There was an unusual press release yesterday from the U.S. Department of Transportation. According to the statement, U.S. Secretary of Transportation Pete Buttigieg launched a "privacy review of the nation's ten largest airlines regarding their collection, handling, maintenance, and use of passengers' personal information."

It is not every day we hear about privacy scrutiny from the Department of Transportation. But why does this agency have privacy authority in the first place?

It was in the days of the EU-U.S. Privacy Shield that I first learned about the DOT's jurisdiction over data privacy matters. I was administering the Independent Recourse Mechanism at BBB National Programs. One of our screening questions for companies that wished to self-certify under the Privacy Shield Principles asked whether the company was subject to the jurisdiction of the U.S. Federal Trade Commission or the DOT.

The form field was a bit of a curiosity. And though the IRM program had a process established for verifying eligibility — we routinely had to exclude nonprofit organizations, for example, due to the FTC's lack of jurisdiction over them — I never encountered a self-certifying entity that checked the DOT box.

A quick search of the new EU-U.S. Data Privacy Framework list shows that no current or former company under the DOT's jurisdiction has ever participated in the framework or its progenitors. Nevertheless, the department maintains guidance on its potential oversight of DPF participants, along with the rest of its jurisdiction over what it calls "air consumer privacy."

Why does the U.S. exclude airlines and similar companies from the jurisdiction of the FTC and instead place consumer protection matters under the purview of the DOT? The answer requires a bit of a history lesson.

It all starts with a Cornell economist named Alfred E. Kahn.

Before 1978, the U.S. airline industry was tightly regulated. Even details like pricing and route selection were prescribed by federal regulators. Kahn was convinced the only way to increase competition, bring down prices and fuel airline innovation was to totally change the regulatory structure of airlines. It was the beginning of the age of deregulation.

President Jimmy Carter appointed Kahn to serve as the chairman of the Civil Aeronautics Board, the primary oversight body over airlines at the time. While leading the agency, Kahn spearheaded the U.S. Airline Deregulation Act of 1978, which, when passed by U.S. Congress effectively deregulated his agency out of existence, "laying the groundwork for freer, more dynamic markets in the air, rail, trucking, telecommunications, finance, and utility industries."

Among the collateral effects of the act was the removal of FTC oversight for consumer protection matters over air carriers. The act also preemptively preempted any state-level regulation of airlines, including around matters of unfair and deceptive conduct — the core ideas behind consumer protection law in the U.S.

Congress explicitly restored consumer protection oversight of the skies in 1994, but it did not give the authority back to the FTC. Instead, it gave the DOT explicit authority to stop unfair and deceptive trade practices among "air carriers, foreign air carriers, and ticket agents."

The law also empowered DOT to issue protective rules related to "the availability of a variety of adequate, economic, efficient, and low-priced services without unreasonable discrimination or unfair or deceptive practices" and "preventing unfair, deceptive, predatory, or anticompetitive practices in air transportation."

Thus the DOT has authority around the safety and "adequacy" of air transportation, along with issues of equity, discrimination, and consumer protection. On the subject of unfair and deceptive practices, regulatory guidance from the DOT has made clear that the agency generally tracks the interpretations of unfair and deceptive practices that the FTC codifies in its own policy statements.

The DOT has made use of its consumer protection authorities to issue rules limiting the length of ground delays, requiring documentation of delayed flights, mandating disclosures to consumers and providing consumers with rights related to cancellations. To date, however, the DOT has not focused its consumer protection lens on privacy practices.

Consistent with the FTC's use of its Section 5 authority to enforce against privacy missteps, the DOT's similar jurisdiction should provide it with similar authorities. Yet, while the FTC has settled dozens of privacy cases in recent decades, the DOT has not released any public enforcement actions against air carriers related to data privacy matters.

There is general guidance from the agency about its authority over privacy matters, including through the above consumer protection statute as well as the Children's Online Privacy Protection Act. The guidance reminds air carriers that, "Mishandling the private information of consumers may be considered an unfair or deceptive practice. DOT has the authority to investigate complaints and take action against airlines and ticket agents for unfair or deceptive practices. This authority includes imposing civil penalties where appropriate."

This new action goes one step farther. It appears to signal an active "review" by the DOT of the privacy practices of all major air carriers.

This likely means air carriers will receive explicit inquiries from the agency to document their data privacy practices. These inquiries apparently also ask "whether airlines are unfairly or deceptively monetizing or sharing" consumer data with third parties.

The agency is leaving open its options for how to proceed once it establishes a better understanding of existing data practices in the industry. "As DOT finds evidence of problematic practices, the Department will take action, which could mean investigations, enforcement actions, guidance, or rulemaking."

These developments will certainly have an impact on privacy practices within airlines, but there may be broader lessons for similarly situated companies as we learn more about the application of consumer protection principles to travel services. Regardless of outcome, it is clear the DOT is working to secure its place on the map of sectoral privacy enforcers in the federal government.

Upcoming happenings:

  • 26 March: The IAPP Knowledge-Net chapters in the DMV region jointly host a discussion about FISA Section 702 reauthorization (Conference Center at the Row on 19th).
  • 27 March: The R Street Institute hosts a panel titled Making 2024 the Year We Secure American Data (virtual).
  • 2 April: The IAPP DC Knowledge-Net chapter hosts a happy hour sponsored by CYPFER (The Dignitary).
  • 3-4 April: The IAPP hosts its Global Privacy Summit 2024 (Convention Center).

Please send feedback, updates and deregulatory reflections to cobun@iapp.org.