Airline must ensure policies comply with Canadian privacy law

PIPEDA Report of Findings #2011-002

Complaint under the Personal Information Protection and Electronic Documents Act (the Act)

1. The complainant alleges that Koninklijke Luchtvaart Maatschappij n.v, operating as KLM Royal Dutch Airlines (KLM), failed to provide him with information about its policies and practices relating to the management of his personal information.

2. The complainant also alleges that KLM denied him access to his personal information and that of his family members, which was collected and used for KLM flights in 2005.

Summary of Investigation

Jurisdiction

3. After a thorough analysis, this Office determined that we have jurisdiction to investigate the two complaints, despite the fact that KLM is an international airline company headquartered in Amstelveen, the Netherlands.

4. In Lawson v. Accusearch Inc., [2007] 4 F.C.R. 314, the Federal Court held that the relevant test to determine whether the Commissioner has jurisdiction under PIPEDA to investigate a complaint against a foreign-based organisation is whether there is a real and substantial connection between either the subject matter, the parties, or the territory to Canada. 

5. In the circumstances, we found that there is a real and substantial connection to Canada.  A summary of our rationale follows:

1. The complainant and his family members are Canadian residents who are seeking access to their personal information;
2. KLM offers services within Canada, with employees at several international airports in Canada;
3. KLM has a Canadian version of a website that actively targets Canadians, that is accessible by Canadians and from which Canadians may reserve flights with KLM;
4. KLM regularly operates scheduled non-stop flights to and from Canadian destinations;
5. The complainant originally booked a flight from Toronto operated by KLM; and
6. KLM needs to collect personal information from Canadian passengers in order to offer its services to Canadian passengers.

Access

6. The complainant and family members were passengers of KLM, originally booked to travel from a foreign destination to Toronto, with two connections. In one of the connecting cities, however, the tickets were exchanged for two different KLM flights and an Air Canada flight to Toronto.

7. The complainant claims that in a letter dated January 10, 2009, he requested from KLM access to passenger-information records pertaining to him and his family, including all their personal data, the details of all processing of their data (including the purposes of the processing), and all recipients of their data. In sum, he asked for access to 13 types of personal information relating to two flights that the complainant and his family had taken.  

8. KLM claims it received a request letter for the same information from the complainant on March 17, 2009, by International Expresspost. It responded and provided an update to the complainant by e-mail on April 28, 2009.

9. In its letter dated May 6, 2009, KLM formally replied to the request, stating that, since four years had elapsed since the flights, KLM was unable to retrieve any of the requested identifiable passenger information except the check-in information of one of the flights. A copy was provided to the complainant.

10. Not satisfied with KLM’s response, the complainant filed a complaint with this Office, dated June 10, 2009.

11. In its representations to this Office, which we received on February 18, 2010, KLM indicated that it had “no additional information which seems to be relevant to this investigation” since the complainant’s information had been removed from KLM’s reservation and departure control systems years before. Further, it advised that that while some of the complainant’s information had been retained longer—for interline and accounting purposes—it was also deleted at one point, in accordance with the airline’s retention policies.

12. In June 2010, KLM re-confirmed to this Office that it does not have any additional information related to this case and that it processes all passenger data in accordance with the Dutch Personal Data Protection Act, which is based on EU Directive 95/46/EC.

13. It specified that, while it had processed personal information of the complainant contained in Passenger Name Records (PNR), this information is not kept for a long period of time. As a result, KLM could not retrieve the PNRs so long after the complainant’s flight dates.

Openness

14. In the complainant’s same letter of January 10, 2009, he asked KLM for information about its policies for the use, access, retention, and destruction of his data, and those of any recipients of his data, particularly those outside the European Union.

15. In its response of May 6, 2009, KLM did not address this aspect of the complainant’s request.

16. During our investigation, we reviewed KLM’s privacy policy, the sole privacy policy accessible on its main website (www.klm.com), which appears to apply to all individuals, regardless of their country or the language chosen when individuals access the site.

