BUSINESS TRAVEL IS DOMINATED BY US-BASED SERVICE PROVIDERS. Even if your travel management company does not conduct a large chunk of its operations from across the pond (as three of the big four do), chances are it is plumbed into one of the two major global distribution systems with a heavy US presence. Then there are the online booking, expense management, traveller tracking and card sectors, all of them stacked with American market leaders.
It is therefore almost impossible for any European company with a managed travel programme to avoid having at least one US-based travel service provider (hereinafter rejoicing under the acronym TSP). If you are one of these rare exceptions, congratulations, you are excused from reading the rest of this article. If not, read on, because over the past few months many US TSPs and their corporate clients have been landed potentially in breach of European data privacy law.
The crisis dates back to October 2015 when the European Court of Justice (ECJ) ruled invalid the Safe Harbor framework. Safe Harbor allowed companies to self-certify they stored European Union (EU) citizens’ personal data in the US to more stringent European levels of protection. No fewer than 4,500 businesses were signed up to Safe Harbor, so the decision instantly positioned some of them as violators of the EU data privacy directive every time they imported personal data to servers in the US, which is exactly how many leading TSPs operate.
Following the ECJ ruling, the Article 29 Working Party (WP29), which represents EU member states’ national data protection authorities, gave the European Commission (EC) and US authorities until January 31 this year to build a successor to Safe Harbor. They missed the deadline by two days, but on February 2 the two sides announced “political agreement” on a new framework with another Hollywood name: Privacy Shield.
What is Privacy Shield? No one knows yet. As the law firm Eversheds put it: “What we appear to have at present is an agreement to agree.” Details were expected as Buying Business Travel was going to press, after which WP29 will decide whether Privacy Shield offers the protection that Safe Harbor did not. Many lawyers and privacy advocates argue Privacy Shield will also fail because it is impossible to reconcile European principles of data privacy with the extensive powers of the US government to access information on individuals. “The comments from the EC [on the principles of Privacy Shield] are not enough to make data exchange safer than before,” says Hans-Ingo Biehl, executive director of German travel buyers’ association VDR.
As a result, says Biehl, it is no longer viable for travel managers to ignore whether their travellers’ personal data is being sent to the US and if such information is being handled compliantly. Action is required now. “Talk to your service providers and don’t accept any wording which effectively says ‘don’t worry – we have it under control’, which is what one of our members was told,” he says.
The Snowden revelations
Safe Harbor debuted in 2000. Since pretty much all that it required a US company to do was declare its adherence to EU data privacy standards, there was “a general lack of confidence that Safe Harbor was a particularly robust means for safeguarding data heading across the Atlantic,” one UK travel manager tells BBT.
By 2013, Safe Harbor looked less robust than a chocolate fireguard after revelations by former National Security Agency contractor Edward Snowden of US government electronic surveillance of phone records and internet activity. That prompted the EC to start negotiations with the US for a ‘Safe Harbor 2.0’.
The Schrems case
Negotiations took on added urgency when the ECJ torpedoed the original Safe Harbor last October. The ECJ was ruling on the case of Max Schrems, a young Austrian lawyer who objected to the Irish subsidiary of Facebook forwarding his personal data to the US. The ECJ ruled Safe Harbor invalid because it did not allow EU member state data protection commissioners to verify whether US companies really were protecting data in the way they had undertaken to do.
Safe Harbor failed mainly because of a complete lack of accountability or oversight. But the judgment went further. It effectively said data stored in the US is inherently incapable of EU-standard protection. One part of the judgment read: “National security, public interest and law enforcement requirements of the United States prevail over the Safe Harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements.”
Repercussions for corporate travel
“In the business travel sector, management information and the export of traveller data and PNR [passenger name record] information to the US is fairly frequent,” says Ian Skuse, a partner specialising in travel with law firm Blake Morgan. There is no evidence US agencies routinely access data servers belonging to TSPs (although they do, by law, gather PNRs for every flight to, from and through the US). But what matters is whether data transfers to US-based TSPs currently comply with European law.
YOUR OPTIONS FOR ACHIEVING COMPLIANCE:
Establish the facts
Start by following the data trail. Do your TSPs store personal data of any of your travellers in the US? Researching is easier said than done because your TSPs may forward data to other intermediaries or use independent third parties for storage.
