Working in the privacy field in the United States, I observe considerable discussion about the fact that U.S. data protections practices are not currently considered to be “adequate” under EU law. So, as I prepared for a 10-day trip of sightseeing in Milan, Italy and hiking and boating in the Italian Lakes region, I expected that I would enjoy my first true vacation in several years without a thought of privacy issues because I would be in a region of the world that considers privacy to be a human right.
Surprise #1
So, imagine my first surprise when boarding a flight bound for Frankfurt, Germany I learned that I did not need to present a boarding pass because the German airline, Lufthansa, uses biometric boarding which relies on facial recognition technology to match identities with passport photo information. My privacy radar went off and I made a mental note to research this issue upon return.
(Spoiler alert: 1) Lufthansa states that it does not store photos and that individuals can opt out. However, I did not see any opportunity to opt out either when I checked in or as the crowd lined up to board; 2) Recent reports indicate that Europe may be moving towards a ban on facial recognition In public settings; 3) The U.S. passport application states that all information on the application can be “disclosed to another domestic government agency, a private contractor, a foreign government agency, or to a private person or private employer in accordance with certain approved routine uses;” 4) The U. S. Department of Homeland Security has conducted a privacy impact assessment of its use of facial recognition technology and the provision of images to an airline.)
Surprise #2
My second surprise occurred upon arrival in Milan where we checked in at a lovely, independent boutique hotel near Parco Sempione. My eye was drawn to a large display case in the wall near to the elevator. A large guest ledger displayed the names of 50 guests who had visited the hotel in early 1971. Not only were their first and last names on display, but also: birthplace and birthdate; nationality and residence; identification document type, number, and issuance date; and check in and check out dates. At the time of their visits, guests ranged in age from 23-55. Most were European, but a few were from the U.S. =In front of the ledger was a tongue-in-cheek sign bearing the hotel’s logo that reads “Sophisticated reception management software.” (I would love to include a photo here, but better sense prevails. However, if you visited Milan in 1971 and want the name of the hotel, please let me know.)
Surprise #3
The third surprise occurred a few days later when we boarded a bus to begin the hiking portion of our trip. On the ride from Milan to a beautiful spot near Lake Orta, the Italian trip leaders passed around a clipboard with a sheet of paper and suggested that we provide our names and passport numbers to speed up check-in at each of the three hotels where we would spend the next five nights. My husband and I were the only two out of 18 participants to not provide our information. I am happy to report that we experienced no delay in checking in at any of the hotels.
Other Surprises & Conclusion
The rest of my surprises were all about the beautiful scenery. But the next time I hear claims that the U.S. data privacy protections are not adequate, I will chuckle quietly to myself and look forward to my next trip, as this past trip was certainly more than adequate.