Foreign Carriers Must Comply With Canadian Privacy Laws

A Canadian resident sought information from KLM about its policies and practices relating to the management of his personal information as a passenger.

The airline was slow to respond and ultimately provided a minimal response.

The passenger complained to the Office of the Privacy Commissioner of Canada that KLM was in breach of the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Notwithstanding KLM’s foreign incorporation, the Commission took jurisdiction over the complaint on the grounds that there was a real and substantial connection between the complaint, the parties and Canada. In particular, the complainant was a Canadian resident; KLM offers services within Canada; and the complainant originally booked his flight from Toronto.

In its defence, KLM asserted that its policies and practices relating to the handling of passenger data were designed to comply with the Dutch Personal Data Protection Act, based on EU Directive 95/46/EC.

The Commission concluded that KLM had not complied with the provisions of PIPEDA and that compliance with Dutch law was not sufficient to satisfy the airline’s obligations under Canadian law.

The Commissioner concluded that the complaint was well founded and recommended that KLM revise its policies and practices for handling personal information as well as its procedures published on its website.

Foreign carriers doing business in Canada should review their policies and procedures for handling passenger information to ensure that they comply with applicable Canadian legislation.