Data Privacy And Ownership Issues Indicate Exposure
When a drug manufacturer mistakenly releases the full "mailing list" on the Net to all individual users of its depression medicine, we know we have real problems of privacy and data misuse with e-commerce. There are an increasing number of suspicious souls who will not buy or shop online for fear of "Big Brother," potential for misuse of credit card numbers or simply the nuisance of unwanted solicitations.
The commercial travel industry is certainly no exception. Trust in the industry is falling, and legal exposure rising, over passenger/employee rights of privacy and corporate rights of ownership of data.
Suppliers of travel services are engaged in sophisticated "data mining" to learn more about passengers and corporate travel profiles. As suppliers consolidate by merger or alliance and collaborate to streamline marketing and services, the risks increase. Some are searching for technology solutions in monitoring front-end discounts to minimize risks of non-delivery of share after travel occurs. Objectives include improved accuracy, timeliness and reduced costs for compliance activities.
Most corporate travel buyers are honestly sensitive to compliance with share commitments and will make reasonable efforts to collect current, accurate data and allow for needed disclosure, provided there are effective safeguards for protecting ownership of company information and traveler privacy. Disclosure of travel information either directly to suppliers or to third parties depends on compliance with privacy laws and regulations, contractual commitments and consistency in observance of ethical rules in dealing with all suppliers. Third parties, agencies, data processors and consultants also must observe privacy requirements, protect data ownership and comply with contractual confidentiality. No one disputes this, but the devil is in the details.
Europe and other parts of the world have been and are more sensitive to privacy and data ownership than the United States. No U.S. federal statute today compares with the European Union Privacy Directive or the United Kingdom's Data Protection Act of 1998 and related rules and interpretations. Extensive rules govern collection, processing and consent for use of data and cross-border transmission. Suppliers must prove that they protect data equally in a non-E.U. country as required in the European Union, a large challenge in view of the Internet, data consolidation and global deal tracking. European regulators are strict in their view of competitiveness and data protection. With the Honeywell merger rejection, they now are emboldened in their independence from U.S. law, culture and perspective.
Traditionally, airlines tracked performance on discounts, and for marketing intelligence in general, primarily by purchasing Market Information Data Tapes. In the United States, that was considered routine and acceptable to most corporations, not so in Europe today. The European Commission is investigating the lawfulness under its statutes of MIDT tapes used by competitors. The hotly contested process of drilling to segment level by airline below the detail of MIDT can be expected to draw substantial attention from E.C. regulators. They are showing how much tougher they are than anyone in the United States. The proposed International Air Transport Association code marking for PNRs, while being reevaluated within IATA due to corporate resistance, is also the subject of the E.C. investigation and could end up like the Honeywell merger. If frequent flyer benefits can be outlawed due to competitive impact, it would not be a stretch to rule against release of detailed travel data shared by competitors. Nothing in travel, however, is homogeneous. There could be a host of differing rules and interpretations on travel data.
Who owns the travel data is not legally decided by definitive court rulings or statute either in Europe or the United States. A strong case can be made that travel data on company-paid trips--origin and destination, city pairs, segment detail, routes and spend--belong to the company that is protected by express contract language and acknowledged by the supplier. In most cases, suppliers do not resist waiving rights to proprietary assertions on company travel data.
As for required disclosure of detail claimed by the airline as needed for compliance but resisted by the corporate as an intrusion against data ownership or confidentiality requirements in contracts with objecting competitors, some corporates have sacrificed discounts rather than permit what they consider unauthorized use of their data.
Data misuse can adversely affect all supplier partnerships. Contracts on dominant routes might be ruled unenforceable or require revisions as "contracts of adhesion."
Masking probably does not resolve the problems if there is unauthorized disclosure to a masking third party not in privity with the customer and within the clearly worded prohibition against disclosure to any "unauthorized third party." Also, masking must be effective as opposed to only clouding over what a route or pricing analyst can translate quickly.
Masking at the source, however, can be tantamount to nondisclosure under circumstances considered acceptable to the contracting supplier whose data is at risk. One option could be a commonly agreed format observed by the larger corporate agencies. This would not necessarily satisfy the European Commission unless pre-approved.
<B>Six Major Factors</B>
<B>Confidentiality:</B> While cynics might claim everyone knows everything, partnerships require discretion and a confidential relationship. Without this, there is little value to dealing. Contract drafting becomes even more important with e-commerce and "data mining."
<B>Privacy:</B> The laws and culture of each country must be considered carefully. Some corporate buyers, but few suppliers, have chief privacy officers. Consulting with legal experts is essential. Consent may take time, but could be critical to managing travel costs.
<B>Security:</B> Strong and reliable security is vital to protection. This should be auditable and "open book."
<B>Customer Acceptance:</B> Suppliers need to be more sensitive to alienating customers over data ownership and privacy concerns, especially if the level of detail is not critical to compliance. Suppliers need to understand that forcing disclosure of traveler information can expose the corporation to risks of its own. Indemnities rarely work after the fact in these situations.
<B>Contract Violations:</B> Contract compliance for one supplier could be a prohibited disclosure for another. Competitive objections against legitimate business requirements of other suppliers could be a smokescreen. Evaluate each case separately.
<B>Antitrust:</B> Mergers and alliances add to the risks of detailed collection and use of data by competitors on corporate users. Balance is needed between compliance tracking and gaining sensitive competitive information to allow for collusion or muscling customers.
More attention is required by all parties to the impact of European regulations affecting privacy and data processing and usage on global deals. Expect more attention in the United States to these issues.
For once, the United States may begin to follow the lead of other jurisdictions on sensitive questions at the heart of business relationships.
Trust in partnering and ethics in dealing are important but not the ultimate guardian of privacy. The cornerstone must be governing law and regulation.
<I>Attorney John Caldwell is president of Washington-based travel management consulting firm Caldwell Associates.</I>