Date: Mon, 14 Apr 2008 01:26:57 -0700
From: Edward Hasbrouck
To: "Bruin, K.J. - AMSPI"
Cc: "Nas, mw. drs. S. (CBP)", gary.bunce@nwa.com
Subject: Re: Answer KLM on remaining question Mediation

Dear Mr. Bruin:

I have received your message of 31 March 2008, and the attached letter. I apologize that because I was in Asmara, Eritrea, with very poor connectivity, it took a few days before I got to a place with a sufficiently fast Internet connection to enable me to download the attachment.

Your discussion of the distinction between the "Validating Carrier" and the "Operating Carrier" is entirely irrelevant to KLM's obligations under the Dutch Data Protection Act and the European Union Code of Conduct for Computerized Reservation Systems, which were the basis for my enquiry. The relevant distinction is the distinction between the "principal" and the "agent".

Under the law in the USA (where my contract was executed), and I believe under the law of the Netherlands, when one party acts as an agent of another, it is that other party that is the "principal". And it is the principal who is responsible for fulfilling the obligations of the contract -- including compliance with all applicable laws, including data protection laws.

As I have pointed out to you earlier, Northwest Airlines' terms, conditions, and tariff filed with the governments of the USA and the Netherlands state that when NW issues a ticket for transportation on any other airline (such as KLM), NW "acts solely as agent for" that other airline. In accordance with the explicit terms of the tariff and contract of carriage, my contract for air transportation was solely with KLM as principal. Northwest Airlines and any other parties acted solely as your agents and sub-agents.

You have explicitly appointed NW as your exclusive agent for the issuance of tickets in the USA and for the appointment of sub-agents in the USA.
The KLM Web site, for example, automatically redirects all visitors from the USA to the NW Web site. You have authorized NW to act as your agent and to execute contracts for passenger air transportation on your behalf. You knew or reasonably should have known of the terms and conditions in NW's tariff, filed with governments around the world and printed and distributed to all their customers and passengers.

By accepting my ticket and millions of other tickets issued on those terms, you "ratified" NW's authority to issue those tickets as your agent, and you ratified the terms of the contracts executed by NW on your behalf. You are bound by those terms, including the provision that NW acts *solely* as your agent. You have continued to accept tickets issued by NW, and to ratify NW's authority to act as your agent, even after I brought those terms of NW's tariff to your attention.

By the terms of your contract with me (as executed by your agents), NW is forbidden to take any action except as your agent. If you have allowed NW to use, process, retain, or disclose any of my personal data on its own behalf -- as is suggested by your latest letter -- you have done so in violation of your contractual commitment to me that NW would act *solely* as your agent.

Your appointment of agents and sub-agents authorized to execute contracts on your behalf, and your outsourcing of data processing to contractors and sub-contractors, do not eliminate your obligation to ensure that you *and* all of the employees, agents, sub-agents, contractors, and sub-contractors who process data on your behalf do so in accordance with the Dutch Data Protection Act.

KLM's largest volume of personal data concerns, of course, your customers and passengers. KLM outsources most of the *collection* of this personal data to your agents and their sub-agents, particularly NW as your exclusive agent for the USA.
And KLM outsources most of the *storage* and *processing* of this data to CRS's, primarily Amadeus but also others, and to their sub-contractors. KLM neither collects, nor stores, nor processes most of this data itself.

The most important aspect of KLM's data handling practices is how data of KLM customers is handled by your agents and contractors -- especially NW, Amadeus, and other major CRS's. Your most important responsibility as KLM's Privacy Officer is the selection and oversight (including vetting of contracts for data protection commitments, ongoing monitoring of data handling procedures, and regular audits of actual data protection practices) of these agents and contractors -- especially NW, Amadeus, and other major CRS's. And the most important responsibility of KLM under the Dutch DPA, in responding to requests from data subjects, is to provide customers and passengers with a full accounting of how their data has been processed, and to whom and to what other countries it has been transferred, by those agents and contractors -- especially NW, Amadeus, and other major CRS's.

In your latest letter, you quote from KLM policies that authorize certain disclosures and uses of personal data. But nothing in those policies, or any other policies, removes KLM's obligation to provide an accounting, in response to a request such as mine from a data subject, of what persons or entities have received their data, for what purposes, and in what countries outside the EU.

You have not yet provided me with the required accounting of the handling of my data by your agents, sub-agents, contractors, and subcontractors. Your latest letter mentions Amadeus, which was not mentioned in your original list of third parties who received my data. You still have not provided any information as to what data Amadeus received, or to whom or to what countries outside the EU they transferred it.
You claim that Amadeus does not know to whom or to what countries my data might have been transferred by them, in response to queries requesting retrieval of my PNR (or portions of it) by Amadeus users. If true, this indicates that Amadeus has not complied with the requirements of the Dutch DPA regarding records of transfers of personal data to third parties and countries outside the EU. If Amadeus is unable to comply with the Dutch DPA, KLM is forbidden to transfer personal data to Amadeus, and must either find another contractor or take these functions in-house. The same holds true for NW and the rest of KLM's agents and contractors.

You have provided no information about any of the other CRS's (including Sabre and Worldspan) identifiable from the Amadeus PNR as having received my data from you or your agents and sub-agents. You have provided no information about other third parties that, in the ordinary course of business, would have received my reservation, ticketing, or other data from you or your agents and sub-agents, including but not limited to the Airlines Reporting Corporation.

It is now more than a year after my initial request. Your response has been months late, and remains incomplete and insufficient to comply with the Dutch DPA. Your partial disclosures indicate that you are systematically outsourcing the processing of personal data to contractors and agents -- including ones outside the EU -- who do not comply with the Dutch DPA. You have provided no indication that you have made any changes to bring your practices or those of your agents and contractors into compliance with the Dutch DPA.

I am copying this message to NW, and to the Dutch Data Protection Authority for their use in formulating their recommendations regarding this matter.
Sincerely,

Edward Hasbrouck
(Hong Kong SAR, China)

--
Edward Hasbrouck
+1-415-824-0214
"The Practical Nomad: How to Travel Around the World" (4th edition 2007)
"The Practical Nomad Guide to the Online Travel Marketplace"