BEFORE THE DEPARTMENT OF TRANSPORTATION ADVISORY COMMITTEE ON AVIATION CONSUMER PROTECTION


STATEMENT OF MICHAEL VATIS, STEPTOE & JOHNSON LLP
ON BEHALF OF GLOBAL DISTRIBUTION SYSTEMS AMADEUS, SABRE, AND TRAVELPORT

May 21, 2013

Madam Chair and Members of the Committee,

My name is Michael Vatis. I am a partner at the law firm of Steptoe & Johnson, and I am here today to speak on behalf of the Global Distribution System members of the Travel Technology Association, specifically, Amadeus, Sabre, and Travelport. These three GDSs are the largest GDSs globally and in the United States. I am pleased to be here today to share with you information about how the GDS system works, and how GDSs protect the personal information of airline travelers. Although I am speaking on behalf of all three GDSs, my knowledge is greatest with respect to Amadeus, as it is a Steptoe client. So I may make more specific references to the way Amadeus operates to illustrate key points.

GDSs serve two sides of the air travel marketplace, travel agents and airlines. Airlines provide GDSs with constantly updated information about the flights they offer and the fares and seat availability on each flight. The GDS then provides the tool by which travel agents can access the vast amount of information provided by the airlines through appropriate searches and make bookings on behalf of consumers, and then store, change, and service those bookings. In this trilateral relationship, the travel agent typically has an agreement with the airline under which the airline enables the agent to sell the airline's services, and the travel agent and airline must each have agreements with the GDS regarding utilizing the GDS in creating and issuing travel itineraries. Virtually all network airlines (and a significant number of low-cost carriers) participate in each of the GDSs. Agents often utilize the services of one GDS, but can and do use more than one GDS.

Travel agents use a GDS to determine what flights are offered between the points the passenger seeks to travel, the availability of seats on any particular flights, the relevant fares and other pertinent information. The GDS also provides to the agents the facility to make the booking on the chosen flight and important back-office functions that allow the agency to maintain required records.

When a consumer seeks to buy a seat on an airline, the travel agent enters the relevant data about the passenger and her itinerary into the GDS, and thereby creates a Passenger Name Record (PNR). Any modification in the itinerary will also be entered by a travel agent into the GDS. The GDS then transmits that information to the airline, which accepts the reservation on behalf of the consumer/passenger. The GDS has no direct interaction with the consumer during this process. Generally, the consumer is unaware of the role of the GDS or the identity of the GDS used by the travel agency.

A PNR contains the details of a passenger's reservation and other information related to a passenger's trip. To create a PNR into a GDS, a travel agent must include at least the following data:

- Name
- Itinerary
- Contact information
- Ticketing information (i.e., when the ticket is going to be issued)
- Received From (i.e., the travel agent who has created or modified the ticket)

The PNR may also contain other data, such as frequent flier information.

Only the travel agent, airline or airlines if the travel involves more than one airline, and the GDS have access to the PNR, unless one of them permits access by a third party. The GDSs do not disclose personal information to third parties except where necessary to fulfill any bookings, purchases, or requests, or for credit checks or fraud prevention; when required by law; or when necessary to comply with a lawful request by government authorities or a court. When personal data is transferred to a third party, as is required in order to fulfill a booking, it is typically the policy of each GDS to require through provisions in contractual arrangements that the party to which the data is transferred agree to abide by applicable privacy and data security laws and policies. Amadeus, for example, has explicit provisions in its contracts with both travel agency subscribers and with airline and other travel providers that impose mutual obligations to adhere to applicable laws governing the privacy of data.

GDSs generally retain PNR data for 72 hours after the flight departure of the last segment on an itinerary. After that, the data is taken out of the system and stored offline for a period of several years, before it is permanently erased. The purpose of this archiving is generally to allow travel agents or airlines to resolve any billing disputes.

GDSs operate in dozens of jurisdictions globally, many of which have their own privacy laws and regulations. Each of the GDSs undertakes to comply with the privacy laws and regulations of the jurisdictions in which they operate, including those governing data privacy and security. In particular, Amadeus, which is based in Spain and maintains its data center in Germany, is subject mainly to the European Data Protection Directive. That Directive creates a comprehensive regime regarding the protection of personal information.

Each GDS has employees that manage programs designed to protect personal information from unauthorized use, disclosure, destruction, or alteration. These programs comprise technical, physical, and administrative measures. The technical measures include encryption technology to ensure the secure transmission of confidential information, including credit card details. They also include authentication technology, including password protections, to prevent unauthorized access to such data. In all cases, passenger data is made available only on a need-to-know basis; unless there is an agreement to the contrary, personal data compiled by one travel agency and entered into the GDS is not shared with any other travel agency or with any entity other than the travel providers or others who may need to have the data to provide service to the passenger.

