Airline Comments to CDC PRA Reviews (OMB Nos. 0920-1180 0920-1181)

Attachment 13 Airline Comments to CDC PRA Reviews (OMB Nos. 0920-1180 0920-1181).pdf

Requirement for Airlines and Operators to Collect and Transmit Designated Information for Passengers and Crew Arriving Into the United States

Airline Comments to CDC PRA Reviews (OMB Nos. 0920-1180 0920-1181)

OMB: 0920-1354

Document [pdf]
Download: pdf | pdf
BEFORE THE
CENTERS FOR DISEASE CONTROL AND PREVENTION
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVCIES
ATLANTA, GA
__________________________________________

)
)
)
Agency Forms Undergoing Paperwork
)
Reduction Act Reviews
)
)
__________________________________________)
In the Matter of:

Dockets CDC-2019-0092
CDC-2019-0100
OMB Control Nos. 0920-1180
0920-1181

JOINT COMMENTS OF
AIRLINES FOR AMERICA,
THE INTERNATIONAL AIR TRANSPORT ASSOCIATION,
THE REGIONAL AIRLINE ASSOCIATION, AND
THE NATIONAL AIR CARRIER ASSOCIATION
Communications with respect to this document should be addressed to:
Graham C. Keithley
Assistant General Counsel
AIRLINES FOR AMERICA
1275 Pennsylvania Avenue, NW
Suite 1300
Washington, DC 20004
(202) 626-4000
[email protected]

Douglas E. Lavin
Vice President, Member and External
Relations North America
INTERNATIONAL AIR TRANSPORT
ASSOCIATION
1201 F Street, NW, Suite 650
Washington, DC 20004
(202) 628-9443
[email protected]

Nobuyo Reinsch
Vice President, Aviation Safety & Security
REGIONAL AIRLINE ASSOCIATION
1201 15th Street, NW
Suite 430
Washington, DC 20005
(202) 367-2335
[email protected]

Paul Doell
Vice President, Government Affairs and
Security Policy
NATIONAL AIR CARRIER
ASSOCIATION
1735 N. Lynn Street, Suite 105
Arlington, VA 22209
(703) 358-8060
[email protected]

May 16, 2020

BEFORE THE
CENTERS FOR DISEASE CONTROL AND PREVENTION
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVCIES
ATLANTA, GA
__________________________________________

)
)
)
Agency Forms Undergoing Paperwork
)
Reduction Act Reviews
)
)
__________________________________________)
In the Matter of:

Dockets CDC-2019-0092
CDC-2019-0100
OMB Control Nos. 0920-1180
0920-1181

JOINT COMMENTS OF
AIRLINES FOR AMERICA,
THE INTERNATIONAL AIR TRANSPORT ASSOCIATION,
THE REGIONAL AIRLINE ASSOCIATION, AND
THE NATIONAL AIR CARRIER ASSOCIATION
Airlines for America (“A4A”), the International Air Transport Association (“IATA”), the
Regional Airline Association (“RAA”), and the National Air Carrier Association (“NACA”)
submit these Comments on behalf of their members 1 in response to the Centers for Disease
Control and Prevention’s (“CDC”) Agency Forms Undergoing Paperwork Reduction Act
Review for (i) Airline and Vessel Traveler Information Collection (42 CFR part 71) (OMB
Control No. 0920-1180) (“Airline Contact Information Collection”) 2 and (ii) Airline and
Traveler Information Collection: Domestic Manifests and the Passenger Locator Form (OMB
Control No. 0920-1181) (“CDC Contact Information Collection”) 3 (collectively the “PRA
Reviews”). In addition to these PRA review comments, readers should also review our
substantive views and concerns regarding the underlying requirements in CDC’s interim final

1
2
3

Appendix A contains our members and representation, covering all major airlines operating in the United States.
85 Fed. Reg. 21,235 (Apr. 16, 2020) (hereinafter “Airline IC PRA Notice”).
85 Fed. Reg. 23,357 (Apr. 27, 2020) (hereinafter “CDC IC PRA Notice”).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 2 of 37
rules related to the Airline Contact Information Collection (“IFR”), 4 which were submitted to the
IFR docket. 5 Attachment A.
Both information collections involve the CDC’s collection of passenger contact
information for purposes of contact tracing for communicable diseases, but by different methods:
the Airline Contact Information Collection requires that airlines collect the contact information
from the passengers and transmit it to the CDC, while the CDC Contact Information Collection
involves CDC’s collection of contact information directly from the passengers. We submit that
the Airline Contact Information Collection is substantially flawed and must be withdrawn (along
with the related rules) or disapproved by the Office of Management and Budget (“OMB”) and
that CDC or other U.S. Government entity should instead pursue the collection of contact
information directly from passengers through its existing contact information collection website.
We appreciate the comment period extensions for the PRA Reviews to give all
stakeholders, most especially our members, an opportunity to submit invaluable information,
particularly for the new and burdensome obligations of airlines to collect and transmit passenger
contact information to the CDC under the IFR. The PRA Reviews are an unprecedented
opportunity for public-private collaboration to determine the best means of collecting passenger
contact information for the global response to the COVID-19 pandemic, as well as future
communicable diseases. We are grateful for the CDC and the entire Administration’s
unwavering dedication to defeat the devastating COVID-19 pandemic, including the exploration

4
5

See CDC, Control of Communicable Diseases; Foreign Quarantine, 85 Fed. Reg. 7,874 (Feb. 12, 2020)
(hereinafter “IFR”).
Joint Comments of Airlines for America, the International Air Transport Association, the Regional Airline
Association, and the National Air Carrier Association (Mar. 13, 2020) (CDC-2020-0013) (hereinafter “Airlines
IFR Comments”). A4A submitted supplemental comments to the IFR, which were not docketed but are included
in Attachment A.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 3 of 37
of new and novel tools to help prevent the further spread within the United States. We continue
to be willing to do what it takes to meet the challenges posed by COVID-19 and partner with all
governments, foreign and domestic, to facilitate a rapid and global response to COVID-19. 6
There are, however, deficiencies with the PRA Reviews and related information
collections. As explained below, we respectfully submit that the Airline Contact Information
Collection for the IFR is contrary to the letter and spirit of the Paperwork Reduction Act of 1995
(“PRA”). 7 Specifically, it is:
1. Not an improvement of the quality of information that CDC collects;
2. Duplicative of other U.S. Government information collections and therefore
unnecessary;
3. Based upon inaccurate burden and cost estimates;
4. A shift of disproportionate costs and burdens to airlines; and
5. An increase in the burden for airlines, without minimizing such burden or exploring
more reasonable alternatives.
Also, the CDC did not meet the PRA standards for the OMB to approve the Airline Contact
Information Collection for the IFR because the CDC did not give a meaningful opportunity for
public comment.
Additionally, we submit that the newly revised CDC Contact Information Collection,
which does not consider the CDC’s collection of contact information directly from passengers
through a CDC website, is materially deficient because it does not minimize the burden on
passengers and does not explore more reasonable alternatives.

6

7

See Joint Comments of Airlines for America, the International Air Transport Association, the Regional Airline
Association, and the National Air Carrier Association 2 (Apr. 23, 2020) (CDC-2020-0033) (explaining how
airlines are assisting the U.S. government’s response to COVID-19).
Pub. L. No. 104-13 (codified at 44 U.S.C. § 3501 et seq.)

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 4 of 37
Accordingly, like our comments to the IFR, 8 we strongly recommend that the CDC cure
these deficiencies by withdrawing the IFR and pursue instead the CDC Contact Information
Collection using CDC’s contact information collection website, or alternatively, to conduct a full
notice of proposed rulemaking (“NPRM”) with a sufficient PRA review that gives the public a
meaningful opportunity to comment on the Airline Contact Information Collection. Also, we
recommend that the NPRM contain all data, methodology, and assumptions by which the CDC
arrived at its estimates so that the public will have a meaningful opportunity to provide
comments and fulfill the purposes of the PRA. If the CDC chooses not to undertake a full
rulemaking, we submit that the OMB must disapprove the Airline Contact Information
Collection, at least for the information collect related to the IFR. Additionally, we submit that
the CDC must consider and adopt the use of its own contact information collection website for
the CDC Contact Information Collection.
We present our comments to the PRA Reviews together because the airlines’ collection
of passengers’ contact information and the CDC’s collection of contact information from the
same passengers are inherently interrelated and cannot be reviewed in isolation. 9 We reserve the
opportunity to submit additional comments to the PRA review for the CDC Contact Information
Collection until the close of the public comment period.

8

9

See supra note 5, Airlines IFR Comments (recommending that the CDC should withdraw the IFR and “adopt
digital portals (i.e., website and mobile application) and require passengers to provide contact information directly
to the CDC for COVID-19, relying on CDC’s explicit authority to compel individuals to provide such
information”) (citing 42 C.F.R. § 71.20).
Cf. 44 U.S.C. § 3506 (requiring agencies to certify that the information collection is not unnecessarily duplicative
of information otherwise reasonably accessible to the agency); 5 C.F.R. § 1320.5(d)(1)(ii) (requiring the agency to
demonstrate that it has taken every reasonable step to ensure that the prosed collection of information is not
duplicative of information otherwise accessible to the agency); OIRA, Memorandum for the Heads of Executive
Departments and Agencies (June 22, 2012) (recognizing that Executive Order 13610 requires agencies to focus on
“cumulative burdens”).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 5 of 37
I.

The Airline Contact Information Collection Does Not Improve the Quality of the
U.S. Government’s Information.
A purpose of the PRA is to “improve the quality and use of Federal information to

strengthen decision making, accountability, and openness in Government and society.” 10
Notably, this purpose is so important that CDC is obligated to and did seek public comment on
the information quality. 11 We submit that the Airline Contact Information Collection fails to
meet that purpose. Specifically, the CDC’s goal is “[t]he collection of timely, accurate, and
complete conveyance and traveler information.” 12 The CDC states that “[o]nly through
collecting [contact] information directly from the airlines via travelers can the most up to date
information be made available to CDC.” 13 This assertion is incorrect because it fails to consider
CDC’s direct collection of contact information from the passenger, or access to existing contact
information already held by other agencies (i.e., U.S. Department of Homeland Security
(“DHS”), the U.S. Department of State (“State Department”), and the U.S. Citizenship and
Immigration Services (“USCIS”)).
As explained repeatedly in our comments to the IFR, airlines cannot validate or otherwise
ensure the accuracy of the contact information that they will collect from passengers or are
provided from ticket agents or other third parties (e.g., other airlines). As A4A recently
explained to the U.S. Senate Committee on Commerce, Science, and Transportation: “
We only sell 50 percent of our own tickets. So [if] somebody comes back to us and says
that my email address is Mickey Mouse and you know Disney World dot com, we don’t
44 U.S.C. § 3501(4).
44 U.S.C. § 3501(c)(2)(A)(ii) and supra note 2, Airline IC PRA Review at 21,236.
12
See CDC, Airline Vessel Traveler Information Collection (42 CFR 71) (OMB Control No. 020-1180) Request for
Revision 4-5 (submitted Mar. 20, 2020) (“CDC anticipates that this information collect as specified in regulatory
provisions will improve the submission of more timely, accurate, and complete traveler contact information by air
and maritime companies.”) (hereinafter “Airline Collection Supporting Statement”) available at
https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202003-0920-014. See also, supra note 4, IFR
at 7,876.
13
See supra note 12, Airline Collection Supporting Statement at 8.
10
11

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 6 of 37
have a real way to check that. We don’t know. We can’t find out if they have a second
phone number or not. . . .
Currently, as you know, we have a passenger name record and advanced passenger
information system where much of the data requested that the government would like to
have cannot be verified by us. In some case, it can in many cases [it] is not because we
don’t sell all of our own tickets.
There’s global distribution systems, there’s travel agents and then there’s other airlines
where we have connecting passengers. We can’t validate the email address and
oftentimes don’t usually get anything near the address, phone numbers, or the physical
address. We think this is a government function. Its’ one that can be easily handled, it
needs to be required and it would work more quickly and better if the government were to
do it . . . . 14

In sum, while the Airline Contact Information Collection may get the CDC more passenger
contact information, it does nothing to ensure the accuracy or quality of that information.
Unlike the Advance Passenger Information System (“APIS”) data, which resides on
machine readable zones of government-issued identity documents, the data elements CDC is
pursuing in the IFR are not tied to any government-issued identity document. Thus, airlines
might request the new data elements, but they have no means to validate that any data submitted
is either timely or accurate.
On the other hand, as explained in our comments to the IFR and alluded to in testimony
to U.S. Senators, the CDC has the authority to compel passengers, under law, to directly provide
contact information to the CDC or another U.S. Government agency. 15 We submit that a U.S.
government mandate and threat of penalty of law for submission of inaccurate information to the
U.S. Government will ensure that the contact information that the CDC receives directly from
passengers (or was provided by passengers to other U.S. Government agencies) is of far better

14

The State of the Aviation Industry: Examining the Impact of the COVID-19 Pandemic: Hearing Before the S.
Comm. on Commerce, Sci., & Transp., 116th Cong. (May 6, 2020) (statement of Nicholas Calio, Pres. & CEO,
A4A).
15
See supra note 5, Airlines IFR Comments at 45 – 46.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 7 of 37
accuracy and quality than the contact information that will be collected by airlines and
transmitted to the CDC under the IFR.
II.

The Airline Contact Information Collection is Duplicative and Unnecessary.
The PRA requires that agencies “certify (and provide a record supporting such

certification, including public comments received by the agency) that each collection of
information submitted to [OMB]— . . . (B) is not unnecessarily duplicative of information or
otherwise reasonably accessible to the agency.” 16 The IFR requires that airlines collect, at all
times and for all flights arriving into the United States, five passenger contact information
elements—name, address, primary and secondary phone numbers, and an email address. 17 Much
of this information is already collected by the U.S. Government, including the CDC, and is
reasonably accessible to the CDC. Accordingly, we submit that the CDC cannot make such
certification, and that the Airline Contact Information Collection is therefore unnecessary for the
proper performance of CDC’s functions. 18
First and foremost, the CDC uses the passenger locator form (“PLF”) to get contact
information directly from passengers, particularly “when there is a strong confirmation or strong
suspicion that an individual(s) aboard a flight is infected with or exposed to a communicable
disease that is a threat to co-travelers, and CDC is made aware of the individual(s) prior to arrival
in the United States.” 19 This form includes all five elements that the IFR requires the airlines to
collect. 20 Thus, the airlines’ collection of passenger contact information from those passengers
44 U.S.C. § 3506(c)(3)(B). See also 5 C.F.R. § 1320.8(d)(1)(ii).
42 C.F.R. § 71.4(d).
18
See 44 U.S.C. § 3506(c)(3)(A); 5 C.F.R. § 1320.8(d)(1)(i); supra note 2, Airline IC PRA Notice at 21,236.
19
See supra note 3, CDC IC PRA Notice at 23,357.
20
See CDC, Airline and Traveler Information Collection: Domestic Manifests and the Passenger Locator Form (42
CFR parts 70 and 71) (OMB Control No. 0920-1181) 3 (Mar. 4, 2020) (hereinafter “CDC Collection
Justification”) available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202003-0920-003.
16
17

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 8 of 37
is duplicative and unnecessary. More importantly for COVID-19, which CDC asserts is the basis
of and limitation to the IFR, 21 the CDC has developed an electronic (website) version of the PLF
(“ePLF”) at https://tdc.cdc.gov for “travelers who are on the same flight as an individual who has
visited a location with a Level 3 CDC Travel Notice.” 22 The CDC has issued a global Level 3
travel notice, recommending that travelers avoid all nonessential international travel. 23
Accordingly, currently, every international passenger is subject to CDC’s collection of contact
information through the ePLF and directly from the passengers, which render the airlines’
collection of passenger contact information under the IFR duplicative and unnecessary.
Second, the CDC fails to acknowledge adequately that substantial passenger contact
information is already collected by U.S. government agencies and is readily available to the CDC
for contact tracing purposes. For example, the CDC’s own 2017 report acknowledges that the
CDC can obtain an address and single phone number from over 90% of passengers based upon
the pre-IFR rules and other government collections. Under DHS’s Electronic System for Travel
Authorization (“ESTA”) program for the Visa Waiver Program, passengers must already provide
their names, telephone numbers, contact phone numbers and email addresses, and destination
addresses, as well as employment addresses, phone numbers, and emails. 24 Under DHS’s
Electronic Visa Update System (“EVUS”) for Chinese nationals who wish to travel to the United
States with a full validity 10-year visitor visa, passengers must provide their names, addresses,

See supra note 4, IFR at 7,874. But see, supra note 5, Airlines IFR Comments at 39 – 40 and 46 – 47 (discussing
the broader application of the IFR beyond COVID-19).
22
See supra note 20, CDC Collection Justification at 3. See Attachment B, containing screenshots of the ePLF,
available at https://tdc.cdc.gov/ and https://tdc.cdc.gov/PassengerLocator/Index?lan=English.
23
See CDC, Global COVID-19 Pandemic Notice (March 27, 2020), available at
https://wwwnc.cdc.gov/travel/notices/warning/coronavirus-global.
24
See supra note 5, Airline IFR Comments at 23.
21

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 9 of 37
telephone numbers, emails, an destination addresses. 25 Additionally, U.S. passport applicants
must provide the State Department their names, addresses, telephone numbers, email addresses,
and both mailing addresses and permanent addresses (if different). USCIS requests residency
applicants to provide their names, mailing addresses, telephone numbers, and emails.
In sum, the CDC already has many sources for the same information that the CDC now
wants to burden the airlines to collect and transmit to the CDC under the IFR. Because the
Airline Contact Information Collection is duplicative, it is therefore unnecessary and contrary to
the purposes of the PRA, including minimizing the paperwork burden on private entities and
maximizing the utility of information that is already collected by the U.S. government. 26 In
other words, the airlines’ collection and transmission of passenger contact information to the
CDC under the IFR is not “necessary for the proper performance of the functions” of the CDC. 27
III.

The PRA Review for the Airline Contact Information Collection Is Based on
Inaccurate Estimates and Assumptions.
The PRA Reviews specifically seek public comments so that CDC and the OMB can

“evaluate the accuracy of the agencies estimate of the burden of the proposed collection of
information, including the validity of the methodology and assumptions used.” 28 In addition to
the infirmities regarding CDC’s lack of disclosure regarding its estimates, as discussed in Section
VII.B below, many of the CDC’s estimates regarding the Airline Contact Information Collection
are inaccurate and/or based upon incorrect assumptions. Moreover, the PRA Reviews also fail to
consider additional costs that will be borne by airlines and other parties.

Id. at 25.
See 44 U.S.C. § 3501.
27
44 U.S.C. § 3506(c)(2)(A)(i).
28
See supra note 2, Airline IC PRA Notice at 21,236 and supra note 3, CDC IC PRA Notice at 23,357.
25
26

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 10 of 37
A.

Inaccurate Estimates and Incorrect Assumptions in the Airline Contact
Information Collection PRA Review.

The CDC estimates that “some 12 US major carriers and 61 major foreign carriers will
modify their data systems, or contract with third party reservation system providers, to ensure
that the information required under the IFR is transmitted using existing mechanisms to [U.S.
Customs and Border Protection (“CBP”)] (e.g., PNR, APIS, eAPIS).” 29 This estimate is based
on incorrect assumptions and is altogether incorrect. First, although we do not know the metric
by which CDC considers carriers to be “major” and have not received an explanation from
CDC, 30 we submit that substantially more airlines will have to modify their data systems or
contract with third party reservation system providers to comply with the IFR. In October 2019,
18 U.S. airlines flew more than 500 passengers from foreign destinations into the United
States. 31 In that same month, over 106 foreign airlines flew more than 500 passengers from
foreign destinations into the United States. 32 For these airlines to avoid the costly and
unreasonable manual information collection and related data entry for their passengers, all 124
airlines would have to modify their data systems or contract with third-party reservation system
providers to efficiently and automatically capture this information. Moreover, the CDC’s
estimate is inaccurate. Airlines that fly fewer passengers from foreign locations to the United
States also have data systems that would need to be updated to collect and transmit passenger
contact information. In fact, 183 air carriers fly, on average, more than one person daily from
foreign locations to the United States. 33 Also, based upon information from CBP, we understand

See supra note 2, Airline IC PRA Notice at 21,236.
See supra Section VII.B, discussing the CDC’s failure to provide its methodologies and assumptions.
31
Based on U.S. Department of Transportation (“DOT”) Bureau of Transportation Statistics (“BTS”) T-100 data.
32
Based on DOT BTS T-100 data.
33
See supra note 5, Airlines IFR Comments at 15.
29
30

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 11 of 37
that substantially more than 100 air carriers transmit information through interactive APIS and
have a reservation system and are required to provide CBP with access to Passenger Name
Records (“PNR”). 34 Given this information, we submit that CDC’s estimate is arbitrary and not
based upon available data from CBP regarding the actual number of air carriers that submit
passenger information through interactive APIS or PNR. We strongly recommend that CDC get
an accurate number from CBP of air carriers that submit information through PNR or interactive
APIS to CBP. In fact, CBP estimates that 1,130 commercial airlines submit information to CBP
through APIS. 35 As an alternative to getting an accurate number from CBP, and at a minimum
to be conservative, we recommend that the CDC should revise its estimate to 183 airlines.
Second, this estimate is based on an unsupported assumption that non-major air carriers
are situated differently than “major” air carriers and would not have to modify data systems or
contract with third-party reservation system providers. Moreover, the CDC gives no assumption
or related explanation that costs and burdens for non-major air carriers that do not have to change
systems (or contract with third-party reservation system providers) would be materially lower
than the costs and burdens for major air carriers. We submit that many non-major carriers would
have data systems that would need to be upgraded to capture passenger contact information,
whether submitted through PNR, APIS, or eAPIS. Many major carriers rely on relationships
with smaller carriers, or carriers that are not currently regulated by the U.S. government, to
broaden their market reach. Thus, a passenger may originate on a carrier that does not serve the
United States. That carrier will also have to modify its systems to collect the requested data to
successfully process that passenger to his final destination.
34
35

See infra note 35 and accompanying text.
See CBP, Agency Information Collection Activities: Passenger and Crew Manifest, 85 Fed. Reg. 29,469, 29,470
(May 15, 2020) (hereinafter “CBP APIS PRA Review”).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 12 of 37
The CDC estimates that it will cost $700,000 per “major carrier” to modify data systems
or contract with third-party reservation system providers to make the changes necessary to
comply with the IFR. 36 It states the total cost would be $51,000,000 based upon the number of
estimated major carriers (73) that would have to make these changes. These estimates are
inaccurate.
First, the CDC appears to have ignored cost-related comments to the IFR, which were
submitted before the CDC concluded its analysis of the potential costs to airlines. At that time,
we estimated that “the costs to modify systems for most passenger airlines will be considerably
more than $1 million per airline.” 37 We also noted that some airlines estimated that their costs
would range from $23-46 million.38 In separate comments, one airline estimated that
“reconfiguration of [the airline’s] internal data collection systems and sharing protocols to fully
comply with the IFR will result in $74,000 in additional daily expenditures, amounting to a total
annual cost of $27,000,000.” 39
Second, because airlines have not received technical specifications from the CDC
regarding how to comply with the IFR, including “the format acceptable to the Director”
regarding how airlines should send the information to the CDC (i.e., via Passenger Name Record
(“PNR”) or Advance Passenger Information System (“APIS”)) and the format of the airlines’
information (e.g., acceptable coding for passengers that refuse to give the information or give
partial information), 40 it is impossible for airlines to accurately estimate the potential upgrade

See supra note 2, Airline IC PRA Notice at 21,236 and supra note 12, Airline Collection Supporting Statement at
15.
37
See supra note 5, Airlines IFR Comments at 15.
38
Id. 16-17.
39
See Comments of American Airlines, Inc. (Mar. 13, 2020) (Docket CDC-2020-0013).
40
Airlines have repeatedly asked the CDC for technical specifications so that the airlines may begin planning and
implementing solutions to the IFR. The CDC has not responded to the airlines’ requests.
36

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 13 of 37
costs to comply with the IFR. Remarkably, CDC now asserts it can estimate the costs despite
not having these specifications. Airlines, on the other hand, have developed rough estimates
based on existing information from CDC or estimated a range of costs based upon various
assumptions (e.g., transmission through PNR or APIS).
Based upon additional analysis by airlines, we conservatively estimate that it will cost
most airlines between $1.48 million and $2.53 million per airline to update data systems. 41
Some airlines continue to estimate dramatically higher costs, including in the range of $31
million to $35 million.42 Even excluding these dramatically higher costs for some airlines and
applying our conservative estimate across all airlines, we estimate that the total cost to the major
airlines will be $271 million to $463 million,43 approximately five to nine times CDC’s estimate.
The CDC estimates that it will take passengers 30 seconds to provide airlines with their
contact information and believes this to be an overestimate “because CDC anticipates that
airlines have much of this information already and that collecting this information is already part
of their reservations process, thereby reducing the burden of collecting this information on
travelers.” 44 The CDC’s estimate and belief are inaccurate. First, at the time of booking (or
even at check-in), passengers (especially non-U.S. residents) may not have the address where

Based on five major U.S. airlines estimates of: $795,000; between $1 million and $4 million; $1.6 million;
between $1 million and $1.25 million; and between $3 million and $5 million. These programming costs are
based on the multiple systems that the airlines will have to modify.
42
This higher estimate includes a base upgrade estimate of $8 million to $10 million based on the implementation of
similar data solutions for U.S. Department of Homeland Security requirements, an additional $10 million in costs
to enhance and extend EDIFACT and all systems that publish or consume EDIFACT data to ensure that all
participating airlines and partners can exchange or deliver the collected data, and an additional $13 million to $15
million in lost opportunity costs by the delay of planned strategic projects. This does not include the potential
additional costs in the event that EDIFACT must be updated, which are estimated to double or triple the total
programming costs.
43
Multiplying the estimated costs per airline by 183 airlines.
44
See supra note 2, Airline IC PRA Notice at 21,237 and supra note 12, Airline Collection Supporting Statement at
12.
41

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 14 of 37
they are staying in the United States, nor two phone numbers and an email where they may be
reached while in the United States. Accordingly, passengers will have to spend additional time
after the booking process to give their contact information to the airline, either by contacting a
reservations agent by phone, communicating with a ticket or gate agent at the airport, or
providing the information while checking-in with the airline. If the passenger does not have easy
access to the hotel or destination information (e.g., website), the passenger will have to spend
additional time calling or otherwise researching the contact information for the hotel or
destination. Accordingly, we anticipate that a substantial number of passengers will take longer
than 30 seconds to recall or research and provide complete contact information to airlines.
Second, the CDC is incorrect that airlines already collect much of the information from
passengers that the CDC now seeks to collect from the airlines. Although airlines may collect
phone numbers, addresses, and emails from passengers, they do not specifically collect contact
information related to the passenger’s travel or location while in the United States. For example,
an airline may collect a billing address for a passenger’s credit card, but such credit card may be
registered with a foreign residence or a business which is unrelated to the location where a
passenger is staying in the United States. Airlines may generally ask for phone numbers or
emails, but because such information is intended to contact the passenger prior to travel (such as
to inform them of flight delays or cancellations), passengers may and often will provide airlines
the contact information that does not meet the CDC’s needs and requirements, such as home
phone numbers in foreign locations or work email addresses that are not available while traveling
in the United States. Especially for travelers making reservations while living or working
outside the United States, none of the contact information they provide to airlines may satisfy the
CDC’s contact tracing needs and requirements. It would also not be feasible to force all

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 15 of 37
passengers to only provide United States contact information at the time of booking, as
international travelers may not have a billing address or a valid pre-departure contact phone
number or email address in the United States.
In sum, the CDC inaccurately estimates the process by which passengers will give and
airlines will collect the contact information sought by CDC. Many passengers are unlikely
prepared to give the required information and will require additional time to do so, while airlines
do not have the process to collect the specific information sought by the CDC. The CDC should
recalculate its estimate based upon this additional information.
The CDC also assumes that it will take the same amount of time (30 seconds) for airline
personnel to solicit the information from customers and believes that this is overestimated for the
same reasons that it believes the estimate for passengers is overestimated and because airlines
will have an ability to record the traveler information via an electronic means (i.e., airline
reservations website or mobile application) requiring no airline staff time. 45 Although we
anticipate that a majority of passengers eventually will be able to submit their contact
information through electronic means (after the CDC provides the specifications for airlines to
collect and transmit the data to CDC and airlines are able to implement the data system updates,
which we anticipate will take most airlines 12-18 months), this does not mean that airlines will
have to spend no more than 30 seconds to solicit contact information for a substantial number of
passengers. For example, for those passengers that book travel through telephone reservations
agents, airlines will have to explain the specific information needed (i.e., contact information
while in the United States), solicit the information from the passenger, and input that information

45

See supra note 2, Airline IC PRA Notice at 21,237 and supra note 12, Airline Collection Supporting Statement at
12.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 16 of 37
into the passenger’s record. Additionally, for passengers that book travel through third-party
travel agents that do not transmit the requisite contact information to the airline, airlines will
have to solicit information directly from the passenger. Notably, for customers that ultimately
decide not to travel with the airline, this additional time and costs are baseless—the airline
ultimately has no reason to assume such burden for that customer. Also, for those passengers
that did not have their U.S. contact information readily available at booking, the airline will have
to make some type of determination that the information the passenger provided does not satisfy
the CDC’s requirements, explain the additional information needed, and solicit such information
a second time. Based on airlines’ experience with the current APIS requirement to provide an
address for a foreign visitor’s first night in the United States, 46 airlines find it difficult to explain
the requirement to passengers and overcome language barriers, wait for passengers to locate the
information, and/or spend additional time with such passengers at the airport during the critical
check-in or boarding processes. Our airlines estimate that solicitation of contact information
from passengers, when not conducted electronically, will conservatively take at least 75
seconds, 47 two and a half times CDC’s estimate.
The CDC estimates that passengers will have to provide, and airlines will have to collect,
contact information from 110,000,000 passengers. Because the IFR is not keyed to the COVID19 pandemic and will continue in perpetuity, 48 we presume that the Airline Contact Information
Collection will continue long after the airline industry has recovered from the COVID-19

See supra note 5, Airlines IFR Comments at 20 and App’x D 3
A4A airlines estimate the time for employees to solicit, collect, and input contact information from passengers
will range from 75 seconds to 3 minutes.
48
See supra note 5, Airlines IFR Comments at 39-40 (explaining that the text of the IFR is not keyed to COVID-19
and that the rule contains no sunset provision).
46
47

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 17 of 37
pandemic. In fact, CDC’s own estimates look past COVID-19. 49 Accordingly, and in
consideration of other current U.S. Government estimates, we submit that CDC’s estimate is
inaccurate. In fact, CBP predicts that 184,050,663 commercial airline passengers will have to
provide information to CBP for purposes of the APIS information collection. 50 CBP also
predicts that 460,000 aircraft pilots will have to provide information to CBP to satisfy the APIS
requirements. 51 In total, CBP predicts that 184,510,663 persons will have to provide information
through APIS. We submit that the CDC should adopt this total number as its estimate for the
number of persons that will have to provide contact information pursuant to the IFR.
In sum, we submit that CDC’s estimates and assumptions are incorrect or misplaced and
strongly urge the CDC to adopt the estimates herein and reassess the total costs and burdens for
the Airline Contact Information Collection. Before doing so, however, the CDC should ensure
that it considers all costs and burdens by stakeholders, not just those currently estimated.
B.

