Following a request under the US Freedom of Information Act, EPIC obtained documents from NASA that showed that Northwest Airlines had given the agency personal data about millions of its passengers. The data was retained by NASA for two years before being returned in September last year – just after JetBlue Airways was severely criticised for making similar disclosures to a defence agency.
The data, for July, August and September 2001, was sent to NASA shortly after the September 11th atrocities, when the agency requested data in order to test various schemes for identifying terrorists.
The transfer, says the US civil liberties group, was in clear breach of Northwest's own privacy policy, which states that passengers will control "the use of information [they] provide to Northwest Airlines." The airline further assures customers that it has "put in place safeguards to ... prevent unauthorized access or disclosure" of the information it collects.
NASA retained the details for two years but then returned the CDs on which the records were kept. A NASA researcher noted in an e-mail message to the airline that, "you may have heard about the problems that JetBlue is now having after providing passenger data for a project similar to ours."
JetBlue Airways was sued by customers in September last year after admitting that it had released customer data to Torch Concepts, a contractor for the US Department of Defence, for a security risk assessment project.
EPIC has now filed a complaint with the US Department of Transportation, alleging that Northwest's disclosure constitutes an unfair and deceptive trade practice, and requesting a formal investigation.
EPIC has also confirmed that it will file suit against NASA to seek release of other material still held by the agency.
"The airline industry has been at the centre of several recent privacy controversies," said EPIC General Counsel David Sobel. "The improper disclosures of personal data all involve government efforts to 'screen' passengers for security risks. The security benefits of these efforts are questionable, and there is a great deal of scepticism within Congress and the general public."
Northwest's disclosure is likely to fuel concerns about passenger data privacy that have long been expressed by the European Union.
The European Commission gave approval in December to controversial privacy protections that aim to safeguard the personal details of US-bound air passengers. Under the terms of the deal, airlines operating passenger flights to, from or through the US will provide the US Customs Border Protection Bureau, upon request, with electronic access to passenger data contained in their reservation and departure control systems.
However, it was established last week by rights group European Digital Rights that the deal agreed by the Commission did not rule out the use of EU passenger data in the testing process for the US Computer Assisted Passenger Pre-Screening System (CAPPS II) – the proposed domestic airline passenger screening system.
According to EPIC Staff Counsel Marcia Hofmann: "The Department of Transportation has previously assured the EU that airline privacy practices would be closely monitored. DOT's response to the complaint we will submit this week will be the first test of those assurances."