OA hands over passenger files to US
If you are planning to travel to the US, take note. Booking a plane ticket involves nearly as much red tape as applying for a visa. Before you travel, a file (the airline’s Passenger Name Record) bearing 39 fields of personal data will have already crossed the Atlantic. Olympic Airways began this procedure a few months ago, contrary to the law on the Protection of Personal Data, in a climate of absolute secrecy and lack of transparency. The blame lies with both Olympic and the government. The request for the data by the US authorities, citing security reasons, was complied with initially both by the European Union of Airlines and the European Commission, which urged airlines to go along with the US authorities. The US authorities have acquired access to 39 fields of personal data which include, apart from name, sex, date of birth, nationality and passport number, address and telephone number, details such as point of ticket issue, the itinerary followed before the final flight into the US, means of payment for ticket, credit card number if one was used, meal preference during the flight (revealing one’s religion – Muslims won’t eat pork, Hindus beef – as well as one’s health, for example if the person orders a meal for diabetics), other requests such as for a wheelchair that might indicate a person’s health status, hotel name and room number in the US, any car rented and so on. It is clear that the list includes not only sensitive personal data such as religion, health status and personal movements, but that these data, such as credit card numbers, could be accessed by experienced «data miners.» There are several scandalous aspects to this arrangement, particularly for Olympic Airways and the Greek government. First of all, the airline began forwarding the information to the US without prior approval from the Authority for the Protection of Personal Data. OA’s press officer said they began providing the information on passengers «when the other European airlines did so,» which was March 5 for the major airlines in Europe (Lufthansa, British Airways, Iberia). Representatives of the Authority for the Protection of Personal Data told Kathimerini that OA has recently submitted a file, which it is examining, although no conclusions have yet been reached. The same sources said that according to the law, the collection and processing of sensitive personal data can only take place with the permission of the authority. The second point is that OA does not inform its customers that their data is being sent to the US, in contrast to other airlines such as Lufthansa and British Airways. Lufthansa warns its customers to consider that their requests for special services during the flight and their method of payment will be recorded in the Passenger Name Record (PNR). European acquiescence to the US government’s request is no justification for OA’s action. First of all, Greek law on the protection of personal data cannot be sidestepped. OA and the Greek government could have taken a stand such as that adopted by Alitalia, when the corresponding Italian authority ruled that providing any information aside from that included in a person’s passport was a violation of Italian law. Austrian Airlines also asked for further negotiations with Washington after its own authority rejected the move. Responsibility lies not only with OA, the Transport Ministry and the government, but with the authority, for not stepping in despite the publicity surrounding the issue.