Costs and Burdens Not Estimated by CDC

The purpose of the PRA is to “minimize” the burden of collections of information for the
U.S. Government. 52 The CDC cannot minimize the burdens if it does not recognize them. 53 We
submit that CDC’s omission of certain costs and burdens for the Airline Contact Information
Collection PRA review is substantial and significant. Specifically, the CDC must consider

See supra note 12, Airline Collection Supporting Statement at 12 (explaining the estimate “to ensure that no
underestimation of burden occurs in the future”).
50
See supra note 35, CBP APIS PRA Review at 29,471. The CDC may also consider the most recent annual
volume of international passengers to the United States: 127 million passengers, based on APIS data collected by
U.S. Department of Commerce National Travel & Tourism Office.
51
Id.
52
See 44 U.S.C. § 3501
53
Cf. 5 C.F.R. § 1320.3(b) (defining burden broad to include “time, effort, and financial resources necessary to
comply with a collection of information”) (emphasis added); Adam M. Samaha, Death and Paperwork Reduction,
65 Duke L. J. 279, 292 (2015) (“Perhaps the Act’s definitional provision, in context, is best interpreted such that a
paperwork “burden” can be any of these things and none should ever be ignored.”).
49

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 18 of 37
airlines’ operational costs to implement and operate the new passenger contact information
collection systems, including but not limited to:
•

The number of crewmembers and the time required for crewmembers to provide
updated contact information to airlines, as well as the costs of crewmember time; 54

•

Updating airline data systems to collect and update crewmember contact information
and transmit that information to the CDC;

•

Increased data storage costs; 55

•

Increased reservation center call times, requiring additional staffing;

•

Increased airport operation customer contacts (e.g., ticket counter agents and gate
agents);

•

Training costs for airline agents at reservation call centers and at airports; and

•

Increased airport kiosk needs; and

•

Alternative procedures when government system outages occur.

Excluding time and costs related to crewmember contact information collection and
transmission, we estimate that the annual operational costs for most airlines will range from $9.3
million to $15.4 million per airline. 56 Applied across 183 airlines, 57 we estimate that the annual
costs to the industry will range from approximately $1.7 billion to $2.82 billion. Over 10 years,
these costs will range from $17 billion to $28.2 billion. Ultimately, these costs will be passed on
to the passengers, making air travel more expensive and less accessible.
The CDC also fails to estimate or even consider the costs for other stakeholders that may
be directly or indirectly involved in the collection of passenger contact information, including:
See e.g., CBP, Supporting Statement Passenger and Crew Manifest (OMB Control No. 1651-0088) (uploaded
June 2, 2017) (estimating the costs of pilot time to submit information via APIS) available at
https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201701-1651-001.
55
The CDC requires that airlines collect passenger contact information all the time, but only requires transmission
upon an order from the Director of the CDC. 42 C.F.R. § 71.4(d). Accordingly, airlines will have to store the
information for an indeterminate period of time, unless the CDC provides technical specifications with respect to
data storage requirements.
56
Based on five major U.S. airlines estimates of: $17.8 million; between $10 million and $20 million; between
$13.86 million and $27.72 million; between $3.8 million and $9.5 million; and between $1 million and $1.5
million. One airline estimated that the annual increased IT costs alone would be $250,000.
57
See supra note 33 and accompanying text.
54

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 19 of 37
•

The burden and costs to non-major airlines and other air carriers (e.g., charter
airlines) that don’t have passenger data systems and may have to develop passenger
data systems and/or increase staffing to collect and provide the substantial volumes of
contact information via PNR, APIS, or eAPIS; 58

•

Ticket agents (including online ticket agents) and global distribution systems that
populate the airlines’ passenger data systems with customer data and will have to
update their data systems and increase staffing to solicit contact information;

•

Increased customer contact time for hotels and other destinations to respond to
customers requests for contact information; and

•

Costs to DHS and CBP to modify data systems to receive the information.

We cannot adequately estimate these costs, in part because of the lack of technical specifications
from CDC, but submit that they are not insignificant, particularly given the typical number of
people that take air transportation from foreign locations to the United States and the costs borne
by these stakeholders in implementing other similar programs like ESTA, EVUS, and the
Australian Electronic Travel Authorization), and that a proper exploration of those burdens and
costs should be conducted through an NPRM, which would also permit exploration of whether
such burden could be minimized by automating the confirmation process in coordination with
CDC and DHS.
In sum, we submit that CDC must reassess the costs to the airline industry and third
parties and include all potential burdens so that CDC can determine whether it has minimized
such burdens.

58

We understand based upon information from CBP that over 1,000 air carriers provide information through eAPIS.
See supra note 35, CBP APIS PRA Review at 29,470. We submit that CDC’s assumption that small carriers will
not have to purchase equipment and/or incur programming expenses to comply with this information collection
based on the use of eAPIS is incorrect. Small airlines will still have to collect the information and store that
information before submitting it through APIS. Additionally, CDC fails to consider the operational costs for
small carriers to collect the information.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 20 of 37
As we have noted before, 59 the total estimated costs for airlines alone (including
estimated costs in Section III.A and III.B) will far exceed the threshold of the Unfunded
Mandates Reform Act of 1995 (“UMRA”), which is $164 million.60 Including an accurate
estimate of costs to passengers, we have no doubt the UMRA threshold is surpassed.
Accordingly, the CDC must meet its UMRA obligations, including considering “a reasonable
number of regulatory alternatives and from those alternatives selecting the least costly, most
cost-effect or least burdensome alternative that achieves the objectives of the rule.” 61
IV.

The Airline Contact Information Collection Shifts Disproportionate Costs from the
U.S. Government to the Airline Industry.
Under the OMB’s regulations implementing the PRA, CDC “shall also seek to minimize

the cost to itself of collecting, process, and using the information, but shall not do so by means
of shifting disproportionate costs or burdens onto the public.” 62 We submit that the Airline
Contact Information Collection shifts disproportionate costs or burdens onto the public.
Based on our above estimates, the Airline Contact Information Collection will cost
airlines approximately $1.97 billion to $3.28 billion in the first year alone, not only for the
upgrading of systems, but also the operation of the passenger contact information systems (e.g.,
reservation call center costs). Importantly, this does not include the costs to smaller airlines and
air carriers, as well as third parties (e.g., ticket agents, global distribution systems, hotels and
destinations), which the CDC must estimate and minimize. Comparatively, the CDC has already
created its own electronic contact information collection system with the ePLF. The CDC

See supra note 5, Airlines IFR Comments at 48.
See Congressional Research Service, Unfunded Mandates Reform Act: History, Impact, and Issues 3 (Jan. 2,
2020) (noting that the 2019 threshold amount for private sector mandates is $164 million).
61
See 2 U.S.C. § 1535.
62
See 5 C.F.R. § 1320.5(c)(d)(iii)
59
60

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 21 of 37
estimates that it will collect contact information from 2.7 billion passengers flying from foreign
locations to the United States for purposes of outbreaks of public health significance. 63 It
estimates that the total annual costs to the CDC for the ePLF (along with other information
collections, including paper-based information collections) are approximately $355,282. 64 We
submit that any necessary scale-up of the ePLF to cover all passengers flying from foreign
locations to the United States would be de minimis and be limited. We presume that CDC has
already taken such costs into consideration given that the ePLF is targeted for Level 3 Travel
Notices and CDC has issued a global Level 3 Travel Notice that covers all passengers entering
the United States from foreign locations. Importantly, CDC’s ownership and control of the ePLF
allows the agency to make changes quickly and directly to the information that it seeks from
passengers to immediately react to any new crisis without relying on any third-party collection
process which would undoubtedly result in delays.
Additionally, we estimate that the potential to incorporate confirmation of CDC’s
successful collection of contact information directly from the passenger by airlines’ checkin/boarding systems, particularly through existing interactive DHS platforms (e.g., APIS Quick
Query, commonly referred to as AQQ), would dramatically reduce the potential costs for
airlines, including the increased airline employee time to “confirm submission of the information
by reviewing a message that is crated and sent to the traveler’s device in response to a completed
PLF.” 65 One major U.S. airline estimates that the data system modifications to incorporate
confirmation of CDC’s collection of contact information would cost approximately $250,000,

See supra note 3, CDC IC PRA Notice at 23,358.
See OMB, View ICR – Agency Submission OMB Control No. 0920-1181 (certification Mar. 4, 2020) (“CDC
Collection Submission”) (Attachment C) available at
https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202003-0920-003.
65
See 5 C.F.R. § 1320.8(d)(1)(iv).
63
64

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 22 of 37
which is less than one quarter of the expected modification costs for most airlines to modify
systems to comply with the IFR. Below is a table of the estimated costs of this CDC-airline
solution, compared to CDC’s IFR costs.
Costs

CDC-Airline Solution

IFR

CDC Annual Costs

$355,282

$910,093 66

Airlines Upgrade Costs

$45,750,000
$271 million to $463
(183 airlines x $250,000/airline) million67

Total Costs (First Year)

$46,105,282

$222 million to $464 million

We acknowledge that these estimates do not include the costs to CDC and DHS to modify their
systems to send confirmation messages to the airlines, the costs for small air carriers to confirm
submission by message review, or airlines’ operational costs which we submit will be less than
or equivalent to the airlines’ operational costs under the IFR because of the significantly reduced
burden of not having to collect information from passengers. However, we submit that the
overall costs of the CDC-airline solution will be significantly lower than the costs of the IFR.
V.

The Airline Contact Information Collection Does Not Minimize the Burden on
Airlines.
As required under the OMB rules, 68 the CDC explicitly asks for public comments so that

the CDC may “minimize the burden of the collection on those who are to respond, including,
through the use of appropriate automated, electronic, mechanical, or other technological
collection techniques or other forms of information technology, e.g., permitting electronic
submission of responses.” 69 We submit that the IFR and the Airline Contact Information

See OMB, View ICR – Agency Submission (OMB Control No. 0920-1180) (certification Apr. 16, 2020) available
at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202003-0920-014.
67
See infra Section III.A.
68
5 C.F.R. § 1320.8(d)(1)(iv)
69
See supra note 2, Airline IC PRA Notice at 21,236.
66

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 23 of 37
Collection do not minimize the burdens because they fail to provide airlines with the necessary
information to implement collection and transmission solutions.
First and foremost, the IFR requires that airlines transmit passenger contact information
“in a format acceptable to the Director” without any further instruction. 70 Despite requesting
which format is acceptable to the Director, 71 airlines have not received any guidance and are left
guessing how they should implement solutions. Accordingly, airlines may sink costs into
solutions that are unacceptable, require additional expenditures, and increase the costs to airlines.
Second, for the Airline Contact Information Collection, the CDC states that “[t]he
protocols and processes used for this data collection are continually updated and improved for
quality of data collection and ease of use for both the public, industry and CDC program
administrators.” 72 If this is the case, airlines will have to undertake repeat data systems
modification costs to update their data collection and transmission to the CDC, ultimately
delaying CDC’s ability to obtain information which may be critical to the health of the
homeland. Not only does this fail to minimize the burden through technology, it exacerbates the
shift of disproportional costs from the CDC to airlines. If a single government system is
adopted, only one system will have to be updated to collect different information from
passengers, while an airline solution will involve hundreds of airlines and air carriers and cost
hundreds of millions of dollars over and over for each change.

See supra note 4, IFR at 7,880 (42 C.F.R. § 71.4(d)).
The CDC asserts that “CDC is continuing to have meetings with air industry and federal partners to facilitate the
collection of the information using existing mechanisms.” See supra note 12, Airline Collection Supporting
Statement at 9. This is incorrect. Since our last communication with the CDC on March 2, 2020, the CDC has
not communicated, met, or offered to collaborate with the airlines.
72
See Airline and Vessel Traveler Information Collection (42 CFR part 71) (OMB Control No. 0921-1180) Request
for New Information Collection 4 (Mar. 20, 2020) (B. Collections of Information Employing Statistical Methods)
(hereinafter “Airline Collection Statistical Methods”).
70
71

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 24 of 37
Third, by placing the burden on airlines to collect this information (particularly from
international passengers in foreign jurisdictions prior to their entry into the United States),
airlines face risks associated with privacy laws that attach to airlines’ collection of such contact
information. 73 We reiterate our comments to the IFR regarding the risks associated with
regulations that require airlines to directly collect personal information from passengers. 74
Airlines can be held responsible under the laws of other countries for transferring such personal
information to the U.S. Government without adequate privacy safeguards in place, and fines,
penalties, or other regulatory consequences may attach.
Airlines should not be required to collect personal information from passengers and
provide this information to the U.S. Government, unless and until thorough investigation and full
vetting of the privacy implications of such regulatory requirements and privacy safeguards are
established that mitigate the risks airlines might face under other nations’ laws from complying
with the IFR. The only way for the CDC to effectively mitigate this risk to airlines under
regulations, such as the EU’s General Data Protection Regulations (“GDPR”), is to build privacy
safeguards into any regulations requiring the collection of personal information (including
contact information) from passengers. As noted in our comments to the IFR, where airlines are
responsible for collecting personal information and transferring it to the CDC, the US-EU PNR
Agreement would be an appropriate model to use for incorporating privacy safeguards into CDC
regulations requiring personal information. 75 Alternatively, the direct collection of personal

For example, the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679 (Apr. 6,
2016), available at https://eur-lex.europa.eu/eli/reg/2016/679/oj, hereinafter “GDPR”) strictly regulates the
collection and use of personal information including contact information of EU data subjects, including EU
citizens or residents booking travel on U.S. airlines.
74
See supra note 5, Airlines IFR Comments at 57 – 75.
75
The Agreement between the United States and the European Union on the Use and Transfer of Passenger Name
Records of 2011 to the United States Department of Homeland Security.
73

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 25 of 37
information from passengers by the CDC would not only eliminate airlines’ cost burdens in
overhauling their systems and processes to collect the additional data sought by the CDC, but
also eliminate the costly risk of airlines facing privacy violations under laws such as the GDPR.
In sum, although the CDC sought to minimize the burden by limiting the amount of data
collected from each passenger, it has failed to minimize the burden that airlines must undertake
regardless of the amount of data collected, particularly in data system modification costs and
privacy risks.
VI.

CDC Contact Information Collection
We fully support the CDC’s collection of contact information directly from passengers.

As explained in Sections I and IV above, as well as in our comments to the IFR, we submit that a
CDC- or U.S. Government-owned and controlled website will produce more accurate and costefficient information for the CDC to perform its contact tracing functions than the IFR and the
Airline Contact Information Collection. In fact, the CDC itself has acknowledged that its
“responsive web application version [of the PLF] will streamline the collection of the
information and better allow CDC to work with state and local health departments to provide
appropriate public health follow-up in response to COVID-19.” 76
However, in the middle of the 30-day public comment period and without explanation,
the CDC materially changed the CDC Contact Information Collection. We submit that CDC’s
newest proposal for this information collection is deficient and the CDC must consider the earlier
proposal of using its contact tracing website.

76

See supra note 20, CDC Collection Justification at 3 – 4.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 26 of 37
Specifically, on March 4, 2020, the CDC proposed to collect contact information directly
from passengers through a CDC website. 77 As explained above, the CDC estimated that the
costs of such program would be $355,282. 78 Then, on May 13, 2020, the CDC revised its
proposal to exclude the CDC website and only use the paper version of the PLF, increasing the
costs to the CDC. 79 Now, the CDC asserts “the hard copy form is the only version formally
approved by [the International Civil Aviation Organization (“ICAO”)], the formal owner of the
PLF.” 80 Because the CDC has not given an explanation for abandoning its March proposal for
the website version of the PLF, we presume that its new assertion regarding ICAO’s approval is
the basis for changing the information collection.
First, the CDC’s assertion that it cannot use an electronic version of the PLF is incorrect.
ICAO’s Annex 9 to the Convention on International Civil Aviation (Chicago Convention), the
International Standards and Recommended Practices for Facilitation (“Annex 9”), states:
8.15.1 Recommended Practice.— When a public health threat has been
identified, and when the public health authorities of a Contracting State require
information concerning passengers’ and/or crews’ travel itineraries or contact
information for the purposes of tracing persons who may have been exposed to a
communicable disease, that Contracting State should accept the “Public Health
Passenger Locator Form” reproduced in Appendix 13 as the sole document for
this purpose. 81
Most importantly, the use of ICAO’s PLF is a “recommended practice.” It is not an
“international standard” and the U.S. Government does not need to file a difference with ICAO

See supra note 64, CDC Collection Submission.
Id.
79
See OMB, View ICR – Agency Submission (OMB Control No. 0920-1181) (certification May 13, 2020)
(estimating annual costs to the CDC of $818,871) (Attachment D) available at
https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202004-0920-009.
80
See CDC, Airline and Traveler Information Collection: Domestic Manifests and the Passenger Locator Form (42
part 70 and 71) (OMB Control No. 0920-1181) Revision 8 (May 13, 2020).
81
ICAO, Annex 9 to the Convention on International Civil Aviation, Facilitation 8-3 (15th ed. Oct. 2017)
(International Standards and Recommended Practices).
77
78

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 27 of 37
to adopt practices that are different from ICAO’s recommendation. 82 Accordingly, CDC’s
proposed use of an electronic version of the PLF does not deviate from international standards.
Also, nothing in ICAO’s Annex 9 suggests states are prohibited from using an electronic version
of the PLF. In fact, the form is scannable to convert the information from paper to electronic
form. Accordingly, we submit that the CDC must consider and should adopt the website version
of the PLF, not only to meet its obligation to evaluate “whether the burden on respondents can be
reduced by use of . . . electronic . . . collection techniques or other forms of information
technology, e.g., permitting electronic submission of responses,” 83 but to minimize that burden
on passengers and airlines. 84
Although the CDC has not estimated the costs for airlines to confirm passengers’
submission of contact information in the ePLF, we submit that those costs, automated through
DHS messaging, will be dramatically lower by multiples than the costs to airlines under the
Airline Contact Information Collection. We strongly urge the OMB to quickly approve such
information collection so that CDC may implement this electronic solution for all airline
passengers and that airlines can direct passengers to complete the ePLF as soon as possible.
Additionally, the CDC Contact Information Collection is approved for domestic
passengers, but the Airline Contact Information Collection is not. As CDC has recognized,
spread of COVID-19 has also involved interstate travel. 85 Accordingly, the CDC Contact
Information Collection, and especially the ePLF, is the information collection best suited for

Id. at x.
5 C.F.R. § 1320.8(a)(5).
84
Id. § 1320.8(d)(1)(iv).
85
See CDC, Public Heath Response to the Initiation and Spread of Pandemic COVID-19 in the United States,
February 24 – April 21, 2020 (May 8, 2020) available at
https://www.cdc.gov/mmwr/volumes/69/wr/mm6918e2.htm.
82
83

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 28 of 37
adaptability on an industry-wide scale. Also, we recommend that passengers should have a
single and consistent process through which to submit information to the CDC, and not require
different submissions for different flights.
VII.

CDC’s PRA Review for the Airline Contact Information Collection Failed to Meet
PRA Standards.
An important purpose of the PRA is to “improve the responsibility and accountability

of . . . Federal agencies . . . to the public for implementing the information collection review
process . . . .” 86 The improved accountability under the PRA is best reflected in the agencies’
obligation to solicit and consider public comments for each proposed collection of information. 87
Also, public comments “lend[ ] democratic legitimacy to regulatory decisions.” 88 Although the
CDC extended the public comment period for the Airline Contact Information Collection PRA
review for purposes of adding information collection under the IFR, 89 the public comment
opportunity failed to meet the PRA review standards, which undermines the public’s opportunity
to hold the CDC accountable in its information collection review process.

44 U.S.C § 3501(11).
See 44 U.S.C. §§ 3506(c)(2) – (3) (requiring solicitation of public comments and inclusion of public comments in
the record supporting certification of the information collection); 5 C.F.R. §§ 1320.5(a) and 1320.8(d) (requiring
solicitation of public comments, evaluation of public comments, a summary of public comments and actions in
response to the comments). Cf. Nat’l Women’s Law Ctr. V. OMB, 358 F. Supp. 3d 66, 91 (D.D.C. 2019) (“agency
may not rely on comments ‘uncritically’ and must apply its ‘expert evaluation’”) (citing Nat’l Ass’n of Regulatory
Util Comm’rs v. FCC, 737 F.2d 1095, 1125 (D.C. Cir. 1984)); id. (“Without explaining why, an agency cannot
rely on some comments while ignoring comments advocating a different position.”) (citing AARP v. U.S. Equal
Emp’t Opportunity Comm’n, 267 F. Supp. 3d 14, 32 (D.D.C. (2017)); Michael A. Livermore, Cost-Benefit
Analysis and Agency Independence, 81 U. Chi. L. Rev. 609, 687 (2014) (concluding that an agency’s control over
the development of cost-benefit analysis makes both agencies and OIRA accountable to a specific group of
outside experts); Donald J. Kochan, The Commenting Power: Agency Accountability Through Public
Participation, 70 Okla. L. Rev. 601 (2018) (explaining that the public participation requirement in the notice and
comment rulemaking process, “with its ‘two-way street’ obligation to dialogue, is a critical check on agency
power”).
88
See Regulations.gov, Public Comments Make a Difference, available at
https://www.regulations.gov/docs/FactSheet_Public_Comments_Make_a_Difference.pdf.
89
See supra note 2, Airline IC PRA Notice at 21,236 (extending the comment period 30 days and adding the new
information collection under the IFR).
86
87

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 29 of 37
A.

60-Day Comment Period

The PRA and the OMB’s implementing rules generally require that the public have a 60day opportunity to comment on an agency’s proposed information collection. 90 Shorter public
comment periods are acceptable only when: (i) the OMB has granted an exemption from the 60day requirement for emergency processing purposes; or (ii) the notice and comment period for a
proposed rule had the same purpose of soliciting comments on the proposed information
collection (“Proposed Rule Exception”). 91 For a rulemaking to qualify for the Proposed Rule
Exception, the agency must “provide notice and comment through the notice of proposed
rulemaking for the proposed rule and such notice specifically includes the solicitation of
comments for the same purposes” as the PRA review. 92 Neither exception applies to CDC’s
Airline Contact Information Collection for the IFR, and the CDC was required to give the full
60-day public comment period.
The CDC has not requested an exemption, nor has the OMB granted an exemption.
The public comment period for the IFR fails to qualify for the Proposed Rule Exception.
First, the IFR did not “specifically” solicit comments for the same purposes of the PRA review. 93
In fact, it effectively evaded comments on the new information collection requirements under the
IFR. As explained in our comments to the IFR, the IFR imposes new obligations on airlines to
collect and transmit information to the CDC that was not previously required under CDC’s rules,
specifically passenger contact information that airlines do not otherwise collect from passengers

See 44 U.S.C. § 3506(c)(2)(A) and 5 C.F.R. § 1320.8(d)(1).
See id.
92
5 C.F.R. § 1320.8(d)(3) (emphasis added). See also 44 U.S.C. § 3506(c)(2)(B) (“for any proposed collection of
information contained in a proposed rule (to be reviewed by the Director under section 3507(d)), provide notice
and comment through the notice of proposed rulemaking for the proposed rule and such notice shall have the same
purposes specified under subparagraph (A)(i) through (iv)”).
93
See supra note 4, IFR at 7,879 – 880 (assessing the information collection for purposes of the PRA).
90
91

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 30 of 37
in the airlines’ normal course of business. 94 However, the IFR reported that the OMB
(incorrectly) determined that “there is no new information collection requiring a submission of a
new information collection request under the Paperwork Reduction Act, (44 U.S.C. Chapter
35).” 95 Instead, the CDC relied on a 2016 PRA review, which only covered the CDC’s
collection of information under the pre-IFR rules. 96 Accordingly, by not recognizing the new
information collection under the IFR, the IFR did not and could not have specifically solicited
comments from the public that are now being solicited under Airline Contact Information
Collection PRA review.
Second, whether the CDC solicited the requisite PRA review public comments or not, the
public was effectively prevented from providing PRA review comments during the IFR public
comment period because the IFR did not provide sufficient information regarding the Airline
Contact Information Collection. To have qualified for the Proposed Rule Exception, the IFR
must have given the public information to have the opportunity to comment so that the CDC
may:
(i) Evaluate whether the proposed collection of information is necessary for the
proper performance of the functions of the agency, including whether the
information will have practical utility;
(ii) Evaluate the accuracy of the agency's estimate of the burden of the proposed
collection of information, including the validity of the methodology and
assumptions used;
(iii) Enhance the quality, utility, and clarity of the information to be collected; and

See supra note 5, Airline IFR Comments at 11 and 53 (discussing the increase in information collection
requirements for airlines under the IFR).
95
See supra note 4, IFR at 7,879 – 880.
96
See id. at 7,879. See also CDC, Proposed Data Collection Submitted for Public Comment and Recommendations,
81 Fed. Reg. 60,702 (Sept. 2, 2016) (Airline and Traveler Information Collection: Domestic Manifests and the
Passenger Locator Form) (relating to the information collection under the pre-IFR requirements).
94

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 31 of 37
(iv) Minimize the burden of the collection of information on those who are to
respond, including through the use of appropriate automated, electronic,
mechanical, or other technological collection techniques or other forms of
information technology, e.g., permitting electronic submission of responses. 97
In many ways, the public simply could not comment on these issues. For example, in the IFR,
the CDC did not provide an estimate of the burden of the collection of information, and
therefore, the public could not comment on the accuracy of the CDC’s estimate. Not until the
April 16, 2020 Airline Contact Information Collection PRA review was the public informed of
CDC’s estimates and the related public comment period. Additionally, the supporting
documents for the information collection were not publicly released until March 20 or March 21,
2020, 98 one week after the public comment period for the IFR closed. The IFR also failed to
adequately discuss the CDC’s own contact tracing website and other government sources of
information that are duplicative of airlines’ contact information collection, raising issues of the
necessity. 99 In sum, regardless of whether the CDC solicited comments specific to the PRA
review issues, the public lacked critical information to make the requisite PRA comments during
the IFR comment period, disqualifying this PRA review for a shortened comment period.
Third, the earlier 60-day public comment period for the Airline Contact Information
Collection that started on December 23, 2019 also fails to satisfy the PRA standards. It
contained no assessment of the new information collection under the IFR, including estimated
burdens for passengers and airlines. Also, this collection was issued 46 days before the IFR.

See 44 U.S.C. §§ 3506(c)(2)(A) - (B); 5 C.F.R. § 1320.8(d)(1) and (3).
See OIRA, ICR Documents (OMB Control No. 0920-1180) (stating that the documents were uploaded on March
20 or March 21, 2020) available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=2020030920-014 and OIRA, View Information Collect (OMB Control No. 0920-1180) (containing five forms and
instructions and the 2020 Rationale for OMB Changes to Manifest Orders (uploaded Mar. 21, 2020) available at
https://www.reginfo.gov/public/do/PRAViewIC?ref_nbr=202003-0920-014&icID=240814.
99
See infra Section II.
97
98

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 32 of 37
Simply put, the CDC cannot assert that this earlier opportunity for public comment should count
towards the comment period for the new information collect under the IFR.
Moreover, even if the CDC had given the full 60-day comment period for the Airline
Contact Information Collect PRA review, such opportunity would have been inadequate because
the CDC failed to provide sufficient information about the information collection for the public
to comment meaningfully. In other words, even if the CDC again re-opens the PRA review
comment period, such opportunity will be meaningless until the CDC discloses important
additional information that it used to conduct its PRA review.
B.

