Feb 11 2009

ID checks and government logs of hotel guests

Demands for ID credentials from hotel guests are once again in the public eye, with commenters in travel journalist Christopher Elliott’s blog weighing in with opinions on his recent article about an Orlando hotel, Hotel shows customer the door after he refuses to show ID — can it do that?

This sort of thing doesn’t happen only in the land of Disney World, though. Coincidentally, one of the final public acts of the outgoing Chief Privacy Officer of the DHS last month was to release a lengthy analysis of European laws and practices for requiring hotel guests to identify themselves, and for government access to those records: Interim Report on the EU Approach to the Commercial Collection of Personal Data for Security Purposes: The Special Case of Hotel Guest Registration Data.

The report reveals what appears to be its real purpose in an introductory statement that it was issued “to enforce the provisions of … the 2007 Passenger Name Records (PNR) Agreement”.  The report suggests that European government requirements for identification and surveillance of guests at hotels, and U.S. government requirements for identification and surveillance of passengers on airlines or ships, are merely the expression in different political cultures of a common agenda.  That begs the question, of course, of whether they should be reciprocally tolerated — or reciprocally condemned.  Are we to settle for the lowest common denominator of surveillance, or will we demand the highest standard of human rights wherever we go?  We can only read the statement that the report’s purpose was to “enforce” the US mandates as an indication that its author’s preferred solution was that of a “race to the bottom” for travelers’ freedom.

The DHS Privacy Officer says that, “Americans should submit complaints to the appropriate DPA, the Article 29 Working Party, or the European Data Protection Supervisor” about government demands for access to hotel records, and conveniently provides contact information for making those complaints.  But the report ignores the equal need for both Americans and Europeans to submit similar complaints about government demands for access to their airline reservations.   Similarly, the report notes the role of outsourced, offshore hotel reservation hosting companies, but fails to note the similar offshore outsourcing of European airline reservations to Computerized Reservation Systems (CRSs) based in the USA and vulnerable to secret demands for their records (incluidng European records) by the U.S. govenrment through National Security Letters, entirely outside the framework of the DHS-EU PNR agreement.

The DHS Privacy Office report gives details of the laws in many European countries that require hotels to require guests to identify themsleves, to record the details of their ID documents, and to turn those records over to government agencies or maintain them for government inspection on demand.  But what’s the law in the USA?  Just as airlines, railroads, etc. are defined by U.S. law as “common carriers” required to accept all passengers willing to pay the fare in their published tariff, state “innkeeper’s laws” (with their roots in centuries-old English laws for the protection of travelers) classify hotels as “places of public accommodation” (the source of the British term “pub”) and require them to accept all guests complying with their posted rates and rules.  In many states, both rules and the maximum allowable rate must be posted in every hotel room.

In the absence of a specific, valid, Constitutional state or local law requiring guests to show ID, or a valid rule properly disclosed to guests (it’s unclear if any such rule would withstand Constitutional or statutory scrutiny), a hotel in the U.S. that turned away a prospective guest solely for refusal to show ID would almost certainly be in violation of their state’s inkeeper’s law.  The only likely loophole is that a hotel can set almost any conditions it wants for a “discounted” price, so a hotel might be able to get away with charging the posted “rack” rate to a walk-in guest who refused to show ID, or requiring ID as a condition of a discounted rate booked in advance if that condition were disclosed before booking.

In addition to its survey of European hotel guest ID and record-keeping laws, the DHS Privacy Office report contains an extensive, irrelevant, and misleading appendix that purports to describe U.S. requirements for identification and reporting of passengers on international common carriers.  Of the many errors in this section, two are most significant:

First, the report errs in characterizing current U.S. government passenger manifest rules for airlines and vessels as “reporting” requirements comparable to those of earlier times in U.S. history.  In fact, the so-called “Advance Passenger Information System” (APIS) rules are fundamentally different from earlier rules requiring vessels to provide passenger manifests on arrival at U.S. ports.  The APIS rules have had an explicit permisison requirement added to their information-reporting component, and they purport to impose requirements at the time and place of departure, rather than on arrival at a U.S. port of entry.

Second, the report claims, with respect to the “life cyle” of PNR data, “At 15 years from receipt date/time given in the record, PNR will be deleted, with the exception of the PNR related to a specific enforcement action, which will be available for the life of the enforcement record.” In fact, no U.S. law imposes any such requirement on the airlines, CRSs, or data aggregators who store PNR data.  Nor does this describe their actual practices.  Travel companies keep PNR data forevever, as a valuable business asset.  They are free under U.S. law to retain it, use it sell it, or tranfer it to anyone else or any other country in the world, in perpetuity, without notice or consent of the data subjects — even when information about them was obtained under government coercion.

7 thoughts on “ID checks and government logs of hotel guests

  1. Pingback: travell logs » ID checks and government logs of hotel guests

  2. Pingback: Travel companies | Vacation Homes

  3. Are there any restrictions at all on travel companies and CRS’s with respect to selling or transferring travel information, especially personally identifiable information?

  4. Marc S asks, “Are there any restrictions at all on travel companies and CRS’s with respect to selling or transferring travel information, especially personally identifiable information?”

    The answer, in the USA, is no. There are no legal restrictions at all. In the US, travel information and other personal information provided in the course of commercial transactions is considered the property of the company, not the propoerty of the “data subject”. Unless there is an explicit provision to the contrary in your contract, US law assumes that when you provide information, you intend to give the compayy all rights to use, sell, retain or transfer it, in perpetuity, without further notice, consent, or compensation to you. If this isn’t what you mean to do, make sure that the contract spells out something different (keeping in mind that most privacy policies are not part of the contract).

    In practice, CRS’s and travel compnaies can’t tell where the data in their reservation recrods was collected, or which countries privacy and data protection laws apply to it. There is no field in a PNR to indicate in which jurisdiction the data was collected. So CRSs should be required to apply the highest standards to their entire database. But they don’t. Typically, they assume that all the data in their reservations for flights, hotels, etc. in the the US were made in the US, and subject only to US law — even though people in the EU, Canada, and other countries around the world make reservations, through offices and travel agencies in their countries, for US travel. The problems is that authorities in Canada, EU members, and other countries have failed to enforce their laws against outsourcing and offshoring personal data to companies in the US that don’t protect it in accordance with the legal obligations of compnaies in those countries where it was collected.

  5. Hey, interesting blog post. Just found your blog and I will bookmark it – keep up the good work.

  6. Is there any law in Manhattan about the ID requirements to check-in in a Hotel? I was denied to check in because I only had my credit card and my international driver’s license, but not my passport. They said that’s the law in NY.

Leave a Reply

Your email address will not be published. Required fields are marked *