Imagine the global alliance makers as players on a Monopoly board, all lined up at the start and keen to roll the dice. The world's major airlines are dotted around the board and each player aims to put together the best combination. But is that infamous Go to Jail card lurking in the pack?
Airline chief executives around the world may do well to pay more attention to the warning of that card before their global alliances fall foul of a new directive in the European Union (EU)on data privacy. One senior manager within another industry has already found himself with a German prison sentence because his company infringed the rules. Could airlines be the next high-profile target?
The discomforting answer to that question is that it might. Many airlines, especially those based outside Europe, might assume they are out of the reach of the new rules. They could be forgiven for believing that so long as they provide what the customer wants, then the interests of the consumer will come first.
But these are now potentially dangerous assumptions, particularly in the quest to provide seamless service across a global alliance. The European Data Protection Directive, which came in force at the end of October, effectively turns the definition of best consumer interests on its head and starts from the point of view that personal privacy is a fundamental human right and, therefore, a consumer interest in itself. Further, where data is transferred to non-EU countries, the directive includes provisions to prevent the rules being circumvented. The European Commission (EC)says the basic rule is that data will be transferable to a non-EU country only if it will be adequately protected there.
Some lawyers and consultants are convinced that many airlines around the world, especially in the USA, have not yet grasped the full extent of this directive and how it will affect their global alliance aspirations. The culture clash with the USA, where the emphasis is on freedom of information, is particularly acute on this issue, although inter-government talks are in progress to try to avoid what could turn into a trade war, and the EC says it will include a "practical system of exemptions and special conditions".
In the meantime, however, ignorance may be the biggest enemy. "Airline managers either don't know about the directive, or, if they are aware of it, they assume that the rules cannot possibly apply to them. They believe no one would dare target the airlines. But I think the opposite may be true. The airlines are, in fact, a very large and obvious target," says Martin White, principle with London-based travel consultancy TFPL.
There are already some ominous signs that White's observations may be on the mark. The Swedish authorities, for example, have brought an enforcement action against American Airlines and its computer reservation system company, Sabre. That action is now at an appeals stage and Sabre says the issue is over applying the ruling equally to all reservation systems so that American is not put at a competitive disadvantage. Sabre adds that it expects to be well within the directive's requirements; purging any new personal data within 72h and any archived information after two years. But White believes airlines should still interpret this action as a warning "shot across the bows".
The crux of the problem for airlines as individual organisations and as global alliance partners is that the directive requires companies to obtain the explicit consent of an individual to process and hold any personal data. Also, organisations must prove it is necessary to obtain and process such information in order for them to fulfil a contract with the customer. As White points out:" The issue is really one of uncertainty." Interpreting exactly what the EC means by "consent" and a "contract" will be all-important as an airline meanders its way through the directive.
For example, is the contract between an airline and a passenger merely a pledge to provide transportation between two points? Or does it also include the provision of additional services such as food, frequent flyer miles and special privileges for key customers? A strict interpretation of "contract" could mean that airlines would be prevented from storing information about a passenger's seat preference, special food requirements, or even date of birth because these facts are not necessary for the provision of transportation.
Certainly, the transfer of frequent flyer miles accumulated in Europe would not be transferable back to the USA if the strict view were taken. Even more difficult is the area of multiple companies sharing personal data on frequent flyers, as happens when an airline partners with hotels, rental car companies, credit cards and other organisations. The amount of work involved in obtaining each frequent flyer member's consent to store and share this data could prove overwhelmingly time consuming and expensive - and customers may have to be contacted for renewed consent to store their data every time a new partner joins an alliance.
Anne McDade Smith, project manager consumer marketing at Delta Air Lines, is among those who believe it is this time consuming nature of the directive that could prove to be its most worrying element. "There is a lot of concern about what will be regarded as the proper way to communicate to our customers the message that we need their explicit consent for certain information and that the information may be stored in our database. Will we need to contact everyone through a mass mailing?" she asks, adding that, with 25 million Delta frequent flyer members, the issue comes down to cost. She goes on to point out that something as simple as a special meal request would take much longer to process. "Seconds are money," she says.
Neither is it clear whether each European country will go about interpreting the directive. Delta alone does business in 15 EU member states and fears having to adopt different rules for each. "A blanket directive would, in some ways, make compliance easier. The real worry is that we don't know enough yet to be able to do the right thing. We think that maybe the best way to go forward is to adopt the rules of which ever country has the strictest policy," says McDade Smith.
Delta, of all the US carriers, seems to be the most proactive over the issue. It has established an executive-level corporate sponsor within the company who would be able to champion the call for additional financial resources should they be needed. Delta also hopes to have in place by the end of the year a company data policy document which is workable and which can be shown to the EC as proof that it is aware of data transfer issues and is taking them seriously.
But the directive touches so many issues that many airlines may not be sure where to begin to address compliance. Internet Web sites, for instance, are a major concern of the EC. Some lawyers looking at the directive believe that it would affect any organisation with a Web site which collects personal data from site visitors, even if that organisation does not actually conduct business with anyone in the EU. Travel with laptops and transfer of data on European employees who are posted to a non-EU country are other areas of concern.
As of 23 October, Greece, Italy, Portugal, Sweden and the UK have implemented the directive, although the latter three countries still need to adopt some additional rules, which are expected to be in place in early 1999. Implementing laws are being considered by the parliaments of other member states.
There is evidence that there are some high-level dialogues being held to avoid unnecessary conflict. The EC directorate for the internal market and financial services, which is overseeing the new directive, is aware of the problem and has held a meeting with some airlines - although only one US carrier apparently turned up. There are other discussions going on with the US Federal Trade Commission, as well as between the airlines, the International Air Transport Association and the EC's transport directorate.
John Richardson, deputy head of the EC's Washington DC delegation, is reported to have explained to the USA that Europe is not seeking "100%" compliance, but more a "good level of overall compliance". But doubts remain over what exactly amounts to a "good level".
In the meantime, lawyers who have analysed the directive are advising organisations, including airlines, to follow the Delta lead and develop their own compulsory codes of conduct. They should also develop privacy policies and contractual guarantees that protect the personal information they collect and they should make those policies conspicuous - remembering also to include them on their Web sites. The hope is that, if airlines are proactive and make it clear that they intend to handle personal data in a responsible way, then they will be allowed to continue their global alliance games without having to spend time waiting for a "Get Out of Jail Free" card. But the EC has cast the first die.
The EC directiveThe new European directive on the protection of personal data came into effect on 25 October.
It lays down common rules for those who collect, hold or transmit personal data as part of their business and is meant to ensure that such data is only transferred to countries outside the European Union when its continued protection is guaranteed. Data subjects now have the following rights: information about where the data originated; right of access to their personal data; right of rectification; right to opt out of allowing their data to be used in certain circumstances; sensitive data can only be processed with the explicit consent of the individual and if it is necessary to perform a contract.Source: Airline Business
