Air Canada lies about government access to reservations

Airlines should have defended their customers against government demands for information. Instead, they have chosen to collaborate with governments not just in surveillance and violation of the rights of their customers, but in the cover-up of those practices and the attempt to keep travellers from realizing their extent.

I got a letter from Air Canada today informing me that, “Your personal information was not disclosed to a government agency with respect to the flights mentioned in your Request…”

If I didn’t know better, this would be reassuring. But it’s not true.

As it happens, I had gotten another letter earlier this week from the Canadian Border Services Administration (CBSA), containing portions of its records of Passenger Name Record (PNR) and Advance Passenger Information (API) data about my flights on Air Canada, which CBSA had obtained from computerized reservation systems and Air Canada’s Departure Control System (DCS):

[Excerpt from Air Canada API and PNR data from the CBSA “Air Targeting” system]

The information in the CBSA Air Targeting files includes both PNR and API data for Air Canada flights, despite the claim that, “Air Canada is not in a position to provide you with APIs records and logs for the flights listed in your Request since no such APIs records were created.”

And earlier this year, in the last batch of information disclosed by US Customs and Border Protection in response to my Privacy Act and FOIA lawsuit for records from the CBP Automated Targeting System, I received copies of two PNRs that CBP had obtained from different reservation systems for those same Air Canada flights:

[Excerpt from Air Canada PNR from the USCBP Automated Targeting System]

[Excerpt from Air Canada & Swiss International PNR from the USCBP Automated Targeting System]

I’ve been travelling regularly to Brussels in recent years, but there are nonstop flights to Brussels from relatively few airports in North America. From San Francisco and many other western cities, the fastest routes to Brussels are via flights to Paris or Amsterdam, and high-speed rail connections from there.

From Boston and many other eastern and midwestern cities, the fastest connections to Brussels are via Montréal. That shouldn’t be surprising: All great circle routes between the USA and Europe pass over Canada. Air Canada often offers cheap through prices between the USA and Europe, sometimes even lower in competitive USA-originating markets than its prices for essentially captive Canadian-originating passengers. It’s an especially good route out of Boston, where you would otherwise have to fly 200 miles south and west to New York to make connections north and east, and where Air Canada is one of only two airlines at Logan Airport (the other is Virgin America) with a dedicated TSA checkpoint for only two gates.

Transit passengers have to clear Canadian customs and immigration to change planes at any Canadian airport, but for US citizens the formalities are usually quick and perfunctory.

My airline tickets for my trip to Europe last fall were fairly typical of the confusion and complexity fostered by airline alliances and codesharing.

Air Canada issued a single electronic ticket for my entire journey, including outbound flights from Boston to Montréal to Brussels with Air Canada flight numbers (one of which was actually operated by the Air Canada “Jazz” division), and return flights from Ljubljana to Zürich to San Francisco with Swiss International flight numbers (one of which was actually operated by the Slovenian national airline, Adria).

I took some other flights within Europe, but those were separately booked and ticketed, and wouldn’t have showed up in any of the same PNRs as any of the flights ticketed by Air Canada.

I bought my tickets from Air Canada through the Vayama.com Web site (a/k/a Airtrade International), which is operated by a large Netherlands-based travel agency, Travix International, itself a subsidiary of the still larger Dutch travel conglomerate BCD Holdings. To the extent that my dealings with Air Canada were carried out through Vayama.com, my personal information is protected by Dutch as well as Canadian law.

In making my reservations and issuing tickets, Vayama.com/Airtrade/Travix acted solely as an agent of the airlines by which it had been appointed — in this case, Air Canada. My ticket correctly shows that it was issued by Air Canada. Air Canada was the principal in my contract of carriage, with the travel agency acting as the airline’s agent.

Air Canada’s claims in its letter to me that it has no control over its agents, and that its agents are “independent”, are entirely untrue. Each airline has complete control over whether to appoint agents (some airlines such as Ryanair don’t appoint any agents), what authority to give those agents to act on behalf of the airline, and what conditions to place on agents’ exercise of their delegated authority to act on behalf of the airline. Airlines can and routinely do revoke the appointments of agencies’ that violate the conditions of their appointments.

