Out-Law News 2 min. read
17 Jun 2004, 12:00 am
The data transfers
The lawsuits relate to revelations in January that Northwest Airlines had given NASA personal data about millions of its passengers. The data was retained by NASA for two years before being returned in September last year, just after another airline - JetBlue Airways - was severely criticised for making similar disclosures to a defence agency.
The data, for July, August and September 2001, was sent to NASA shortly after the September 11th atrocities, when the agency requested data in order to test various schemes for identifying terrorists.
The transfer, according to US civil liberties group Electronic Privacy Information Center (EPIC), was in clear breach of Northwest's own privacy policy, which states that passengers will control "the use of information [they] provide to Northwest Airlines."
The airline further assures customers that it has "put in place safeguards to ... prevent unauthorised access or disclosure" of the information it collects.
EPIC filed a complaint with the US Department of Transportation, alleging that Northwest's disclosure constitutes an unfair and deceptive trade practice, and requesting a formal investigation. It has also filed suit against NASA to seek release of other material still held by the agency.
But Northwest Airlines faced its own suits over the alleged privacy breach after irate passengers filed seven separate class actions against it. These were subsequently lumped together into one consolidated action.
Dismissal
Dismissing that action on 6th June, District Court Judge Paul Magnuson could find no legal basis for claims that the airline had violated such US statutes as the Electronic Communications Privacy Act and the Fair Credit Reporting Act.
Nor did he find that Northwest had actually breached its on-line privacy policy.
"Although Northwest had a privacy policy for information included on the web site, plaintiffs do not contend that they actually read the privacy policy prior to providing Northwest with their personal information," wrote Magnuson. "Thus, plaintiffs' expectation of privacy was low."
"The disclosure here was not to the public at large, but rather was to a government agency in the wake of a terrorist attack that called into question the security of the nation's transportation system. Northwest's motives in disclosing the information cannot be questioned," he continued.
Civil liberties reacted angrily.
"I don't think it's relevant whether or not they actually read the privacy policy first," Lee Tien, senior staff lawyer for the Electronic Frontier Foundation (EFF) told CNET News.com. "Think of all the 'fine print' we run into every day – warranties and the like. Rather than focus on what the plaintiffs actually read, we should focus on what Northwest said it would do."
According to the Associated Press, a statement on behalf of Northwest said that the airline "acted appropriately and consistent with the company's own privacy policy and all applicable federal laws, and the court agreed."
William Malcolm, a privacy law specialist with Masons, the international law firm behind OUT-LAW.COM, commented:
"Although the FTC has been cracking down on companies not living up to the promises in their privacy statements recently, this case underlines the fact that there is still no coherent framework for the protection of privacy in the US. In light of recent FTC action this case will send a mixed message to companies concerned to ensure that they are compliant in this area. If anything this case encourages companies to hide their policies, an approach that is not consistent with transparency and best practice."