Why do airlines share my itinerary with my bank? GDPR violation? Any travelers switching to cash?
cross-posted from: https://links.hackliberty.org/post/125466
My credit card issuer apparently never gets to know what I purchased at stores, cafes, & restaurants -- and rightfully so. The statement just shows the shop name, location, and amount.
Exceptionally, if I purchase airfare the bank statement reveals disclosures:
- airline who sold the ticket
- carrier
- passenger name
- ticket number
- city pairs
So that’s a disturbing over-share. In some cases the airline is a European flag carrier, so IIUC the GDPR applies, correct? Doesn’t this violate the data minimization principle?
Airlines no longer accept cash, which is also quite disturbing (and illegal in jurisdictions where legal tender must be accepted when presented for PoS transactions).
Has anyone switched to using a travel agent just to be able to pay cash for airfare?
UPDATE
A relatively convincing theory has been suggested in this other cross-posted community:
https://links.hackliberty.org/comment/414338
Apparently it’s because credit cards offer travel insurance & airlines have incentive to have another insurer involved. Would be useful if this were documented somewhere in a less refutable form.
GDPR question still outstanding.
Seconding the guess that it's so your card doesn't get frozen. If your bank knows you're meant to be in a specific place, they'll know transactions happening there aren't because someone's stolen your card. It would probably be a valid exception to GDPR on those grounds.
In fact, now you mention it, I'm guessing this is why my credit card company never raised any issue with me using the card in London a couple months ago, after buying train tickets to London on the same card. I thought that was odd, given they regularly ask me for 2FA on transactions that aren't unusual, but suddenly being halfway across the country wasn't flagged as being even remotely suspicious.
That said, I think the amount of information being given here does seem excessive. Just letting your bank know the destination and dates ought to be sufficient for security purposes. For data protection, it would be better if the airline said nothing, and your bank waited for you to tell them when and where you're travelling... but how many people would remember to do that?
Every single person who has traveled has been advised to do this. "People might forget" is no good reason to mandate sharing this data. It should be opt-in, and it's disgusting that it's not.
It's been more than 15 years since I last travelled abroad, but I've now got a holiday booked next July. It genuinely hadn't occurred to me that I'd need to tell the bank I'm going, because I actually haven't received any advice to do so. It's not as common knowledge as you think it is. Thankfully, I'm now aware of the need to do so, so I will. But it's not in any of the confirmation emails for the tickets, nor on the government's travel advice pages (which I have checked, and started organising things like updating a couple of my vaccinations.)
Nevertheless, I agree it ought to be opt-in, rather than mandatory. Everybody should get to make the choice, even if it means occasionally they get stranded abroad with no access to money.
Every bank’s AI-driven fraud detection system is different and non-transparent. Whenever my account gets frozen for “fraud” and I removed¹ at the bank over it, I ask WHY my account was frozen. The CSR guesses what happened (because apparently it’s such a secret the bank’s own staff is kept in the dark). This can be deceiving because bankers seem to be trained to propose their guesswork with confidence to thwart questions. I ask “where in my terms of service agreement does it say I shouldn’t do [whatever the CSR thinks triggered the fraud sensors] & how can I prevent this false positive in the future?” They can never answer that.
Some banks don’t require travel notices and some do. The banks that don’t: how are they finding out my travel plans when I buy the ticket using a different bank? Most likely their fraud algo is (or tries to be) smart enough to not need to track you.
How is sharing purchase info with banks within the bounds of the airline’s operational needs? The bank’s problem is not the airline’s problem.
(edit)
1: woah, slur filter did a silent hit-and-run on my post. The word “removed” should be some form of “complain” using a synonym that begins with a “b”.
The AI-driven fraud detection system is probably more accurate when the other transactions on the account support the questioned transaction. If there's a bunch of transactions in a city/country you've never been to before, the fraud detection algorithm can come to two conclusions: either you have travelled there, or someone has cloned your card. If there's a transaction showing you bought tickets to that city/country for the same dates that transactions happen within that city/country, that's evidence to support one decision over the other on the algorithm's part.
The prevention of crime and fraud is a valid exception to GDPR, and it being the bank's problem entitles them to request the data from the airline/train company/whatever.
Like I said, I don't agree with the quantity of data being shared here, but let's face it, if you travel to another place and use your card there, then your bank are going to know you're there. If you use your card to buy foreign currency, they're going to know you're going to that country. So as a general principle, I don't think a travel company sharing the dates and destination really makes any difference.