Senator Probes Airline Privacy Policies

Rockefeller Scrutinizes How Carriers Safeguard Passenger Data
Sen. Jay Rockefeller, D-W.Va.

With the clock ticking on the current legislative session, and with his retirement just over four months off, Sen. Jay Rockefeller is mulling whether Congress needs to enact legislation to regulate how airlines use and protect passengers' private information.

Rockefeller, the West Virginia Democrat who chairs the Senate Commerce, Science and Transportation Committee, has sent a letter to 10 U.S. airlines, asking them about how they handle passengers' private information.

"No comprehensive federal privacy law currently applies to the collection, use and disclosure of consumer travel information," Rockefeller writes in the letter. "Consumer advocates have expressed concern that airline privacy policies can contain substantial caveats and that it is difficult for consumers to learn what information airlines and others in the travel sector are collecting, keeping and sharing about them."

Rockefeller wants to learn what information the airlines collect about passengers, either directly or through other parties, such as travel agents, and how long they retain specific types of data. He also seeks to determine how the airlines get the information and wants them to describe privacy and cybersecurity protections they provide for personal information they maintain.

The senator seeks to ascertain whether airlines give passengers the right to access the information they maintain about them and whether they can correct incorrect information. The airlines were asked to reveal whether they sell or share passenger information and, if they do, to describe what information is shared, with whom and for what purposes. He asked for a copy of each company's privacy policy and a description of how it's made available to passengers.

A Rockefeller Legacy

Though it's unlikely that Rockefeller could get the Senate to adopt legislation to regulate airline privacy if he chooses to do so - there are relatively few days left for Congress to legislate and most lawmakers express hostility to enacting new regulations on business - the information the senator culls from the airlines could be used by other legislators if they pursue this matter in the next Congress.

"Rockefeller is leaving but there will always be another member of Congress to pick up where he left off," says Jacob Olcott, a principal at Good Harbor Consulting and the former top cybersecurity staffer on Rockefeller's committee staff. "It can take years for policy to develop. Sometimes you need to act to establish a record, which can be revisited over the years."

Olcott says privacy is an issue the senator cares about; otherwise Rockefeller wouldn't be spending his remaining time working on it. He says that the senator's aim might not be to enact new regulation but to encourage policy changes that favor passengers' rights. "Regulation may not be necessary; all that may be needed here is government encouragement for airlines to review these policies and update as necessary," Olcott says.

DoT Enforcement Authority

A Department of Transportation spokesperson says the department has no rule relating to the privacy of the personal information of passengers. However, the spokesperson says DoT's Office of Aviation Enforcement and Proceedings considers it to be an unfair and deceptive practice if an airline or ticket agency violates the terms of the carrier's own privacy policy, discloses private information in a way that violates public policy or violates the Children's Online Privacy Act. "Our office has the authority to investigate and take enforcement action against airlines or ticket agents for privacy related violations," the spokesperson says.

According to DoT, the department conducted an investigation of a third-party complaint filed by the Electronic Privacy Information Center, and joined by the Minnesota Civil Liberties Union, that alleged Northwest Airlines violated its own privacy policy and committed an unfair and deceptive practice in violation of the law that governs airline commerce when it shared passenger names with NASA's Ames Research Center in the months immediately following the Sept. 11 terrorist attack.

DoT concluded that Northwest did not violate the express terms of its privacy policy. "We explained that the privacy policy must be read carefully and with understanding that airlines are at times legally required to share personal information with government [and] found that under the circumstances, disclosure was not immoral and was not likely to result in substantial injury to consumers," a DoT official says.

Airlines' Use of Personal Info

Perry Flint, assistant director for corporate communications at the International Air Transport Association, a trade group, says that carriers have the same requirements and obligations regarding privacy as other industries. Simply, an airline must provide passengers with its privacy policy, including posting it online, and adhere to it.

An examination of the privacy policies of several major carriers shows that they collect personal information, including passengers' names, credit card numbers, dates of birth, addresses, passport numbers, travel destinations and travel companions, among other information. The PII is used to personalize travel services. Airlines also share the information with marketers who tailor advertisements and services aimed at passengers. Several airlines specifically state they do not sell PII to third parties.

But the privacy policies do not address how long personal information is retained. The privacy policy statements say the airlines take steps to secure the data but note that they can't guarantee the safety of the information used by other companies.


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



