by
Barbara Bressolles
This
paper compares the online privacy statements of four Canadian airlines
in light of the Article 29 Data Protection Working Party Opinion on the
level of protection ensured in Canada for the transmission of Passenger
Name Record (PNR) and Advance Passenger Information (API) from
airlines[36], and
the requirements of the PIPED Act.
Introduction
The Article 29 Data Protection Working Party
("Working Party") is an independent advisory body on data protection
and privacy.[37]
On January 19, 2005 the Working Party adopted Opinion 1/2005 on the
level of protection ensured in Canada for the transmission of PNR and
API from airlines ("Opinion"). The opinions of the Working Party are of
important significance given the European Commission's policy of
prohibiting the transfer of personal information to nations that fail
to ensure an adequate level of personal data protection.[38]
The opinions more generally provide valuable insights into European
data protection law and policy, which provided the international
context in which Canadian data protection legislation such as the PIPED
Act was born.[39]
This paper examines the online privacy statements of Air Canada,
WestJet, CanJet and Jetsgo in view of the conclusions reached in the
Opinion. It also considers the extent to which the statements
demonstrate the airlines' compliance with the PIPED Act.
The Working Party Opinion on Protection for the Transmission
of API/PNR from Airlines
The
adoption of the Opinion follows negotiations between the European
Commission and Canada, which sought to resolve problems highlighted by
the Working Party in the opinion it issued on 11 February 2004,[40]
in which the Working Party concluded that compliance with the Canadian
requirements by the airlines at that time raised concerns in respect of
the Data Protection Directive 95/46/EC. As a result of these
negotiations, the Working Party received a document dated January 18,
2005 containing Commitments by the Canada Border Services Agency
("CBSA") relating to the application of its PNR program.[41] The Opinion was
adopted in light of these Commitments.
In
the Opinion, the Working Party analyses the level of protection ensured
by Canada once airlines have transmitted API and PNR data relating to
their passengers and crew members to the CBSA. Under Canadian law, all
commercial carriers are required to provide the CBSA with API/PNR data
relating to all persons on board commercial conveyances bound for
Canada.[42]
API is basic information and includes the traveller's name, date of
birth, citizenship or nationality and passport or other travel document
data.[43]
PNR data is more detailed information, which includes the travel
itinerary, address and check-in information and is gathered by airlines
in their reservation, check-in and departure control systems.[44]
API/PNR data is used by the CBSA to identify persons who may be subject
to closer questioning or examination on arrival in Canada because of
their potential ties with terrorism. Based on its analysis, the Working
Party concluded that Canada ensures an adequate level of protection
with regard to the processing of API and PNR data transferred from
airlines to the CBSA in relation to flights concerning any person on
board a conveyance arriving in Canada.[45]
In reaching this conclusion, the Working Party identified several
components of the Commitments that reflect the European Commission's
policy that the legitimate requirements of air transport security and
internal security in Canada should not contradict fundamental rights of
privacy and data protection.[46]
Specific Commitments Endorsed by the
Working Party
·
The
Working Party welcomed section 7 of the Commitments, which states that
the Canadian Passenger Information System PAXIS has been configured to
receive API and PNR data ‘pushed' from a carrier rather than
transferred through a ‘pull' system. The Commitments also defined
narrowly the purposes for processing API/PNR data so as to maintain
balance in the approach to be taken in respect of fighting
terrorism.[47]
·
The
Working Party commended the Commitments insofar as they reduced the
number of data elements to be transferred to the Canadian authorities
from 38 (which the Working Party previously considered as going well
beyond what could be considered adequate, relevant and not excessive
for the purposes for which data is collected and/or further
processed),[48]
to 25, none of which contain sensitive personal data such as personal
information revealing racial or ethnic origin, and data concerning
health or sex life.[49]
·
The
Commitments provided for the required retention period for data to be
reduced from 6 years to 3.5 years, and for the information to be
increasingly de-personalized during the 3.5 year period.[50]
·
The
Commitments only allow for transfers of a minimum amount of data in
specific cases directly related to terrorism or terrorism-related
crimes, and in the case of transfers to other countries, the level of
data protection granted by the receiving country figures as one of the
criteria to be taken into account. [51]
In addition, only countries having received an adequacy finding under
the Directive, as well as EU Member States, are eligible to receive API
and PNR data retained in PAXIS (being data held on passengers who are
not the subject of an investigation in Canada).