17. The policy explains the following: a) the purposes for which the personal information of passengers is collected and processed by the organization; b) how such personal information is used; c) how an individual can access their personal information; d) how an individual can withdraw consent for the use of personal information, except where inappropriate; e) how to update or correct personal information; f) how personal information is safeguarded by KLM; g) how  personal information is transferred to countries beyond the European Union’s borders, and; h) how to contact the privacy officer.

18. If individuals wish to view their personal data, have it corrected or if they object to the use of their personal information, they are advised to submit a written request, with proof of identity, to the company’s privacy office in the Netherlands.

Application

19. In making our determinations, we applied subsection 8(3), 8(4) 8(5) and Principles 4.1.4, 4.8, 4.8.1, 4.8.2, 4.9 and 4.9.4.

20. Subsection 8(3) states that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request. Subsection 8(4) continues that an organization may extend the time limit for a maximum of another thirty days if meeting the time limit would unreasonably interfere with the activities of the organization, or the time required to undertake any consultations necessary to respond to the request would make it impractical to meet the time limit, or to convert the personal information into an alternative format. In order to avail itself of Subsection 8(4), an organization must send a notice of extension to the individual, advising them of the new time limit and their right to make a complaint to the Commissioner regarding the extension. 

21. Subsection 8(5) stipulates that if an organization fails to respond within the time limit, the organization is deemed to have refused the access request.

22. Principle 4.1.4 provides that organizations shall implement policies and practices to give effect to the principles, including (a) implementing procedures to protect personal information; (b) establishing procedures to receive and respond to complaints and inquiries; (c) training staff and communicating to staff information about the organization’s policies and practices; and (d) developing information to explain the organization’s policies and procedures.

23. Principle 4.8 states that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.  Principle 4.8.1 states as follows: “Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable”.  Equally relevant is Principle 4.8.2, which states that: “The information made available shall include (a) the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded; (b) the means of gaining access to personal information held by the organization; (c) a description of the type of personal information held by the organization, including a general account of its use; (d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and (e) what personal information is made available to related organizations (e.g., subsidiaries).

24. Principle 4.9 provides that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.  We also applied Principle 4.9.4, which states that an organization shall respond to an individual’s request within a reasonable time.

Findings

April 15, 2011

25. On October 4, 2010, this Office issued a preliminary report of investigation, in which we noted that KLM’s actions were not in compliance with various provisions of the Act and we made recommendations to KLM, with the view of helping the organization meet its obligations. KLM responded to the recommendations.

26. The following analysis is based on the report of investigation:

27. At issue in the first place is whether KLM denied the complainant access to his personal information.

28. At one point, KLM stated that it did not process access requests sent by e-mail. However, our investigation was not able to determine that a first request, which the complainant purportedly sent in January 2009, was in fact sent by e-mail. On the other hand, we did establish that the complainant’s second request, in March 2009, was in letter form and sent by International Expresspost.

29. The request from March 17, 2009, was acknowledged on April 28, 2009, and not formally responded to until May 6, 2009. Under subsection 8(3), the Act allows a period of thirty days for the responding organization to reply, unless an extension has been requested. In this case, there was no evidence that KLM had advised the complainant that it needed an extension, although this is required under subsection 8(4). The Act also provides, under subsection 8(5), that if the request is not responded to within the 30 days, it is deemed to have been refused. Clearly, the response was issued after more than 30 days; thus, the complainant was denied access to his personal information by KLM under subsections 8(3) and 8(5).

30. KLM responded to the complainant that no other personal information was still available other than the check-in information of one of the flights. This response seems acceptable, given that three and a half years had elapsed since the date of the flights and the complainant’s first request. The Act states that organizations should not retain personal information longer than required to fulfil identified purposes. Unless there were extenuating circumstances, it is not clear why KLM would be expected to retain the complainant’s personal information for longer. Therefore, we are satisfied that the complainant received all personal information covered by his complaint, if that information still existed.

31. In our view, in light of the confusion surrounding the complainant’s first request (of which we obtained a printed copy from the complainant) and the delay involved in responding to the second one, KLM is in need of an access-to-personal information request procedure that is straightforward and that will be adhered to by KLM personnel handling these requests. Training of personnel would be a useful complement to the new procedure. In doing so, KLM would be in compliance with the requirements of Principle 4.1.4. 

