Today Google and Cape Air announced that Cape Air has migrated its reservations and Passenger Name Records (PNRs) to a new computerized reservation system (CRS) provided by Google’s ITA Software division.
ITA Software was working on a CRS even before it was acquired by Google last year, but had appeared to lack a launch customer to fund the project after its original partner, Air Canada, backed out. In his first public statement last November after the Google acquisition was completed, Google Vice President and former ITA Software CEO Jeremy Wertheimer anticipated today’s announcement and said that with Google’s new backing, his division was “burning the midnight oil” to complete the project.
Cape Air, Google’s CRS launch customer, is a very small US airline that mainly flies 9-seat piston-engined propeller planes to small resort islands. Most of what might look like “international” destinations on their route map are actually US colonies. But Cape Air does serve some British colonies in the Caribbean, including Anguilla and Tortola. All reservations for those flights, as well as any reservations for Cape Air’s domestic US and other flights made through travel agencies, tour operators, or “interline” airline partners in the European Union, are subject to EU data protection laws.
So as of today Google should have in place an airline reservation system, including PNR hosting functionality, which fully complies with EU laws including in particular UK data protection law and the EU Code of Conduct for Computerized Reservation Systems.
We’re doubtful that Google (or Cape Air) have complied with these requirements of EU law. Cape Air’s privacy policy says, “CapeAir does not fly routes within Europe, so this Privacy Policy is not adapted to European laws.” It appears to be true that Cape Air doesn’t fly within Europe, but it does operate flights to and from UK territories that are legally part of the EU. Cape Air also says, “By agreeing to Cape Air’s Privacy Policy, you consent to Cape Air applying its Privacy Policy in place of data protections under your country’s law.” It’s not clear whether such a waiver of rights is valid. The “Privacy Policy” link on ITAsoftware.com goes directly to Google’s new global privacy policy, which appears to say that Google may merge information from all Google services, presumably including Google’s new PNR-hosting service.
At the same time, in accordance with the Advance Passenger Information System (APIS) and PNR regulations of US Customs and Border Protection (CBP, a division of the DHS), that also means that Google has connected its system to CBP’s Automated Targeting System (ATS). Whether Google has given CBP logins to “pull” data whenever CBP likes (as the other CRSs have done), or whether Google “pushes” PNR data to CBP, remains unknown until some Cape Air passenger requests their PNR data under EU law.
In accordance with the US Secure Flight rules, the Google CRS for Cape Air must also have a bi-directional connection to the US Transportation Security Administration to send passenger data to the TSA and receive permission-to-board (“cleared”) fly/no-fly messages in response.
This is, so far as we can tell, an unprecedented level of direct connection between Google’s databases and any government agency. Has Google complied with EU law? Probably not, but we can’t tell. We invite Google to allow independent verification of how it handles PNR data, and whether its CRS system and its connections to the US government comply with EU rules.
[It’s also important to note that the privacy and data protection practices of CRSs, including Google’s “ITA Software” division, are outside the jurisdiction of the Federal Trade Commission and subject to policing only by the do-nothing Department of Transportation.]
There are also interesting questions about what profiling and data mining capabilities are built into Google’s CRS system. “Legacy” CRSs store PNRs in flat files in which PNRs for different trips by the same traveler can be difficult to link. But a report on the new Google CRS in the online trade journal Tnooz says it “enables … call center agents ‘to see customers’ history,’ including past trips and upcoming flights, ‘right in front of them’.” Greater designed-in profiling and data mining capabilities are selling points of Google’s CRS compared to its “legacy” competitors.
EU oversight and enforcement bodies should have demanded answers as well. Last May the European Parliament approved a resolution calling on the European Commission to carry out, “an analysis of … PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU.” In November, shortly after Google’s announcment that they were moving forward with their CRS project, a Member of the European Parliament submitted written follow-up questions to the Commission as to whether the EC has conducted such an analysis, as well as whether the EC has “considered the technical or policy implications of potential new CRS providers such as Google, which may use different technology platforms from those of legacy CRS vendors?”
As we’ve noted, the “response” to these questions by Commission Cecilia Malmström said nothing about Google or other new CRS providers, contradicted the statements that have been made by European airlines, and largely ignored the issues raised by the European Parliament.
Cape Air is a small first step into the CRS industry by Google, but it won’t be the last. Everyone concerned with how PNR data is stored and processed, including data protection authorities in countries that (unlike the US) have such entities, should carefully scrutinize and demand satisfactory, verifiable answers as to what this means about Google’s relationship to US government agencies and the need for oversight and enforcement of privacy data protection rules applicable to all CRS companies.