affront to French sovereignty in allowing the U.S. to make no-fly decisions about flights from France. This other cable gives further bakcground on the French government’s efforts to avoid putting PNR data-sharing with the U.S. to a vote in the French parliament, and its efforts to find some other legal basis for it.]