32. At issue in the second place is whether, as required by Principle 4.8, KLM makes its policies and practices regarding the management of personal information readily available to individuals and, specifically, to the complainant when he requested it.

33. Our investigation’s review of KLM’s on-line privacy policy for its Canadian website concluded that the policy is incomplete, is not compliant with the Act, and does not include comprehensive information on its practices and policies relative to KLM’s personal information management practices. Our investigation confirmed that when the complainant specifically requested this type of information from KLM, he was not provided with any sort of response. In our view, this approach is far from satisfactory and in violation of Principle 4.8 of the Act.

Recommendations made to KLM

34. In the report of investigation, we recommended the following:

• That KLM develop a simple and clear access-to-personal-information-request procedure and make this readily available to customers.
• That KLM ensure that the privacy policy for the Canadian version of its website complies with the Act, and that this online privacy policy either includes information relating to the management of personal information by the company, or at the very least indicates that this type of information can be obtained from KLM on request.

KLM’s responses to recommendations

35. After we provided KLM with an extension to the usual thirty days to respond, KLM replied to this Office on November 15, 2010. It asserted that information about KLM’s policies and practices is easily available from the KLM website. Further, KLM stated that the complainant could be expected to look for and find this information on the KLM website. KLM explained that the Dutch Personal Data Protection Act, to which KLM adheres, does not require any further transparency of KLM’s policies and practices regarding the management of personal information.

36. In KLM’s view, the Dutch Data Protection Authority supervises KLM in the security of personal data, under the Dutch Personal Data Protection Act. This law also regulates KLM’s fair and lawful use of information and how KLM processes information requests. KLM advised that it was not aware that the Office of the Privacy Commissioner of Canada had jurisdiction over how KLM protects personal information of individuals. KLM also explained that the Dutch law only allows individuals to view their personal information, not to access it.

37. KLM disagrees that it had denied the complainant access to his personal information and notes that it only received a complete access request from the complainant on March 17, 2009, by International Expresspost. (KLM still contends that it had received an earlier request by e-mail, which did not contain any proof of the requestor’s identity). To research the second request, KLM required more time, and KLM believes that where it may have failed was in not giving a proper update regarding its ongoing investigation. KLM notes that this update was ultimately provided to the complainant on April 28, 2009.

38. We agree that KLM should have updated the complainant sooner about the status of his second request. In waiting approximately six weeks to do so, until April 28, 2009, KLM was in violation of subsection 8(3) of the Act, which stipulates that a response must be made with due diligence within thirty days of receiving the request. 

39. With specific regard to our second recommendation, KLM expressed a desire to amend its privacy policy so that it is compliant with the Act, as soon as KLM was informed how to amend its existing policy. 

40. This Office followed up with KLM on December 23, 2010, explaining that our mandate restricts us from offering consulting services on how to write a privacy policy that adheres to the requirements of the Act. However, we provided KLM with documents able to help the organization understand and meet its obligations under the Act. We also suggested consulting the online privacy policies of other airlines operating in Canada.

41. In an e-mail from KLM dated February 17, 2011, it indicated that its planned updating of KLM’s privacy policy had been postponed due to technical difficulties, but that KLM would inform this Office in writing of a new date, when it became available.

42. We note that KLM originally appeared quite willing to implement our second recommendation by updating its Canadian website’s privacy policy in order to meet its obligations under the Act. However, we are disappointed by KLM’s latest report to us on this matter and its lack of commitment to any particular timelines in implementing the recommendation.

43. We would like to re-emphasize that KLM’s commercial activities in the context of this complaint do bring it under this Office’s jurisdiction, thereby requiring KLM’s compliance with the Act.  As we have received no concrete assurances from KLM of when it will become compliant, we are left with no alternative but to close our investigation with an unsatisfactory result. That being said, it still remains in both our offices’ best interests to pursue without undue delay the dialogue over how KLM may meet its obligations under the Act.

Conclusion

44. Accordingly, we conclude that the matter is well-founded.