No Meaningful Opportunity to Comment

As required by OMB’s rules, 100 the PRA Reviews solicit comments to “[e]value the
accuracy of the agencies estimate of the burden of the prosed collection of information, including
the validity of the methodology and assumptions used.” 101 Additionally, the CDC was required
to “inform[ ] and provide[ ] reasonable notice to the potential persons to whom the collection of
information is addressed of— . . . [a]n estimate, to the extent practicable, of the average burden
of the collection (together with a request that the public direct to the agency any comments
concerning the accuracy of this burden estimate and any suggestions for reducing this
burden) . . . .” 102 Although the CDC gave the requisite solicitation and some notice after the
IFR, it failed to give the public an meaningful opportunity to comment on the accuracy of CDC’s
estimates or the methodologies and assumptions used to arrive at such estimates, thereby
invalidating CDC’s solicitation and notice. 103

See 5 C.F.R. § 1320.8(d)(1)(ii).
See supra note 2, Airline IC PRA Notice at 21,236 and note 3, CDC IC PRA Notice at 23,357.
102
See 5 C.F.R. § 1320.8(b) (emphasis added).
103
See Home Box Office, Inc. v. FCC, 567 F.2d 9 (D.C. Cir. 1977) (“[T]here must be an exchange of views,
information, and criticisms between interested persons and the agency. Consequently, the notice required by the
100
101

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 33 of 37
First, the CDC provides burden estimates without explaining how it arrived at those
estimates, including any methodology and assumptions. The omissions for the Airline Contact
Information Collection are numerous and significant, relating to critical costs and burdens for
airlines, including the costs for airlines to update their systems to collect and transmit passenger
contact information to the CDC. Specifically, the CDC provides the following estimates without
disclosing its methodology or assumptions it used to arrive at these estimates:
•

12 US major carriers and 61 major foreign carriers will modify their data systems, or
contract with third party reservation system providers, to ensure that the information
required under the IFR is transmitted using existing mechanisms to CBP; 104

•

Such changes will cost approximately $700,000 per carrier, for a total cost of
$51,000,000; 105

•

Based on data provided by OAG, approximately 110,000,000 travelers per year will
be queried by airlines for the five pieces of contact information required under the
IFR; 106

•

International passengers will take 30 seconds to respond to an airline’s query for the
five pieces of contact information under the IFR; 107 and

•

Airline staff will take 30 seconds to solicit the contact information required under the
IFR from passengers. 108

The CDC also does not explain why it did not estimate the burden for airlines to collect and
transmit contact information for crewmembers under the IFR. 109 Therefore, we cannot
reasonably evaluate the CDC’s apparent assumption that the cost to airlines for collecting and

APA, or information subsequently supplied to the public, must disclose in detail the thinking that has animated the
form of a proposed rule and the data upon which that rule is based. Moreover, a dialogue is a two-way street: the
opportunity to comment is meaningless unless the agency responds to significant points raised by the public. . . .
[A]n agency proposing informal rulemaking has an obligation to make its views known to the public in a concrete
and focused form so as to make criticism or formulation of alternatives possible.”) (internal citations omitted).
104
See supra note 2, Airline IC PRA Notice at 21,236 and supra note 12, Airline Collection Supporting Statement at
15.
105
Id.
106
See supra note 2, Airline IC PRA Notice at 21,236 and supra note 12, Airline Collection Supporting Statement at
12.
107
Id.
108
Id.
109
See supra note 4, IFR at 7,880 (requiring airlines to collect and transmit crewmember contact information).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 34 of 37
transmitting crewmember information is zero. We submit that these omissions are fatal to the
PRA review for the Airline Contact Information Collection for the IFR. Without providing any
supporting information for these estimates, we must presume and submit that these estimates are
arbitrary and should be disregarded, the CDC should adopt the estimates provided herein, and the
CDC should undertake a comprehensive PRA review to estimate all costs and burdens with wellreasoned methodologies and assumptions that are fully disclosed to the public for a meaningful
opportunity to comment.
In the CDC Contact Information Collection PRA review, the CDC does not explain why
it did not estimate the burden for airlines to “confirm submission of the information by reviewing
a message that is crated and sent to the traveler’s device in response to a completed PLF.” 110
Based on this omission, we can reasonably presume that the CDC arbitrarily assumes the burden
to be zero. We submit that the airlines will have burdens and costs to confirm submission and
that they are likely to be significant, given carriers’ experience with similar government
programs (e.g. ESTA and the Australian Electronic Travel Authorization), and that a proper
exploration of those burdens and costs should be conducted through a
Second, and more critical than the above omissions, we requested CDC’s methodologies
and assumptions for its estimates, but the CDC never provided them. The PRA Reviews give the
option for the public to “request additional information on the proposed protect or to obtain a
copy of the information collection plan and instruments.” 111 A4A submitted timely requests for
such information, including any methodology and assumptions used by CDC to arrive at its

110
111

See supra note 20, CDC Collection Justification at 3.
See supra note 2, Airline IC PRA Notice at 21,236 and supra note 3, CDC IC PRA Notice at 23,357.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 35 of 37
estimates, Attachment E and Attachment F. 112 As of the date of these comments, CDC has not
responded to A4A’s requests, effectively nullifying our opportunity to provide meaningful
comments for the PRA Reviews.
Third, the OMB docket for the Airline Contact Information Collection does not contain
the Privacy Impact Statement for CDC’s secure system called Epi-X (Epidemic Information
Exchange), which was an attachment to CDC’s Request for Revision to the Airline Contact
Information Collection PRA review. 113
Fourth, the OMB docket information and supporting documents for the CDC Contact
Information Collection was substantively changed and submitted to the OMB on May 13, 2020,
more than two weeks into the 30-day comment period, further limiting stakeholders opportunity
to assess the information collection. Additionally, stakeholders were not able to comment until
OMB updated its docket website on May 15, 2020, allowing stakeholders to file comments or
request information from the CDC. As discussed in Section VI above, the information collection
was materially changed from the information collection that CDC had proposed and submitted to
the OMB on March 4, 2020, but without explanation of why the CDC had changed the proposed
information collection.
To remedy the above infirmities, we strongly recommend that the CDC withdraw the IFR
to conduct a full NPRM with a sufficient PRA review that gives the public a meaningful
opportunity to comment on the Airline Contact Information Collection. Given CDC’s apparent

See Letter from G. Keithley, A4A, to J. Zirger, Lead, CDC Information Collection Review Office (Apr. 20, 2020)
(requesting information related to CDC’s PRA review for the Airline Contact Information Collection) and Letter
from G. Keithley, A4A, to J. Zirger, Lead, CDC Information Collection Review Office (Apr. 27, 2020)
(requesting information related to CDC’s PRA review for the CDC Contact Information Collection).
113
See Airline and Vessel Traveler Information Collection (42 CFR part 71) (OMB Control No. 0921-1180) Request
for Revision 19 (“Attachment 3B: Epi-X Privacy Impact Statement”).
112

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 36 of 37
reluctance to provide the supporting information upon request, we also recommend that the
NPRM contain all data, methodology, and assumptions by which the CDC arrived at its
estimates so that the public will have a meaningful opportunity to provide comments and fulfill
the purposes of the PRA. If the CDC chooses not to undertake a full rulemaking, we submit that
the OMB must disapprove the Airline Contact Information Collection, at least for the
information collect related to the IFR. We also submit that the CDC and the OMB must consider
and approve the CDC Contact Information Collection proposed by the CDC on March 4, 2020.
Conclusion
Airlines continue to treat COVID-19 as a top concern and priority, especially the health
and safety of our passengers and crewmembers. We will take all feasible, effective, and
reasonable measures to respond to the COVID-19 threats and impacts. However, we respectfully
submit that the CDC must withdraw the overly broad IFR that is premised on an inadequate PRA
review for the Airline Contact Information Collection that is duplicative of existing information
collections and based on inaccurate burden estimates. Additionally, the CDC should complete
its review and the OMB should approve CDC’s proposed contact information collection through
its own contact tracing website—the ePLF. We look forward to working with the CDC to
develop feasible and effective alternatives to CDC’s IFR and strongly recommend that CDC
adopt use the CDC Contact Information Collection for all airline passengers.
We greatly appreciate the opportunity to provide these comments and thank you for the
consideration.

*

*

*

*

*

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181
Page 37 of 37

Respectfully submitted,

_________________________________
Graham C. Keithley
Assistant General Counsel
AIRLINES FOR AMERICA

_________________________________
Douglas E. Lavin
Vice President, Member and External
Relations North America
INTERNATIONAL AIR TRANSPORT
ASSOCIATION

_________________________________
Nobuyo Reinsch
Vice President, Aviation Safety &
Security
REGIONAL AIRLINE
ASSOCIATION

_________________________________
Paul Doell
Vice President, Government Affairs and
Security Policy
NATIONAL AIR CARRIER
ASSOCIATION

Dated: May 16, 2020

APPENDIX A
Airline Trade Association Members & Representation
A4A’s members are: Alaska Airlines, Inc.; American Airlines Group, Inc.; Atlas Air, Inc.; Delta
Air Lines, Inc.; Federal Express Corp.; Hawaiian Airlines; JetBlue Airways Corp.; Southwest
Airlines Co.; United Continental Holdings, Inc.; and United Parcel Service Co. Air Canada is an
associate member.
IATA represents over 290 airlines in 120 countries.
RAA’s members are: Air Wisconsin; CommutAir; CapeAir; Empire Airlines; Envoy; Endeavor
Air; ExpressJet; GoJet Airlines; Grand Canyon Scenic Airlines; Horizon Air; Jazz; Mesa
Airlines; New England Airlines; PenAir; Piedmont; Ravn Alaska; PSA Airlines; Republic
Airways; Seaborne Airlines; and SkyWest Airlines.
NACA’s members are: Allegiant; AmeriJet; Air Transport International; Atlas Air Worldwide;
Everts Air Cargo; Frontier Airlines; Kalitta Air; Lynden Air Cargo; Miami Air International;
Northern Air Cargo; OAI; Spirit Airlines; Sun Country Airlines; SwiftAir; USA Jet Airlines;
WGA; and World Atlantic Airlines.

Joint Comments of A4A, IATA, RAA, and NACA
(CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181

Attachment A

BEFORE THE
CENTERS FOR DISEASE CONTROL AND PREVENTION
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
ATLANTA, GA
__________________________________________
)
In the Matter of:
)
)
Docket CDC-2020-0013
Control of Communicable Diseases;
)
Foreign Quarantine
)
__________________________________________)
JOINT COMMENTS OF
AIRLINES FOR AMERICA,
THE INTERNATIONAL AIR TRANSPORT ASSOCIATION,
THE REGIONAL AIRLINE ASSOCIATION, AND
THE NATIONAL AIR CARRIER ASSOCIATION
Communications with respect to this document should be addressed to:
Patricia Vercelli
Senior Vice President, General Counsel and
Secretary
Graham Keithley
Assistant General Counsel
AIRLINES FOR AMERICA
1275 Pennsylvania Avenue, NW
Suite 1300
Washington, DC 20004
(202) 626-4000
[email protected]
[email protected]

Douglas E. Lavin
Vice President, Member and External
Relations North America
Jeffrey N. Shane
General Counsel
INTERNATIONAL AIR TRANSPORT
ASSOCIATION
1201 F Street, NW
Suite 650
Washington, DC 20004
(202) 628-9443
[email protected]
[email protected]

Nobuyo Reinsch
Vice President, Aviation Safety & Security
REGIONAL AIRLINE ASSOCIATION
1201 15th Street, NW
Suite 430
Washington, DC 20005
(202) 367-2335
[email protected]

Paul Doell
Vice President, Government Affairs and
Security Policy
NATIONAL AIR CARRIER
ASSOCIATION
1735 N. Lynn Street
Suite 105
Arlington, VA 22209
(703) 358-8060
[email protected]

March 13, 2020

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)

TABLE OF CONTENTS
I.

INTRODUCTION ................................................................................................................... 3

II.

COVID-19 .......................................................................................................................... 6

III.

BACKGROUND ................................................................................................................... 10

A.

Passenger and Crewmember Information ......................................................................... 11

1. Passenger Name Record (“PNR”) ................................................................................... 11
2. Advance Passenger Information ....................................................................................... 20
3. Electronic System for Travel Authorization (“ESTA”) .................................................... 22
4. Electronic Visa Update System (“EVUS”) ....................................................................... 24
5. U.S. Passport and Visa Application Information.............................................................. 25
B.

Crewmembers ................................................................................................................... 26

C.

Third-Party Bookings Through Other Airlines, OTAs, and GDSs ................................... 27
1. Bookings Through Other Airlines ..................................................................................... 27
2. Bookings Through OTAs/Travel Agents/GDSs ................................................................. 29

D.

Section 71.4 History and Airline Compliance .................................................................. 30

1. 2005 CDC Rulemaking ..................................................................................................... 31
2. 2016 CDC Rulemaking ..................................................................................................... 32
3. CDC Report on Section 71.4(a) and Airlines Compliance under Section 71.4(a) ........... 34
THE IFR SIDESTEPS REQUIRED STATUTORY PROCEDURE ............................................ 35

IV.
A.

CDC Failed to Provide Sufficient Public Notice and an Opportunity to Comment ......... 35

B.

A Critical Component of the IFR Was Improperly Left Out of the Rule Itself ................ 41

V.

THE IFR IS ARBITRARY AND CAPRICIOUS ...................................................................... 42

A.

The IFR Creates Substantial Burdens While Failing to Solve the Problem that
Purportedly Necessitates the Rule .................................................................................... 42

B.

The IFR Implicates Privacy Laws and May Cause Airlines to Run Afoul of International
Legal Requirements .......................................................................................................... 47

C.

The IFR Violates Other Statutory Requirements .............................................................. 48
1. Unfunded Mandates Act .................................................................................................... 48
2. Executive Order 12866 ..................................................................................................... 48
3. Executive Order 13771 ..................................................................................................... 50

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
4. Information Quality Act (“IQA”) ..................................................................................... 50
VI.

IFR IS AN ABUSE OF DISCRETION AND EXCEEDS CDC’S AUTHORITY .......................... 52

VII.

THE IFR, AS ENACTED, CANNOT BE ENFORCED ............................................................. 53

A.

Paperwork Reduction Act ................................................................................................. 53

B.

Regulatory Flexibility Act ................................................................................................ 54

VIII. COMPLIANCE WITH FORUM DATA PROTECTION REQUIREMENTS ................................ 56
A.

The GDPR Applies to PNR or API Transmissions of Passenger Contact Information.... 58

B.

No Blanket Exception to the GDPR for Public Health Emergencies ............................... 60
1. The Four Explicit Exceptions to the GDPR are Inapplicable .......................................... 60
2. Recitals Are Not Blanket Exceptions for Public Health Emergencies .............................. 61

C.

Obligations for Ensuring a Lawful Basis for Processing Personal Data .......................... 62
1. Some Lawful Bases for Justifying the IFR are Unavailable ............................................. 64
2. Justification Under a “Public Interest” or “Legitimate Interest” Only with Additional
Clarity and Safeguards ..................................................................................................... 66

D.

Airlines (as “Controllers”) Have Substantive Obligations ............................................... 67

1. Transfers ........................................................................................................................... 68
2. Certain Other Processing Principles ................................................................................ 71
E.

US-EU PNR Agreement is Relevant for Legal Basis and Safeguards ............................. 71
1. The US-EU PNR Agreement Does Not Provide a European Legal Basis for Public Health
Emergencies ...................................................................................................................... 72
2. The PNR Agreement has Safeguards and the IFR Should Have Similar Safeguards ....... 73

IX.

CONCLUSION .................................................................................................................... 76
APPENDICES

APPENDIX A AIRLINE TRADE ASSOCIATION MEMBERS & REPRESENTATION
APPENDIX B SUMMARY OF CONTACT INFORMATION AVAILABLE TO THE U.S. GOVERNMENT
BEFORE THE IFR
APPENDIX C PASSENGER NAME RECORD (PNR)
APPENDIX D ADVANCED PASSENGER INFORMATION (API)

BEFORE THE
CENTERS FOR DISEASE CONTROL AND PREVENTION
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
ATLANTA, GA
__________________________________________
)
In the Matter of:
)
)
Docket CDC-2020-0013
Control of Communicable Diseases;
)
Foreign Quarantine
)
__________________________________________)
JOINT COMMENTS OF AIRLINES FOR AMERICA,
THE INTERNATIONAL AIR TRANSPORT ASSOCIATION,
THE REGIONAL AIRLINE ASSOCIATION, AND
THE NATIONAL AIR CARRIER ASSOCIATION
Airlines for America (“A4A”), the International Air Transport Association (“IATA”), the
Regional Airline Association (“RAA”), and the National Air Carrier Association (“NACA”)
submit these Comments on behalf of their members 1 in response to the Centers for Disease
Control and Prevention’s (“CDC”) interim final rule, Control of Communicable Diseases;
Foreign Quarantine (“IFR”). 2 Airlines annually transport over 122 million passengers from
foreign destinations to the United States and over 807 million passengers within the United
States. The health and safety of our passengers and crewmembers is our topmost concern. We
are willing to do what it takes to meet the challenges posed by COVID-19 3 and partner with all
governments, foreign and domestic, as well as local and federal, to facilitate a rapid global
response to COVID-19. But, the solutions must be practical, implementable, and effective.
Our greatest and sincere concern is the IFR cannot get the CDC what it needs for
COVID-19—accurate passenger contact information to perform public health follow-ups to
prevent the spread of COVID-19 and get individuals the health care they need. Although the
airline industry could take many months and obligate hundreds of millions of dollars to modify

1
2
3

Appendix A contains our members and representation, covering all major airlines operating in the United States.
85 Fed. Reg. 7,874 (Feb. 12, 2020) (hereinafter the “IFR”).
References to COVID-19 include the coronavirus (SARS-CoV-2) and related disease (COVID-19).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 2 of 77
systems to collect passenger contact information and send it to the CDC, we will still not be able
to confirm that the information that we collect will be accurate. The CDC can require that
passengers directly give the CDC accurate contact information.
To that end, the CDC should adopt the solution that the airlines offered, at no development
cost to the CDC, and will be rapidly effective: a CDC website and mobile application for passengers
to send their contact information directly to the CDC. Like the systems already developed in other
countries, a passenger would simply go online or to the mobile application prior to travel and send
the CDC the needed contact and travel information. For the health and safety of passengers,
crewmembers, and the public, the CDC should not discard the airlines proposed solution.
The airline solution is preferable to the IFR because the CDC presumes that airlines have
infrastructure, in the form of IT systems that are interconnected between industry stakeholders,
that simply does not exist. Like a COVID-19 vaccine, the creation and modification of industrywide systems to meet the IFR requirements will take substantial time to develop, must conform
to international standards and coordinated across every stakeholder, and cannot be willed into
existence by regulatory requirements. The airline solution, unlike a COVID-19 vaccine, is a
swift solution that meets CDC’s goals of the IFR.
Additionally, the CDC should withdraw the IFR because it needlessly extends far beyond
COVID-19, which is a novel virus posing near-term challenges. As it has done twice before
without requiring collection of additional contact information or verification for accuracy, the CDC
should create broad long-term rules through a full Administrative Procedure Act (“APA”)4
rulemaking process. The CDC’s claim that COVID-19 justifies the IFR is a pretext to avoid this
process which is contrary to the public’s interest. The full APA process will ensure that the CDC
adopts faster, feasible, effective, and available solutions to meet CDC’s long-term contact tracing
goals, while reflecting the CDC’s public health needs and actual capabilities of airlines.

4

5 U.S.C. § 551 et seq.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 3 of 77
I.

INTRODUCTION
Airlines annually transport over four billion passengers and 52 million metric tons of

cargo worldwide, employ over 10 million aviation professionals, support over 65.5 million jobs
worldwide, and support $2.7 trillion (3.6%) in global economic activity. Airlines are the
backbone of international transportation. To that end, the airline industry knows firsthand the
gravity of the situation presented by COVID-19. Accordingly, in addition to our constant and
primary responsibility to ensure the safety of our passengers and crewmembers, we recognize
our unique position and responsibility to help public health officials address public health threats,
including CDC’s response to COVID-19.
When COVID-19 became a public health threat, the airlines were among the first to
respond, and we continue to respond as the COVID-19 threat evolves. Airlines help public
health officials respond to outbreaks by adjusting services, diverting passengers to designated
airports for screening, screening passengers, enhancing aircraft cleaning, transporting individuals
to their country of citizenship, and voluntarily waiving flight change and cancellation fees.
Compliant with CDC’s pre-IFR rule, 42 C.F.R. § 71.4(a) (“Section 71.4(a)”), airlines provide the
CDC with available passenger contact information as quickly as possible to respond to COVID-19.
However, airlines do not have all the passenger contact information that the CDC desires,
nor can we validate contact information, now or in the future. Accordingly, airlines have
proposed feasible, effective, and efficient alternative solutions beyond Section 71.4(a) to meet
CDC’s immediate COVID-19 contact tracing needs, including paper forms and building the
CDC a website and mobile application for passengers to provide contact information directly to
the CDC. In sum, throughout the COVID-19 public health threat, the airline industry has been
an active and willing partner in developing reasonable and effective solutions. We pledge our

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 4 of 77
continued assistance and compliance, so long as the requirements are technologically feasible,
tethered to the realities of the aviation industry, and reasonably tailored to address COVID-19.
In our discussions with the CDC, we have focused primarily on the capabilities of
airlines, both in the near and long-term. On a global scale with 222 airlines flying internationally
to and from the United States, 5 travel agents worldwide, and other third parties, the entire airline
industry simply cannot modify its operations, systems, and processes, in less than 12 months, to
collect and provide passenger contact information through existing airline data channels to the
CDC. The constellation of systems designed in accordance with international standards,
processes, and operations by scheduled passenger airlines are extraordinarily complex, and
charter airlines face additional challenges because we have less interaction with passengers and
their systems and operations are fundamentally different from those of scheduled passenger
airlines. More fundamentally, forcing airlines to collect unverifiable passenger contact
information will not fulfill CDC’s public health mission to identify and contact passengers who
may have been exposed to COVID-19 or any future communicable disease; only the government
has the sovereign authority to require and enforce that passengers provide accurate contact
information that is useful for CDC’s public health follow-up purposes.
For these reasons and others explained herein, the IFR fails to adopt a rational solution
for COVID-19 public health follow-up; is fundamentally flawed, overly broad, and legally
deficient; fails to properly consider passenger privacy laws and international agreements;
imposes undue burdens on private industry in contravention of the Administration’s rulemaking
policies; and sets the airlines up for failure with extreme unavoidable penalties for
noncompliance. We submit that the CDC should:

5

Based on U.S. Department of Transportation (“DOT”), Bureau of Transportation Statistics (“BTS”) T-100 data for
the period of September 2018 through August 2019, including airlines carrying to the United States daily: (i) one
or more passengers; or (ii) more than 0.5 tons of cargo.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 5 of 77
1.

Withdraw the IFR and undertake a full APA rulemaking process to revise
Section 71.4 in a manner that addresses the long-term needs of CDC and
creates effective solutions that take into account the airline industry’s
technical complexities; and

2.

Adopt digital portals (i.e., website and mobile application) and require
passengers to provide contact information directly to the CDC for COVID19, relying on CDC’s explicit authority to compel individuals to provide
such information. 6

Alternatively, the CDC must, at the very least, revise the text of the new rules, 14 C.F.R. §
71.4(d)-(e) (“Section 71.4(d)-(e)”), to:
1.

Limit its applicability to COVID-19; and

2.

Allow an airline to submit passenger contact information through each
airline’s selected method (e.g., paper, email spreadsheet, etc.) based on
their capabilities that address identified gaps in contact information.

To be clear, airlines are not opposed to assisting CDC in collecting passenger contact
information to combat the spread of COVID-19. We respectfully disagree, however, with the
way that CDC imposed requirements to obtain passenger contact information in the IFR without
considering what passenger contact information other federal agencies possess and without
conducting due diligence with respect to feasible and more effective methods that address CDC’s
immediate COVID-19 needs.
In fact, the only solution for the CDC to meet its COVID-19 contact tracing needs is our
suggested solution: an airline-designed but CDC-controlled website and mobile application
services, through which passengers can directly send the CDC the passenger’s contact and travel
information. This solution has already been implemented in Korea and other countries. 7 With
this solution, the CDC can, among other benefits:
6
7

See 42 C.F.R. § 71.20 (giving the CDC Director authority to require individuals to provide contact information, as
well as other pertinent information to assist CDC’s response to communicable diseases).
See e.g., http://ncov.mohw.go.kr/selfcheck/ (providing access to download the Korean Self Diagnosis Mobile App
which requires information regarding recent travel and at least one phone number: a phone number in Korea, an
emergency contact phone number in Korea, or a roaming phone number), Attachment 1; BBC News, China
Launches Coronovirus ‘Close Contact Detector’ App (Feb. 11, 2020), available at
https://www.bbc.com/news/technology-51439401 (explaining that Chinese mobile app), Attachment 2.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 6 of 77
•

Collect passenger contact information in as little as two weeks via the
mobile application and up to four weeks via the website, making it a viable
solution for COVID-19;

•

Collect accurate contact information directly from passengers under the
penalty of law;

•

Without a rulemaking or lengthy industry implementation, quickly modify
the passenger information requirements beyond that which is required
from the airlines in the IFR, such as recent travel to specific countries, as
well as contact and travel information from passengers on other modes of
transportation (i.e., rail, bus, and maritime, including cruise lines);

•

Avoid the unnecessary complexities, substantial technical risks, costs, and
long implementation times of creating and/or modifying integrated airline,
online travel agent (“OTA”), global distribution systems (“GDS”), and
U.S. Customs and Border Protection (“CBP”) systems, processes, and
operations to get unvalidated contact information from the passengers,
through the airlines (and OTAs and GDSs) and CBP, which is clearly
unattainable to serve CDC’s immediate COVID-19 contact tracing needs;

•

Avoid major CDC costs: A4A has offered to develop the website and
mobile application at no cost to the U.S. government; and

•

Avoid privacy issues related to airlines collecting and transferring
passenger contact information to the U.S. government.

For these reasons alone, the CDC should withdraw the IFR and implement this solution urgently.
II.

COVID-19
Since the beginning of the COVID-19 threat, airlines have been actively involved in the

response. In fact, the airline industry was communicating and coordinating with the CDC before
the President’s Proclamation on Suspension of Entry as Immigrants and Nonimmigrants of
Persons who Pose a Risk of Transmitting 2019 Novel Coronavirus on January 31, 2020
(“January 31 Proclamation”) and the funneling of persons who were at risk of exposure in China
to designated airports for screening by the CDC. During this early engagement, the CDC
informed the airlines that the active entry screening protocol was in place, involving the U.S.
government’s identification of passengers from Wuhan, China, medical screening of passengers
at select airports, and the requirement of the completion of traveler health forms. Concurrently,

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 7 of 77
the CDC and CBP informed the airlines that they were collaborating to identify at-risk
passengers from the Wuhan, China region on direct and indirect flights to the United States.
After the January 31 Proclamation, but before the IFR, airlines implemented the U.S.
government’s directives to stop carrying foreign nationals from China to the United States and
funneled all other passengers that had been in China within 14 days to designated airports. We
continued to engage with the CDC, CBP, and other agencies on possible next steps to help the
response to COVID-19, including responding to any CDC requests for passenger contact
information under Section 71.4(a) in a timely and comprehensive manner to the best of their
ability. During this time, the CDC informed the airlines of its intent to mandate airlines’
collection of passenger contact information in the very near term, based on the immediate threat
presented by COVID-19 and its belief that existing passenger contact information coming from
the airlines was not only incomplete, but “inaccurate,” and the CDC had an immediate need for
“quality” information. The CDC suggested that, since the last CDC rulemaking in 2016, airlines
should have known that we would eventually have to develop a process to collect passenger
contact information to help with communicable disease tracing, despite the final 2016 rule’s
preamble stating, in no uncertain terms, that airlines would not be required to collect additional
passenger information beyond what airlines already collected and maintained. It also
acknowledged that it would take the airlines many months to operationalize CDC’s passenger
contact information requirements.
During their limited interactions with the CDC, and more frequent interactions with
representatives from the HHS, airlines raised many, if not all of the infeasibilities of the IFR
discussed herein, including that airlines have no ability to validate the contact information that a
passenger or travel agent provides; the need to consider alternative, faster, and more effective

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 8 of 77
solutions; that modifying the airline industry’s systems would take at least 6-12 months, and
likely longer; 8 that the CDC needs to identify and focus on addressing the U.S. government
agency gaps in contact information; issues with the OTAs and GDSs; and domestic and
international privacy issues. In response, the CDC has conveyed that it believed that the best
way to ensure that passenger contact information is accurate is to verify the information with the
passenger at the closest time of CDC’s need for the information (i.e., close to the time that the
CDC conducts contact tracing). The CDC, to the extent it participated in these contacts, and
representatives of HHS dismissed the airlines’ proposed alternatives. Also, HHS representatives
admitted that, if the COVID-19 threat ends before the airline industry can modify their systems
to get the CDC the required information for COVID-19, the CDC would still want this
information.
After the issuance of the IFR on February 7, 2020, which was posted online without
warning to airline representatives, and prior to CDC’s issuance of the related order, a HHS
representative explained on a call with airlines on February 10, 2020 that the purpose of CDC’s
effort to obtain the passenger contact information was to facilitate “case management” for
patients when they deplane in the United States and a “soft-handoff” of those patients from the
CDC to state and local public health departments so that the patients get the follow-up care that
they need. In the same discussion, the HHS official also explained that the IFR covers contact
tracing. The CDC has also acknowledged that the scope of the IFR is vast and extends far
beyond COVID-19, including all passengers arriving in the United States and any communicable
disease, as the plain terms of the IFR make clear.

