Monday, August 3, 2009

Lack of Clarity with respect to fate of CLEAR data?

Anita Ramasastry recently wrote an article (Note: at the time of this post, this link no longer pointed to the correct article; until this problem is corrected, you may find the original article here in Google's cache) for FindLaw discussing the imminent demise of CLEAR—a private company which worked in conjunction with the Transportation Security Administration to offer customers less hassle at airport security in exchange for giving up some of their privacy (and payment of an annual membership fee). Perhaps it was inevitable that some enterprising American would develop this kind of business model following the increasingly burdensome and inconvenient security measures imposed at airports after 9/11. One might question, however, whether the federal government should have allowed it (see also this article for criticism that CLEAR failed to deliver on its “promise”). The business model was made possible by the TSA’s "Registered Traveler" program.

Although CLEAR was not the only provider of such services in the US, it was the most popular, with approximately 165,000 members, according to Ramasastry. She reports that members had to provide CLEAR with biometric data in the form of fingerprints and iris scans to participate in the program. This data was then encoded on the member’s CLEAR card, which had to be tendered to bypass the standard security checkpoint lines. Now that CLEAR is going out of business, Ramasastry asks, what will happen to all the personal data it holds? Will it be sold to one or more other companies? Will the TSA claim it? What say does each member have as to what will happen with his or her data?

Unlike the EU, the US doesn’t have any overarching legal instrument that establishes a basic framework for the handling of personal data. And as Ramasastry points out, CLEAR, as a private company, is not subject to the same kinds of privacy regulations as government agencies. But should companies that operate in this area not be subject to the same privacy standards as government bodies? Or should the TSA be authorized to intervene to secure personal data on behalf of former customers of CLEAR? An announcement on the CLEAR website reassures customers of its commitment to protect their personally identifiable information. Yet, even assuming CLEAR had a strong corporate privacy policy in place, it’s UNclear how the company will ensure that that policy is upheld if it ends up being liquidated in bankruptcy. Not to mention, former customers may find it difficult, if not impossible, to seek compensation for any violation of the policy. The website also speaks of TSA/federal requirements. But one source has suggested that neither TSA nor the Dept. of Homeland Security has any relevant requirements in place. The TSA website itself states that “all RT [Registered Traveler] service providers were obligated to follow data security standards to continue offering service [following the initial pilot project]. Each service provider's use of data, however, is regulated under its own privacy policy and by its relationship with its customers and sponsoring airport or airline.” (emphasis added) The only data usage requirement that the TSA imposed may have been that “RT service providers . . . use customer data only for purposes of the RT program unless customers expressly opted-in to other uses.”

In the meantime, the other two Registered Traveler operators, FLO, Corp. and Vigilant Solutions, have reportedly also both closed down the special security clearance lanes they operated at US airports.
