ACLU letter to EU Commissioner Bolkestein - Northwest Airlines Privacy Violations



Barry Steinhardt, Director, Technology and Liberty Program of the American Civil Liberties Union has sent the following letter to EU Commissioner Bolkestein:

January 21, 2004

Re: Northwest Airlines Privacy Violations

Frits Bolkestein
European Commissioner for the Internal Market, Taxation and Customs Union
European Commission
B - 1049 Brussels (Belgium)

Dear Commissioner Bolketein:

We are writing to report what may have been a violation of Directive 95/46/EC of the European Parliament and the Council of 24 regarding the protection of individuals with regard to the processing of personal data.

Between the months of October and December of 2001, Northwest Airlines shared an undisclosed number of passenger records with the National Aeronautics and Space Administration (NASA) for the purpose of performing research connected to aviation security. (Sara Kehaulani Goo, NORTHWEST GAVE U.S. DATA ON PASSENGERS, Washington Post, Jan. 18, 2004, at A1.) Passenger records typically include passenger names, addresses, credit card numbers and telephone numbers. This disclosure is in direct violation of Northwest's privacy policy which explicitly states "when you reserve or purchase travel services through Northwest Airlines nwa.com Reservations, we provide only the relevant information required by the car rental agency, hotel, or other involved third party to ensure the successful fulfillment of your travel arrangements." (id.) NASA held this private passenger information until September 2003. (id.) In light of the fact that Northwestern has a partnership with the Royal Dutch Airlines (KLM) through which it provides "one-stop reservations and ticketing" (<http://www.nwa.com/corpinfo/allia>www.nwa.com/corpinfo/allia) it is almost certain that at least some of these improperly disclosed passenger records belonged to citizens of the European Union.

Northwest's acknowledgement of this set of facts appears on their web site at http://www.nwa.com/corpinfo/newsc/2004/pr011820041268.html.

The disclosure of this personal data is in clear violation of Articles 6 and 7 of Directive 95/46/EC. This data was processed in a manner that is inconsistent with the purpose for which it was collected (Article 6 (1)(b)) and no effort was made to assure the data's accuracy (Article 6 (1)(d)). Most importantly, no consent was either solicited or granted for the use of this private data (Article 7).

In light of what may have been serious and long term violations of Directive 95/46/EC we suggest that you may wish to conduct an investigation of Northwest's information collection and dissemination practices, full notification to all individuals effected by this disclosure and the imposition of all appropriate civil penalties.

We also believe that this latest revelation calls into question the ability of the US to honor any promises made regarding the transfer of air passenger data. Sadly, our privacy laws are rather primitive and the unrelated uses of private data are prohibited in Europe occur far too often.

Please don't hesitate to contact me if you require any additional information.

Sincerely,

Barry Steinhardt
Director
Technology and Liberty Program of the American Civil Liberties Union

Cc: Peter J. Hustinx


Statewatch News online | Join Statewatch news e-mail list | Download a free sample issue of Statewatch bulletin

Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author.
Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.