8

The airlines conducted further technical analysis and based on that analysis estimate that the modifications will
take at least 12 months.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 9 of 77
Because airlines cannot implement the IFR in any material way or with any degree of
speed in the face of CDC’s immediate COVID-19 needs, the airlines offered to implement a
short-term solution, whereby airlines would manually collect passenger contact information for
those passengers that were in China 14 days prior to attempted travel to the United States and
manually input that information into the PNR. The airlines explained that this solution would
not be scalable beyond 100-200 passengers per day, per airline, entering the United States with a
China travel history, as a result of airlines operational and resource constraints. In other
discussions about possible implementation options and the channels through which airlines could
potentially send passenger contact information, CBP acknowledged that APIS cannot be
modified in the short term. CBP also acknowledged that PNR does not exist for crewmembers.
On February 18, 2020, the CDC issued its first order to implement the IFR (“February 18
Order”), 9 for which airlines implemented the manual data collection and entry of passenger
contact information into PNR for passengers from (or who traveled through) China. The airlines
continued to engage the CDC on potential solutions that would help yield more effective
collection of accurate passenger information to facilitate contact tracing. Specifically, the
airlines have repeatedly offered to develop and pay for a website and mobile application to be
used by CDC whereby passengers could enter the CDC’s desired contact information, which
could be transmitted immediately and directly to the CDC. According to the airlines’ contractor,
the mobile application could be functional in two weeks and the website could be functional in
four weeks.

9

See CDC, Collection of Certain Data Regarding Passengers and Crew Arriving From Foreign Countries by
Airlines, 85 Fed. Reg. 10,439 (Feb. 24, 2020) (Agency order, issued on February 18) (hereinafter “February 18
Order”).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 10 of 77
On February 19, 2020, the airlines submitted questions to the CDC requesting necessary
guidance to facilitate compliance with the February 18 Order. While the CDC did eventually
post answers to some of those questions on February 28, 2020, the airlines continue to have
outstanding questions that are critical to facilitating their compliance.
Airlines are complying with the February 18 Order to the best of their capabilities. We
are also working with a contractor to develop a website and mobile application for use by the
CDC so that passengers may submit contact information directly to the CDC. On March 11,
2020, the President issued a third proclamation to restrict passengers traveling from the European
Schengen Zone to the United States. 10 Today, according to the Department of Homeland
Security’s (“DHS”) process for Americans returning from certain European countries, China,
and Iran, Attachment 3, upon arrival, passengers will proceed to customs processing and
undergo enhanced entry screening, which the U.S. government performs, including being “asked
for contact information for local health authorities.” 11 We understand that airlines will not be
required to collect passenger contact information from such passengers and send it to CDC.
III.

BACKGROUND
To assess the sufficiency, adequacy, and legality of the IFR, it is imperative that the CDC

first understand and consider the complexity of the circumstances, including the history, facts,
and complexity of airline passenger data systems; the interoperability of airline passenger data
systems with third-party systems; the information that the U.S. government received from
airlines and passengers before the IFR; and the pre-IFR regulatory framework for the CDC to

See Proclamation – Suspension of Entry as Immigrants and Nonimmigrants of Certain Additional Persons Who
Pose a Risk of Transmitting 2019 Novel Coronavirus (Mar. 11, 2020).
11
See DHS, Department of Homeland Security Outlines New Process for Americans Returning from Certain
European Countries, China, and Iran (March 13, 2020).
10

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 11 of 77
obtain passenger contact information from the airlines, including the regulatory history and
airlines’ compliance. As explained in Section V below, the CDC’s failure to consider the
following critical facts, renders the IFR fatally flawed.
A.

Passenger and Crewmember Information

Airlines and passengers already provide substantial contact information to the U.S.
government. See Appendix B, Summary of Contact Information Available to the U.S.
Government Before the IFR. According to CDC’s report following the 2017 final rule that
implemented Section 71.4, discussed in Section III.D.3 below, the CDC appears to successfully
leverage this existing information, as well as the supplemental information that airlines provide
pursuant to Section 71.4(a), for public health follow-up and other purposes. It is important for
the CDC to recognize that no major change to the airline industry’s systems, processes, or
operations that capture, transmit, and/or use passenger contact information, like the IFR will
require, has been accomplished in less than 12 months from inception to full implementation.
1.

Passenger Name Record (“PNR”)

PNR is a commercial passenger information data set that scheduled passenger airlines
have long used for reservation and ticketing business purposes. Charter airlines 12 typically do
not have PNR because we do not normally sell individual seats to the public. The International
Civil Aviation Organization (“ICAO”) aptly describes PNR as “the generic name given to
records created by aircraft operators or their authorized agents for each journey booked by or on
behalf of any passenger.” 13 Airlines and their agents have used PNR for their commercial and
operational purposes long before airlines began transmitting PNR to the U.S. government for

Charter airlines do not operate on a schedule, but generally operate on customer demand and by contract, such as
sports teams chartering an aircraft to travel to a competition.
13
See ICAO, Guidelines on Passenger Name Record (PNR) Data, Doc. 9944 ¶ 2.1.2 (1st ed. 2010) (hereinafter
“ICAO Doc. 9944”), Attachment 4.
12

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 12 of 77
security reasons. Because PNR is proprietary to each airline, the scope and collection of PNR
data varies widely across airlines. A full description of PNR is provided in Appendix C.
Key facts about PNR include:
•

Beyond a passenger’s name, which all airlines collect and include in a
PNR, no law, international standard, or other arrangement requires an
airline’s PNR to contain passenger contact information (e.g., address,
phone, or email); accordingly, some airlines’ PNRs may not contain any
contact information beyond an individual’s name.

•

The data that airlines capture for PNR depends on the existing systems and
the systems of third parties (e.g., GDS and OTAs), which may not be
designed to capture, include in a PNR, or transmit passenger contact
information. 14

•

PNR data only contains information that is provided by or on behalf of the
passengers (e.g., parent or OTAs), which may be provided up to a year in
advance and cannot be verified by the airlines for accuracy or
completeness. 15

•

It is internationally recognized that “[s]tates should not require or hold an
airline responsible for submission of PNR data that are not already
collected or held in the operator’s reservation or [departure control system
(“DCS”)]. An operator should be held responsible only for data that are
available in its reservation system or DCS.” 16

•

After the CDC issues specifications for airlines to meet the IFR
requirements, which has yet to occur, airlines estimate that it will take at
least 12 months to modify existing systems to ensure that the CDCspecified passenger contact information is collected and included in a
PNR, and, for airlines that do not have existing PNR-related systems (e.g.,
charter airlines), it may take even longer depending upon the situation.

In 2001, Congress passed the Aviation and Transportation Security Act (“ATSA”), which
responded to aviation security issues identified after the September 11, 2001 terrorist attacks and

Cf. IATA, Air Transport & Travel Industry: Principles, Functional and Business Requirements, PNRGOV 7
(Version 13.1, Aug. 2013) (“The specific data elements that might be available from an aircraft operator’s system
will also depend upon the type of air transport services provided by the operator . . . and by how and by whom the
passengers’ reservations were finalized.”) (hereinafter “IATA Principles”), Attachment 5.
15
See supra note 13, ICAO Doc. 9944 at ¶¶ 2.1.2, 2.1.11, and 2.16.1 (“States should acknowledge that PNR data
collected by aircraft operators cannot be verified for accuracy or completeness.”).
16
Id. at ¶ 2.5.2 (emphasis added). It is also recommended that states should not take action against an operator nor
should an operator be held legally, financially, or otherwise responsible for transferring PNR data that have been
collected in good faith, but which are later found to be false, misleading, or otherwise incorrect. Id. at ¶ 2.16.1.
14

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 13 of 77
required airlines to provide to the U.S. government information or access to information
regarding passengers and crewmembers. 17 Specifically, Congress required that airlines make
PNR data available to the Customs Service (“Customs”) upon request. 18 Notably, even before
this mandate, airlines voluntarily provided the U.S. Immigration and Naturalization Service
(“INS”) and Customs access to reservations systems for the purpose of sharing PNR data.
Accordingly, the U.S. government, through CBP, which replaced INS and Customs, has long had
access to PNR, including for passengers at risk of COVID-19 exposure.
When implementing ATSA, Customs emphasized that airlines were required to make
“any and all” PNR data elements relating to identity and travel plans available to Customs, but
explicitly limited the scope “to the extent that the carrier in fact possesses the requested data
elements in its reservation system and/or departure control system.” 19 It included that “there is
no requirement that an air carrier collect any other Passenger Name Record information than the
particular PNR data that the carrier already collects on its own and maintains in its electronic
reservation/departure control systems.” 20 Under these PNR access requirements, an airline must
also provide access to the airline’s flight schedule and the airline’s passenger flight lists, 21 which
may help the CDC find additional passenger contact information. The CBP has not substantively
changed these rules. 22

Pub. L. No. 107-71 § 115 (2001) (codified at 49 U.S.C. § 44909) (hereinafter “ATSA”).
Id.
19
See Customs Service, Passenger Name Record Information Required for Passengers on Flights in Foreign Air
Transportation to or From the United States, 67 Fed. Reg. 42,710 (June 25, 2002) (Interim rule) (hereinafter “PNR
IFR”); 19 C.F.R. § 122.49d(b)(2). Airlines are required to ensure that their systems interfaced with Customs
Service within 30 days of Customs contacting the airline to request an interface. Id. § 122.49d(c)(2).
20
19 C.F.R. § 122.49(b)(2).
21
See 19 C.F.R. § 122.49d(c)(1).
22
The regulation was recodified from 19 C.F.R. § 122.49b to 19 C.F.R. § 122.49d. See Bureau of Customs and
Border Protection, Electronic Transmission of Passenger and Crew Manifests for Vessels and Aircraft, 70 Fed.
Reg. 17,820 (Apr. 7, 2005) (Final rule).
17
18

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 14 of 77
Notably, during the rulemaking, Customs acknowledged that “[g]enerally speaking, the
PNR information contained in an air carrier’s automated PNR database may consist of as few as
5 data elements or in excess of 50 data elements, depending upon the particular record and
carrier.” 23
In sum, and in alignment with international standards and practices, including the many
issued by ICAO and IATA discussed in Appendix C, CBP does not require airlines to collect
and include specific information, like passenger contact information, in a PNR.
As explained in Appendix C, each airline would have to create and/or modify multiple
systems to ensure that passenger contact information is collected and included in a PNR (or
Advanced Passenger Information (“API”)) 24 for transmission to CBP. The process to create or
modify these systems is complex because the systems are interconnected—the systems,
connections, and modifications must be thoroughly tested to prevent disruptions to other systems
and uses (e.g., security screening), as well as coordinated with third parties, including
governments, OTAs, GDSs, and other airlines. For example, an airline’s passenger information
systems may feed passenger data into the airline’s flight planning systems that calculate aircraft
“weight and balance,” which is vital to aviation safety, including, among other factors, aircraft
loading, takeoff and approach speeds, engine thrust settings, and required runway length.
Accordingly, any system changes must be carefully planned, rigorously tested, and precisely
executed. System errors can have serious consequences. 25
See supra note 19, PNR IFR, 67 Fed. Reg. at 42,711.
See infra Section III.A.2.
25
See e.g., Ingrid Melander and Tim Hepher, New Computer Glitch Delays United Airlines Flights, REUTERS (Oct.
14, 2016), available at https://www.reuters.com/article/us-unitedairlines-delays-idUSKBN12E0N3 (reporting that
an issue with United Airline’s weight reporting system delayed flights); Robert Wall and Alison Sider, U.S.
Airlines Report Delays Caused by System Fault, The Wall Street Journal (Apr. 1, 2019), available at
https://www.wsj.com/articles/southwest-airlines-says-systemwide-technology-problem-affecting-flights11554117011 (reporting that an issue with a third-party computer system, which helped dozens of airlines
calculate aircraft weight and balance, caused substantial operating impacts); Nicholas Sakelaris, British Airways
23
24

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 15 of 77
As explained in Section III.C below, over one-third of major U.S. passenger airline
bookings are indirectly purchased through travel agents and OTAs (and then through GDSs),
which may be the only source of (limited) passenger information until the passenger checks-in
with the airline, either online or at the airport. Accordingly, any passenger contact information
solution developed to meet CDC’s needs will have to account for the complex interoperability of
both airline, ticket agent/OTA, and GDS systems to attempt to ensure that all passenger contact
information is included in a PNR.
We conservatively estimate that scheduled passenger airlines need at least 12 months to
ensure that all relevant systems (i.e., reservation systems, kiosks, websites, mobile applications,
etc.) are modified to capture and include specific passenger contact information in every PNR.
Because of current operational and business processes, it is resource- and time-prohibitive to
modify systems for a select population of passengers (e.g., passengers traveling from a foreign
country to the United States) or phase-in individual elements of passenger contact information
(e.g., updating the systems first for phone number and later for email address). In other words,
all relevant systems must be modified for all required passenger contact information elements to
be included in PNR.
We conservatively estimate that the costs to modify systems for most passenger airlines
will be considerably more than $1 million per airline and the total impact across airlines will far
exceed $164 million (based on $1 million for each of the 183 airlines carrying passengers to the
United States) 26. The actual costs will be enormous—one airline estimates that the costs to

Cancels, Delays Hundreds of Flights After Computer Glitch, UNITED PRESS INTERNATIONAL (Aug. 7, 2019)
available at https://www.upi.com/Top_News/World-News/2019/08/07/British-Airways-cancels-delays-hundredsof-flights-after-computer-glitch/6631565185125/ (reporting that a computer glitch delayed or canceled hundreds
of British Airways flights that affected more than 15,000 passengers and flights around the world).
26
Based on DOT, BTS T-100 data for the period of September 2018 through August 2019, including airlines
carrying one or more passengers to the United States daily.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 16 of 77
modify its systems will be approximately $23-46 million. Moreover, the collective costs to
modify systems across the entire airline industry, including airlines, travel agents/OTAs, and
GDSs, will be even greater. Importantly, these estimated costs do not include:
•

Stakeholders’ increased recurrent costs related to manpower, training,
equipment, and programming to collect the required passenger contact
information and ensure it is transmitted to airlines and then to the CDC;

•

Airlines’ increased real estate costs for additional airport counterspace to
allow more agents to interact with passengers to get passenger contact
information;

•

Stakeholders’ sunk costs to collect passenger contact information
unnecessarily when the passenger ultimately decides not to board the
aircraft to travel to the United States, including manpower to explain the
passenger contact information requirement and address any privacy
concerns, request that the passenger give contact information that is
accurate, and collect and enter the passenger contact information;

•

Stakeholders’ costs to renegotiate the agreements between the following
sets of stakeholders: (i) OTAs/travel agents and GDSs; and (ii) GDSs and
airlines; and

•

Passengers’ burden to retrieve contact information that may not be readily
available when booking a reservation or checking-in to their flight (e.g.,
retrieving hotel address and phone numbers), as well as burdens on other
industries to help passengers get the contact information (e.g., hotel agents
providing the hotel phone number and address to passengers).

It is also important that CDC recognize that airlines will have substantial operational
impacts and resulting inestimable costs from the collection of passenger contact information at
the airport when the passenger has not provided it to the airline (or relevant third-party) before
the passenger arrives at the airport. For example, the collection of passenger contact information
will result in longer wait times in airport check-in areas because the information can only be
manually entered by the passenger or airline agent and cannot be automatically captured at a
ticket counter or kiosk, like a scan of a passport. Airlines can only mitigate such impacts by
dedicating additional resources (i.e., purchase and installation of more kiosks, hiring of more
agents, purchasing and installation of additional computers, etc.). For connecting passengers,

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 17 of 77
airlines will also have to dedicate additional resources at the gate. Moreover, the collection of
passenger contact information at airports increases person-to-person contact between passengers
and airline agents, raising the potential to spread COVID-19. The increased number of
passengers waiting in unsecured terminal areas to provide the airline the passenger contact
information will also raise security concerns for airlines, airports, local law enforcement, and the
U.S. government.
In practice, and largely as a result of increased airline website and mobile application
bookings, many airlines do collect some passenger contact information that the CDC requires in
the IFR. Airlines generally collect and include the passenger’s name in the PNR.
However, no airline or third-party system is designed to ensure the capture and
transmission of the passenger contact information that the IFR requires via PNR. Even if an
airline collects more contact information than the passenger’s name, its systems may not be
designed to include such information in the PNR, in part because it is not required to do so and to
comply with privacy laws. As the CDC is aware, some airlines’ systems do include address,
phone number, and email address in the PNR. However, a PNR with multiple passengers may
contain a single address, phone number, and email address, which may belong to one of the
passengers or, as discussed in Section III.C.2 below, to a travel agency.
We understand from discussions with the U.S. government that it believes that airlines
include a phone number in approximately 74% of PNRs and an email in approximately 54% of
PNRs. The U.S. government has not explained the nature of the contact information gaps that it
asserts are present, nor has it not committed to working with the airlines and other stakeholders
to identify the gaps and the root causes for any gaps.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 18 of 77
Some airlines can manually input passenger contact information into an existing PNR,
which we are doing to ensure compliance with the IFR and the related CDC order. However,
this manual entry is only possible on an extremely de minimis scale (i.e., 50-100 people per day,
per airline) because of operational processes and available resources. Specifically, airlines have
largely automated the booking and check-in processes (e.g., websites, mobile applications, and
kiosks) to allow passengers to have a seamless and more efficient travel experience and reduce
face-to-face interaction with airline agents. Because many passengers use these automated
portals (and doing so reduces face-to-face interactions between passengers and airline agents that
could spread COVID-19), airlines have reduced staffing that serves customers on a one-on-one
basis and have limited personnel available at airports and airline call centers. Any increase of
the manual collection of passenger contact information at airports and entry into existing PNRs,
at any scale, would cause massive operational disruptions (e.g., extremely long check-in lines,
boarding processes, and call center wait times), require an increase in airline agents at the airport,
and cause passengers to miss flights and connections.
Additionally, only limited numbers of airline agents have access to and are trained in
updating PNR data. For example, some airlines do not allow new bookings at airport ticket
counters or kiosks; customers must contact the airline’s call center to book a flight. Therefore,
airline agents at airport ticket counters or passengers at kiosks may be unable to update
passenger contact information in the passenger’s PNR. Also, airlines use common-use (i.e., nonexclusive) aircraft gates that may not have the capability to update passenger contact information
in an existing PNR because the shared-use computer at the gate is not connected to the necessary
airline systems. An example scenario may play out as follows: a passenger is connecting from
one airline to another, but the first airline has not collected, coordinated, or shared any passenger

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 19 of 77
contact information with the second airline because the first airline does not serve the United
States. Therefore, the first opportunity for the passenger to share his or her contact information
with the second airline (the airline transporting the passenger to the United States) is at a
common-use gate, where the airline agent may not have access to the necessary systems to
update the PNR with the passenger’s contact information.
Even if an airline agent has the capability and is trained to make a change to passenger
contact information in an existing PNR, the resulting delays in gate check-in and boarding would
have significant impacts, including increased aircraft gate times; the rearrangement of slots and
flight schedules; and, burdens on passengers (e.g., increased passenger connection time and
disrupted schedules). To avoid such impacts, airlines would have to implement unreasonable
and costly mitigation efforts that cannot be accomplished in the short-term for COVID-19 (e.g.,
adding personnel and computer resources at gates (common-use and exclusive)).
In fact, many passengers traveling to the United States from foreign destinations travel
through multiple connections and travel on multiple airlines. Closing all passenger contact
information sharing gaps between airlines, as well as between airlines and GDSs, including to
attempting to improve the accuracy of passenger contact information, will take significant time,
resources, and funding, and is impossible in a reasonable time to address immediate COVID-19
needs. Despite closing these gaps, the airline industry still cannot ensure the accuracy of the
passenger contact information. For example, the second airline (the airline transporting a
passenger to the United States) will not always have passengers’ contact information from a
connecting airline or ticket agent/OTA and will therefore have to solicit unverified contact
information directly from passengers at the gate, which will result in delays.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 20 of 77
It is important to recognize that substantial operational impacts would likely occur in any
circumstance under the IFR, including more automated airline industry solutions or where an
airline agent must manually collect passenger contact information directly from the passenger,
regardless of the system through which the airline delivers the data to the U.S. government.
2.

Advance Passenger Information

In ATSA, Congress required airlines to transmit passenger and crewmember manifests of
international flights electronically to Customs before landing in the United States in a Customsprescribed manner, time, and form, and containing full names, date of birth, citizenship, gender,
passport number and country of issuance, and (if applicable) visa or resident alien card number
of each passenger and crewmember. 27 This information is called API. Congress also
acknowledged that airlines may provide API through the Advanced Passenger Information
System (“APIS”), further described in Appendix D. 28 In 2002, Congress added the requirement
that API include the individual’s U.S. address while in the United States. 29 CBP does not require
the address for U.S. citizens, lawful permanent residents, or persons who are in transit to a
location outside the United State. 30
Key facts about API include:
•

For contact information, airlines only transmit the passenger’s selfreported name and address (of a foreign national’s first night’s stay in the
United States) through APIS to CBP, but the address information is
unverified, and may include a general description of the location in the
United States, if it is unknown by the passenger, and API only includes the

Pub. L. No. 107-71 § 115 (2001) (codified at 49 U.S.C. § 44909) (hereinafter “ATSA”). The Customs Service
implemented this requirement in December 2001. See Customs Service, Passenger and Crew Manifests Required
for Passenger Flights in Foreign Air Transportation to the United States, 66 Fed. Reg. 67,482 (Dec. 31, 2001)
(Interim rule). Before ATSA, airlines were only required to send passenger manifests to the U.S. government
following an aviation disaster outside of the United States. See 49 U.S.C. § 44909 (2000), Attachment 6.
28
See supra note 27, ATSA § 115. Congress also provided that Customs may share this information with other
Federal agencies for the purposes of protecting national security. Id.
29
See Enhanced Border Security and Visa Entry Reform Act of 2002, Pub. L. No. 107-173 § 402.
30
See 19 C.F.R. § 122.49a.
27

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 21 of 77
permanent residence for crewmembers (not the location while in the
United States).
•

API does not include phone numbers or email addresses.

•

API contains non-contact information (e.g., passport information) that the
U.S. government can leverage to identify passenger contact information
that the U.S. government already has in its possession, including through
the U.S. government systems discussed in Sections III.A.3-5 below.

•

The foundational data element of APIS is the information from passports,
which are machine-readable to facilitate data entry and reduce errors.
Additional passenger contact information beyond what is already
contained in API will not be machine readable—all information must be
entered manually, substantially increasing booking and check-in times, as
well as the potential for errors.

•

Airlines compile API from multiple systems that would need to be
modified to ensure capture and inclusion of specific passenger contact
information in API and transmission to CBP. CBP, OTAs, and GDSs
would also need to modify their systems to capture, transmit, and/or
receive the contact information that is not already required by the APIS
regulations (i.e., phone numbers, email, and a crewmember’s address in
the United States).

•

Despite very close collaboration between all stakeholders, APIS changes
have historically taken years to develop and implement because APIS is
designed to collect verifiable biographic information which can be
collected in an automated manner. Modification of the APIS framework
to include manually entered and unverifiable passenger contact
information for purposes of CDC’s contact tracing would represent a
significant departure from the API framework and standards.

Like PNR systems, we anticipate that airlines will need at least 12-18 months to modify
their systems to transmit the CDC-required passenger contact information as API. And, like
PNR, this timeframe is exclusive of the time it will take to ensure that all APIS-related systems
remain interoperable, including those of CBP, travel agents/OTAs, GDSs, and other airlines.
Unlike PNR, APIS changes will also require implementation of changes by CBP, for which the
timeframe and costs are unclear. Also, airlines that do not have automated systems to collect
passenger contact information and transmit it through APIS (i.e., some charter or smaller

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 22 of 77
airlines) will likely require a longer time to develop the requisite systems that collect the
information, process it, connect with CBP, and transmit the information to the CBP.
We conservatively estimate that the system modification costs per airline will easily
exceed $1 million per airline and the total cost to the airline industry, including all the airlines
(passenger and cargo), travel agents/OTAs, and GDSs will far exceed $164 million. Like PNR,
this estimate is exclusive of other indirect costs to and operation impacts on airlines and
passengers. The indirect costs and operational impacts associated with PNR (e.g., increased
recurrent costs, real estate costs, sunk costs, passenger burdens, increased wait times, etc.),
discussed in Section III.A.1 above, will also be incurred if CDC requires that the IFR passenger
contact information be sent as API.
Unlike scheduled passenger airlines, which collect passenger information in various
forms and systems, charter airlines typically limit their collection of passenger information to the
data elements required as API and submit such data via APIS. Accordingly, charter airlines are
unable to unilaterally modify their API submissions—CBP will have to modify systems before
charter airlines can submit the CDC-required passenger contact information as API.
3.

Electronic System for Travel Authorization (“ESTA”)

The Secure Travel and Counterterrorism Partnership Act of 2007 required that the DHS
implement an electronic travel authorization system and other measures to enhance the security
of the Visa Waiver Program (“VWP”). 31 Pursuant to this mandate, CBP developed ESTA—“an
automated system used to determine the eligibility of visitors to travel to the United States under
the [VWP] and whether such travel poses any law enforcement or security risk.” 32

Pub. L. No. 110-53 § 711 (Subtitle B of the Implementing Recommendations of the 9/11 Commission Act of
2007).
32
CBP, ESTA Frequently Asked Questions, available at https://esta.cbp.dhs.gov/faq (hereinafter “ESTA FAQ”)
(What is the Electronic System for Travel Authorization?), Attachment 7.
31

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 23 of 77
Passengers traveling under the VWP must submit biographic (including contact) and
travel information to ESTA to apply for an ESTA authorization. 33 CBP has confirmed that a
passenger must specifically provide, among other information:
•
•
•
•
•
•

Name (first name and surname), date of birth, country of citizenship and
residence;
Passport information (number and issuing country);
Telephone number (home or cellular) and email address;
Contact phone number and email address;
Destination address; and
Employment address, phone number, and email.

Additionally and importantly, applicants must answer whether the applicant has any
communicable diseases. 34
All passengers traveling under the VWP, even if merely transiting through the United
States, must apply and have an ESTA authorization. 35 The passenger should apply no later than
72 hours before departing for the United States and the authorization is valid for two years or
until the passenger’s passport expires. 36 The average time at which passengers submit the
application to CBP before their travel is unclear.
In April 2007, leveraging the collaborative development of APIS Quick Query (“AQQ”)
messaging, 37 the airline industry became involved in the development of the ESTA program
because CBP and airlines sought to incorporate a prospective VWP passenger’s ESTA status as a
component of the passenger’s boarding eligibility status. 38 Approximately 14 months later in

See 8 C.F.R. § 217.5(a).
See DHS, Privacy Impact Assessment Update for the Electronic System for Travel Authorization 8 (ESTA) (Feb.
17, 2016) (adding severe accurate respiratory illness capable of transmission to other persons and likely to cause
mortality to the list of communicable diseases in the ESTA application), Attachment 8.
35
See supra note 32, ESTA FAQ (Do I need to apply if I’m only transiting the United States en route to another
country?).
36
See id. (How long is my ESTA valid for?).
37
See infra Appendix D at 1-2.
38
See CBP, Changes to the Visa Waiver Program to Implement the Electronic System for Travel Authorization
(ESTA) Program, 73 Fed. Reg. 32,440, 32,443 (June 9, 2008) (Interim final rule).
33
34

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 24 of 77
June 2008, CBP issued an ESTA interim final rule that became effective 2 months later in
August 2008, at which point ESTA was available to travelers. 39 ESTA authorization did not
become mandatory for all non-immigrant aliens traveling under the VWP until January 2009. 40
Because the airline industry was working collaboratively to develop the requisite systems and
electronic messaging, CBP supported a period of informed compliance to increase awareness for
the traveling public and to give the industry an opportunity to modify their systems. In midJanuary 2010, the CBP announced a 60-day transition period from informed compliance to full
compliance enforcement on March 21, 2010. 41 In the end, it took CBP and the airline industry
nearly three years from the inception of ESTA to full implementation.
4.

Electronic Visa Update System (“EVUS”)

EVUS is an automated system that determines eligibility to travel to the United States for
temporary business or pleasure on a U.S. visitor Visa, class B1, B2, or B1/B2, which are
generally valid for 10 years. 42 EVUS enrollment is required for citizens and nationals of the
People's Republic of China (“China”). 43 Eligible passengers must enroll with EVUS at any time
prior to boarding for travel to the United States. 44 Notably, like ESTA, the purpose of EVUS is
for the U.S. government to obtain updated biographic information from repeat visitors who travel

39

Id.
See CBP, The Electronic System for Travel Authorization: Mandatory Compliance Required for Travel Under the
Visa Waiver Program 73 Fed. Reg. 67, 354 (Nov. 13, 2008) (General notice).
41
See Letter from T. Goyer, Exec. Dir. Admissibility and Passenger Programs, CBP, to B. Kostuk, Managing Dir.
Of Passenger Facilitation, Air Transport Assoc. (Dec. 18, 2009), Attachment 9. CBP issued final rules for ESTA
in 2015. See CBP, Changes to the Visa Waiver Program to Implement the Electronic System for Travel
Authorization (ESTA) Program and the Fee for Use of the System, 80 Fed. Reg. 32,267 (June 8, 2015) (Final
rule).
42
See CBP, EVUS Frequently Asked Questions, available at https://www.evus.gov/#/faq (hereinafter “EVUS
FAQ”), Attachment 10.
43
Id. (Who is required to enroll with EVUS?).
44
Id. (If I have made travel plans, when should I enroll with EVUS?).
40

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 25 of 77
to the United States multiple times over the span of a long-term visa. 45 CBP has confirmed that
to enroll in EVUS, a passenger must provide, among other information:
•
•
•
•

Name (first name and surname), date of birth, and country of citizenship
and residence;
Address, telephone number (home or cellular), and email;
Destination address; and
Communicable disease(s).

