Demands for ID credentials from hotel guests are once again in the public eye, with commenters in travel journalist Christopher Elliott’s blog weighing in with opinions on his recent article about an Orlando hotel, Hotel shows customer the door after he refuses to show ID — can it do that?
This sort of thing doesn’t happen only in the land of Disney World, though. Coincidentally, one of the final public acts of the outgoing Chief Privacy Officer of the DHS last month was to release a lengthy analysis of European laws and practices for requiring hotel guests to identify themselves, and for government access to those records: Interim Report on the EU Approach to the Commercial Collection of Personal Data for Security Purposes: The Special Case of Hotel Guest Registration Data.
The report reveals what appears to be its real purpose in an introductory statement that it was issued “to enforce the provisions of … the 2007 Passenger Name Records (PNR) Agreement”. The report suggests that European government requirements for identification and surveillance of guests at hotels, and U.S. government requirements for identification and surveillance of passengers on airlines or ships, are merely the expression in different political cultures of a common agenda. That begs the question, of course, of whether they should be reciprocally tolerated — or reciprocally condemned. Are we to settle for the lowest common denominator of surveillance, or will we demand the highest standard of human rights wherever we go? We can only read the statement that the report’s purpose was to “enforce” the US mandates as an indication that its author’s preferred solution was that of a “race to the bottom” for travelers’ freedom.
The DHS Privacy Officer says that, “Americans should submit complaints to the appropriate DPA, the Article 29 Working Party, or the European Data Protection Supervisor” about government demands for access to hotel records, and conveniently provides contact information for making those complaints. But the report ignores the equal need for both Americans and Europeans to submit similar complaints about government demands for access to their airline reservations. Similarly, the report notes the role of outsourced, offshore hotel reservation hosting companies, but fails to note the similar offshore outsourcing of European airline reservations to Computerized Reservation Systems (CRSs) based in the USA and vulnerable to secret demands for their records (incluidng European records) by the U.S. govenrment through National Security Letters, entirely outside the framework of the DHS-EU PNR agreement.
The DHS Privacy Office report gives details of the laws in many European countries that require hotels to require guests to identify themsleves, to record the details of their ID documents, and to turn those records over to government agencies or maintain them for government inspection on demand. But what’s the law in the USA? Just as airlines, railroads, etc. are defined by U.S. law as “common carriers” required to accept all passengers willing to pay the fare in their published tariff, state “innkeeper’s laws” (with their roots in centuries-old English laws for the protection of travelers) classify hotels as “places of public accommodation” (the source of the British term “pub”) and require them to accept all guests complying with their posted rates and rules. In many states, both rules and the maximum allowable rate must be posted in every hotel room.
In the absence of a specific, valid, Constitutional state or local law requiring guests to show ID, or a valid rule properly disclosed to guests (it’s unclear if any such rule would withstand Constitutional or statutory scrutiny), a hotel in the U.S. that turned away a prospective guest solely for refusal to show ID would almost certainly be in violation of their state’s inkeeper’s law. The only likely loophole is that a hotel can set almost any conditions it wants for a “discounted” price, so a hotel might be able to get away with charging the posted “rack” rate to a walk-in guest who refused to show ID, or requiring ID as a condition of a discounted rate booked in advance if that condition were disclosed before booking.
In addition to its survey of European hotel guest ID and record-keeping laws, the DHS Privacy Office report contains an extensive, irrelevant, and misleading appendix that purports to describe U.S. requirements for identification and reporting of passengers on international common carriers. Of the many errors in this section, two are most significant:
First, the report errs in characterizing current U.S. government passenger manifest rules for airlines and vessels as “reporting” requirements comparable to those of earlier times in U.S. history. In fact, the so-called “Advance Passenger Information System” (APIS) rules are fundamentally different from earlier rules requiring vessels to provide passenger manifests on arrival at U.S. ports. The APIS rules have had an explicit permisison requirement added to their information-reporting component, and they purport to impose requirements at the time and place of departure, rather than on arrival at a U.S. port of entry.
Second, the report claims, with respect to the “life cyle” of PNR data, “At 15 years from receipt date/time given in the record, PNR will be deleted, with the exception of the PNR related to a specific enforcement action, which will be available for the life of the enforcement record.” In fact, no U.S. law imposes any such requirement on the airlines, CRSs, or data aggregators who store PNR data. Nor does this describe their actual practices. Travel companies keep PNR data forevever, as a valuable business asset. They are free under U.S. law to retain it, use it sell it, or tranfer it to anyone else or any other country in the world, in perpetuity, without notice or consent of the data subjects — even when information about them was obtained under government coercion.