European Commission rejects my complaint against CRSs

Just over four years after finally agreeing to consider my complaint that the lack of passwords and lack of logs of access to Passenger Name Records (PNRs) constitutes a violation of the privacy and data protection provisions (currently under review) of the European Union’s Code of Conduct for Computerized Reservations Systems (CRSs), the European Commission has decided to reject my complaint without any investigation of the facts.

In an initial response two years ago (and two years after finally docketing my complaint), the EC said it was contemplating dismissing my complaint on the basis (1) that the Code of Conduct for CRSs does not impose any privacy or data protection requirements, and (2) that if it does, any complaint of violations of those requirements would have to be made first, through a different procedure, to a different enforcement agency, under the provisions of the General Data Protection Regulations (GDPR).

These initial claims by the EC were completely specious, clearly contradicted by the plain language of the Code of Conduct for CRSs, and made in patently bad faith in an effort to evade having to deal with the substance of my complaint. After I responded to the notice of contemplated dismissal of my complaint, the EC abandoned these arguments entirely — they aren’t even mentioned in its final decision. But still struggling valiantly to avoid any investigation or decision on the merits of my complaint, the EC came up with an entirely new set of reasons to reject my complaint.

The new basis for the EC’s rejection of my complaint is, in essence, a finding that the the “privacy” and “data protection” provisions of the Code of Conduct for CRSs are not intended to protect travellers’ privacy, but are intended solely to protect airlines and travel agencies that outsource storage of personal data about travellers to CRSs against having this data improperly disclosed to their competitors: “that provision has to be seen as a whole… whose (single) aim is to reinforce ‘the Chinese wall between CRS and hosting activities’.”

Travel agencies’ and airlines’ exclusive “ownership” of personal data about travellers matters to the EC. Travellers’ privacy doesn’t.

The reason for this “wall between CRS and hosting activities” is, in part, to allow airlines and travel agencies to outsource storage of data about their customers to CRSs owned by (other) airlines, with the assurance that CRS-owning airlines won’t make use of it for their own competitive purposes. But that’s only one of the reasons for some of the privacy and data protection provisions of the Code of Conduct. There’s no basis at all for the claim that this is the sole purpose of all of those provisions, or that the authority of the EC to investigate complaints and impose sanctions for violations of those provisions is limited to cases in which the competitive interests of travel agencies or non-CRS-owning airlines have been adversely affected by violations of individuals’ rights. Indeed, paragraph 21 of the preamble to the Code of Conduct for CRSs explicitly states that it is intended to “particularise and complement” the “protection of individuals with regard to the processing of personal data”, a purpose having nothing to do with the competitive interests of CRS-subscriber airlines and travel agencies.

To be clear, the EC did not find that my complaint was not well-founded, or make any factual findings at all. The EC decided that, even if a CRS makes no attempt to protect the privacy and security of personal information about travellers, that doesn’t violate the privacy and data protection provisions of the Code of Conduct for CRSs. This decision would effectively void the Code of Conduct for CRSs as a guarantee or source of redress for violations of travellers’ privacy and data protection rights, frustrating the intent of the European Parliament in enacting the Code of Conduct, with its protections for travellers’ rights, as EU legislation.

The EC’s refusal to investigate my complaint leaves me the option of submitting a new complaint or complaints, years after the fact, under different procedures, to different national enforcement bodies (if I can identify which those are in the cloud of multi-national CRS operators), pursuant to the GDPR, or suing the EC in the General Court of the EU. According to the notice of the ECs decision to reject my complaint without investigation:

In view of the above, you may consider launching a complaint pursuant to Article 77 of the GDPR to a competent supervisory authority….

In accordance with Article 263 TFEU, an action against this Decision to reject your complaint may be brought before the General Court of the European Union.

I will be considering my options, and would welcome advice or offers of assistance from anyone more familiar with these procedures.