An EVUS notification of compliance, which is the EVUS approval, is valid for two years. 46 The
average time at which a passenger submits the application to CBP before their travel to the
United States is unclear.
Like ESTA, airlines were instrumental in the development and implementation of EVUS.
It took approximately 13 months from initial outreach to the industry to reach full
implementation of EVUS. It is important to recognize, however, that the implementation of
EVUS was largely facilitated by leveraging the existing AQQ systems and messaging that was
implemented with ESTA (which took nearly three years to fully implement). Despite leveraging
existing systems and messaging, the implementation was resource intensive. For example, one
airline expended approximately 460 hours (or 58 eight-hour days) to update the airline’s
mainframe systems to recognize the EVUS messaging and properly action it. It took additional
time for the airline to update check-in applications to recognize EVUS messaging. Some airlines
required even more time to update their systems to recognize the EVUS-specific messaging.
5.

U.S. Passport and Visa Application Information

Another U.S. government collection point for traveler information are the application
processes for a U.S. passport or a U.S. visa. These application processes generally capture
contact information that must be accurate under penalty of law. In the IFR, it is unclear:

45
46

See DHS, Establishment of the Electronic Visa Update System, 81 Fed. Reg. 72,481, 72,482 (October 20, 2016).
See 8 C.F.R. § 215.24

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 26 of 77

B.

•

Whether the CDC has considered the contact information that is available in these
applications and/or determined the currency of such information (i.e., time
between application and travel);

•

Whether the CDC and relevant agencies have examined the possibility of
requiring applicants to update their contact information in the applications to
capture the contact information that the CDC requires of airlines in the IFR; or

•

Whether the CDC and relevant agencies have explored the possibility of creating
systems akin to EVUS or ESTA through which passport and visa application
information could be updated to ensure timely collection of contact information
from travelers.
Crewmembers

Generally, airlines have contact information for their crewmembers, including home
address, phone number, and email address. Airlines also typically have an address for
crewmembers who are traveling as an operating crewmember away from their home, such as the
hotel where the crewmembers are staying. However, on a flight-by-flight basis, airlines do not
collect and/or validate the crewmembers’ contact information that an airline has in its files.
A PNR is not created for operating crewmembers. Apart from APIS, discussed in
Section III.A.2 above, airlines simply do not have systems or processes to collect, update, and
transmit through existing channels on a flight-by-flight basis, a crewmember’s contact
information, and especially not the phone numbers or email addresses that may be the best way
to contact them while they are in the United States.
We also note that airlines have taken measures to protect crewmembers who travel to
locations subject to a travel restriction or warning. These programs, which are based on Federal
Aviation Administration (“FAA”) and CDC guidance, 47 ensure crewmembers are protected
while on duty and during rest, and monitor crewmembers’ health on an ongoing basis. As such,

47

See e.g., FAA, SAFO 20003 (Mar. 12, 2020) (2019 Novel Coronavirus: Interim Health Guidance for Air Carrier
and Crews), Attachment 11.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 27 of 77
the CDC should regard flight crewmembers operating with health protections differently from
ordinary travelers.
As we have advocated since the CDC issued the IFR, we maintain that crewmembers
should be exempt from the IFR and any related CDC order because of the health services already
provided by airlines and the burdens of creating or modifying systems to track pilot information
on an individual flight basis.
C.

Third-Party Bookings Through Other Airlines, OTAs, and GDSs

It is critical that CDC understand the third-party booking process and the complex
interplay between multiple airlines, OTAs, and GDSs, particularly given the substantial volume
of bookings through OTAs and travel agents. 48
1.

Bookings Through Other Airlines

Airlines enter into various agreements that allow flights of multiple airlines to be booked
on a single itinerary and in many cases have infrastructure to allow seamless connections
between those flights. This includes interline and codeshare arrangements. An interline
arrangement can, among other things, help airlines transfer a passenger and their baggage
between the airlines when the passenger connects from one airline to the other, preventing the
passenger from having to get tickets from each airline and retrieve their checked baggage
between the flights. Because this is the most basic relationship between airlines, an interline
arrangement typically involves the least amount of shared information and it is less likely that
the airlines’ systems are designed to collect, much less share, passenger contact information.
Furthermore, if the first airline of the passenger’s travel does not serve the U.S. directly, it is

48

Based on publicly available information and A4A research, approximately 36% of all bookings with A4A
members are indirect bookings (e.g., OTAs) and some of A4A’s individual members’ bookings are approximately
50% indirect.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 28 of 77
very likely that such airline will never collect the passenger contact information required by the
CDC. If the second airline is transporting the passenger from a foreign destination to the United
States, that second airline will likely have to solicit the passenger’s contact information directly
from the passenger at the gate, which will have substantial implications that are discussed in
Sections III.A.1-2 above.
A codeshare arrangement allows two or more airlines to publish and market a single
flight operated by one of the airlines using the marketing airline’s code. The scope and depth of
the cooperation between airlines varies under the codeshare arrangement—from a simple
bilateral codesharing to complex alliances involving many airlines—although, the relationship is
typically more cooperative than a basic interline arrangement. It is important to note, however,
that no two arrangements, whether interline or codeshare, are identical, and the scope and depth
at which information is shared between the airlines is dependent upon the arrangement and the
airlines’ existing systems.
Additionally, airlines may be hosted by other airlines and/or on different systems at
different airports, bringing more systems and complexity into consideration before any
modification can be made for the IFR to capture and transmit passenger contact information. For
example, a U.S. airline may rely on the personnel and/or systems of their codeshare partners at a
foreign airport, requiring additional coordination between the airlines.
In sum, before modifying systems to capture and include specific passenger contact
information in PNR or API, airlines would need to assess their arrangements and system
connections with each and every airline with whom the airlines share passengers in each and
every country the airline serves. Each airline would have to determine interoperability and
potential obstacles to ensure that transfer of every passenger’s contact information is successful.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 29 of 77
Additionally, many regional airlines that codeshare and operate under their mainline
partners flight numbers typically do not own reservation systems. This means that these regional
airlines do not own or have access to passenger information. Therefore, these regional airlines
are only responsible for submitting crewmember information to CBP and complying with the
API requirements. It is illogical to hold such regional airlines responsible for providing
passenger contact information that we simply do not have and penalizing them for lacking the
infrastructure to capture and share passenger contact information with the U.S. government.
2.

Bookings Through OTAs/Travel Agents/GDSs

Traditional travel agencies and OTAs typically connect through GDSs to book travel with
an airline. Except the information that an airline requires for booking, the information that is
exchanged between the travel agent/OTA and the GDS (e.g., contact information) depends upon
the arrangement and the interoperability of systems between the travel agent/OTA and GDS. We
expect that the scope of exchanged information varies widely and submit that the CDC must ask
travel agents/OTAs and GDSs about the details regarding their relationships and data exchange.
Travel agents/OTAs are not subject to the IFR and face no consequence for not sharing
complete or accurate passenger contact information. In fact, we believe that travel agents/OTAs
are disincentivized to share passenger contact information because they want to keep that
information confidential and maintain the relationships with their customers. To require that
travel agents/OTAs provide passenger contact information, we expect that every relevant system
would need to be updated (including airlines, GDSs, and travel agents/OTAS) and contracts
would need to be amended to attempt to ensure compliance. Moreover, private entities,
especially those outside of the United States, are unlikely to agree to contractual changes unless
they are subject to a government mandate for every party to do so. Notably, thousands of travel

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 30 of 77
agents and OTAs exist around the world and we expect that it would take years to ensure all
travel agents and OTAs were up-to-date and compliant. We do not expect that it could be
accomplished to respond to COVID-19. And, even if CDC and HHS have the authority to
regulate OTAs, travel agents, or GDSs, and it is unclear that they do, the airlines would still be
unable to validate the accuracy or meaningfully mandate compliance by these third parties.
The same complexities exist at the next level between GDS and the 183 passenger
airlines that operate to and within the United States. Each GDS has its own system that would
have to be modified to capture passenger contact information. That modification would have to
be tested against each airline system (and travel agents/OTAs systems) after the airline system
has been updated to receive the passenger contact information. Each GDS has an arrangement
with each airline, which would have to be reviewed and possibly amended to ensure that any
passenger contact information that the GDS captures is then shared with the airline.
We also note that, if CDC does not expect that travel agents, OTAs, or GDSs are part of
the solution to collect passenger contact information—which would make the airlines the only
parties responsible for collecting the information, we expect that the rules will have a real and
substantial impact on passengers. Specifically, many passengers that book through travel agents/
OTAs will have to provide their contact information to the airline(s) upon check-in or before
departure, which will add a substantial amount of time to that passenger’s itinerary. This could
lead to missed flights and duplicative collection of passenger contact information that passengers
already provided to travel agents/OTAs but was not subsequently shared with the airlines.
D.

Section 71.4 History and Airline Compliance

The CDC twice considered imposing rules that require that airlines collect passenger
contact information that the airlines do not ordinarily collect in their existing processes and

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 31 of 77
disclose such information to the CDC. In each instance, the CDC undertook a full APA
rulemaking process and never determined that airlines must collect more passenger contact
information than we already collect and maintain.
1.

2005 CDC Rulemaking

In 2005, CDC proposed that each airline must develop a plan to ensure that it would
solicit information from passengers and crewmembers on domestic flights operating out of
certain airports and on all international flights. 49 The proposal was not limited to passengers
who may be at risk of exposure to a communicable disease. 50 If the rules had been finalized,
airlines would have been required to submit a plan six months after the final rule and prepared to
transmit the information electronically to the CDC two years after completion of the plan. 51 In
the preamble to the proposed rules, the CDC acknowledged the airlines’ history of cooperation
and that the “primary responsibility for locating passengers rests with public health
authorities.” 52
A4A (then called Air Transport Association, Inc.) and IATA submitted extensive
comments, Attachments 12 and 13, which echo many of the facts and concerns that are raised
in these comments to the IFR. Notably similar issues that were raised include, but are not
limited to: information validation issues; inadequate consideration of less costly alternatives,
including a U.S. government-controlled portal for direct submission from passengers; issues with

See CDC, Control of Communicable Diseases, 70 Fed. Reg. 71,892 (Nov. 30, 2005). The information included
(in order of the relative utility of each piece of data for contract tracing): full name, emergency contact
information, flight information, at least one current phone number (in order of preference: mobile, home, pager, or
work), email address, current home address, passport number or travel document number, name of traveling
companions or group, returning flight (date, airline number, and flight number), and if necessary to prevent
introduction, transmission, or spread of communicable disease, additional information in the airlines possession.
Id.
50
Id.
51
Id. at 71,931
52
Id. at 71,898.
49

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 32 of 77
travel agents and GDSs; the disconnect between the rules and CDC’s stated intent, including an
overly broad scope; the inadequate consideration of information already collected by the U.S.
government; and privacy concerns.
Without explanation, the CDC abandoned the 2005 rulemaking and the CDC has not
provided any apparent basis to now shift the responsibility of collecting contact information to
the private sector, let alone to one specific segment of the industry.
2.

2016 CDC Rulemaking

In 2016, the CDC proposed Section 71.4. 53 Notably, the information that CDC directed
airlines to report is limited to that which is “already available and maintained by the airline,” and
the transmission of such information must be in a format “available and acceptable to both the
airline and the CDC.” 54
The only change between the proposed and final rules was the inclusion of Section
71.4(c), requiring the CDC to publish and seek comment on a report evaluating the burden of
Section 71.4 on affected entities and duplication of activities in relation to mandatory passenger
data submissions to DHC/CBP. 55 The CDC was also required to include recommended actions
to streamline and facilitate the use and transmission of any duplicate information collected.
In the preamble to the proposed rules, the CDC acknowledged that, under the process that
was in effect before 71.4, airlines may not be in possession of the passenger contact information
sought by HHS/CDC and may not be able to transmit contact data to HHS/CDC in a timely
manner. 56 It stated that the purpose of the rulemaking was to codify the existing practice at that

See CDC, Control of Communicable Diseases, 81 Fed. Reg. 54,230 (Aug. 15, 2016) (hereinafter “2016 NPRM”);
CDC, Control of Communicable Diseases, 82 Fed. Reg. 6,890 (Jan. 19, 2017) (hereinafter “2017 Final Rule”).
54
See 42 C.F.R. § 71.4(a) (emphasis added).
55
See CDC, Report as Required by the 2017 Control of Communicable Diseases Final Rule (hereinafter “CDC 2017
Report”), available at https://www.cdc.gov/quarantine/42-cfr-71.html, Attachment 14.
56
See supra note 53, 2016 NPRM at 54,251.
53

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 33 of 77
time. The CDC also acknowledged that “airlines are not required to verify the accuracy of the
information collected, and airlines are not required to collect additional information from
passengers than already collected and maintained by the carrier.” 57 It stated that “[b]ecause
airline manifest data are often insufficient to contact potentially exposed travelers reliably, CDC
will supplement these data with information from CBP, including APIS and Passenger Name
Record (PNR), consistent with current practice.” 58 Notably, according to the CDC’s subsequent
report, discussed in Section III.D.3 below, it appears that the CDC was successful in getting at
least some contact information for each passenger through this process.
In joint comments, the airline trade associations responded to the CDC’s proposed rules,
Attachment 15, which raised issues similar to those made herein.
In the final rules, the CDC reiterated the acknowledgement that airlines were not required
to verify accuracy or collect additional information already maintained by the airlines. 59
Notably, just over three years ago, the CDC concluded that the final rules were “the best
solutions for protecting U.S. public health while allowing for continued travel,” while also being
compliant with the policy that the U.S. government’s regulatory system must protect public
health, welfare, and safety while promoting economic growth, innovation, competitiveness, and
job creation, while being based on the best available science. 60 The CDC also acknowledged
that “passengers are not required by HHS/CDC to submit specific data elements provided by

Id. at 54,251. In the rulemaking, CDC also considered the alternative of airlines voluntarily complying with the
data sharing requirements and HHS/CDC would not solicit contact data from airlines. The CDC determined that
the proposed rules met their contact tracing requirements. Id.
58
Id.
59
See supra note 53, 2017 Final Rule at 6,928.
60
Id. at 6,930.
57

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 34 of 77
passengers.” 61 In other words, passengers are not obligated to provide their contact information
to airlines. This remains true under the IFR.
3.

CDC Report on Section 71.4(a) and Airlines Compliance under
Section 71.4(a)

Pursuant to the 2017 final rules, the CDC issued a report evaluating the burden of Section
71.4 and the potential duplicative burdens that the regulatory provisions have on the airline
industry. 62 In the report, the CDC acknowledged that it makes use of information from CBP’s
National Targeting Center (“NTC”) via APIS with two analysts co-located at NTC who conduct
data searches to supplement passenger contact information provided by airlines. According to
the report, the CDC signified that it intended to maintain its current practice of obtaining
information from CBP to minimize requests on airlines. The report also indicated that after the
effective date of the final rules, airlines sent passenger information to the CDC in a relatively
timely manner for urgent requests, with all airlines responding within 72 hours and most
responding within 24 hours. Additionally, the CDC confirmed that it was able to provide at least
one piece of contact information to health departments for 99.9% of travelers both before and
after the regulations went into effect. It also confirmed that it had increased the amount of data
sent to health departments after supplementing the data received from airlines with additional
data obtained from CBP’s NTC. According to the report, the CDC is able to provide the contact
information elements to health departments at the rates in Table 1 below.
Since the promulgation of Section 71.4(a), airlines have been compliant with CDC’s
requests for information. We are not aware of any instance in which an airline has refused to

61
62

Id. at 6,928.
See supra note 55, CDC 2017 Report at *8. Based on the responses of industry participants, CDC did not identify
any increased burden or duplication of effort as a consequence of the 2017 final rule. Id. at *3.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 35 of 77
give the contact information required under Section 71.4(a). Airlines have been fully compliant
with the requirements of 71.4(a) for COVID-19.
Table 1. CDC Report on 71.4 – Rate CDC Shared Passenger Contact Information to
Health Departments
Passenger Contact Information
Element
U.S. Address Category 1 (any address
information)
U.S. Address Category 2 (complete
address information)
Email Address
Single Phone Number
Two or more phone numbers

Post-2017 Rate CDC Provided
Information to Health Departments
95.1%*
98.8%*
79.9%
91.1%
53.8%*

* indicates that differences were significant at the 95% level based on both Fishers exact test for
pairwise comparisons and logit models that controlled for urgency of requests and for foreign v.
domestic carriers.

IV.

THE IFR SIDESTEPS REQUIRED STATUTORY PROCEDURE
The aforementioned circumstances, including the impossibility of airlines to meet CDC’s

goal to collect accurate passenger contact information for COVID-19, which was well-known to
the CDC, underscores the critical need for the CDC to have undertaken a fully informed
rulemaking process. Moreover, the shortcomings of the IFR will become increasing apparent
and problematic for airlines, including their capability to comply and increased potential for
unavoidable liability, especially as the CDC issues more orders under the IFR.
A.

CDC Failed to Provide Sufficient Public Notice and an Opportunity to Comment

The APA requires an agency to give advance notice of a proposed rulemaking and an
opportunity for all “interested persons” to comment. 63 The APA also requires that a substantive
63

See 5 U.S.C. § 553(c). Federal agencies are required, prior to the promulgation of any regulation, to publish in the
Federal Register a general notice of proposed rulemaking that includes: (1) a statement of the time, place, and
nature of public rulemaking proceedings; (2) reference to the legal authority under which the rule is proposed; and
(3) either the terms or substance of the proposed rule or a description of the subjects and issues involved. Id. at §
553(b).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 36 of 77
rule be published at least 30 days before it becomes effective. 64 By issuing the IFR without
notice and comment, the CDC did not provide stakeholders an opportunity to request
clarification and necessary changes to the burdensome and vague rule, in violation of
fundamental principles of agency rulemaking. 65
Airlines appreciate that COVID-19 poses a serious public health event and poses certain
logistical challenges to various government agencies, including CDC, but the COVID-19
outbreak does not justify an exception to notice and comment rulemaking for this particular rule.
CDC’s invocation of the APA’s good-cause exception 66 is not well taken considering the CDC’s
past rulemakings and the CDC’s preexisting expectation that upcoming global communicable
disease threats will require passenger contact information. 67 Moreover, the movement of people
and goods in international air transportation, which has been occurring for more than eight
decades, is neither an emergency nor the basis of a good-cause exception that justifies a rule of
general and indefinite applicability bypassing the procedural protections of the APA.
Additionally, the exception generally applies where Congress has specifically authorized
an exception or mandated rulemaking on such an expedited schedule that public notice and
comment would be impracticable. 68 Neither of those predicates exists here. Congress has not

Id. at § 553(d).
See id. § 553.
66
In issuing the IFR, CDC improperly claimed the “good cause” exception to § 553 applied: “HHS and CDC
therefore conclude that there is good cause to dispense with prior public notice and the opportunity to comment on
this rule before finalizing this rule. For the same reasons, HHS and CDC have determined, consistent with section
553(d) of the APA, that there is good cause to make this interim final rule effective immediately upon filing at the
Office of the Federal Register.” See supra note 2, IFR at 7,878.
67
Cf. Am. Academy of Pediatrics v. Heckler, 561 F. Supp. 395 (D.D.C. 1983) (rejecting an argument that an IFR
was necessary because “any delay would leave lives at risk” and “[s]uch an argument could as easily be used to
justify immediate implementation of any sort of health or safety regulation, no matter how small the risk for the
population at large or how long-standing the problem.”) (internal citations omitted and emphasis added).
68
See 5 U.S.C. § 553(d) (excepting notice and comment “when the agency for good cause finds (and incorporates
the finding and a brief statement of reasons therefor in the rules issued) that notice and public procedure thereon
are impracticable, unnecessary, or contrary to the public interest”).
64
65

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 37 of 77
authorized the CDC to promulgate the current rule as an IFR. Whereas Congress specifically
gave the CDC interim final rulemaking authority in various other statutory provisions, it did not
bestow the statutory authority on which the CDC relied in issuing the IFR. That distinction by
itself is determinative: the CDC has no inherent authority to act in a manner inconsistent with the
authority granted to it by Congress. 69 Nor does Congress require the CDC to impose regulations
within a certain time frame in this instance.
By failing to provide notice and an opportunity to comment, the CDC violated this
central procedural requirement of the APA. 70 CDC’s justification for the IFR obfuscates the
considerable procedural flaws of CDC’s action. Exceptions to the APA’s notice requirement for
“good cause” are “to be narrowly construed and only reluctantly countenanced.” 71 As a general
matter, the opportunity for the regulated community to comment is itself in the public interest. 72
Airlines’ objection to the procedural flaws of the IFR is no mere formalism. The notice
requirements of 5 U.S.C. § 553 “are designed (1) to ensure that agency regulations are tested via
exposure to diverse public comment, (2) to ensure fairness to affected parties, and (3) to give
See FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120, 125 (2000) (“Regardless of how serious the
problem an administrative agency seeks to address, however, it may not exercise its authority ‘in a manner that is
inconsistent with the administrative structure that Congress enacted into law.’” (quoting ETSI Pipeline Project v.
Missouri, 484 U.S. 495, 517 (1988)); Asiana Airlines v. FAA, 134 F.3d 393, 397 (D.C. Cir. 1998) (explaining that
interim final rulemaking is an exception to notice and comment allowed as “whether Congress has established
procedures so clearly different from those required by the APA that it must have intended to displace the norm.”).
70
See Ass’n of Private Sector Colls. and Univs. v. Duncan, 681 F.3d 427, 461 (D.C. Cir. 2012) (agency violates the
APA when it does not give notice of provisions of a regulation, thus depriving the public of the chance to
comment on those provisions); Northern Mariana Islands v. United States, 686 F. Supp. 2d 7, 17 (D.D.C. 2009)
(explaining that the deprivation of procedural notice and comment protections under the APA is actionable harm).
71
Jifry v. FAA, 370 F.3d 1174, 1179 (D.C. Cir. 2004) (internal citations omitted). Courts carefully scrutinize an
agency’s justification for invoking the “good cause” exception. See Mid–Tex Elec. Co–op., Inc. v. FERC, 822
F.2d 1123, 1132 (D.C. Cir. 1987) (“[O]ur inquiry should be a close one.”); Council of S. Mountains, Inc. v.
Donovan, 653 F.2d 573, 580 (D.C. Cir. 1981) (“[C]ircumstances justifying reliance on this exception are ‘indeed
rare’ and will be accepted only after the court has ‘examine(d) closely proffered rationales justifying the
elimination of public procedures.’”) (quoting Am. Fed’n of Gov’t Employees v. Block, 655 F.2d 1153, 1157 n. 6
(D.C. Cir. 1981)).
72
See Mack Trucks, Inc. v. EPA, 682 F.3d 87, 95 (D.C. Cir. 2012) (“The public interest prong of the good cause
exception is met only in the rare circumstance when ordinary procedures—generally presumed to serve the public
interest—would in fact harm that interest.”); NRDC v. Nat’l Highway Traffic Safety Admin., 894 F.3d 95, 114 (2d
Cir. 2018) (regarding notice and comment as beneficial to the public interest).
69

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 38 of 77
affected parties an opportunity to develop evidence in the record to support their objections to
the rule and thereby enhance the quality of judicial review.” 73 After such notice is published,
“the agency shall give interested persons an opportunity to participate in the rule making through
submission of written data, views, or arguments with or without opportunity for oral
presentation.” 74 Agencies must consider the comments presented and provide a “concise general
statement” of the basis and purpose for the final rules. 75
Here, CDC’s failure to engage industry prior to issuing a rule that is detached from the
realities of modern aviation has left the industry flummoxed (not to mention vulnerable to
significant civil and criminal penalties for non-compliance). 76 As indicated by the requests for
clarification, the IFR contains multiple provisions that are unclear, inconsistent, or require
additional information and explanation before airlines can comply. Even as these comments are
submitted, CDC has not provided a full response to industry questions and has failed to address
certain questions, the answers to which are essential to stakeholders responding to the impact of
the IFR meaningfully. Because CDC failed to provide the opportunity for comment that is
fundamental under the APA, the IFR is fatally defective.
CDC has not adequately explained the importance of the public interest or even alleged a
systemic threat that could constitute good cause. 77 CDC did not point to any separate statutory

Int’l Union, United Mine Workers of Am. v. Mine Safety & Health Admin., 407 F.3d 1250, 1259 (D.C. Cir. 2005).
See 5 U.S.C. § 553(c).
75
Id.
76
Meanwhile, the government’s action of imposing an unfeasible, immediate burden on airlines has also caused
industry to be portrayed unfairly in the press, as though it is not taking the concerns posed by COVID-19
seriously, which cannot be further from the truth. See, e.g.,
https://www.washingtonpost.com/business/2020/03/02/airline-data-cdc-coronavirus/, Attachment 16.
77
See, e.g., Sorenson Commc’ns Inc. v. F.C.C., 755 F.3d 702, 709 (D.C. Cir. 2014) (Agency must “articulate a
satisfactory explanation for its action.”). See also Mobil Oil Co. v. Dep’t of Energy, 610 F.2d 796, 803 (Temp.
Emer. Ct. App. 1979) (“It is axiomatic that a mere recital of good cause does not create good cause. Similarly, a
desire to provide immediate guidance, without more, does not suffice for good cause.... [I]f the conclusory
statement that normal procedures were not followed because of the need to provide immediate guidance and
73
74

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 39 of 77
authority allowing it to promulgate the IFR on an interim basis, and as noted, CDC does not have
that authority. The Public Health Service Act 78 (“PHSA”), on which CDC relies for its
authority, is clear when it provides CDC with the authority to promulgate interim final rules.
Congress did not extend that authority to public health emergencies or quarantine. For example:
•

§ 239b. Smallpox vaccine injury table: “The Secretary shall establish by interim
final regulation ….”

•

§ 247d–6d. Targeted liability protections for pandemic and epidemic products and
security countermeasures (c)(2)(A): “The Secretary … shall promulgate
regulations, which may be promulgated through interim final rules ….”

•

§ 300gg–92. Regulations: “The Secretary, consistent with section 104 of the
Health Care Portability and Accountability Act of 1996, may promulgate such
regulations as may be necessary or appropriate to carry out the provisions of this
subchapter. The Secretary may promulgate any interim final rules as the Secretary
determines are appropriate to carry out this subchapter.”

Unlike those statutory provisions, the PHSA sections cited by CDC in the IFR do not convey
authority to promulgate interim final rules under the circumstances at issue here.
Furthermore, even if the COVID-19 outbreak may justify a COVID-19 specific IFR, the
IFR itself is not keyed only to COVID-19—it applies far more broadly, and CDC offers no
justification for why a broadly sweeping and generally-applicable rule that will remain inscribed
in the CFR indefinitely as binding regulations should not first be subject to notice and comment
rulemaking. In fact, the CDC has admitted that the IFR will extend beyond COVID-19. 79 The

information . . . constitutes good cause, then an exception to the notice requirement would be created that would
swallow the rule.” (internal quotation omitted)).
78
See 42 U.S.C. § 201 et seq.
79
See supra Section II. See also IFR, supra note 2 at 7,875 (noting that CDC needs to identify travelers to control
the spread of diseases “such as 2019-nCoV,” (emphasis added) and that “[c]ontact tracing is effective at reducing
cases of communicable disease at the early stages of a potential outbreak … when the first ill passengers arrive,”
but that such stage had already passed in the U.S. and “a public health emergency has existed in the United States
as a result of confirmed cases” of COVID-19); id. at 7,876 (choosing to collect information from airlines instead
of passengers because collection from passengers “unless conducted at all times for all passengers – would
inevitably mean that CDC would not have information … for those individuals who were on flights at the
beginning of or before an outbreak.” and noting that “it is impossible to predict outbreaks, and … the information
from the earliest affected flights would be critical” so the information must be “continually collected”); id. at

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 40 of 77
very fact that CDC has gone down the rulemaking path before on the same subject matter is
evidence that CDC knows it must adhere to notice and comment.
Moreover, by the time airlines, travel agents/OTAs, GDSs, and CBP are able to develop
and implement the system modifications the IFR will require—which, for the reasons explained
above, will undoubtedly take at least a year—it is doubtful the IFR will serve any effective
purpose as it relates to COVID-19. The U.S. government has essentially acknowledged this
shortcoming to airlines, while admitting that it still wants such information. The IFR is also not
“interim”: it amends the CFR and nothing in its language suggests it will have a short shelf-life.
Although the preamble states that the rule will expire when COVID-19 ceases spreading or CDC
determines it is no longer needed, the rule itself contains no sunset provision. The preamble, the
text of the IFR, and CDC’s statements to airlines contemplate that the rule will become a
permanent fixture within the CFR.
If CDC is serious about its longer-term ability to obtain passenger contact information, it
should withdraw the IFR and restart with a notice of proposed rulemaking or, even more
appropriately, a request for information. Airlines appreciate that CDC is affording industry the
opportunity now to comment, but as many courts have pointed out, a post-promulgation
comment period is no substitute for a pre-promulgation comment period. This is because
agencies have substantially less incentive to give serious consideration to any ex post facto
comments that may be received. As the D.C. Circuit aptly put it: “[P]ermitting the submission of
views after the effective date of a regulation is no substitute for the right of interested persons to
make their views known to the agency in time to influence the rule making process in a
7,878 (requesting comment regarding CDC’s authority to require submission of data prior to declaring a public
health emergency, despite fact that COVID-19 was declared an emergency approximately two weeks before
issuance of the IFR, indicating CDC asked this question because it foresees this regulation applying to future
diseases).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 41 of 77
meaningful way.” 80 The point of the pre-promulgation comment period is to allow for
“criticisms which the Agency might find convincing.” 81
B.

