Ever suspected an airline was using your data to upsell, overcharge, target you with ads, or was selling it to third parties? Worried about how secure their systems are when you input that passport number? The US Department of Transportation is looking into it with a review of the country's ten biggest airlines.

The probe will look at air carriers' policies and procedures to determine if they are safeguarding personal info properly, unfairly or deceptively monetizing it, or sharing it with third parties, the agency said yesterday. If they're indeed doing anything "problematic," they can look forward to scrutiny, fines, and new rules, says the DOT.

"Airline passengers should have confidence that their personal information is not being shared improperly with third parties or mishandled by employees," said US Transportation Secretary Pete Buttigieg.

"This review of airline practices is the beginning of a new initiative by DOT to ensure airlines are being good stewards of sensitive passenger data."

The ten airlines going under the magnifying glass are Delta, United, American, Southwest, Alaska, JetBlue, Spirit, Frontier, Hawaiian and Allegiant.

It won't have escaped anyone's notice, though, that airlines flying to and from the United States already are obliged to share airline passenger name records (PNR) with the US Department of Homeland Security (DHS) - including names, telephone and credit card numbers, and more, soon after they've booked a flight. The hope would be that the government's system security is beyond reproach.

The idea of PNR is to screen folks with terrorist or criminal intent before the flight departs. US Customs and Border Control says the PNR information it collects from airlines is audited, and protected with access controls, although it may be made available to other government agencies outside the DHS for law enforcement purposes pursuant to the "routine uses" under "applicable laws, regulations, DHS policies, and international agreements/arrangements."

It assures folks that data won't be shared outside of DHS "unless the recipient agency has a proper need to know the information and can ensure the information will be properly protected." So that's alright then.

Before Europe-based readers start smiling smugly, by 2016 the EU had also adopted legislation requiring the transfer of PNR data by air carriers to authorities in the destination country, covering flights in and out of the EU, as well as intra-EU ones, although the latter has been a matter of some dispute. Late in 2022, the EU conceived of a central hub where all data will flow, with the aim of making data transfer smoother and safer - and which will not store details.

Besides looking into how commercial airlines deal with data, the US transport department is also looking at some other consumer rights, including a proposal to ban family seating junk fees and guarantee that parents can sit with their children for no extra charge when they fly, ruining the fun of TikTokers everywhere. Before last year, no US airline committed to guaranteeing fee-free family seating. Now, four of them do.

Another proposal in the works is to ensure "fee transparency" so that consumers know the cost of flying with a checked or carry-on bag and for changing or canceling a flight before they buy a ticket. ®

https://www.theregister.com//2024/03/22/data_privacy_airlines/