Data Collection from Passengers for Virus Contact Tracing Purposes

Since at least the time of the SARS epidemic in 2005, when it issued an ultimately abandoned notice of proposed rulemaking, the Centers for Disease Control (“CDC”) has been interested in gathering information from airlines on passengers arriving in the United States. CDC wants such information to engage in contact tracing, a term that perhaps few of us ever heard of before COVID-19, but now has entered the popular lexicon. In essence, contact tracing refers to identifying the persons with whom an infected or contagious person may have been in contact for the purpose of requiring the contacted persons to quarantine and thereby avoid further infection of others. Such tracing will need to be an essential part of efforts to reopen the US economy. The problem for airlines is that for about half of their passengers, they don’t currently collect the contact data that CDC needs.

The CDC’s most recent, COVID-19 spawned effort to require airlines to transmit data on their arriving international passengers is reflected in a February 12, 2020 Interim Final Rule (“IFR”), made effective immediately, published at 85 Fed. Reg. 7574. Under the terms of the IFR, upon an order from the CDC airlines would be required to transmit to CDC, within 24 hours of a request, the following information on arriving passengers: name; address (while in the US for non-residents and permanent lawful address for citizens and other permanent residents); primary and secondary phone numbers and email address. Just days after the IFR was published, on February 24 CDC issued an order implementing the rule during the term of the current public health emergency as to persons arriving in the US from China and specifying the time frame for and manner of data transmission. See 85 Fed. Reg 10439.

Airlines, which have fought previous CDC efforts to require that they collect the contact data that CDC seeks, have not been pleased with the IFR and have filed extensive comments with CDC opposing it. Among many of their arguments, the airlines point out that they don’t have all of the information because in the ordinary course of handling bookings they do not collect all of this information (e.g., US addresses and email addresses) and would have to spend many millions of dollars to create systems to collect it. Nor do airlines receive detailed contact data from third party booking agents (e.g., online and traditional travel agencies), which in most cases are reluctant to share passenger contact data (beyond names) with airlines with which they compete for bookings. The airlines thus argue that if CDC wants the information it or some other agency of the US Government should establish a website and mobile app to collect it directly from passengers.

Further, the airlines argue that CDC should have used traditional notice and comment rulemaking rather than establish an interim final rule, make it immediately effective and then ask for comments, as happened here. Moreover, they claim, the requirement that they collect and transmit detailed passenger data might cause the airlines to run afoul of EU data privacy laws which the EU claims apply extraterritorially to data about EU persons.

Given their opposition and refusal to expend the resources to begin a data collection effort, the airlines apparently have not been in full compliance with the IFR. Since there are few passengers arriving in the US from China these days, the lack of compliance may not present a serious enforcement issue right now, although CDC did threaten for a time in March to impose fines on airlines. The threat of fines was indeed odd given that airlines are now receiving substantial Government loans and grants to stay afloat during the COVID-19 shutdown period under the CARES Act. Notably, the airlines were able to persuade Congress not to make data collection a condition of such aid, as CDC had wanted. What airlines presumably have been complying with is a much weaker 2016 CDC rule at 23 CFR 71.4, which requires that they transmit certain passenger information to CDC upon request, but only to the extent that such data are already available and maintained by the airline. These limiting words are notably missing from the February 2020 IFR; hence the dispute and CDC’s continued inability to contact trace for a significant percentage of incoming passengers.

How the CDC/airline impasse ends is unclear. The Administration seems unwilling to pressure the airlines into compliance with the IFR, but to date has also taken no overt steps to collect the data directly from passengers through some form of Government-run website and/or app. There are some signs that some in Congress are interested in tackling the issue, but no bill has been introduced yet and no consensus view has emerged.

The problems with collecting data on the small subset of persons who travel by air are significant, but broader questions also abound. Should we be collecting data that could be used for tracing on persons who travel domestically and persons who use rail or bus to travel? Should we be allowing the use of tracing apps generally to help persons identify if they have come into contact with someone infected by COVID-19? Apple and Google, for example, are working on an app that would alert persons through their cellphones that they have come into contact with someone who tested positive, allowing such persons to then quarantine themselves. In some other countries, Governments have rolled our similar tracing apps. But privacy and trust concerns abound in this area and such concerns may prevent enough people from participating to make such systems viable.

Whether any data collection will be accepted by the populace is an unresolved question, but one worth monitoring.

Share this post:

Comments on "Data Collection from Passengers for Virus Contact Tracing Purposes"

Comments 0-5 of 0

Please login to comment