This week Travelport — the holding company that owns two of the big four Computerized Reservation Systems (CRSs) or Global Distribution Systems (GDSs) — announced that it has “certified” that it complies with “Safe Harbor” privacy and data protection principles for companies that want to be eligible to receive transfers to the US of personal data collected in the EU or Switzerland.
As travel industry technology news site Tnooz reports, quoting Identity Project consultant Edward Hasbrouck:
Travelport’s headline on its press release about the issue, “Travelport is First GDS Provider to be Safe Harbor Certified,’ may be true, but can easily be misconstrued because Safe Harbor is a self-certification process.
Privacy expert Edward Hasbrouck, who has written extensively about the issue, notes that what Travelport’s Safe Harbor designation “means is that Travelport has made a formal claim … that Travelport complies with certain Safe Harbor principles. That claim has not been vetted, audited or verified by anyone.”…
“None of the GDS companies comply with EU data protection law, or have made any effort even to pay lip service to it until now,” Hasbrouck says. …
Hasbrouck, a consultant to the Identity Project, says a prime function of self-certification would be to provide safeguards for Travelport GDS suppliers and travel agencies.
“An agency or airline that subscribes to Travelport might be able to argue, in mitigation of damages or fines, that it relied in good faith on Travelport’s self-certification, and therefore believed that it was legal to subscribe to Travelport and legal to store its customer data on Travelport servers in the U.S.,” Hasbrouck says.
It’s illegal under EU law for a business that collects data in the EU (including a US business that collects data in the EU, although US businesses that operate in the EU generally ignore this) to transfer personal data about customers (or anyone else) to another country that hasn’t been certified by the EU to have “adequate” data protection. The US in general hasn’t been so certified, quite properly, since it has no data protection law at all for commercial travel data. But the EU has certified that if a US company actually complies with the Safe Harbor principles, that provides “adequate” protection for data transferred to them.
What’s required is actual compliance, not mere self-certification. While self-certification might reduce the amount of liability of Travelport customers, it provides no immunity from the law. Travelport itself and its agency subscribers and hosting customers in the EU remain at just as much risk of enforcement action as any other CRS/GDS under the EU data protection directive, EU members’ national laws, and the EU Code of Conduct for CRS’s.
Travelport doesn’t actually comply with Safe Harbor, and doesn’t yet have the technical ability (because it doesn’t keep access logs in PNR’s, so it can’t provide data subjects with the required accounting of disclosures) or legal ability (because it can’t prevent or control US government access to data, once it is transferred from the EU to servers in the USA, and can be ordered to keep that US government access secret from data subjects and Travelport’s own European staff) to comply with the Safe Harbor principles.
In 2006, for example, when the (illegal) Automated Targeting System in the USA was first revealed, we asked Travelport whether PNR data collected in the EU has been made available to the DHS through the ATS. Gordon Wilson, President and CEO of Travelport’s EMEA division including Galileo operations in Europe, told us that “there were some talks with the DHS” on access to PNRs, but that “nothing came of it…. It would have crossed my desk if it had included any PNRs from Galileo travel agencies in Europe. But so far as I know, no Galileo PNRs were provided to the U.S. government.”
This wasn’t true. When travelers requested their ATS records from the DHS, they found that they included Galileo PNRs. Once the data was stored in the USA — as is all Galileo data, including data collected in Europe — the DHS could obtain that data without the approval or even the knowledge of the company’s most senior management in Europe. If Wilson was telling us the truth, that’s exactly what did happen. The DHS could even have ordered Galileo to keep this secret from its European customers.
(Travelport’s Wilson also claimed that Galileo identifies the “country of origin” of the PNR, based on the “place of creation”, but a single PNR can contain data collected in multiple jurisdictions and added at different times after it is created. To comply with Safe Harbor, a company must treat all data as subject to EU data protection standards, or must keep track of the data protection jurisdiction applicable to each item of data. Neither Travelport’s Galileo or Worldspan, nor any any of the other major CRS’s, yet does this.)
So far as we know, there has not yet been any enforcement action in either the EU or the US against any travel company for making a false self-certification claim to Safe Harbor compliance, no matter how flagrant the actual non-compliance. EU privacy authorities have admitted to us, in private, that they lack the technical expertise to evaluate claims made by CRSs/GDSs or the issues raised in our submissions to EU regulatory authorities, and in the USA CRSs/GDSs fall through cracks in enforcement jurisdiction between the FTC and the DOT. Despite chronic Safe Harbor violations by companies of all types, there has been only one Safe Harbor enforcement action, and that was by the FTC against a non-travel company.)
All that could change, however, if CRSs and their commercial transfers of PNR data from the EU to the US attract the attention of EU authorities and the European public during the forthcoming debate in the European Parliament over PNR data transfers to government agencies in the US
Travelport is privately owned and operates the the US-based Galileo/Apollo and Worldspan CRSs/GDSs. Travelport backed off from a planned planned public offering on the London Stock Exchange — which would have subjected all of its operations worldwide to UK and EU data protection jurisdiction — just before its announcement of Safe Harbor self-certification. Its major competitors are Amadeus and Sabre, both also owned by private equity groups.
Because Amadeus is a European company, all of its operations and subsidiaries worldwide are subject to EU law. But Amadeus has given root access to all its PNRs to the US DHS, and its operations in the US include the PNR aggregator and data miner formerly known as Airline Automation, Inc. Even within the EU, Amadeus doesn’t begin to comply with EU law: In response to our access requests, European airlines hosted in Amadeus, including KLM and Air France, have told us that Amadeus doesn’t maintain the logs of PNR access that would be required to comply with the law (which requires disclosure, on request of a data subject, of an accounting of all disclosures of their data).
Sabre, the fourth major CRS/GDS, is based in the US, and told Tnooz that it doesn’t “have any plans to pursue this certification,” despite routinely transferring PNR and customer profile data collected by its thousands of European travel agency and airline subscribers for storage on its servers in Dallas/Ft. Worth and Tulsa.
The big change would be if and when one of the major GDS’s decides that it will actually make the investment in modifying its systems to comply with EU data protection law. That would be expensive, but create great competitive pressure on the others to do likewise. The question is whether any of GDS companies will decide to make this move preemptively, or whether it will have to wait until one of them gets his with a legal judgment or enforcement action.