Once you have completed this task, write to all those which do store data in the US or, indeed, any countries whose data protection falls below the requirements of the European Economic Area (EEA) – the EU plus Norway, Iceland and Liechtenstein. Tell them to provide evidence of how they make themselves compliant with EU law.
Safe Harbor
WP29 confirmed on February 3 that Safe Harbor is no longer an acceptable means of protection even though it has yet to pronounce on the adequacy of successor Privacy Shield. Some TSPs, including the data consolidator Prism (a Sabre subsidiary some airlines insist corporate clients release data to in order to secure their highest discounts), still proclaimed adherence to Safe Harbor in their online privacy policies at time of writing.
Standard contractual clauses/binding corporate rules
WP29 says that, for now, it considers these remain valid mechanisms to make data transfers compliant. Standard contractual clauses are a fixed text which the data exporter (client) and data importer (supplier/service provider) insert into their contract to guarantee transferred data will be treated to standards compliant with the EU Data Protection Directive. Failure to meet those standards is grounds for termination of the contract.
Binding corporate rules govern how multinational corporations transfer their data internally from their entities within the EEA to those outside it. Companies which go down this route have to produce evidence to one of the EU’s data protection authorities that they provide necessary oversights, staff training on data handling and numerous other protections.
VDR recommends to its members that for now they ensure all data transfers to the US are covered by either standard contractual clauses or binding corporate rules. TSPs are moving that way, too. For example, BCD Travel says it is currently expanding its implementation of both model clauses and binding corporate rules. However, the future of these mechanisms is uncertain. WP29 says it will begin a review of their validity once it has reported on its assessment of Privacy Shield, most likely in April.
Re-visit your contracts
“It’s always worth considering who owns/controls the data, and who is responsible if there is a data control breach,” says Skuse. “The travel sector is full of intermediaries who either sell data or purport to ‘own’ it, entitling them to impose conditions on contracting parties. Contract negotiators need to carefully wrap this up to avoid data breaches which they may be blamed for.”
ISO 27001
BCD says all its data centres hold the international information security certification ISO 27001. The travel manager spoken to by BBT says his organisation requires ISO 27001 of its TSPs, but this alone does not guarantee compliance with the EU Data Protection Directive.
Privacy Shield
If Privacy Shield can be made to stick, it will probably be the easiest route to data compliance, but it will still require more work than the self-certification of Safe Harbor. The EC claims: “US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which make them enforceable under US law.”
The EC says Privacy Shield will offer several forms of redress for EU citizens for the first time and that the US has “ruled out indiscriminate mass surveillance on the personal data transferred to the US”. Whether this will satisfy WP29 is unclear. Even if it does, Skuse warns there are likely to be additional legal challenges.
Store data only within the EU
“In commercial agreements in the travel sector various clauses are often used that prohibit the export of data outside the EU,” says Skuse. Some TSPs have said they are increasing their data storage capability within the EU. However, even where this happens, European clients sometimes find their data is exported to the US anyway.
Only use EU-based TSPs
Will EU law ever consider data transferred to the US adequately protected? “This could be the key issue in the end,” says Biehl. “Can we really walk down the same road? I doubt this at the moment. If TSPs can’t answer this question, I see a shift to Europe-based TSPs in future.”
Watch this space...
Above all, the question of data protection needs careful monitoring for further changes to a very fluid situation. If you don’t already work closely with your company’s in-house data privacy expert, now is the time to start.
Safe Harbor/Privacy Shield isn’t the only data worry out there.
MICROSOFT vs UNCLE SAM
Microsoft has been fighting a long lawsuit to prevent the US government accessing its data servers outside the US – in this particular case, in Dublin. The case is currently in the appeal courts, and Microsoft expects it to go to the Supreme Court.
HOTEL HACKERS
Criminals want your travellers’ data, too. Over the past 12 months, Starwood, Hilton, Hyatt, Trump and Mandarin have all had their point-of-sale systems attacked by malware, giving the perpetrators potential access to guests’ credit card details.
Safe enough
The only countries and territories outside the European Economic Area judged by the EU to offer adequate data protection are: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.