Travelport GDS, which operates the Apollo/Galileo and Worldspan global distribution systems, became the first GDS to complete a U.S. Dept. of Commerce self-certification process related to privacy practices when transferring data from Europe to the U.S.
The Safe Harbor program is designed to bridge the differences between EU and U.S. data-privacy laws and requires participating companies to certify that they meet certain data-privacy principles when transmitting customer information from the Continent to the U.S. The types of data that fall under its framework include passengers' personal details and their travel arrangements, both of which are housed in Passenger Name Records (PNRs).
Travelport's headline on its press release about the issue, "Travelport is First GDS Provider to be Safe Harbor Certified," may be true, but can easily be misconstrued because Safe Harbor is a self-certification process.
Privacy expert Edward Hasbrouck, who has written extensively about the issue, notes that what Travelport's Safe Harbor designation "means is that Travelport has made a formal claim ... that Travelport complies with certain Safe Harbor principles. That claim has not been vetted, audited or verified by anyone."
As part of the process, Safe Harbor-certified companies must establish a recourse mechanism in the event that there is a pattern of noncompliance on policy issues.
Travelport GDS spokeswoman Jill Brenner says Travelport already was meeting some Safe Harbor requirements -- such as using reasonable precautions to protect data security -- prior to the Safe Harbor certification, and she notes that "we have not said anywhere that the EU certified us for this."
To go through the Safe Harbor process, Travelport had to establish establish "contractual safeguards with developers and other third parties to ensure personal data are adequately protected," Brenner says.
And, the company took several other actions, including:
- Changing its privacy policy;
- Requiring third parties with access to GDS data to include a Safe Harbor addendum in contracts;
- Implementing Safe Harbor guidelines for managers and training for employees.
Asked if going through the Safe Harbor process had anything to do with Travelport's now-withdrawn IPO in London, Brenner says, "This certification had nothing to do with getting ready for the IPO. It is a measure of the importance we give to the issue of privacy."
Hasbrouck wonders about the lack of an IPO tie.
"None of the GDS companies comply with EU data protection law, or have made any effort even to pay lip service to it until now," Hasbrouck says. "It could be that, because this is a normal part of the paperwork for a European company, the absence of any mention of data protection compliance was noted by European investment bankers, analysts, or potential investors. Travelport's move to self-certify as compliant with Safe Harbor principles may be a response to questions raised during due diligence in the City."
Tad Ostrowski, the Travelport GDS general counsel, says Travelport went through the optional Safe Harbor process to punctuate its commitment to data privacy and to give confidence in that regard to its customers.
Hasbrouck, a consultant to the Identity Project, says a prime function of self-certification would be to provide safeguards for Travelport GDS suppliers and travel agencies.
"An agency or airline that subscribes to Travelport might be able to argue, in mitigation of damages or fines, that it relied in good faith on Travelport's self-certification, and therefore believed that it was legal to subscribe to Travelport and legal to store its customer data on Travelport servers in the U.S.," Hasbrouck says.
While Travelport GDS is alone among GDS vendors to have a Safe Harbor certification, numerous other travel companies have certifications. Here is a sampling: StarCite, Hertz, Disney, Topaz International,Travel Technology Group, TravelCLICK, Travizon, TripIt, TRX, World Access and Radius.
Meanwhile, Sabre says it doesn't "have any plans to pursue this certification."
"Data privacy is very important to us and we believe the systems and processes we have in place are very robust around this," says Sabre spokeswoman Nancy St. Pierre.