Senators Express Concerns Over Impact of Contact Tracing Order on Data Privacy, Security

CDC order requires airlines to collect a significant amount of personal information from all passengers and retain for 30 days

November 2, 2021

WASHINGTON – U.S. Sens. Roger Wicker, R-Miss., ranking member of the Senate Committee on Commerce, Science, and Transportation, John Thune, R-S.D., Deb Fischer, R-Neb., Jerry Moran, R-Kan., Marsha Blackburn, R-Tenn., Rick Scott, R-Fla., and Michael Lee, R-Utah, today sent a letter asking White House Coronavirus Response Coordinator Jeffrey Zients to inform Congress on how the Biden Administration plans to address data collection concerns following the recent Centers for Disease Control and Prevention (CDC) “contact tracing” order, which requires airlines and operators to collect personal information from incoming international passengers, including American citizens.

“It is unclear at this time whether the aviation industry is equipped to collect and retain more personal information from passengers than it does today and share it across multiple proprietary systems before responsibly and securely transmitting it to the CDC,” the Senators wrote.

“The traveling public must be informed of the potential costs this order could impose on their privacy.” 

The CDC order requires airlines and operators to retain a passenger’s personal information for a minimum of 30 days from the flight’s departure and transmit it to the agency within 24 hours of a request from the CDC Director. This order gives airlines the option to submit contact tracing information to CDC via “an established DHS data system.” If airlines submit via this method, the order notes that the Department of Homeland Security (DHS) will also submit this information into its Automated Targeting System, which will be retained for a minimum of fifteen years and used for non-public health purposes. It is unclear if consumers are aware of their data being potentially retained by the federal government for a significant amount of time. 

Wicker has been a strong advocate for protecting consumer data. Last Congress, Wicker, Thune, Moran, and Blackburn introduced the COVID-19 Consumer Data Protection Act. The legislation would direct companies to inform consumers on how their data will be handled, to whom it will be transferred, and how long it will be retained at the point of collection.

Click here or read the full letter below.

Mr. Zients: 

Recently, CDC issued an order titled, “Requirement for Airlines and Operators to Collect and Transmit Designated Information for Passengers and Crew arriving into the US; Requirement for Passengers to Provide Designated Information.” The order requires airlines and other aircraft operators to collect additional personal information from all passengers, including American citizens, travelling to the United States from a foreign last point of departure and submit it to CDC for the purposes of COVID-19 contact tracing. The order requires airlines and operators to retain this information a minimum of 30 days from the flight’s departure and, within 24 hours of a request from the CDC Director, transmit it to CDC.

We write to express concerns about the impact this policy could have on the privacy and data security of the American flying public. It is unclear at this time whether the aviation industry is equipped to collect and retain more personal information from passengers than it does today and share it across multiple proprietary systems before responsibly and securely transmitting it to the CDC. This data collection and transfer process must potentially comply with numerous international data privacy regulations. It is also unclear whether the CDC has the data management capabilities to secure a new trove of personal information that would become a valuable target for both criminal hackers and cyber espionage agents of foreign governments. Finally, it is unclear if consumers will be aware that their personal information may be retained by private entities or the federal government for various amounts of time and may be used for non-public health purposes. Per the order, it is possible for a passenger’s personal information to be retained by the Federal government for a “minimum of fifteen years.” The traveling public must be informed of the potential costs this order could impose on their privacy. 

It is essential that Congress is kept fully informed of how the administration will address these and other concerns. We therefore request that you, and the appropriate executive departments, provide a briefing to our staffs as soon as possible on this order.

Thank you for your prompt attention to this important matter.