In testimony before a Canadian parliamentary hearing last week by Assistant Commissioner Chantal Bernier, the office of the Privacy Commissioner of Canada raised questions (previously asked in the Canadian press) about the implications for Canadian travelers of the US Secure Flight program — questions that travelers in the US and other countries should share.
Asst. Privacy Commissioner Bernier noted that despite Canadian objections, the US continues to insist on applying the Secure Flight requirements (transmission of passenger data to the DHS, and receipt by the airline of affirmative DHS permission before each prospective passenger is allowed to board a flight) to flights that pass through US airspace to and from Canada, even if they never land in the USA. This includes most flights between Canada and Central America, South America, and the Caribbean. As Bernier pointed out to Members of Parliament, “This means that DHS will collect personal information of Canadian travelers. This is not without risk.”
It’s worth noting, although it wasn’t reported to have been mentioned at the hearing, that Canada imposes no comparable requirement for the vastly larger number of flights to and form the USA that pass through Canadian airspace. These include virtually all transatlantic flights to and from the USA, and transpacific flights to and from all points in the USA east of the West Coast. Nor does any other country through which flights routinely pass en route to and from the USA. Most flights between Miami and Latin America, for example, pass over Cuba. But American Airlines is required neither to provide the Cuban government with detailed information about each passenger on those flights, nor to obtain Cuban government permission before allowing them to board.
Important as they are, however, the concerns raised in last week’s testimony suggest that even the Office of the Privacy Commissioner of Canada still doesn’t fully appreciate the scope of the problem or of the violations of Canadian law.
Asst. Comm. Bernier’s statement was limited to flights to, from, or overflying the USA. We suspect that her office is unaware that the DHS already has ways to get access — without the knowledge or consent of anyone in Canada, including airlines and travel agencies — to information about passengers and reservations for flights within Canada and between Canada and other countries, regardless of whether they pass though US airspace.
Just like airlines, travel agencies, and websites in Europe, those in Canada routinely outsource the hosting of their reservation (PNR) databases to third-party Computerized Reservation Systems (CRSs), most of which are in the USA. When you make an airline reservation with a Canadian travel agency, even for a domestic flight within Canada, the first thing that generally happens is that a PNR is created in the database of a CRS in the USA.
Once the data is in the USA, there’s no way for anyone in Canada to know what happens to it.
Travel agencies, websites, and airlines almost never disclose or obtain permission from Canadian customers for this offshore outsourcing, in violations of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). And the lack of access logs in PNRs, as well as the ability of the DHS to obtain data from CRSs in the USA while forbidding the CRss form disclosing to airlines, travel agencies, or data subjects thta thye have done so, make it impossible for the CRSs or the travel companies that subscribe to them to comply with PIPEDA requests from data subjects who want to know who has had access to their data.
The Office of the Privacy Commissioner of Canada in Ottawa is also ideally situated to participate in Canada’s delegations to ICAO, most of whose meetings are nearby in Montreal and which is working (at the behest of Canada’s representatives as well as those of the USA) toward global aviation security standards to preempt national privacy laws like PIPEDA, and mandate measures modeled on “Secure Flight” as a new global norm.
We encourage readers in Canada concerned about these issues (including the Office of the Privacy Commissioner) to review our testimony last month at the European Parliament, all of which applies as much to travelers and travel companies in Canada as to those in Europe. We encourage Canadian travelers to request a full accounting of what has happened to their airline reservations from Canadian travel agencies (we’ll be happy to help interpret the responses), and to complain to the Office of the Privacy Commissioner if they don’t get the answers to which they are entitled or if the responses show that their data was sent to the USA without their knowledge or consent or without complying with PIPEDA. And we encourage the Office of the Privacy Commissioner to insist not just on “consultation” but on the inclusion of members of her staff in Canada’s delegations to ICAO and its working group on Machine Readable Travel Documents and related databases and procedures.