A Critical Component of the IFR Was Improperly Left Out of the Rule Itself

The IFR is procedurally defective for the added reason that it compels airlines to provide
the requested data “in a format acceptable to the Director” yet does not specify that format in the
rule itself, leaving it to the ad hoc judgment of CDC as the perceived need arises. Inasmuch as
the “format” of data collection is every bit as much a rule as the required information, 82 the
specified format itself must be subject to notice and comment rulemaking. Without further
information from CDC on how to comply, it is extremely difficult for airlines to determine how
to properly collect and organize the information for purposes of transmission to CDC, and we
may well be deprived of fair notice of what is expected of us when the time comes.
The February 18 Order illustrates, among other things, the shortcomings of not spelling
out in the IFR what CDC means by “acceptable” format. In fact, the February 18 Order provides
no further clarification of that point. That Order directs airlines to use “existing data-sharing
channels” to transmit the required information, but the terms of the Order make clear that data-

Am. Fed’n of Gov’t Employees v. Block, 655 F.2d 1153, 1158 (D.C. Cir. 1981) (citation omitted); see also New
Jersey v. EPA, 626 F.2d 1038, 1049 (D.C. Cir. 1980) (“Section 553 is designed to ensure that affected parties have
an opportunity to participate in and influence agency decision making at an early stage, when the agency is more
likely to give real consideration to alternative ideas.”); U.S. Steel Corp. v. U.S. EPA, 595 F.2d 207, 214-15 (5th
Cir. 1979) (“Permitting the submission of views after the effective date is no substitute for the right of interested
persons to make their views known to the agency in time to influence the rule making process in a meaningful
way .... ‘We doubt that persons would bother to submit their views or that the Secretary would seriously consider
their suggestions after the regulations are a Fait accompli.’”) (citation omitted); Sharon Steel v. EPA, 597 F.2d
377, 381 (3rd Cir. 1979) (“If a period of comments after issuance of a rule could cure a violation of the APA’s
requirements, an agency could negate at will the Congressional decision that notice and an opportunity for
comment must precede promulgation.”).
81
USWA v. Marshall, 647 F.2d 1189, 1225 (D.C. Cir. 1980).
82
See Am. Tort Reform Ass’n v. Occupational Safety & Health Admin., 738 F.3d 387, 395 (D.C. Cir. 2013)
(describing a “legislative rule” requiring notice and comment as agency actions that, inter alia, “impose
obligations”). Mandating that airlines comply with the Director’s format for transmitting the required data
certainly imposes an additional obligation that does not currently exist.
80

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 42 of 77
sharing channels are just a “means of transmission,” not a format for compiling the information.
Airlines are left wondering whether we are in compliance, even as we transmit the required data.
V.

THE IFR IS ARBITRARY AND CAPRICIOUS
CDC’s proposal is arbitrary and capricious on numerous grounds. For the reasons given

in the comments in Section IV, above, CDC has failed to satisfy fundamental principles of
rulemaking. As the Supreme Court has explained:
[T]he agency must examine the relevant data and articulate a satisfactory
explanation for its action including a “rational connection between the
facts found and the choice made.” Burlington Truck Lines v. United States,
371 U.S. 156, 168 (1962). In reviewing that explanation, we must
“consider whether the decision was based on a consideration of the
relevant factors and whether there has been a clear error of judgment.”
Bowman Transp. Inc. v. Arkansas-Best Freight System, 419 U.S., 281, 285
(1974). . . . Normally, an agency rule would be arbitrary and capricious if
the agency has relied on factors which Congress has not intended it to
consider, entirely failed to consider an important aspect of the problem,
offered an explanation for its decision that runs counter to the evidence
before the agency, or is so implausible that it could not be ascribed to a
difference in view or the product of agency expertise. 83

The IFR fails this basic test.
A.

The IFR Creates Substantial Burdens While Failing to Solve the Problem that
Purportedly Necessitates the Rule

The new requirements imposed on industry regarding the collection, storage, and
transmission of passenger data create unwarranted and unsupportable burdens. CDC has not
provided adequate discussion of, or apparently given any consideration to, alternatives that could
accomplish the same public health goals with greater efficiency and effectiveness, and at a lower
cost. CDC failed to sufficiently consider less-burdensome alternatives, and the IFR is
unreasonable, vague, and ambiguous on its face; and it disregards operational reality.

83

Motor Vehicle Mfrs. Ass’n v. State Farm Auto. Ins., 463 U.S. 29, 43 (1983); see also FCC v. Fox Television
Stations, Inc., 556 U.S. 502, 515, (2009) (requiring the agency to “provide reasoned explanation for its action”).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 43 of 77
For example, the IFR obligates airlines to collect data, but does not obligate airlines to
store data, implying that airlines must keep the passenger contact information indefinitely or for
an indeterminate period until the CDC requests the information. Without further information, an
airline may inadvertently act in a manner contrary to CDC’s expectations or ad hoc requests for
information by disposing of passenger contact information or not designing systems to keep
passenger contact information. This may subject the airlines to unforeseen enforcement actions
and penalties without explanation. Notably, as CDC has explained in its previous rulemakings:
the incubation period is the time when contact tracing is beneficial, otherwise the benefits are
severely reduced. And, in 2005, the CDC proposed a 60-day storage period. However, the CDC
fails to address the information storage requirement for airlines in any way, nor does it consider
the cybersecurity or privacy risks and liabilities associated with the collection and storage of
passenger contact information.
The airlines have proposed multiple alternatives that accomplish CDC’s goals, some
using faster, more efficient, and more effective methods, for example:
•

As discussed above, CDC could set up a website and mobile application
for passengers to connect directly to CDC to provide relevant contact
tracing. This online option would eliminate the need for the airlines to act
as an intermediary, and it would create a government-mandated one-onone, more immediate and enforceable relationship between a passenger
and CDC.

•

CDC could form an interagency contact tracing cell at CBP’s National
Targeting Center to collate relevant information sets rapidly so such
information sets may be leveraged.

•

Airlines offered to hand out a public health locator form for passengers on
flights when it is clear that a passenger on board has either been to or
transited the People’s Republic of China or the Islamic Republic of Iran.
These forms could then be delivered to CDC, much like I-94 immigration
forms are delivered to CBP.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 44 of 77
The failure to consider alternatives adequately is especially apparent given the CDC’s
imprudent approach to COVID-19. First, the CDC issued a Paperwork Reduction Act (“PRA”)
notice regarding its collection of information from passengers to detect individuals who are ill or
at risk of being ill with COVID-10. Curiously, not only did the CDC open the comment period
for 60-days giving time for notice and comment (despite having explicit statutory authority to
waive such process), it did not raise this review in the IFR at all.
Second, the CDC has previously obtained approval for the use of the World Customs
Organization (“WCO”) Passenger Locator Form for use by airlines. 84 Although this machinereadable form may not be ideal in the long term, it represents an immediate solution to the
immediate problem of known gaps in passenger contact information, without forcing undue
burdens on the airlines. It does not appear that the CDC has considered this alternative here as
an approved form to conduct contact tracing.
Third, the CDC acknowledges its explicit authority to compel individuals to give the
CDC contact information, but narrowly and unnecessarily limits its consideration of this
authority, without explanation, by focusing on the anticipated effort for CDC to process contact
information received through paper forms. The CDC simply ignores airlines’ repeated
suggestions, in past rulemakings and during the COVID-19 threat, that CDC should adopt a
digital portal through which passengers could submit contact information directly to the CDC.
The IFR is arbitrary and capricious because it lacks a rational connection between the
factual premise (CDC’s need for the required information on a 24-hour basis) and the option
CDC selected to implement its passenger contact information collection mandate (imposing the

84

See Attachment 12, at 6. See also, CDC, Proposed Data Collections Submitted for Public Comment and
Recommendations, 70 Fed. Reg. 58,416 (Oct. 6, 2005).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 45 of 77
electronic collection and reporting requirement on airlines, as opposed to passengers or obtaining
the information from other existing government databases). The burdens and uncertainties are
extensive, such as:
•

The impossibility of airlines’ being able to comply on a wide-scale basis
in the near future to address the COVID-19 issue—the purported
justification for the rule. Full implementation would take at least twelve
months.

•

CDC requires the collection of information that may never be used and is
unreliable—knowing that airlines cannot compel passengers or third
parties to give accurate information, which would be critical for
addressing problems CDC claims to have identified with the information
that airlines currently provide.

•

The scope is overly broad, giving authority to CDC to extend the
requirements to all international and domestic flights, to an ambiguous
population of those who are at risk of exposure, and for an unclear period
of applicability.

•

What constitutes an acceptable format for transmission of the data is not
addressed.

Furthermore, while CDC states that gaps in its existing regulations (42 C.F.R. §§ 71.4
and 71.20) frustrate its ability to contact individuals in a timely and accurate manner about
potential exposure to communicable diseases, the IFR as phrased does nothing to close those
very gaps, instead it perpetuates them: it requires the information in the five identified data fields
only “to the extent that such information exists for the individual.” 85 The airlines themselves
have no authority (and no business need) to compel passengers to provide all of the requested
information. So, the CDC is using the COVID-19 outbreak to make airlines spend hundreds of
millions of dollars to create new systems or modify old systems to accommodate the passenger
contact information that cannot be validated and will not likely provide any practical utility for

85

See IFR, supra note 2 at 7,876.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 46 of 77
addressing COVID-19 (because of timing) nor address the information gaps that the CDC has
identified as rationale for issuing its IFR.
Airlines are meanwhile subject to potential enforcement and penalties (and burdens of
proof) if passengers do not provide the information, despite airlines having no effective means to
ensure that passengers provide accurate contact information, because contact information is
found nowhere on government-issued identity documents. 86 For the reasons stated elsewhere in
these comments, CDC could address its perceived “problem” by requiring the information
directly from passengers (42 CFR § 71.20) or by working with its counterpart U.S. government
agencies, which the 2017 CDC report proves and the 2016 final rulemaking articulate plainly,
has been effective in the past.
The justifications for the IFR as articulated in its preamble are further undermined by
contradictory and conflicting agency comments made as part of the rollout. 87 Specifically, the
CDC explained that the collection of the information required in the IFR was an urgent and
immediate need for widespread contact tracing for individuals identified as having COVID-19,
but was unwilling to entertain proposals for viable short-term alternatives to the time-consuming
modification of airline and GDS/OTA systems necessary to facilitate collection and transmission
of unvalidated information to CBP. CDC/HHS subsequently articulated that the information
collected would be used for purposes of case management of patients and useful for providing
contact information to state and local public health officials for continued case management. But
the IFR is silent on this purpose, leaving the public and regulated stakeholders guessing as to

See supra note 9, February 18 Order at 10,440. (The Order directs airlines to inform CDC of every passenger who
refused to or could not provide the required information.) This potentially sets up airlines for conflict with their
passengers if CDC intends to take enforcement measures.
87
See, e.g., Sorenson Commc’ns Inc., 755 F.3d at 706 (finding that no good cause existed when the agency failed to
establish facts supporting a claimed “threat of impending fiscal peril” and lacked “record support proving the
emergency”).
86

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 47 of 77
CDC’s true intent. Additionally, notwithstanding the CDC’s attempt to use COVID-19 as a
justification, by the IFR’s clear terms, the CDC designed and intended for the IFR to be used for
communicable diseases other than COVID-19.
B.

The IFR Implicates Privacy Laws and May Cause Airlines to Run Afoul of
International Legal Requirements

The IFR also implicates the General Data Protection Regulation (“GDPR”) and the The
Agreement between the United States and the European Union on the Use and Transfer of
Passenger Name Records of 2011 to the United States Department of Homeland Security (“USEU PNR Agreement”), 88 for which—like the IFR—airlines could bear the risk of penalty for
violations of GDPR despite the inability to help the CDC in its mission of getting accurate
information to conduct contact tracing for the immediate COVID-19 situation. There is also a
significant chance that the rules conflict with other data privacy laws around the world, whereby
airlines may face diametrically opposite government mandates. The CDC cannot give airlines
comfort because it has failed to consider these implications or consulted with other U.S.
government or EU officials before implementing the rules.
As explained in Section VIII, below, we believe that the IFR triggers GDPR protections
for which no blanket exceptions are likely available and potential defenses are unclear, requiring
airlines to honor the GDPR safeguards (which are totally absent from the IFR) unnecessarily an
creating potential violations, liabilities, and costs for the airlines which the CDC has not
apparently considered.

88

See infra note 104 and accompanying text.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 48 of 77
C.

The IFR Violates Other Statutory Requirements

The IFR is arbitrary and capricious in its failure to comply with the Unfunded Mandates
Reform Act, various executive orders, and the Information Quality Act.
1.

Unfunded Mandates Act

The CDC correctly acknowledges that, under Section 202 of the Unfunded Mandates
Reform Act of 1995, 2 U.S.C. § 1532, it must prepare a budgetary impact statement before
promulgating a rule that includes a Federal mandate that results in expenditures exceeding $164
million. However, the CDC’s analysis that the IFR will not meet the threshold is woefully
incorrect.
As explained above, approximately [190] airlines will likely have to spend at least $1
million per airline, and up to $23-46 million for one airline, in system modifications to ensure
that each airline collects, stores, and can transmit passenger contact information to the U.S.
government, as well as the other entities with which it may exchange information. Moreover,
each third-party participant in the booking process, e.g., GDSs, will inevitably need to make
updates to their systems, which will incur additional substantial costs. Accordingly, regardless
of how the CDC wants to require airlines to transmit passenger contact information—either
through PNR or APIS—the threshold is easily met and the CDC must prepare a budgetary
impact statement and specifically address the regulatory alternatives considered.
2.

Executive Order 12866

Executive Order 12866 requires an agency to “assess both the costs and the benefits of
the intended regulation,” and propose a new regulation only after a reasoned determination that
the benefits warrant the costs. 89 The CDC has acknowledged that the IFR is a significant

89

Exec. Order No. 12866 § 1(b)(6) (1993).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 49 of 77
regulatory action subject to this executive order, but it has not conducted the necessary costbenefit analysis. First, the CDC does not explain any basis on which it is exempt from this
executive order. The IFR explains the perceived exemption to the Regulatory Flexibility Act,
but it does not identify an exemption to E.O. 12866, nor could it do so. The only exception the
CDC may wish to apply is the emergency exemption, but, as discussed in Section IV, above, the
IFR by its terms does not target an emergency—it creates a broadly applicable set of new
requirements that are not limited to COVID-19 and cannot possibly be implemented in time to
address the COVID-19 situation, when CDC could have taken the opportunity to employ notice
and comment rulemaking, including a cost-benefit analysis. This cost-benefit analysis would
have shown the wasteful and impractical nature of this rule. 90 In addition to a consideration of
the costs and benefits, the IFR failed to consider alternatives to the IFR, as required by E.O.
12866. The failure to consider alternative proposals is especially troubling here, where A4A,
and other industry members have presented CDC with reasoned alternatives to CDC’s
substantially similar proposals in 2005 and 2016, including a CDC website and paper
alternatives. The comments to CDC’s prior proposed rules identified the costs that CDC ignores
in the IFR as well as alternatives that alleviate these costs while ensuring public health. Industry
explained that this proposed data collection approach requires changes to various industry
platforms, training, and additional customer support time, but a far smaller change to government
systems would easily provide the same information. Thus, CDC could have developed a better
rule by considering the known alternatives. CDC’s failure to do so is not just wrong; it is in

90

See supra Section III.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 50 of 77
violation of E.O. 12866. CDC was obligated to apply the known information to “tailor its
regulations to impose the least burden on society.” 91
As demonstrated herein, the choice that CDC made in the IFR is far from imposing the
least burden on society. In fact, compared to the feasible, effective, and efficient solution put on
the table by the airlines (i.e., website and mobile application for direct passenger input to CDC),
the IFR is undoubtedly one of the most costly, and least effective, approaches to get the contact
information that CDC needs to conduct public health follow-up.
3.

Executive Order 13771

Contrary to CDC’s statement in the IFR, the IFR is subject to Executive Order 13771.
The pertinent exemption requires a rule to meet two criteria. First, “[t]he benefit-cost analysis
demonstrates that the regulation is anticipated to improve national security as its primary direct
benefit.” OMB M-17-21. This IFR is designed to protect the public health, not national security,
so the exemption is inapplicable. Additionally, to be exempt, “OIRA and the agency [must]
agree the regulation qualifies for a ‘good cause’ exception under 5 U.S.C. 553(b)(3)(B).” 92 CDC
has not addressed this requirement, and nowhere does the agency claim OIRA has reviewed the
IFR and agreed that the good cause exception applies. Lacking such oversight and approval,
Executive Order 13771 applies, and CDC must identify additional regulations for repeal and
ensure that the net costs be no greater than zero.
4.

Information Quality Act (“IQA”)

CDC’s reliance on faulty information violates the IQA and demonstrates the arbitrary
nature of the IFR. The IQA requires agencies to manage their information to improve its integrity

91
92

See Exec. Order No. 12866 § 1(b)(11).
Id.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 51 of 77
and quality. The IFR’s inclusion of sub-par data, and CDC’s failure to disseminate useful and
objective scientific evidence in support of the IFR is a substantial deviation from the data quality
standards mandated by the IQA and the HHS information quality guidelines that implement the
IQA.
In 2005 and 2016, in response to CDC’s proposals which were akin to the IFR, industry
provided comments that reinforce what passenger data is available and the systems through
which the data can be obtained. The CDC seems to have ignored this information, and once
again asks “[t]he extent to which airlines currently collect . . . the data” 93 and assumes a low
burden for airlines to gather the information. Contrary to the IQA, the IFR lacks accurate, clear,
objective, and unbiased information supporting CDC’s mandate to collect passenger data
elements. In fact, in the IFR, the CDC once again cites a June 2004 Harvard study that the
International Air Transport Association thoroughly critiqued in their 2006 comments to CDC’s
earlier versions of this rule. Had the CDC weighed the quality of the information it disseminated
in the IFR against the standards contained in CDC’s Guidelines, it would have concluded that the
information does not justify the IFR and its corresponding impact on airlines.
Even more inexcusable is that CDC, a science-based agency, is choosing to turn a blind
eye to well-known and U.S. government-acknowledged facts that: (i) airlines cannot provide the
desired contact information in a timeframe that meets CDC’s immediate COVID-19 needs; and
(ii) airlines cannot provide information that is validated or reliable—leaving the CDC in the
same position where it was when it issued the IFR. Instead of using its resources to create an
effective solution that would address COVID-19 in the short-term, like a website or mobile
application, which airlines suggested in 2005, it chose to use its resources to a force solution

93

See supra note 2, IFR at 7,878.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 52 of 77
through the airline industry, and only the airline industry, that the CDC has been unable to
implement for over 15 years.
VI.

IFR IS AN ABUSE OF DISCRETION AND EXCEEDS CDC’S AUTHORITY
The CDC has a duty to examine the relevant data and articulate a satisfactory explanation

for its action that demonstrates a rational connection between the facts found and the choice
made. It has not done so in the IFR and has failed to adequately explain how it arrived at its
conclusions.
In carrying out rulemaking, an agency is required to “disclose the basis of its order” and
“give clear indication that it has exercised the discretion with which Congress has empowered
it.” 94 The PHSA and other legal authority discussed in the IFR do not authorize regulations that
are unnecessary, discriminatory, or impose an unreasonable burden on airlines. And, as noted,
the CDC does not have statutory authority to amend 42 C.F.R. § 71.4 via an IFR. As explained
above, Congress knows how to grant interim final rulemaking authority and did so for CDC in
specific provisions not at issue here (e.g., 42 U.S.C. §§ 239b, 247d-6d, and 300gg-92). An
agency has no authority beyond that which Congress grants to it, and there is no reason to infer
interim final rulemaking authority here where Congress, having granted the CDC interim final
rulemaking authority in other statutory provisions, chose to omit it in 42 U.S.C. § 264.
We support actions by the government to increase public health and safety using lawful,
well-crafted, and well-reasoned rules that are rooted in the realities of our global industry.
Airlines have voluntarily worked with the CDC to provide timely passenger information, often at
substantial expense and exceeding regulatory requirements. The IFR is flawed both in its lack of

94

Burlington Truck Lines, 371 U.S. at 167-168 (1962) (“The agency must make findings that support its decision,
and those findings must be supported by substantial evidence.”)

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 53 of 77
statutory authority and the impossibility of its requirements. Having failed in this fundamental
regard, the CDC should withdraw the IFR and provide a full and fair opportunity for
stakeholders to comment on a new proposed regulation, including consideration of all issues, or
continue voluntary cooperation.
VII. THE IFR, AS ENACTED, CANNOT BE ENFORCED
The IFR is unenforceable as written because its adoption violates the PRA and the
Regulatory Flexibility Act (“RFA”).
A.

Paperwork Reduction Act

The PRA forbids agencies from requiring the submission of information unless OMB has
approved the collection. The IFR points to the fact that OMB has approved the collection of
information related to “any passenger who has departed from, or was otherwise present within,”
China within 14 days of a flight to the U.S. (“Designated Passengers”). 95 The OMB-approved
collection does not cover anyone other than a Designated Passenger; crewmembers or any
passengers who are not returning to the U.S. after recent time in China are not included in the
OMB-approved collection. But, the IFR is far broader. Any additional requirements in the IFR
beyond those in OMB Control No.: 0920-1180 cannot impose obligations on the airline. 96
Currently, OMB has only authorized the collection of information on Designated Passengers, and
as such, airlines cannot be required to collect the contact information of others.

95
96

See supra note 9, February 18 Order, Attachment 17.
See United States v. Hatch, 919 F.2d 1394, 1398 (9th Cir. 1990) (finding defendant could not be liable for failure
to submit information because “the Forest Service did not comply with the PRA and since therefore Hatch cannot
be subject to any penalty”); see also, 44 U.S.C. § 3507(h)(3) (“An agency may not make a substantive or material
modification to a collection of information after such collection has been approved by the Director, unless the
modification has been submitted to the Director for review and approval under this subchapter.”); see also, 44
U.S.C. § 3512(a) (“[N]o person shall be subject to any penalty for failing to comply with a collection of
information … if … the collection of information does not display a valid control number.”).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 54 of 77
If the CDC were to argue that its IFR only seeks information regarding these Designated
Passengers, then the IFR is written too broadly, and there is no good cause for this broad
emergency action.
B.

Regulatory Flexibility Act

The RFA requires that agencies determine their rules’ economic impact on small entities,
explore regulatory options for reducing these impacts, and explain their ultimate choice. The
CDC acknowledges that it has not done this. 97
CDC’s position that it can wait up-to 180 days to fulfill its obligation under the RFA is
incorrect. The RFA obligations may only be delayed if “the final rule is being promulgated in
response to an emergency that makes compliance or timely compliance with the provisions of
section 603 of this title impracticable.” 98 As discussed in Section IV, above, after ignoring the
immediately effective alternatives to address the COVID-19 situation, this rule simply is an
attempt to implement provisions that the CDC has coveted for over a decade and with which
airlines will be incapable of complying for months to come. Because the IFR was unnecessary
and will not expedite compliance or the receipt of complete and reliable passenger contact
information, the CDC could and should have taken time to comply with the RFA. Its failure to
do so violates the act.

If the CDC had fulfilled these obligations, it would realize that the regulation contradicts the Trade Agreements
Act. 19 U.S.C. §§ 2531-2533. The Trade Agreements Act prohibits agencies from setting standards that create
unnecessary obstacles to the foreign commerce of the United States and requires agencies to consider and, where
possible, adopt international standards. Id. There are relevant international standards in this space. It is
internationally-recognized that “states should not require or hold an airline responsible for the submission of PNR
data that are not already collected or held in the operator’s reservation or DCS. An operator should be held
responsible only for data that are available in its reservation system or DCS.” See supra note 13, ICAO Doc.
9944 at ¶ 2.5.2. Thus, international standards recognize that the data elements that CDC mandates in the IFR are
not required and that passenger data will not necessarily be available from airlines. See also WCO/IATA/ICAO,
Guidelines on Advance Passenger Information § 8.1.5 (2014) (hereinafter “API Guidelines”), Attachment 18.
Additionally, as discussed below, GDPR establishes privacy standards that are violated by the IFR. By deviating
from these existing international standards, the IFR violates principles of the Trade Agreements Act.
98
See 5 U.S.C. § 608(a).
97

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 55 of 77
Even if the COVID-19 emergency justifies the IFR, the CDC must complete the required
review within 180 days of publication of the IFR. Failure to do so would invalidate the IFR.
When the CDC conducts the necessary analysis, it will be apparent that the CDC failed to
conduct an adequate analysis before adopting the IFR, and the CDC did not fairly consider major
alternative options and weigh their probable effects. 99 The IFR will have a severe impact on
small business airlines, and the agency has not explained and cannot explain why this option is
better than the myriad of alternatives.
In general, this IFR poorly defines airlines and fails to acknowledge different types of
airline operations. As previously discussed above, many regional airlines that operate codeshare
flights under their mainline partners’ flight number do not even own or have access to passenger
information and cannot be held accountable for not providing passenger contact information.
In addition, there are small airlines that provide international services between the United
States and its neighboring countries, including Caribbean destinations. These airlines who could
be operating under various FAA regulations, including 14 C.F.R. part 135, 14 C.F.R. part 121, or
other applicable FAA air carrier certificate regulations, must comply with proposed requirements
regardless of the size and type of operations. Some airlines offer several flights a day between
the United States and these destinations using aircraft with few seats. In fact, some of these
airlines operate as few as 9 aircraft and have far fewer than 500 employees.
Given the substantially smaller relative size of these airlines and the cost burdens relative
to that size, the IFR is unjustified without adequate discussion or consideration of alternatives

99

See Nat’l Ass’n of Psychiatric Health Sys. v. Shalala, 120 F. Supp. 2d 33, 42-44 (D.D.C. 2000) (remanding to the
agency because HHS did not obtain data or analyze available data on the impact of the final rule on small entities,
nor did it properly assess the impact the final rule would have on small entities, so it failed to comply with the
RFA).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 56 of 77
that could accomplish the same public health goals with greater efficiency and at a lower cost.
One option is for the U.S. government to share and use already-available information more
effectively and broadly. Alternatively, the CDC could provide passengers with machinescannable forms, permitting direct responses that can be used in a timely fashion without
imposing significant harm on small airlines. In fact, this solution has already been approved by
the CDC and OMB.
VIII. COMPLIANCE WITH FORUM DATA PROTECTION REQUIREMENTS
While we appreciate the need for airlines to help collect personal information from
passengers for public health and contact tracing purposes, we have serious concerns about the
risks to data protection and privacy compliance posed by the breadth of the IFR. 100 Our
concerns principally relate to the European Union (EU) General Data Protection Regulation
(GDPR), 101 but they may also arise under other data privacy laws (of which there are at least 107
frameworks globally). 102 We assert these concerns notwithstanding the WHO’s declaration of a
“public health emergency of international concern” for COVID-19. In our view, the IFR will
create a compliance dilemma for the airlines, where operationalization of and compliance with
the IFR may result ipso facto in violations of data privacy obligations to which we are subject.
Such obligations govern how airlines may collect, use, and transfer personal data, including

See supra Section V.A.
See Regulation (EU) 2016/679 (Apr. 6, 2016), available at https://eur-lex.europa.eu/eli/reg/2016/679/oj
(hereinafter “GDPR”).
102
We are aware of 107 national jurisdictions that have data privacy laws according to the UN (2020 publication).
See United Nations Conference on Trade and Development, Data Protection and Privacy Legislation Worldwide,
available at https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-ProtectionLaws.aspx, Attachment 19. Due to the enactment of the Data Protection Act 2018 by the UK Parliament, which
locally enacted the GDPR in the United Kingdom, privacy obligations substantively equivalent to the GDPR will
continue to apply in the United Kingdom once the United Kingdom withdrawal from the EU is complete. For
expedience, discussion of the “EU” herein may be understood to include the United Kingdom, and “GDPR”
herein may be understood to mean both the EU and the substantively equivalent post-Brexit UK privacy
obligations of airlines.
100
101

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 57 of 77
passenger contact information, and the actions airlines can take if a passenger refuses to provide
the required information.
One of the difficulties is that the IFR (like the February 18 Order) requires systematic,
wholesale transmission of passenger data to the CDC, which the CDC expects to be transmitted
through PNR or APIS. This transmission is clearly distinguishable from case-by-case contact
tracing requests with respect to particular individuals or limited group of individuals on
particular flights, which CDC can request under its pre-IFR authority under Section 71.4(a). 103 It
is this wholesale, automated processing and transmission of personal data that falls squarely
within the ambit of data privacy law and privacy rights.
Specifically, we submit that the IFR raises serious privacy law concerns. We strongly
encourage the CDC to consider reconciling the following before taking any regulatory action:

103
104

(i)

The GDPR applies to PNR or API transmissions as required under the
IFR;

(ii)

No blanket exception to the GDPR is available for public health
emergencies;

(iii)

An airline is responsible for ensuring a lawful basis for its data processing,
as well as the lawful basis for any legal entity to which it transfers
personal data—a lawful basis is unclear with the IFR;

(iv)

Even with an identified lawful basis, airlines, as data controllers, have
substantive obligations regarding (a) transfers beyond the EU and (b)
certain processing principles that will likely be difficult to honor in the
context of the IFR; and

(v)

The US-EU PNR Agreement, 104 Attachment 20, is highly relevant
material for consideration on questions relating to legal basis and
safeguards.