Air Canada’s disclaimer of responsibility for the actions of its agents, its claim that “travel agencies… are independent from Air Canada”, and its repeated references to “your travel agency” (i.e my travel agency), when the agency acted as Air Canada’s agent and not as my agent, stand the law of agency on its head.

Legally, what is done by a duly appointed agent is considered to have been done by the principal. The principal is responsible for the acts of its agents, whether those agents are employees at a ticket counter or corporations appointed by the airline to act as its agents in making reservations, accepting payments, and issuing tickets in the name of the airline.

If it were true that Air Canada had no control over its agents, that would be a flagrant violation of both PIPEDA (the Personal Information Protection and Electronic Documents Act, the basic Canadian privacy law for commercial data) and Air Canada’s published privacy policy, which claims that Air Canada has contracts with its contractors requiring them to comply with its privacy policy including its provisions for access by individuals to information about ourselves.

I was working as a travel agent when PIPEDA first came into effect for airlines, and thus for their agents. I expected that we and all other travel agencies would be receiving notice of our new obligations, whenever we acted as an agent for Air Canada, to comply with PIPEDA.

So far as I know, that never happened. But Air Canada has just as much of a duty to ensure that corporations that act as its agents accept and are conversant with their obligations under PIPEDA, before Air Canada appoints them to act as its agents, as Air Canada has to ensure that its employees accept and are conversant with their obligations under PIPEDA before those employees are authorized to start handling personal information subject to PIPEDA on Air Canada’s behalf.

Air Canada also claims that it isn’t responsible for, and is unable to obtain data from, its contractors including CRSs and the other airlines for which it issued tickets. Once again, this is probably untrue, but if true would indicate a failure to comply with PIPEDA and Air Canada’s own privacy policy.

Air Canada’s further claim that records associated with a unique ticket number “are not personal information per PIPEDA” flies in the face of the law’s definitions of such information.

Another major problem revealed by Air Canada’s letter to me is the admission that no record is kept of incoming or outgoing interline messages and that “the system used by Air Canada does not track consultations of a PNR record. Only accesses resulting in a transaction are recorded.”

This is true, and makes it impossible for Air Canada or any other airline which uses these systems to comply with the law. Both Canadian and Dutch privacy and data protection law requires a business to disclose, on request, the third parties and third countries to which personal information has been transmitted. It is thus a clear violation of both Canadian and Dutch law for Air Canada and its Dutch agent Vayama.com to use systems that lack access logs.

In practice, governments have been given root access to the computerized reservation systems used by airlines and their agents. These government departments including CBP can pull any PNR. Without access logs it’s impossible to know which PNRs have been retrieved by which governments.

You can see this in the two PNRs for this trip which CBP had in their ATS database. The first, #10 in their list, shows only the Air Canada flights, and presumably was obtained from Air Canada’s host system or host partition in a CRS. The second PNR, #11 in the CBP list, is labeled as an “LX” (Swiss International Airlines) PNR, but includes both the flights with Swiss flight numbers and the Air Canada flights.

In the absence of some bilateral or multilateral (Star Alliance?) codesharing or data sharing agreement, Swiss wouldn’t have been able to see the Air Canada flights in this PNR. What this suggests is that, when CBP retrieved what it considered the “Swiss” PNR, it had root user privileges to pull the entire multi-airline PNR created in the CRS by the travel agency.

To date, none of the airlines from which I have requested records of what they have done with my reservations, and to whom they have disclosed them — KLM, Air France, Lufthansa, and now Air Canada — has complied with their legal obligations. Air Canada has proven to be even worse than the others, not just failing to keep records of disclosures and withholding information it was required to provide, but denying that known disclosures to both the Canadian and US governments had occurred.

I will be pursuing these issues — the lies, the misinterpretations of the law, and the admissions of failures to comply with the law — with Air Canada, its agent Travix International, Amadeus (the source of the references in the PNRs to “1A” for Amadeus, and “MUC” and “MUCRM1A” for the Amadeus data center or “Reservations Mainframe” near Munich in Erding, Germany) and other reservation systems, the Privacy Commissioner of Canada, and data protection authorities in the Netherlands (Travix International) and Spain (Amadeus).