With regard to privacy, it is important to note the different approaches taken by Europe and the United States. In the European Union, GDSs are regulated by Council Regulation (EC) No. 80/2009, which established a Code of Conduct. The Code of Conduct is generally designed to ensure fair competition in the provision and use of GDS services. It also, however, requires that the privacy of end consumers be respected. In particular, Article 11 of the Code provides, among other things, that:

- personal data collected for the purpose of making reservations or issuing tickets shall only be processed in a way compatible with these purposes;
- personal data shall only be processed insofar as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- sensitive data (concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or health or sex life) shall only be processed where the data subject has given his or her explicit consent on an informed basis;
- personal information concerning identifiable individual bookings shall be stored offline within seventy-two hours of the completion of the last element in the individual booking and destroyed within three years. Access to such data shall be allowed only for billing-dispute reasons; and
- marketing, booking and sales data shall include no identification, either directly or indirectly, of natural persons or the organizations or companies on whose behalf they are acting.

In addition, when personal data has been collected in the EU, the actors involved in the collection and processing of the data must comply with the European Data Protection Directive (95/46/EC), the principal data protection law in the EU. The Directive applies to the data collected in any of the 27 EU Member States plus Iceland, Liechtenstein, and Norway. The Directive and national implementing legislation in each country impose stringent data protection requirements on the processing of personal information from persons subject to the Directive. Among other things, the Directive requires that:

- personal data be processed fairly and lawfully, and collected for specified explicit and legitimate purposes. The data must also be accurate and, where necessary, kept up-to-date;
- personal data be processed only if the data subject has unambiguously given his or her consent or where processing is necessary:
    o for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
    o for compliance with a legal obligation to which the data controller is subject;
    o in order to protect the vital interests of the data subject;
    o for the performance of a task carried out in the public interest; or
    o for the purposes of legitimate interests pursued by the data controller or a third party to whom the data is disclosed;
- the data controller provide the data subject with certain information (the identity of the data controller, the purposes of the processing, recipients of the data, etc.);
- the data subject be allowed access to his data in order to rectify errors or have the data erased or blocked;
- the data subject have the right to object to further processing of such data;
- the data controller implement appropriate measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access; and
- the data controller notify the relevant national supervisory authority about the processing before carrying out processing operations.

Companies within Member States may not transfer personal information to a non-EU state unless that country has been deemed to provide an adequate level of protection; the data subject unambiguously consents to the transfer; the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request; the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party (which is generally the case for GDS bookings); the transfer is necessary or legally required on important public interest grounds or for the exercise or defense of legal claims; or the transfer is necessary to protect the vital interests of the data subject. Such a transfer is also permitted if the company utilizes approved binding corporate rules or standard contractual clauses to ensure the protection of data by the receiving entity.

The United States as a whole has not been deemed by the EU to provide adequate protection. However, under the EU-U.S. Safe Harbor Framework, EU data can be transferred to U.S. companies that certify that they will abide by the Safe Harbor principles. These principles generally require U.S. companies to provide data protection commensurate with the requirements of the EU Data Protection Directive. As a company with significant operating facilities in both the EU and the U.S., Travelport has held a Safe Harbor certification since 2010.

In the United States, by contrast, there is no general data protection directive. Rather, at the federal level, data protection rules are established on a sector-by-sector basis. Thus, the Gramm-Leach-Bliley Act establishes privacy and security requirements for financial institutions, and the Health Insurance Portability and Accountability Act (HIPAA) does so for certain healthcare companies. In addition, the Federal Trade Commission in recent years has begun to assert its general power to police unfair and deceptive practices in commerce to bring enforcement proceedings against companies that it believes have provided inadequate protection to personal information. The Department of Transportation also administers a similarly broad prohibition, found at 49 U.S.C. 41712, against unfair and deceptive practices in the sale of air transportation. Airlines and ticket agents, which include GDSs, are subject to this statute.

At the state level, 46 states plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands have passed laws requiring companies to notify affected individuals and, in some cases, regulators if certain personal information about a state resident has been breached. In addition, states such as Massachusetts have begun to establish laws and regulations requiring companies to institute data security programs and procedures to protect personal information of state residents.

The GDSs are highly respectful of the legitimate interests of passengers in maintaining the confidentiality of travel data and of the policies underlying the laws noted above. They also conduct regular data privacy training and certification for their employees. The industry is justifiably proud of its long and successful record of maintaining high data security standards and taking all reasonable steps to avoid improper disclosures. They will be pleased to provide any further information that the Committee may require in this area.

I hope this brief statement has been useful in describing the operation of GDSs and the ways they protect consumer data, and general privacy frameworks in the EU and U.S. I would be happy to take any questions you might have. Thank you.