In other countries this authority is usually supported by reference to local statutory powers or a court order.
Dec. 14, 2011 (hereinafter “US-EU PNR Agreement”).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 58 of 77
A.

The GDPR Applies to PNR or API Transmissions of Passenger Contact
Information

In the EU, the protection of natural persons in relation to the processing of personal data
is a fundamental right. 105 The right to the protection of personal data is not absolute, however: it
must be considered in relation to its function in society and be balanced against other
fundamental rights, in accordance with the principle of proportionality.
The GDPR was adopted with the objective to strengthen individuals’ fundamental rights
and to clarify rules for companies that deal with personal data. 106 The GDPR aims to achieve
this through a single framework of rules applicable across the EU and also outside the EU in
circumstances described in Article 3 of the GDPR, as discussed below. 107 For the purposes of
the GDPR, airlines are likely considered to be data “controllers” as discussed under Section
VIII.C below, meaning we may be responsible for compliance with such regulatory framework
governing how airlines process passenger contact information and may be held liable for how
passenger contact information is processed or transferred outside the EU. 108 The passenger
contact information and the airlines requirements under the IFR clearly fall within the broadly
applicable protections of the GDPR.
Personal Data. The material scope of the GDPR is broad:
•

The GDPR “applies to the processing of personal data wholly or partly by
automated means and to the processing other than by automated means of
personal data which form part of a filing system or are intended to form
part of a filing system”; 109 and

Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the
Functioning of the European Union provide that everyone has the right to the protection of personal data
concerning him or herself. See supra note 101, GPDR, Recitals 1-4.
106
GDPR repealed the former Data Protection Directive 95/46/EC of the European Parliament and of the Council of
24 October 1995. See supra note 101, GDPR, Art. 171. The GDPR was adopted in May 2016 and applies as of
May 25, 2018.
107
See supra note 101, GDPR, Recitals 3 and 9-11.
108
Id., Art. 4(7).
109
Id., Art. 2.
105

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 59 of 77
•

Personal data is defined as “any information relating to an identified or
identifiable natural person [ . . . ] in particular by reference to an identifier
such as a name, an identification number, location data, [or] an online
identifier . . . .” 110

The information required for passengers by the IFR (Designated Data) includes the passenger’s
full name, a primary contact phone number while in the United States, a secondary contact phone
number, an address while in the United States, and an email address. These elements all fall
under the definition of “personal data” and therefore fall within the scope of the GDPR. 111
Processing. The GDPR broadly defines processing of personal data and states:
Processing means any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by automated means,
such as collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination
or otherwise making available…” 112
The IFR requires that the Designated Data be transmitted to the CDC “in a format acceptable to
the Director” and the CDC has stated that these channels can include the PNR or APIS.
Additionally, the February 18 Order requires that airlines must “produce, using existing datasharing channels, the Designated Information.” The use of such systems to collect, store,
retrieve and transmit such information clearly falls within the GDPR’s definition of “processing”
under Article 4(2).
Extraterritorial Application. EU Regulators assert that the GDPR broadly applies to
activities and circumstances outside the territory of the EU, based on Article 3 of the GDPR:

Id., Art. 4(1). An identifiable natural person is one who can be identified, directly or indirectly. Id.
See also, id., Art. 4(1) (“personal data means any information relating to an identified or identifiable natural person
[…]; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to
an identifier such as a name, an identification number, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural
person”).
112
Id., Art. See also, id., Art. 3. For all airlines (regardless of whether they are an “establishment” in the EU), the
GDPR would apply, at a minimum, to processing related to the offering of goods or services to customers in the
EU.
110
111

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 60 of 77
(1) This Regulation applies to the processing of personal data in the context of the
activities of an establishment of a controller or a processor in the Union, regardless
of whether the processing takes place in the Union or not.
(2) This Regulation applies to the processing of personal data of data subjects who are in
the Union by a controller or processor not established in the Union, where the
processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data
subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within
the Union. 113

This asserted application includes entities established outside of the EU, whenever those entities
process personal data related to their offering of goods or services to customers in the EU. 114
Accordingly, the GDPR likely applies not only to airlines based in the EU, but also to the
processing of EU-located individuals’ personal data by a non-EU airline. The GDPR can
consequently be assumed to apply to significant numbers of EU, U.S., and other airlines, and, as
such, is a global concern for A4A and IATA members.
B.

No Blanket Exception to the GDPR for Public Health Emergencies

No blanket exception exists for public health emergencies in the GDPR. Mere references
to contagious disease and contact tracing in the preamble to the GDPR do not create an
exception.
1.

The Four Explicit Exceptions to the GDPR are Inapplicable

The GDPR has four explicit exceptions to the processing of personal data, specifically for
processing:
(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope
of Chapter 2 of Title V of the [Treaty of the European Union]; 115

See id., Art. 3(1).
See id., Art. 3(2).
115
Chapter 2 of Title V of the Treaty of the European Union relates to activities to carry out foreign and security
policy under the Treaty of the European Union.
113
114

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 61 of 77
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation,
detection or prosecution of criminal offences or the execution of criminal penalties,
including the safeguarding against and the prevention of threats to public
security. 116
None of these exceptions applies in the case of a public health emergency, like the COVID-19
outbreak. More specifically, they do not apply to the IFR because personal data for flights
originating in the EU would need to be collected within the EU (and thus would be collected
within the scope of EU law) and because the IFR is an activity by a non-EU government. In
other words, the collection of the Designated Data by airlines under the IFR would fall within the
scope of EU law (Article 2(a)) and an airline is neither a Member State (Article 2(b)), a natural
person (Article 2(c)), nor a Competent Authority (Article 2(d)) under these exceptions.
2.

Recitals Are Not Blanket Exceptions for Public Health Emergencies

Recitals are not operative provisions under EU law and, as such, recital references to
contact tracing and contagious disease offer little support for any argument for a blanket
exception to the GDPR.
Recital 112 of the GDPR specifically refers to the application of “derogations (…) to data
transfers required and necessary for important reasons of public interest, for example (…) for
public health, for example in the case of contact tracing for contagious diseases.” This recital
must, however, be read in conjunction with other recitals, one of which states:
In any case, the controller [the airlines] should make use of solutions that provide
data subjects [the passengers] with enforceable and effective rights as regards the
processing of their personal data in the Union once those data have been transferred
so that they will continue to benefit from fundamental rights and safeguards. 117

116
117

See id., Art. 2.
See id., Recital 114. Also, the recitals state “Provision should be made for the possibility for transfers where
important grounds of public interest laid down by Union or Member State law so require or where the transfer is
made from a register established by law and intended for consultation by the public or persons having a
legitimate interest.” Id., Recital 111 (emphasis added).

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 62 of 77
In other words, the expectation under GDPR is that airlines relying on the derogations must still
ensure that adequate safeguards are in place to protect transferred personal data. Importantly,
these recitals should be understood as interpretative aids to derogations from the specific rules
applicable to transfers of data outside of the EU (in Chapter 5), and not as a general exemption or
‘carve-out’ to the framework of regulation applied by the GDPR. Recital 112 cannot be the basis
for a broad exception based on emergency circumstances. 118
In sum, the GDPR recital that references contact tracing and communicable
disease does not offer a wholesale safe-harbor for airlines to comply with the IFR without
application of the GDPR.
C.

Obligations for Ensuring a Lawful Basis for Processing Personal Data

Where the GDPR applies, any organization involved in the processing of personal data
must assess whether it falls under the definition of a “controller” or a “processor.” A controller,
to which most of the obligations under the GDPR apply, means “the natural or legal person,
public authority, agency or other body which, alone or jointly with others, determines the
purposes and means of the processing of personal data.” 119
Airlines are likely controllers under the GDPR with respect to PNR or API. As
controllers, airlines will be accountable for demonstrating compliance with fundamental
principles of the GDPR, including Article 5 of the GDPR, which states:
Personal data shall be:
Such an interpretation that such a broad exception exists is also unsupported by the relevant treaties in
the EU, which establish privacy as a fundamental right and apply specific balancing tests to any
derogation of fundamental rights. See e.g., Article 52 of the EU Charter of Fundamental Rights (“Any
limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by
law and respect the essence of those rights and freedoms. Subject to the principle of proportionality,
limitations may be made only if they are necessary and genuinely meet objectives of general interest
recognised by the Union or the need to protect the rights and freedoms of others.”)
119
See supra note 101, GDPR, Art. 4(7).
118

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 63 of 77
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject
(‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes; further processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical
purposes shall, in accordance with Article 89(1), not be considered to be incompatible
with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for
which they are processed (‘data minimization’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to
ensure that personal data that are inaccurate, having regard to the purposes for which they
are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed; personal data may
be stored for longer periods insofar as the personal data will be processed solely for
archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes in accordance with Article 89(1) subject to implementation of the
appropriate technical and organisational measures required by this Regulation in order to
safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including
protection against unauthorised or unlawful processing and against accidental loss,
destruction or damage, using appropriate technical or organisational measures (‘integrity
and confidentiality’).

When processing the IFR Designated Data for disclosure to the CDC, an airline would be bound
to observe all of these key principles regardless of a global public health emergency and pandemic.
One of the most critical elements is for the airline to identify a legal basis (also referred to as
“lawfulness”) for the processing of the data.
Article 6 of the GDPR sets out six possible grounds under which personal data can lawfully
processed. This means an airline can lawfully collect and transfer EU-located passengers’ personal
data to the CDC only if, at least, one of the six following grounds applies: (emphasis added)
(a) The data subject has given consent to the processing of his or her personal data for
one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is
party or in order to take steps at the request of the data subject prior to entering into a
contract;
(c) processing is necessary for compliance with a legal obligation to which the controller
is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of
another natural person;
(e) processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller;

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 64 of 77
(f) processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject which require
protection of personal data, in particular where the data subject is a child.

While these provisions may initially appear broad, they are qualified in many respects by
other provisions of the GDPR. For the purposes of our analysis, it is convenient to bifurcate a
treatment of these grounds by their potential utility for the IFR.
1.

Some Lawful Bases for Justifying the IFR are Unavailable

Some grounds appear unavailable as a basis upon which to conduct the processing required
by the IFR. For example, consent is not a viable ground for the IFR because
•

Consent as a ground under Article 6(1)(a) is subject to strict scrutiny under GDPR. Article
7 of the GDPR defines the conditions for consent, providing that “the request for consent
shall be presented in a manner which is distinguishable from the other matters, in an
intelligible and easily accessible form, using clear and plain language. (…) The data subject
shall have the right to withdraw his or her consent at any time.” Fine print and
automatically checked boxes, for example, will not be enough 120. Importantly, consent
shall be “informed”, meaning that the individual should have a clear understanding of the
purposes for which their personal data will be processed.
In Guidelines on Consent under Regulation 2016/679 121, the Article 29 Working Party
(now the European Data Protection Board) wrote that “Generally, consent can only be an
appropriate lawful basis if a data subject is offered control and is offered a genuine choice
with regard to accepting or declining the terms offered or declining them without detriment.
(…) Inviting people to accept a data processing operation should be subject to rigorous
requirements, since it concerns the fundamental rights of data subjects and the controller
wishes to engage in a processing operation that would be unlawful without the data
subject’s consent.” The Working Party emphasized the element “free” implies the need
for real choice on the part of data subjects. Any imbalance of power between the controller
and the data subject shall be considered. Where the individual has no realistic alternative,
there shall be no free consent. Finally, the controller needs to demonstrate that it is possible
to refuse or withdraw consent without detriment or a clear disadvantage for the data subject.
Accordingly:
(i) What would the consequences be for a passenger who refuses to share their data
with the CDC?

Article 29 Data Protection Working Party, Guidelines on Consent under Regulation 2016/679 16 (Nov. 28, 2017)
(“The GDPR does not allow controllers to offer pre-ticked boxes or opt-out constructions that require an
intervention from the data subject to prevent agreement (for example ‘opt-out boxes’).”) (citations omitted),
Attachment 21.
121
Id. at 3.
120

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 65 of 77
(ii) How would a passenger withdraw their consent? (Giving rise to a circumstance
where the airline or the CDC would be obligated—under the GDPR—to cease
processing their data.)
The practicalities of obtaining and maintaining passenger consent pose real questions. For
these reasons, we submit that consent would be an objectively poor basis upon which to
justify sharing information with the CDC.
•

The ground of “necessary for the performance of the contract” under Article 6(1)(b)
also raises questions. This legal ground is narrowly interpreted by the data protection
regulators in Europe. In recent Guidelines, the European Data Protection Board recalls
that “the processing in question must be objectively necessary for the performance of a
contract with a data subject, or the processing must be objectively necessary in order to
take pre-contractual steps at the request of a data subject.” 122 It follows that an airline might
rely on this lawful basis if they need to process the passengers’ personal data: to deliver a
contractual service to them; or because the passengers have asked the airlines to do
something before entering into a contract. A live question is the extent to which a service
is contractual; airlines are not by definition quarantine or customs clearance brokers
promising to facilitate a certain process or outcome with the authorities. It is not clear that
processing for a secondary purpose, related more objectively to disease control under the
IFR, bears the necessary relationship to the initial contractual promise of air carriage from
A to B.

•

The legal obligations ground in Article 6(1)(c) expressly refers to obligations arising under
EU law and not foreign law. 123 As a consequence, neither the IFR, as a non-EU legislative
instrument, nor the US-EU PNR Agreement can constitute a “legal obligation.” 124

•

Vital interest is a ground under Article 6(1)(d). The concept was drafted to deal with the
interests of one or more specific individuals (“the vital interests of the data subject or of
another natural person”), in specific circumstances, rather than being a concept of broad
application for wholesale data sharing. In Opinion 06/2014, the Article 29 Working Party
considered that a “restrictive interpretation must be given to this provision” and it should
be limited to “a case by case analysis.” 125 First, the phrase “vital interest” appears to limit
the applicability of this ground to questions of life and death, or at the very least, threats
that pose a risk of injury or other damage to the health of the data subject.” Second, the
Working Party also questioned the ground’s scope, including whether it could justify a
“preventative measure […] on a wide scale, such as the collection of airline passengers’
data where a risk of epidemiological disease […] has been identified” and settled on the
restrictive interpretation. While this legal ground could support individual tracing

European Data Protection Board, Guidelines 2/2019 on the Processing of Personal Data Under Article 6(1)(b)
GDPR in the Context of the Provision of Online Services to Data Subjects ¶ 22 (version 2.0 Oct. 8, 2019),
Attachment 22.
123
Article 6(1)(c) provides as follows: “The basis for the processing referred to in point (c) and (e) of paragraph 1
shall be laid down by: (a) [EU] law; or (b) Member State law to which the controller is subject.”
124
The US-EU PNR Agreement deals with terrorism and serious transnational crime, not public health emergencies.
See infra note 134 and accompanying text.
125
Article 29 Data Protection Working Party, Opinion 06/2014 on the Notion of Legitimate Interests of the Data
Controller under Article 7 of Directive 95/46/EC 20 (Apr. 9, 2014) (hereinafter “Opinion 06/2014”),
Attachment 23.
122

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 66 of 77
disclosures, 126 we submit that it could not support the wholesale provision of information
on all passengers, regardless of whether they have been potentially infected or not.
2.

Justification Under a “Public Interest” or “Legitimate Interest” Only with
Additional Clarity and Safeguards

The grounds of “public interest” and “legitimate interest” may be more promising.
•

The “performance of a task carried out in the public interest” is a ground under Article
6(1)(e). It may be submitted that an epidemic enlivens an obvious “public interest.” Action
taken in compliance with the IFR would then arguably be a “task” carried out to further
such an interest. Support might be derived from authoritative pronouncements on COVID19 127 and certain recital language in the GDPR itself: recitals 46, 52 and 112 recognize that
“monitoring epidemics and their spread,” “the prevention or control of communicable
diseases” and “contact tracing for contagious diseases” are important reasons of public
interest. Such submissions are appealing and may win in principle recognition with
regulators. One obstacle however is whether the relevant public interest can be linked to
EU or member state law, which is a prerequisite to the validity of the ground under Article
6(3). While the monitoring of an outbreak and the of taking preventative action could
satisfy a public interest under EU law, it is not clear that the precise directives of the IFR
would meet with such recognition as a foreign regulatory requirement (absent a specific
endorsement from an EU or EU member state instrument). Whether or not such an
argument is sustainable may depend upon authorities or courts finding creative ways to
give weight to the obvious policy concern in the light of more general international legal
instruments, as cited, or relevant other executive statements from EU governments.

•

Legitimate interest is a further ground under Article 6(1)(f). Similarly, to “public
interest”, airline assistance to government authorities in relation to monitoring epidemics
and preventing the spread of communicable disease could be argued to further a clear
“legitimate interest”. One possible advantage to this ground is that it does not require an
explicit EU legal instrument in the same way as Article 6(1)(c) and (e). Moreover,
legitimate interest need not be assessed from the sole perspective of the controller but can
also be assessed from the perspective of a third party (such as the CDC). There is an open
question on the extent to which a non-EU authority is a third party, but the point is at least
arguable in the absence of definitive guidance from regulators. Accordingly, one might
argue that airline controllers have a legitimate interest in sharing information with the CDC

Recital 46 of GDPR states: “Processing of personal data based on the vital interest of another natural person should
in principle take place only where the processing cannot be manifestly based on another legal basis. Some types
of processing may serve both important grounds of public interest and the vital interests of the data subject as for
instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their
spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.”
However, this basis seems more suited to contact tracing of passengers where there has been a confirmed case on
an aircraft and not the pro-active provision of data where there has been no confirmed case as the CDC is now
requesting.
127
The WHO-China Joint Mission on Coronavirus Disease 2019 has defined coronavirus as “a new pathogen that is
highly contagious, can spread quickly, and must be considered capable of causing enormous health, economic and
societal impacts in any setting.” World Health Organization, Report of the WHO-China Joint Mission on
Coronavirus Disease 2019 (COVID-19) 18 (Feb. 16-24, 2020), Attachment 24.
126

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 67 of 77
in the context of a health emergency. There is supportive guidance from the Article 29
Working Party on this interpretation, which has written that “the fact that a controller acts
not only in its own legitimate (e.g. business) interest, but also in the interests of the wider
community, can give more 'weight' to that interest. The more compelling the public interest
or the interest of the wider community, and the more clearly acknowledged and expected
it is in the community and by data subjects that the controller can take action and process
data in pursuit of these interests, the more heavily this legitimate interest weighs in the
balance.” 128 In justifying reliance on the ground, however, it must recalled that the relevant
processing must be “necessary” for the identified legitimate interest and must not override
the “interests or fundamental rights and freedoms of the data subject”—implying
proportionality and balancing tests.
While “public interest” and “legitimate interest” would seem arguable bases under Article 6 of
the GDPR to justify compliance with the IFR, both require interpretation in consideration of the
objectives and precise terms of the IFR. Where, for example, the IFR is broader than strictly
necessary, questions arise to whether the full extent of the required processing would be
supported by the boundaries of these GDPR concepts. Additional clarity on the part of the IFR
to identify conclusive arguments under Article 6 and achieve legal certainty for airlines.
However, this is best achieved through an EU legal act providing such a basis (or, alternatively
an express agreement between the US and the EU in the appropriate form may meet this
requirement).
D.

Airlines (as “Controllers”) Have Substantive Obligations

Controllers with a lawful basis for their activity must also satisfy additional provisions of
the GDPR if they wish to transfer personal data outside the EU. They must, at all times, abide by
their ongoing duties as prescribed by Article 5 and further elaborated upon by supporting
provisions of the GDPR.

128

See supra note 125, Opinion 06/2014 at 35.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 68 of 77
1.

Transfers

Controllers must demonstrate compliance with Chapter V of the GPDR (“Transfers of
personal data to third countries or international organizations”). As a general principle, transfers
outside of the EU are prohibited by the GDPR. Transfers may however take place if the EU
authorities determine that the foreign country ensures an adequate level of protection (formalized
through an “adequacy decision” of the European Commission). In the absence of an adequacy
decision, transfers may occur if:
•

one of the safeguards listed in Article 46 is applicable; or

•

as a last resort, a derogation for certain specific circumstances is applicable (as
listed in Article 49).

Because there is no adequacy decision for the United States and Article 46 is not of
immediate assistance, the enquiry becomes whether derogations could support the IFR transfers.
These are as follows:
(a) the data subject has explicitly consented to the proposed transfer, after having
been informed of the possible risks of such transfers for the data subject due to
the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data
subject and the controller or the implementation of pre-contractual measures
taken at the data subject's request;
(c) the transfer is necessary for the conclusion or performance of a contract
concluded in the interest of the data subject between the controller and another
natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defense of legal
claims;
(f) the transfer is necessary in order to protect the vital interests of the data
subject or of other persons, where the data subject is physically or legally
incapable of giving consent;
(g) the transfer is made from a register which according to Union or Member
State law is intended to provide information to the public and which is open to
consultation either by the public in general or by any person who can
demonstrate a legitimate interest, but only to the extent that the conditions laid
down by Union or Member State law for consultation are fulfilled in the
particular case.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 69 of 77
The public interest derogation in paragraph 49(1)(d) is the most likely cross-border
transfer derogation that could apply. Recital 112 of the GDPR specifically refers to contagious
diseases as follows:
Those derogations should in particular apply to data transfers required and necessary for
important reasons of public interest, for example in cases of international data exchange
between competition authorities, tax or customs administrations, between financial
supervisory authorities, between services competent for social security matters, or for
public health, for example in the case of contact tracing for contagious diseases or in
order to reduce and/or eliminate doping in sport.

Article 49(4) provides that the public interest must be recognized in EU law or the law of
the relevant Member State. However, European Data Protection Board guidelines confirm that:
The existence of an international agreement or convention which recognises a certain
objective and provides for international cooperation to foster that objective can be an
indicator when assessing the existence of a public interest pursuant to Article 49 (1) (d),
as long as the EU or the Member States are a party to that agreement or convention.

A relevant international agreement would be the International Health Regulations (2005), Article
45(2) of which states:
[…] States Parties may disclose and process personal data where essential for the purposes
of assessing and managing a public health risk, but State Parties, in accordance with
national law, and WHO must ensure that the personal data are:
(a) processed fairly and lawfully, and not further processed in a way incompatible with that
purpose;
(b) adequate, relevant and not excessive in relation to that purpose;
(c) accurate and, where necessary, kept up to date; every reasonable step must be taken to
ensure that data which are inaccurate or incomplete are erased or rectified; and
(d) not kept longer than necessary.

In 2006, the Article 29 Working Party issued an Opinion on a general data sharing
initiative proposed by the US (i.e., not related to a specific health threat). 129 The Working Party

129

Article 29 Data Protection Working Party, Opinion 4/2006 on Notice of Proposed Rule Making by the US
Department of Health and Human Services on the Control of Communicable Disease and the Collection of
Passenger Information of 20 November 2005 (Control of Communicable Disease Proposed 42 CFR Parts 70 and
71) (June 14, 2006), Attachment 25.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 70 of 77
determined that the proposal would not be compatible with the 1995 Directive, but in doing so
provided guidance on the circumstances when such a mechanism could be, for example:
Article 26 (d) of the Directive does not apply as the transfer is not necessary or legally
required on important public interest grounds of a EU Member State, but only in the US
interest, unless the transfer is based on international health agreements providing for
harmonized health measures at an international or European level, e.g. within the
meaning of Article 2 and Article 35 of the International Health Regulation (2005), under
specific conditions. 130

The Opinion also includes a specific reference to Article 45 of the International Health
Regulations (2005):
The WHO International Health Regulations (2005) also lay down specific requirements
for the treatment of personal data: Article 45 requires health information which refers to
an identified or identifiable person to be kept confidential and processed anonymously.
Only where it would be essential for the purposes of assessing and managing a public
health risk, as defined in the International Health Regulations (2005), State Parties and
the WHO may process personal data. 131

Considering these supporting materials from the EU, there appears to be some basis to support
the view that the “public interest” derogation may be satisfied for certain transfers related to
COVID-19. However, it is far from clear that this could support a mechanism under which
wholesale transfers occur in the manner prescribed by the IFR.
One alternative basis for considering the derogation could be the existence of an
agreement between the US and EU in line with Article 48 of the GDPR, which provides that:
Any judgment of a court or tribunal and any decision of an administrative authority of a
third country requiring a controller or processor to transfer or disclose personal data may
only be recognized or enforceable in any manner if based on an international agreement,
such as a mutual legal assistance treaty, in force between the requesting third country and
the Union or a Member State, without prejudice to other grounds for transfer pursuant to
this Chapter.

No such agreement exists, as explained further below in Section VIII.E.

130
131

Id. at 7. As noted earlier, this Direction was the predecessor instrument to the GDPR.
Id. at 8.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 71 of 77
2.

Certain Other Processing Principles

In addition to the requirements to comply with the core data protection principles
described above, which apply to everyone, controllers are subject to a full set of specific
obligations under the GDPR. First, as a controller, airlines will have to communicate
information in a transparent manner to their passengers regarding the disclosure of their data,
including the specific provisions, included above, that we are relying on as authority for
disclosing and transferring such data to the CDC, to enable passengers to exercise their rights
under Article 15 (“Right of access”), Article 16 (“Right to rectification”), Article 17 (“Right to
erasure”) and Article 21 (“Right to object”), among others. Each controller must maintain a
record of processing activities under the GDPR.
Article 24 of the GDPR requires controllers to “implement appropriate technical and
organizational measures to ensure and to be able to demonstrate that processing is performed in
accordance with this Regulation.” In other words, the controller is accountable for the security
of the processing and will bear the responsibility in case of breach or unauthorized access to the
data. Appropriate safeguards to mitigate these risks to the privacy and the integrity of the
transferred data must considered as a matter of the highest importance.
E.

US-EU PNR Agreement is Relevant for Legal Basis and Safeguards

The US-EU PNR Agreement is relevant to an analysis of the problems posed by the IFR.
In particular, the US-EU PNR Agreement addresses concerns on lawful basis, transfers, and
ongoing safeguards in the specific context of terrorism and transnational crime. The
arrangements provided for by the Agreement should be considered closely by the CDC in
making amendments to the IFR.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 72 of 77
1.

The US-EU PNR Agreement Does Not Provide a European Legal Basis
for Public Health Emergencies

The United States and the EU entered into the US-EU PNR Agreement on December 14,
2011. 132 It applies to “carriers operating passenger flights between the European Union and the
United States,” including “carriers incorporated or storing data in the European Union and
operating passenger flights to or from the United States.” 133 It covers use and transfer of
personal data via PNR to the US for the purpose of “preventing, detecting, investigating, and
prosecuting […] terrorist offences and related crimes”, a number of other specified criminal
activities relating to terrorism or violent acts and “other crimes that are punishable by a sentence
of imprisonment of three years or more and are transnational in nature.” 134 The US-EU PNR
Agreement does not refer to other circumstances and makes no provision for the use and transfer
of personal data for public health purposes. Article 1 does however state that the “purpose of
this Agreement is to ensure the security and to protect the life and safety of the public,” which
would appear to be plenary language. Article 4, however, is headed “Use of PNR” and is
exhaustively specific in respect of the types of crime addressed by the Agreement. Article 4
must prevail over the general drafting in Article 1, which is supported by the recitals, which refer
only to “terrorist offences and transnational crime” and measures to “prevent and combat
terrorist offences and transnational crime.” Accordingly, the Agreement sets out the legal basis
upon which systematic use and transfer can occur, following Articles 6(1)(c) and Article 48 of
the GDPR. The fact that the US-EU PNR Agreement predates the GDPR (effective in 2018) is
not determinative, recalling that (i) the former 1995 Directive contained similar provisions and
(ii) the status of privacy as a fundamental right within the EU’s founding treaties. In sum, it is
See supra note 104, US-EU PNR Agreement.
Id., Art. 2(2) and (3).
134
Id., Art. 4(1).
132
133

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 73 of 77
clear that the US-EU PNR Agreement with respect to terrorism, but no other conceivable albeit
important purposes, such as a public health emergency.
Notwithstanding pragmatic action on the part of governments, it is clear that a legal basis
would be required for systematic public health transfers under the GDPR and that no such
agreement, such as the US-EU PNR Agreement, presently exists between the United States and
the EU for such transfers using the PNR or API systems. We therefore suggest that the U.S. and
EU authorities begin urgent discussions to settle a legal basis that might provide legal certainty
to consumers and airlines alike and crucial GDPR recognition to the IFR under Articles 6(1)(c)
and 48.
2.

