On June 24, 2008, the Article 29 Working Party revised and updated its 2007 guidelines on the information that airlines, travel agents, and other travel organizations should provide to passengers flying to or from the United States.
The revision was triggered by the Agreement of July 2007 between the EU and the U.S., which replaced the 2006 Interim Agreement and introduced a new legal framework for transferring Passenger Name Record (PNR) information to U.S. authorities. U.S. authorities have imposed an obligation on airlines to give the U.S. Department of Homeland Security (DHS) electronic access to personal data contained in PNRs with regard to flights to, from, or through the United States. Airlines that refuse to supply this information face heavy sanctions, including fines, possible loss of landing rights, and substantial delays at U.S. airports.
In the opinion of the Article 29 Working Party — which is composed of national data protection authorities — airlines, travel agents, and computer reservation systems are still not providing EU passengers on transatlantic flights with consistent and satisfactory information about the collection and transfer of their PNRs.
The Working Party’s 2007 guidelines included model passenger information notices (a “short” version and a “longer” version) that are in compliance with Data Protection Directive 95/46/EC and implementing EU Member State law. The Working Party has now added a third, “very short” version which should be read out to passengers that are booking their tickets via telephone. The very short notice can also be printed on airline tickets. In addition, airlines, travel agents, or other travel organizations should indicate where passengers can view the longer and more detailed information notice online or how they can obtain a paper version of the longer notice.
The short notice, which is intended to be used vis-à-vis passengers that are booking their tickets at a travel agency or through the Internet, has been completely revamped by the latest guidelines: the short notice now emphasizes, for example, that U.S. authorities will retain the information for 15 years or even longer (in a specific case or investigation, until the case or investigation is archived).
Amendments to the new longer version of the passenger information notice are less radical. Still in the form of Frequently Asked Questions (FAQs), the new longer version now mentions that “sensitive” PNR data (revealing, for instance, a passenger’s racial or ethnic origin, religion, or health status) may be used by U.S. authorities in exceptional cases, such as “where the life of an individual could be imperiled or is in serious danger.”
However, the description of the complaint procedure before DHS set out in the 2007 version has been removed from the new longer version of the passenger information notice. It appears that the 2008 longer notice encourages passengers to seek the assistance of their national data protection authority if they have PNR concerns, complaints, or correction requests. Whether the national data protection authorities will be eager to provide such assistance each time they are contacted by concerned passengers remains to be seen.
Airlines, (online) travel agents, and other travel organizations that collect personal information from U.S.-bound passengers in the EU should make sure to update their passenger information notices in accordance with the Working Party’s latest guidelines. Failure to inform passengers properly could be viewed by data protection authorities and courts throughout the EU as a violation of the “fair processing” principle, which could lead to the imposition of fines, private damages actions, and reputational harm.
TAKE A LOOK BACK
The U.S. and EU have been debating airline passenger data for years. See Privacy Update here.