·
Finally,
s. 21 of the Commitments provides that the CBSA will provide
information to passengers relating to the collection of data and that
the CBSA is committed to administratively extending certain rights
under the Privacy Act to citizens who are not present in Canada,
including rights of access, correction and notation with regard to
personal information.[52]
Such an extension of the Privacy Act would bring the Act in line with
the international scheme of privacy protection that reaches over
borders. Indeed, the PIPED Act was implemented in light of threatened
restrictions on cross border-border data flows caused by the European
Directive.
The above elements of the Canadian
API/PNR
program, as endorsed by the Working Party, may be taken to constitute
indicators of a balanced approach to information collection and sharing
for national security purposes. It is useful to consider these
components in assessing the privacy policies and practices of airlines
more generally. Whether or not airlines deal with personal information
in a manner consistent with the above Commitments commended in the
Working Party's opinion, will now be considered.
Airline Compliance with CBSA Commitments
To
establish whether privacy policy and practice in the airline industry
is consistent with the Working Party's Opinion the web site privacy
policies of four Canadian based airlines: WestJet, CanJet, Air Canada,
and Jetsgo were reviewed.[53]
The Issue of ‘Push' and ‘Pull'
A
‘pull' system for transferring data is a system whereby airline
passengers' data are directly accessed by the authorities concerned on
a continuous basis. A ‘push' system, as adopted in the CBSA's
Commitments and welcomed by the Working Party, is a system whereby only
information submitted by the collecting airline may be received by the
CBSA. Under a ‘push' system, access to personal data by Canadian
authorities is limited to only that which is necessary for the purpose
of fighting acts of terrorism. A ‘push' system reflects the Working
Party's policy that the purposes for processing API/PNR data must bear
a clear relationship with fighting acts of terrorism, and that data
transferred must be adequate, relevant and not excessive. This policy
finds expression in Canadian law through s. 5(3), and Principles 4 and
5 of Schedule 1, of the PIPED Act.
Section 5(3) of
the PIPED Act provides that airlines may only collect, use, or disclose
personal information for purposes that a reasonable person would
consider appropriate in the circumstances.
What
is appropriate depends on consumer expectations of privacy in the air
travel industry. Increased security measures in the airline industry
since September 11 have arguably reduced air travellers' expectations
of privacy. However, it is equally arguable that any collection, use,
and disclosure of personal information by an airline is appropriate if
it is necessary to facilitate the provision of air travel and other
services requested by the consumer, such as customer loyalty program
membership and marketing offers.
While
the collection of personal information, such as name, address and other
contact details, is necessary for the purpose of facilitating air
travel and related requested services, the collection of particulars of
an individual's computer through "cookies" is arguably not. "Personal
information", as defined in s. 2 of the PIPED Act, would appear to
include particulars of an individual's computer collected through the
use of "cookies". Cookies are small snippets of text code that are
placed on a user's computer by a website's server. They allow for a
greater personalization of a user's experience on the Internet. Air
Canada, CanJet, and WestJet acknowledge the use of cookies to observe
user preferences and track traffic patterns on their websites. Air
Canada also provides in its policy that it uses advanced "cookie"
technology in the form of "Conversion Beacons" (small, simple snippets
of HTML code) to track the activity of its subscribers and measure the
effectiveness of ads. Moreover, Air Canada's policy suggests that it
may be more difficult for consumers to book flights online if their
Internet security is set not to accept cookies. The extent to which the
collection of information about an individual's computer is necessary
for the purposes of facilitating air travel and other requested
services is questionable and arguably contrary to the reasonable
purpose requirement of s. 5(3) and the policy of the ‘push'
system
reflected in the CBSA's Commitments.
Under
Principle 4 of Schedule 1 of the PIPED Act, organizations may only
collect personal information for the purposes identified, and should
avoid any blanket collection of information. Both WestJet and Air
Canada state in their policies that they limit collection of personal
information to that which is necessary to fulfil the stated purposes
for which the information is required. Jetsgo also specifies in its
policy that it "does not gather any personal information for purposes
other than those expressly stipulated." In contrast, CanJet's policy
does not include any statement to the effect that collection is limited
to the purposes identified. It is therefore not certain from CanJet's
policy whether its information collection practices are limited to the
purposes stated.
