The complaint, filed by US civil liberties group Electronic Privacy Information Center (EPIC) alleged that Northwest's disclosure constituted an unfair and deceptive trade practice, and requested a formal investigation.
Background
The data transfer came to light in January when NASA sent EPIC documents, requested under the US Freedom of Information Act, that showed that Northwest Airlines had given the agency personal data about millions of its passengers.
The data, for July, August and September 2001, was sent to NASA shortly after the September 11th atrocities, when the agency requested data in order to test various schemes for identifying terrorists. It was retained by the agency for two years before being returned in September 2003, just after another airline – JetBlue Airways – was severely criticised for making similar disclosures to a defence agency.
The transfer, argued EPIC, was in clear breach of Northwest's own privacy policy, which states that passengers will control "the use of information [they] provide to Northwest Airlines." The airline further assures customers that it has "put in place safeguards to ... prevent unauthorised access or disclosure" of the information collected.
In January EPIC filed a complaint with the US Department of Transportation, which can investigate and rule on the business practices of companies in the industry. The Department of Transportation dismissed the complaint last week.
The pressure group also filed suit against NASA, seeking release of other material still held by the agency. That suit settled earlier this month when NASA handed over what EPIC describes as "a substantial number of documents detailing its data mining research".
Department of Transportation complaint
According to the Department of Transportation, the transfer of data did not result in an infringement of Northwest Airline's privacy policy because the policy did not actually cover the question of sharing information with the authorities.
"Specifically," said the ruling, "we find that Northwest's privacy policy did not unambiguously preclude it from sharing data with the federal government; that, even if it did, such a promise would be unenforceable as against public policy".
The ruling continued:
"In this case, the record contains no evidence of actual or likely harm to those passengers who provided Northwest with the data that it shared."
The dismissal of the complaint follows on from a class action brought against Northwest by some of its customers.
That suit was dismissed by District Court Judge Paul Magnuson in June, in part because it could not be shown that passengers had actually read the policy. But Magnuson also said:
"The disclosure here was not to the public at large, but rather was to a government agency in the wake of a terrorist attack that called into question the security of the nation's transportation system. Northwest's motives in disclosing the information cannot be questioned".
According to reports, one other class action lawsuit, brought in Tennessee, is still outstanding.
Speaking to the Washington Post, Marcia Hofmann, in-house lawyer with EPIC, confirmed that the group would be petitioning for a review of the ruling. "This [decision] calls into question the legitimacy of any privacy policy — certainly any airline privacy policy," she said.