Yesterday, the International Air Transport Association (IATA) responded in Aviation Daily to the concerns Business Travel Coalition (BTC) has raised about the non-compliance of IATA’s Passenger Intelligence Services (PaxIS) product with data privacy protections for corporations found in the new Code of Conduct for CRSs that take effect in just over two weeks. IATA dismissed BTC’s concerns out-of-hand and told the publication, “The concerns of the Business Travel Coalition appear to be misguided. IATA complies with all of its legal obligations in terms of privacy. This includes commercial products such as our Passenger Information Services (PaxIS). Privacy is a concept applied to individuals, not commercial entities.”
It is IATA that is misguided. To set the record straight, the new European Union’s Computerised Reservation System (CRS) Code of Conduct, which becomes officially effective on 29 March 2009, contains clear obligations to mask travel agency and corporate purchasers’ identification in all sales and booking data products any firm markets to airlines.
Under Section 4 of the new Code, entitled “Protection of Personal Data,” Article 11.5, corporations are covered by strict provisions governing the protection of personal data. Article11.5 says that marketing, booking, and sales data “…shall include no identification, either directly or indirectly, of natural persons or, where applicable, of the organisations or companies on whose behalf they are acting." So much for the IATA notion that commercial entities that purchase travel have no privacy rights.
Moreover, the last sentence of Article 7.3 of the new Code (included in Section 2) states, “This [the requirement of masking] applies equally to the supply of such data by system vendors to any other party for use by this party other than for billing settlement.” In short, since IATA derives PaxIS from the data that the GDSs submit to Billing and Settlement Plans (BSPs) for billing settlement purposes, IATA must mask the travel agency identification for any purpose “other than billing settlement.” PaxiS is manifestly not a use for “billing settlement” but as the product name says, a “Passenger Intelligence” tool.
BTC chairman Kevin Mitchell calls on IATA to answer some basic questions: “Will IATA mask all corporate identities in PaxIS effective March 29 when the new Code takes effect, yes or no? Will IATA mask all travel agency identities in PaxIS as of that date except for travel agencies who have expressly consented to have their identity disclosed, yes or no?” “Corporate victims of IATA’s unapologetic, Big Brother espionage will be outraged if their identities are not masked. IATA’s disclaimer to Aviation Daily puts travel agents and corporates on notice – IATA clearly plans to violate their hard-won privacy rights under the new Code,” said Mitchell.