Under
Principle 5, personal information must only be used, disclosed and
retained to the extent necessary to fulfil the identified purposes.
This principle mirrors the CBSA requirement to only allow for transfers
of a minimum amount of data in terrorism‑related cases. Air Canada
purports to comply with this policy by stating in its notice that "Air
Canada will not use or disclose your personal information for purposes
other than those for which it was collected without your explicit
consent or as required by law." WestJet similarly purports to comply by
stating in its notice that its general policy is to limit the
collection, use and disclosure of personal information to the purposes
identified. Both WestJet and Air Canada qualify their policies by
informing consumers that personal information may be required by
security laws to be disclosed to legal authorities without consent. The
statements of CanJet and Jetsgo however, do not provide that use and
disclosure are limited to particular purposes.
Data Retention Time
The
retention policy of the CBSA, as outlined in ss. 8 and 9 of the
Commitments, requires data to be retained for 3.5 years and
increasingly anonymized. This policy is reflected in Principle 5 of the
PIPED Act, which requires personal information to be retained only to
the extent necessary to fulfil the identified purposes, and to be
destroyed, erased, or made anonymous once the need for it expires.
Air
Canada and WestJet provide in their policies that personal information
collected by them is retained only for the period necessary to fulfil
the purposes for which it was collected. These statements differ
significantly from those of CanJet and Jetsgo, which do not provide
that retention of personal information is limited to particular
purposes and therefore do not clearly delineate the airlines' retention
practices. WestJet's policy was the only one to provide that when
personal information is no longer needed, it is securely destroyed or
made anonymous. The policies of Air Canada, Jetsgo, and CanJet failed
to mention procedures for the destruction of information that is no
longer required, leading one to question the existence of such
procedures.
Data Disclosure/Onward
Transfers
The
CBSA's onward transfer policy, which requires the level of data
protection granted by the receiving country to be one of the criteria
to be taken into account in deciding whether to disclose data to other
agencies, is also reflected in Principle 1 of the PIPED Act's Schedule
1. Principle 1 dictates that when an organization discloses personal
information to a third party, it must employ contractual or other means
to ensure that the privacy of the information is protected. Personal
information collected by airlines is regularly disclosed to third
parties, such as the CBSA and air travel service providers, all of whom
require passenger information to facilitate air travel services.
However, the existence of contractual arrangements to ensure the
continued protection of personal information transferred to such third
parties was only evident in Air Canada's policy. Air Canada's privacy
policy is Principle 1-compliant insofar as it specifies that it uses
"contractual and other means to ensure that your personal information
is afforded protection that meets the requirements of the PIPED Act
whenever a third party agent is used to complete some or all of the
stages of processing necessary to complete your travel transaction or
for research or survey purposes."[54]
In contrast, WestJet does not refer to the existence or otherwise of
contractual arrangements with third parties to ensure the continued
protection of personal information transferred to them. Neither
CanJet[55] nor
Jetsgo[56]
referred to third party recipients of personal information, let alone
the means by which transferred information is protected in accordance
with the PIPED Act.
A
Passenger's Right to Information
Section
21 of the Commitments, which states that the CBSA will provide
information to the travelling public regarding its information handling
policy and practice, finds is closely aligned with the "openness"
principle of the PIPED Act. Airlines are required under Principle 8 to
make information about their policies and procedures regarding personal
information readily available to individuals. There was significant
variation in the extent to which the airlines appeared to comply with
this requirement. While Air Canada and WestJet both provide reasonably
comprehensive and specific information about their privacy practices
and policies, CanJet and Jetsgo maintain policies that provide only
general information about their privacy practices. For example,
Jetsgo's policy states that personal information is collected for the
purpose of accurately processing flight bookings, but it does not
specify who the information may or may not be disclosed to, nor does it
specify how long the information may be held for. It thereby fails to
fully inform customers what they can expect to happen to their
information.
