DOT Advisory Committee on Consumer Protection to consider privacy of travel data

In the first formal public consideration ever by the U.S. government of the privacy issues posed by airline reservations and other personal information used by the air travel industry, the U.S. Department of Transportation’s Advisory Committee for Aviation Consumer Protection will devote much of its next quarterly all-day meeting in Washington on 21 May 2013 to travel data privacy issues:

The meeting will also address privacy of personally identifiable information collected in connection with the purchase of air travel from airlines and travel agents. Issues to be addressed are: what information is collected and by whom; who retains information (airlines, travel agents, including on-line travel agents (OTAs), and global distribution systems (GDSs)); what privacy policies are in place and is information used consistent with those policies; and what security measures are in place to protect against unauthorized access? We plan on hearing from government representatives, as well as speakers from the airline and travel agent industry, including GDSs, online travel agents, and consumer groups on the privacy issue.

The notice of the meeting published today in the Federal Register gives little additional information about the format of the meeting. However, here are some important general notes about meetings of the advisory committee:

1. “The meeting will be held in the Federal Aviation Administration’s auditorium on the 3rd floor of the FAA Headquarters building at 800 Independence Avenue SW., Washington, DC 20591. [closest Metro station: L’Enfant Plaza - EH] Attendance is open to the public up to the room’s capacity; however, since access to the FAA headquarters building is controlled for security purposes, any member of the general public who plans to attend this meeting must notify the Department contact identifed below [a private contractor, actually - EH] at least five (5) calendar days prior to the meeting date…. To register to attend the meeting, please contact Jessica Payne, Principal Research Analyst, (703) 894-6560, or Amanda Stokes, Associate Research Analyst (703) 894-6529, Centra Technology, Inc., ACACP@centratechnology.com.”
   
   
2. “[T]he meeting will be open to the public, and written and, time permitting, oral comments by members of the public are invited. Members of the public may present written comments at any time. The docket number referenced above (OST-2012-0087, available at https://www.regulations.gov) has been established for committee documents including any written comments that may be filed.
   
   
3. “At the discretion of the Chairperson and time permitting, after completion of the planned agenda, individual members of the public may provide oral comments. Any oral comments presented must be limited to the objectives of the committee and will be limited to five (5) minutes per person. Individual members of the public who wish to present oral comments must notify the Department contact noted above via email that they wish to present oral comments at least five (5) calendar days prior to the meeting…. (i.e., by May 16).”

As a part of a major overhaul of the FAA last year, Congress ordered the Department of Transportation to create the Advisory Committee for Aviation Consumer Protection (ACACP) as a token concession to consumer advocates. To limit the likelihood that the advisory committee would recommend any changes that are opposed by the travel industry, Congress mandated that the committee consist of two representatives of the travel industry (one representing airlines and one representing airports), one representing state and local governments with expertise in consumer protection (who in general have no jurisdiction over airlines), and one representative of a nonprofit public interest group with an interest in consumer protection matters.

As I said at the time, “An enormous amount will depend on who is appointed to represent consumers on this committee.” I was very pleased that Charlie Leocha, Director of the Consumer Travel Alliance (with which I work as a volunteer policy analyst and advisor) was appointed as the lone consumer representative on the ACACP.

The Consumer Travel Alliance joined me and other privacy and consumer groups in comments submitted to the FTC Privacy Roundtables in 2009, outlining the jurisdictional and enforcement gaps between departments and agencies in relation to the privacy of personal information about travellers. Unfortunately, nothing seems to have come of those suggestions for interdepartmental coordination and action, presumably because of continued Department of Transportation (DOT) foot-dragging on consumer protection in general and privacy in particular.

Unlike the DOT, the FTC has taken substantial initiative during the Obama Administration to address consumer privacy issues. But like state consumer protection agencies, the FTC is limited by the law granting the DOT “exclusive” jurisdiction over most airline activities.

The DOT has publicly committed itself to the investigation and prosecution of airlines that violate privacy promises, including promises to abide by the US-EU “Safe Harbor” agreement for data collected in Europe. But in practice, even though no airline that flies between the US and the EU complies with the “Safe Harbor” framework — and even though a lack of access logs and geographic access controls in CRS functionality makes it impossible for any airline to comply, even if it wanted to — the DOT has never taken any publicly-disclosed action to investigate airlines for any breaches of “Safe Harbor” or any other privacy promises or policies.

The ACACP may or may not also be taking up some of the privacy issues related to airlines’ pending application for DOT approval of IATA Resolution 787 outlining plans for “personalized pricing” of airline tickets.

What should you say if you submit written comments or come to the ACACP meeting in Washington on May 21st to speak in person? I’ll be posting more details and my own comments once I know more details about the meeting. But what’s needed remains the same as what I told Business Week in this interview a decade ago (although I no longer have much of the optimism I had then about the prospects for positive Congressional action).

Tell the ACACP to recommend that Congress enact a Federal travel privacy law — or, preferably, a general privacy law for personal information held by private entities — applicable at minimum to airlines, travel agencies and agents, and their technology providers, vendors, and contractors including CRSs/GDSs.

Tell the ACACP to recommend that DOT categorically prohibit airlines and other travel companies from making any use for their own purposes of information (including identifying information) which travellers are required by the government to provide. Use of information provided by government mandate should be limited to use by the government for government purposes. the government shouldn’t force travellers to provide personal information to travel companies and then give those companies free use of that information.

And tell the ACACP to ask DOT to report publicly on what (if anything) it is doing, and what it will commit to doing in the future, to enforce existing laws against making false and deceptive claims in privacy “policies” that don’t correspond to privacy practices, including false claims of compliance with the US-EU “Safe Harbor” framework.

Privacy is, of course, only one of the important travel-related consumer issues for Congress and the DOT, if you want to remind the ACACP of some of the others while you are at it.

I look forward to seeing some of you in Washington, DC, on May 21st, following my trip to Portland, OR, for John Brennan’s hearing before the TSA for allegedly “interfering with screening” by taking off his clothes at a TSA checkpoint. (And if you don’t like the way you are treated at these checkpoints, tell the TSA what you think.)

[Follow-up: Consumer Privacy and Air Travel: Recommendations to the U.S. Dept. of Transportation]