The extent to which the policies
described the uses
to which personal information may be put also varied. WestJet provided
a comprehensive description of the manner in which personal information
would be collected and used, and the purposes of such uses. Air
Canada's policy also describes how and why information is collected and
used for certain specified purposes, such as arranging travel for
unaccompanied minors or persons with special needs, earning points in
frequent flyer programs, and signing up for email offers. The policy
also clearly states that it may be required by security laws to give
border control authorities access to passenger data. Thus, airline
customers are clearly informed that their information may be disclosed
to customs and immigration authorities of any country in their
itineraries.
CanJet
and Jetsgo on the other hand specified in very basic terms the purposes
of information collection and the intended uses of such information.
CanJet's policy addresses disclosures required for national security
purposes by providing that information will not be disclosed without
the consent of the individual concerned, "unless required by law."
Jetsgo's policy fails altogether to mention that it may be legally
required to disclose personal information without the consent of the
individual concerned. Such policies do not fully inform consumers of
the possible uses to which their information may be
put.
Passenger's Right of
Access, Correction and Notation
Rights
of access, correction and notation with regard to personal information,
as provided in s. 29 of the Commitments, are similarly provided in
Principle 9 of the PIPED Act. Airlines are required by this principle
to inform an individual, on request, of the use, existence, or
disclosure of his or her personal information. An individual is
entitled to challenge the accuracy of information held by the airline,
and if the individual demonstrates the incorrectness or incompleteness
of his or her information, the airline must make the necessary
corrections.
The
four policies in question differed in the manner in, and extent to
which, they appeared to provide access to personal information in the
relevant airline's possession. WestJet provides contact information
through which an individual may obtain access to one's personal
information, an opportunity to update that information and an account
of the use that has been made of it. The policy provides that requests
for information may be required to be in writing and must be
accompanied by sufficient information to allow the company to locate
the relevant information. Air Canada similarly acknowledges that
individuals have a right to access their personal information held by
Air Canada and provides a link through which personal information may
be accessed on its web site home page. The Air Canada policy also
provides instructions on how to access personal information on travel
bookings through the Air Canada Call Centre.
In
contrast, CanJet provides no details in its policy about the procedure
for gaining access to and correction of personal information held by
it. A contact address is provided in the policy but no indication is
given as to the exact procedure (if any) for requesting and obtaining
access to personal information. Jetsgo appears to comply with this
requirement by expressly providing in its policy that customers have
the right to view any personal information it maintains as well as the
opportunity to change it or delete it "if appropriate." It then
provides contact information through which an individual can obtain a
copy of his or her personal information. The different degrees to which
these policies indicate the existence of procedures for gaining access
to personal information suggest differences in the actual existence of
such procedures.
Conclusion
Analysis
of airline privacy policy and practice, as evidenced from the online
privacy statements of four airlines, and as conducted in light of the
Article 29 Data Protection Working Party's Opinion, reveals an apparent
lack of uniformity in the approach taken by airlines to communicating
their information handling practices online. More specifically, the
online privacy statements of the two discount airlines (CanJet and
Jetsgo) fail to indicate the existence of procedures for handling
personal information, which is inconsistent with the balanced approach
to information collection and sharing required by the PIPED Act, and
reinforced in the Working Party's Opinion. Cultivating such a balanced
approach through the PIPED Act is difficult in view of the fact that
the Office of the Privacy Commissioner, which oversees the
implementation of the Act, has few traditional enforcement powers (such
as order-making powers and the ability to fine offenders).[57]
A
more accessible means of achieving this balance may be s. 18 of the
PIPED Act, which permits the Commissioner to audit businesses and
industries for systemic privacy violations. The Commissioner has yet to
conduct any such audit[58]
and given that the Commissioner has expressed little interest in
changing this position, consumer education through public education
initiatives is imperative to enforce airline compliance with the
policies reflected in the PIPED Act and the CBSA Commitments. If
consumers are informed by public education campaigns of their rights
under the PIPED Act, they will engage in communications with the
privacy officers of the companies they deal with. Such communication
will encourage airlines to self-audit, and to adopt a more balanced
approach to sharing API/PNR data, in a manner consistent with the
CBSA's Commitments and the Working Party's
Opinion.
Final Report 