The PNR Agreement has Safeguards and the IFR Should Have Similar
Safeguards

One critical feature of the PNR agreement, and similar agreements, is the presence of
safeguards for the use and protection of personal data transferred to the US. Chapter III of the
PNR Agreement deals with these aspects. Articles 5 to 16, for instance, are headed “Data
security,” “Sensitive data,” “Automated individual decision,” “Retention of data,” “Nondiscrimination,” “Transparency,” “Access for individuals,” “Correction or rectification for
individuals,” “Redress for individuals,” and “Oversight.”
These provisions aim to ensure that the transferred personal data is handled to generally
reflect some of the broader duties imposed by the GDPR on the use and protection of personal
data. It is evident that considerable energy had been put into negotiating and formalizing these
safeguards, in order to ensure compatibility—from the EU’s perspective at least—with
fundamental rights and the related requirements of proportionality and necessity of the EU legal
order. It follows that similar safeguards are likely to be required of any future instrument for the
systematic use and transfer of personal data for public health reasons. It is also clear that these

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 74 of 77
safeguards are acceptable to the U.S. government and it would therefore be reasonable to suggest
that these measures could be acceptable to the U.S. government in other contexts, such as the one
at hand.
Failure to comply with privacy and data protection laws can expose airlines to regulatory
action and litigation including substantial financial fines and the risk of class actions lawsuits.
Under the GDPR, for example, an enforcement authority is empowered to levy as much as 4% of
annual global turnover as a fine for privacy violations. 135 While the airlines are willing to
provide the most efficient and complete support to the U.S. authorities in their management of
COVID-19, we also naturally desire to maintain a high level of protection of their passengers’
data, consistent with their own compliance standards, GDPR and other applicable privacy law.
We suggest that, at a minimum, equivalent safeguards to the US-EU PNR Agreement be
introduced in the IFR. This would serve three important purposes. First, these provisions would
be in place and therefore ‘ready’ for any legal instrument the U.S. government may choose to
enter into with the EU at a later stage. Second, such provisions may offer mitigation to any
suggestion that compliance with the IFR is a breach of the relevant obligations under the GDPR
and therefore assist with the conflict of laws problem faced by airlines. Third, such provisions
would tend to increase public confidence in, and support for, both the CDC’s efforts (and those
of airlines), while also allowing greater transparency to the travelling public with respect to the
uses of personal data. Accordingly, and at a minimum, the CDC should consider amendments to
the IFR to the effect that:
•

135

The transmitted personal data shall only be used for specified purposes,
in accordance with the “purpose limitation” principle - CDC shall use the
Designated data only for “monitoring epidemics and their spread”, “the

See supra note 101, GDPR Art. 83.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 75 of 77
prevention or control of communicable diseases” and “contact tracing for
contagious diseases”;
•

The integrity and confidentiality of personal data shall be guaranteed via
legal means –CDC shall process personal data in a manner that ensures
appropriate security of the personal data, including protection against
unauthorized or unlawful processing and against accidental loss, destruction
or damage, applying appropriate technical or organizational measures;

•

Continued storage of personal data shall be limited in time to a specific
retention period – the IFR states the information will be deleted “when no
longer required for the purposes set forth above” which may be considered
insufficiently precise under the GDPR. The IFR should state the retention
period for personal data collected by the CDC.

In conclusion to Section VIII, it can be presumed that the GDPR is applicable to the processing
activities undertaken by airlines to comply with the IFR. The design of the IFR has material
consequences for the data privacy compliance obligations of airlines and, if poorly adapted, can
create a conflict of laws scenario. These concerns would be generally applicable to other data
privacy legislation that follows the same approach as the GDPR. While we submit that
arguments exist on a lawful basis, these require the interpretation of ambiguous provisions that
are largely untested. Where a basis can be identified and satisfied, additional provisions with
respect to transfers and safeguards must also be honored. Without the inclusion of further
safeguards to the IFR, legitimate concerns must remain on a legal conflict with the GDPR’s
requirements. A public health emergency does not allay such concerns—the IFR is broad, is not
time-limited, not limited to COVID-19, and requires systematic and wholesale transmission of
passenger data. Fundamental rights such as privacy cannot be dismissed under the EU legal
system simply by reference to a compelling emergency.
The CDC should give close consideration to the terms of the US-EU PNR Agreement in
incorporating necessary safeguards within its regulatory action. This would have the benefit of
improving legal certainty for passengers and airlines, as well as reducing or mitigating conflict of

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 76 of 77
law concerns. The U.S. government should, as a matter of urgency, seek to formalize a suitable
instrument or practical interim understanding with the EU to provide a sure footing for the IFR.
IX.

CONCLUSION
The airlines are treating COVID-19 as a top concern and priority, especially the health

and safety of our passengers and crewmembers. We will take all feasible, effective, and
reasonable measures to respond to the COVID-19 threats and impacts. However, we respectfully
submit that the CDC must withdraw the overly broad IFR that is falsely premised on COVID-19
contact tracing and conduct a full APA rulemaking to properly consider all of the implications of
CDC’s proposed rules. We look forward to working with the CDC to develop feasible and
effective alternatives to CDC’s IFR and strongly recommend that CDC adopt our recommended
website/mobile application solution that avoids unnecessary burdens and costs, increases
accuracy, and can be adopted in a short time to help CDC respond to COVID-19.
We greatly appreciate the opportunity to provide these comments and thank you for the
consideration.

[NO FUTHER TEXT – SIGNATURE PAGE FOLLOWS]

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Page 77 of 77

Respectfully submitted,

_________________________________
Patricia Vercelli
Senior Vice President, General Counsel
and Secretary
AIRLINES FOR AMERICA

_________________________________
Douglas E. Lavin
Vice President, Member and External
Relations North America
INTERNATIONAL AIR TRANSPORT
ASSOCIATION

_________________________________
Nobuyo Reinsch
Vice President, Aviation Safety &
Security
REGIONAL AIRLINE
ASSOCIATION

_________________________________
Paul Doell
Vice President, Government Affairs and
Security Policy
NATIONAL AIR CARRIER
ASSOCIATION

Dated: March 13, 2020

Joint Comments of A4A, IATA, RAA and NACA (CDC-2020-0013)
APPENDIX A
Airline Trade Association Members & Representation
A4A’s members are: Alaska Airlines, Inc.; American Airlines Group, Inc.; Atlas Air, Inc.; Delta
Air Lines, Inc.; Federal Express Corp.; Hawaiian Airlines; JetBlue Airways Corp.; Southwest
Airlines Co.; United Continental Holdings, Inc.; and United Parcel Service Co. Air Canada is an
associate member.
IATA represents over 290 airlines in 120 countries.
RAA’s members are: Air Wisconsin; CommutAir; CapeAir; Compass Airlines; Empire Airlines;
Envoy; Endeavor Air; ExpressJet; GoJet Airlines; Grand Canyon Scenic Airlines; Horizon Air;
Jazz; Mesa Airlines; New England Airlines; PenAir; Piedmont; Ravn Alaska; PSA Airlines;
Republic Airways; Seaborne Airlines; SkyWest Airlines; and Trans States Airlines.
NACA’s members are: Allegiant; AmeriJet; Air Transport International; Atlas Air Worldwide;
Everts Air Cargo; Frontier Airlines; Kalitta Air; Lynden Air Cargo; Miami Air International;
Northern Air Cargo; OAI; Spirit Airlines; Sun Country Airlines; SwiftAir; USA Jet Airlines;
WGA; and World Atlantic Airlines.

Joint Comments of A4A, IATA, RAA and NACA (CDC-2020-0013)
APPENDIX B
Summary of Contact Information Available to the U.S. Government Before the IFR
(Excluding information available through U.S. passport and U.S. visa applications)
Contact Information
Persons Covered

PNR
All passengers

Name
Address while in the
United States
Phone Number #1
Phone Number #2
Email
Conditions & Notes

Yes
Maybe*
Maybe*
Maybe*
Maybe*
• Airlines cannot
validate accuracy
• Not for crewmembers
* IF the relevant systems
(airline, GDS, OTA)
capture it and include
it in the PNR and IF
the passenger or travel
agent provides it

API
All passengers and
crewmembers
Yes
Yes**
No
No
No
• Airlines cannot
validate accuracy
**For foreign nationals
only; crewmember
address information is
the crewmember’s
permanent residence on
record with the airline,
which is not updated on a
flight-by-flight basis

ESTA
Enrolled foreign national
passengers eligible for
VWP
Yes
Yes
Yes
No
Yes
• Required to be
accurate by law
• Not for crewmembers

EVUS
Enrolled and eligible
Chinese citizen
passengers
Yes
Yes
Yes
No
Yes
• Required to be
accurate by law
• Not for crewmembers

Joint Comments of A4A, IATA, RAA and NACA (CDC-2020-0013)
APPENDIX C
Passenger Name Record (PNR)
The following summary is a general description of the information, standards, processes,
and systems related to PNR. It does not reflect specific PNR information for individual airlines,
which is proprietary and confidential.
PNR Creation
The systems used to create a PNR vary widely. The systems may include, but are not
limited to:
•
•
•
•
•
•
•
•
•

Airline websites that are used to book reservations;
Check-in kiosks;
Applications (app);
Customer service agent systems at airport check-in desks or gates;
Reservation agent systems (i.e., call centers);
Employee check-in systems;
Frequent flyer systems;
Global distribution systems (GDS); and
Travel agencies, including OTAs.

If an airline were to be required to collect and include specific information in a PNR, it would
have to modify all of these systems, which are connected through complex software and
networked equipment, and would require different levels of extensive programming.
The reasons an airline must modify all systems are demonstrated in the following
scenarios of how passengers may provide and airlines may capture information from the
passenger for a PNR:
•

A passenger books and checks-in for a flight at an airport ticket counter—
requiring check-in counter systems to be able to input passenger contact
information;

•

A passenger books a flight more than 24-hours in advance of the flight, including
through the website, mobile phone application, or call center, but checks-in
through another portal, such as the ticket counter, airline website, check-in kiosk,
or mobile application;

Joint Comments of A4A, IATA, RAA and NACA (CDC-2020-0013)
Appendix C, Page 2
•

A passenger books a flight through an OTA, checks-in through the airline’s
website, but changes their flight through a mobile application or at a kiosk;

•

An employee books a flight in advance, but checks-in at the gate.

PNR Data Sources and Accuracy
Data for a PNR is provided by the passengers themselves or by a third-party on behalf of
the passenger (e.g., travel agent). 136
Airlines cannot validate the PNR data against any external system or source to confirm
that the information is accurate. 137 For example, airlines cannot confirm that a phone number
provided during the booking process is accurate before including that information in the PNR.
Also, passenger contact information is not imbedded in any form of government-issued identity
document. Accordingly, a passenger may input false or incorrect data. It is also possible that a
passenger may not possess all types of contact information (such as an email address, a
secondary phone number, or a known address while in the United States) required by the CDC in
the IFR.
It is also the practice of some travel agents to provide the contact information of the
travel agent, not the passenger, to the airline. This protects the travel agent’s relationship with
the passenger and prevents the airline from directly contacting the passenger.
PNR Data Elements
The scope of information in a PNR—i.e., the number and nature of fields of information
in the PNR—varies depending upon the systems collecting the data, the itinerary, and
requirements of the passenger. 138 Any required PNR data elements are managed through

See supra note 13, ICAO Doc. 9944 at ¶ 2.1.2.
See id. at ¶ 2.16.1.
138
See id. at ¶ 2.1.8.
136
137

Joint Comments of A4A, IATA, RAA and NACA (CDC-2020-0013)
Appendix C, Page 3
bilateral arrangements between countries and airlines, as defined by national legislation. 139 The
U.S. government has never required airlines to collect and provide specific information in a
PNR. We are not aware of any country that requires the collection and sharing of passenger
contact information that is required by the CDC in the IFR.
In practice, airlines capture only limited data as key elements for the creation of PNR for
their own operational business purposes, but these elements vary widely from airline to
airline. 140 No two airlines collect and include the same information in a PNR.
Generally, airlines do include some passenger contact information in a PNR. For
example, all airlines collect and include the passenger’s name in a PNR. The extent to which an
airline collects and includes additional passenger contact information varies widely. The largest
factor is the airline’s reservation and passenger information systems. For example, some
airlines’ systems require that a customer include a telephone number when booking a
reservation, which the airline then may include in a PNR.
As explained herein, all passenger contact information that is currently captured by
airlines in a PNR is fully accessible to the U.S. government. 141
Standards Around Transmission of PNR Data
Many governments and their agencies around the world require that airlines to share PNR
data for the purpose of preventing, detecting, and investigating terrorist offences and other
transnational crimes. Throughout the years, international organizations have developed
international standards and guidelines to facilitate the orderly transfer of PNR data from airlines
to governments. Governments adhere to those international standards, which provide the

See supra note 14, IATA Principles, at 10.
See supra note 13, ICAO Doc 9944 at ¶ 2.1.7.
141
See supra Section III.A.1.
139
140

Joint Comments of A4A, IATA, RAA and NACA (CDC-2020-0013)
Appendix C, Page 4
uniformity and predictability that is needed for the aviation system to operate soundly and
economically.
In March 2005, the ICAO Council adopted the following Recommended Practice for
inclusion in Annex 9 to the Chicago Convention—Facilitation: “Contracting States requiring
Passenger Name Record (PNR) access should conform their data requirements and their handling
of such data to guidelines developed by ICAO.” 142 ICAO’s current International Standards and
Recommended Practices provide that:
•

•

Each Contracting State requiring PNR data shall align its data requirements
and its handling of such data with the guidelines contained in ICAO Doc
9944, Guidelines on Passenger Name Record (PNR) Data, Attachment 3,
and in PNRGOV message implementation guidance materials published and
updated by the World Customs Organization (“WCO”) and endorsed by
ICAO and IATA; and
Contracting States requiring the transfer of PNR data shall adopt and
implement the EDIFACT-based PNRGOV message as the primary method for
airline-to-government PNR data transferal to ensure global interoperability. 143

Several ICAO’s Member States, including the U.S. Government, have developed a PNR standard
that will make the collection of PNR data mandatory for all countries. The proposed text of the
standard will be part of Amendment 28 to the 15th Edition of Annex 9 and was endorsed by the
ICAO Air Transport Committee in February 2020. 144 Section 9.29(a) of the new standard states:
“Contracting States shall not require aircraft operators to collect PNR data that is not required as
part of their normal operating procedures nor to filter the data prior to transmission.” 145

See supra note 13, ICAO Doc. 9944 at v.
See ICAO, Annex 9 to the Convention on International Civil Aviation, Facilitation 9-4 (15 ed. Oct 2017),
available at https://store.icao.int/products/annex-9-facilitation (hereinafter “ICAO Annex 9”).
144
See ICAO, Air Transport Committee (ATC), 219th Session – Second Meeting, Summary of Decisions (Feb. 17,
2020), Attachment 26.
145
See ICAO, State Letter EC 6/3 – 20/14, Proposed Amendment to Annex 9 (Feb. 25, 2020) (hereinafter “ICAO
State Letter”), Attachment 27.
142
143

Joint Comments of A4A, IATA, RAA and NACA (CDC-2020-0013)
Appendix C, Page 5
To the extent that the regulations and practices of a country differ from these international
standards, the country must notify ICAO of such differences. 146 In the case of significant
differences, the country must publish such differences. 147
Accordingly, to the extent that the U.S. government requires changes to the PNR data
formatting or elements for purposes of collecting passenger contact information that differs from
the internationally recognized standards, the U.S. government must adhere to its international
obligations. For example, if the U.S. government imposes a PNR data element requirement that
is specific to the passenger’s address while in the United States and no international standard
currently exists for such data element, the U.S. government must adhere to its obligations under
the Chicago Convention regarding notice and publication of such changes.
To compliment ICAO’s Standards and Recommended Practices, ICAO, the World
Customs Organization (WCO), and IATA, as joint industry-government working group, have
developed internationally recognized standards for PNR elements and messages, providing a
consistent approach for all airlines required to provide PNR information to governments, via the
PNRGOV message. 148 Like ICAO, 149 IATA also recognizes that “[t]here is no mandate for the
provision of additional data not presently stored or provided within the systems.” 150
IATA has recognized that the standard PNR data elements are: 151

See supra note 143, ICAO Annex 9 at x.
Id.
148
See e.g., supra note 14, IATA Principles; IATA, Passenger and Airport Data Interchange Standards, EDIFACT
Implementation Guide, PNR Data Pushed to States or Other Authorities, PNRGOV Message 26 (Ver. 16.1 2016)
(hereinafter “IATA EDIFACT”), Attachment 28; IATA, Air Transport & Travel Industry Message
Modifications: Approved Revision Process PNRGOV (version 12.1 Aug. 1, 2012) (hereinafter “Message
Modification”), Attachment 29. The IATA standards also state, “[w]hile not currently mandated, the underlying
principle guiding development of the PNRGOV message is to provide a standard message structure that may be
utilized by States and Carriers.” See supra note 14, IATA Principles at 7.
149
See supra note 16, and accompanying text.
150
See supra note 14, IATA Principles at 5.
151
See id. at 11.
146
147

Joint Comments of A4A, IATA, RAA and NACA (CDC-2020-0013)
Appendix C, Page 6
PNR record locator code
Date of reservation / issue of ticket
Date(s) of intended travel
Name(s) on the PNR
Available frequent-flyer information (free tickets, upgrades, etc.)
Other names on PNR, including numbers of travelers on the PNR
All available contact information (including originator information)
All forms of payment information and billing information (not including other
transactions details linked to a credit card or account and not connected to the
travel transaction)
Travel itinerary for specific PNR
Travel agency and Travel agent
Code share PNR information
Split / Divided PNR information
Travel status of passenger (including confirmations and check-in status)
Ticketing information including Ticket number, one-way tickets, and Automated
Ticket fare quotes
All baggage information
Seat information include seat number
General remarks including OSI and SSR information
Any collected APIS information
All historical changes to the PNR listed in data types 1 to 18 above
The PNRGOV messaging standard contains an approved message segment for address
information. 152 This address segment may be used for passenger contact information, but
152

See supra note 148, IATA EDIFACT at 26.

Joint Comments of A4A, IATA, RAA and NACA (CDC-2020-0013)
Appendix C, Page 7
airlines may also use the segment for billing or payer address information. The standard
recognizes a physical address and includes a free-text field to include phone number. IATA has
also developed standards for Special Service Requests (“SSR”), as well as Other Service
Information, which are supplementary elements, to populate additional passenger-related
information, including passenger contact information. Passenger contact information OSI for
PNR include: CTCA – Address (home or hotel); CTCB – Business phone; CTCH – Home
phone; CTCT – Travel Agent phone; CTCP – Phone nature not known. SSRs relating to
passenger contact information include: CTCM – Mobile Phone; CTCE – Email; and CTCR –
Refused.
Because these standards are used around the world and for interfacing communications
systems, including between airlines, governments, distribution systems, and ticket agents,
changes to the standards must undergo a specific process. The WCO, IATA, and ICAO maintain
the PNRGOV message format and have control over the authorization of modifications to the
message structure. 153 Amendments to the message structure fall under WCO/IATA/ICAO API
PNR Contact Committee, which includes representatives from the United States, ICAO, IATA,
and other interested countries. 154 Changes are made through parallel, complimentary, and
iterative WCO Data Maintenance Request (“DMR”) process and IATA process, which include
technical assessments and consideration of stakeholder feedback. 155
Recognizing the importance of the process in place for amending the message structure,
the new ICAO PNR Standard contains a provision to the effect that—states shall, when
considering requiring elements that deviate from the standard, submit a request to the

See supra note 148, IATA Message Modification at 3.
Id.
155
Id. at 4-5.
153
154

Joint Comments of A4A, IATA, RAA and NACA (CDC-2020-0013)
Appendix C, Page 8
WCO/IATA/ICAO API PNR Contact Committee in conjunction with the WCO’s Data
Maintenance Request (DMR) process via a review and endorsement process for inclusion of the
data element in the guidelines. 156
Additional Information
Additional information regarding PNR can be found online at:

156

•

ICAO, API Guidelines and PNR Reporting Standards, available at
https://www.icao.int/Security/FAL/SitePages/API%20Guidelines%20and%20PNR%20R
eporting%20Standards.aspx

•

IATA, API-PNR Toolkit, available at https://www.iata.org/en/publications/api-pnrtoolkit/

See supra note 145, ICAO State Letter at A-3.

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
APPENDIX D
Advanced Passenger Information (API)
The following summary is a general description of the information, standards, processes,
and systems related to API. It does not reflect API system information for individual airlines,
which is proprietary and confidential.
The implementation of APIS has been a long and collaborative process between all
industry stakeholders, particularly the airlines and CBP. In fact, before the Congressional
mandate in ATSA, APIS was available for airlines to voluntarily transmit manifest information.
Soon after ATSA, CBP released an interim rule on December 31, 2001 implementing the
Congressionally-required passenger and crew manifest requirements, setting forth the general
requirements for the electronic transmission of manifests to CBP.157 In effect, all airlines were
sending API to the U.S. government for each inbound flight to the United States.
Implementation was facilitated by the voluntary pre-existing systems and connectivity between
the airlines and CBP. Since the 2001 rulemaking, CBP has undertaken multiple rulemakings to
finalize and implement APIS, including expanding the options by which airlines may transmit
manifest information through APIS. 158
Most recently, CBP modified the APIS rules to allow for APIS Quick Query (“AQQ”),
which allowed airlines to submit passenger data to CBP as each passenger checks-in for the

See CBP, Passenger and Crew Manifests Required for Passenger Flights in Foreign Air Transportation to the
United States, 66 Fed. Reg. 67,482 (Dec. 31, 2001).
158
See e.g., CBP, Electronic Transmission of Passenger and Crew Manifests for Vessels and Aircraft, 70 Fed. Reg.
17,820 (Apr. 7, 2005); CBP, Advance Electronic Transmission of Passenger and Crew Member Manifests for
Commercial Aircraft and Vessels, 72 Fed. Reg. 48,320 (Aug. 23, 2007) (hereinafter “AQQ Final Rule”); CBP,
Establishing U.S. Ports of Entry in the Commonwealth of the Northern Mariana Islands (CNMI) and
Implementing the Guam-CNMI Visa Waiver Program, 74 Fed. Reg. 2,824 (Jan. 16, 2009); CBP, Establishing
U.S. Ports of Entry in the Commonwealth of the Northern Mariana Islands (CNMI) and Implementing the GuamCNMI Visa Waiver Program; Change of Implementation Date, 74 Fed. Reg. 25,387 (May 28, 2009).
157

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Appendix D, Page 2
flight from the beginning of the check-in process up to 15 minutes prior to departure. 159 The
collaborative efforts of airlines and CBP to incorporate AQQ into APIS began long before CBP
proposed rules to allow for airlines’ use of AQQ, including written submissions, teleconferences,
and in-person meetings. In fact, CBP, in coordination and with input from the airlines, issued
multiple drafts of the AQQ User Guide more than a year before the CBP proposed rules. 160
Ultimately, CBP issued proposed rules in July 2006 and, after receiving comments from airlines,
issued final rules in August 2007. 161 The rules did not go into effect for another six months,
extending the process to over three years. Even with this long and collaborative development
process to allow for AQQ, airlines were still required to submit its electronic transmission
system to CBP testing and get CBP’s certification that the airline’s system is capable of
interactively communicating with the CBP system for effective transmission of manifest data and
receipt of appropriate messages.
CBP requires, among other elements, the following information in manifests that airlines
send to CBP:
•
•
•
•
•
•

Full name, date of birth, and gender;
Citizenship and country of residence;
Travel document type, number, and country of issuance;
Alien registration number (if applicable);
PNR locator, if available; and
Flight number and date of aircraft arrival. 162

CBP only requires U.S. address information for non-U.S. nationals/residents. For crewmembers,
API includes the address of permanent residence. 163

See supra note 158, AQQ Final Rule at 48,320.
The first draft was issued on December 31, 2005.
161
See CBP, Passenger Manifests for Commercial Aircraft Arriving in and Departing From the United States;
Passenger and Crew Manifests for Commercial Vessels Departing From the United States, 71 Fed. Reg. 40,035
(July 14, 2006); supra note 158, AQQ Final Rule at 48,320.
162
See 19 C.F.R. §§ 122.49a, 122.49b, and 122.49c.
163
Id.
159
160

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Appendix D, Page 3
Because airlines are not required to transmit other contact information (e.g., two phone
numbers, an email address, and U.S. address for U.S. nationals/residents), airline systems are not
designed to require collection of and transmission of such information as API (nor typically
collect it in the PNR). Also, airlines do not have to transmit active duty U.S. military passenger
information, when those passengers are transported as passengers on arriving Department of
Defense commercial chartered aircraft. 164 The Department of Defense provides very limited
passenger information to charter airlines.
Airlines cannot validate address information for accuracy. To that end, CBP recognizes
that the passenger (and therefore the airlines) may not know the first night stay or the general
itinerary and allows for general information to be included in the address elements. 165 For
example, the address information may be: 166
•
•
•
•

Street Address: Touring the Grand Canyon
City: Grand Canyon
State: AZ
Zip Code: 99999

CBP also allows for general descriptions of locations if the exact address is unknown, such as a
hotel description (e.g., Washington Downtown Hotel Hilton). 167
Like PNR, 168 airlines may collect the CBP-required API data from various automated
sources, such as booking websites, mobile applications, and check-in kiosks. Each of these
systems, including underlying systems like the carrier’s Department Control System (DCS),
would have to be modified to comprehensively capture the CDC-required passenger contact

See 19 C.F.R. § 122.49a.
See CBP, Advance Passenger Information System (APIS) Final Rule Requirement (May 23, 2013),
Attachment 30.
166
Id.
167
Id.
168
See supra Section III.A.1 and Appendix A at 1.
164
165

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Appendix D, Page 4
information and successfully transmit that information to CBP via APIS. Airlines estimate that it
will take at least 12-18 months to update all systems to ensure capture and arrange for transmittal
to CBP. Also, GDSs and OTAs would have to update their systems to ensure capture of the
contact information, as well as coordinate with each airline to ensure that the captured
information was successfully transmitted to the airlines for subsequent transmittal to CBP. This
additional coordination will likely prolong and add complexity to the process.
Moreover, CBP would have to update its systems to receive the additional contact
information. Based on the history of developing APIS and transmission options, airlines
estimate that the process will be much longer than CBP’s estimate to ensure that all systems are
able to capture, transmit, and receive the new contact information.
Some airlines do not have automatic information collection systems or direct connectivity
to CBP for purpose of transmitting API data through APIS. For airlines that are not directly
connected to CBP, CBP developed the Electronic Advance Passenger Information System
(“eAPIS”). 169 This system allows airlines to enter or upload passenger and crew manifests
through a website. The manifests that airlines upload must confirm to international standards,
discussed below. 170
Like PNR, 171 API is used ubiquitously by customs agencies around the world. 172
Accordingly, also like PNR, international organizations (i.e., WCO, IATA, and ICAO) have
issued standards and recommendations regarding the data to be transmitted. These organizations
also recognize that “[n]on-standard API programme implementation may lead to operational and

See CBP, Electronic Advance Passenger Information System, Help, Attachment 31.
Id. (How do I upload a manifest I created offline?)
171
See supra Appendix C at 3.
172
See supra note 143, ICAO Annex 9 at 9-1 (“Each Contracting State shall establish an Advance Passenger
Information (API) system.”).
169
170

Joint Comments of A4A, IATA, RAA, and NACA (CDC-2020-0013)
Appendix D, Page 5
financial implications for both government and aircraft operators,” 173 while recommending that
the information is limited in scope to contain only limited contact information—i.e., passenger
name and destination address. 174
We understand from CBP that CBP has data fields available to receive the information
required by CDC, including phone numbers and email address. The international organizations
have also established guidelines for email and phone. 175 However, airlines have not included
these elements into their API systems, in part because it is not required to do so and also to
comply with privacy laws.

See supra note 97, API Guidelines at 3.
See id. at 19-22 (regarding API data to be captured and transmitted—“The WCO, IATA, and ICAO have jointly
agreed on the maximum set of API data that should be incorporated into the PAXLST message to be used for the
transmission of such data by the carriers to the Border Control Agencies. It is important to note that countries
should limit their data requirements to the minimum necessary and according to national legislation.”).
175
See WCO/IATA/ICAO, Passenger List Message (PAXLST) Implementation Guide 19 (version 6.0 Nov. 2014),
Attachment 32.
173
174

BEFORE THE
CENTERS FOR DISEASE CONTROL AND PREVENTION
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
ATLANTA, GA
__________________________________________
)
In the Matter of:
)
)
Docket CDC-2020-0013
Control of Communicable Diseases;
)
Foreign Quarantine
)
__________________________________________)
SUPPLEMENTAL COMMENTS OF
AIRLINES FOR AMERICA
Communications with respect to this document should be addressed to:
Patricia Vercelli
Senior Vice President, General Counsel and
Secretary
Graham Keithley
Assistant General Counsel
AIRLINES FOR AMERICA
1275 Pennsylvania Avenue, NW
Suite 1300
Washington, DC 20004
(202) 626-4000
[email protected]
[email protected]

March 20, 2020

BEFORE THE
CENTERS FOR DISEASE CONTROL AND PREVENTION
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
ATLANTA, GA
__________________________________________
)
In the Matter of:
)
)
Docket CDC-2020-0013
Control of Communicable Diseases;
)
Foreign Quarantine
)
__________________________________________)
SUPPLEMENTAL COMMENTS OF
AIRLINES FOR AMERICA
Airlines for America (“A4A”) submits these Supplemental Comments on behalf of their
Members 1 in response to the Centers for Disease Control and Prevention’s (“CDC”) interim final
rule, Control of Communicable Diseases; Foreign Quarantine (“IFR”). 2 We supplement our
comments, which we submitted on March 13, 2020 and were joined by other airline trade
associations (“March 13 Joint Comments”), 3 because facts regarding the U.S. government’s
direct collection, processing, and use of contact information from passengers came to light
within hours of the IFR public comment deadline and the submission of our comments. 4 We
applaud the U.S. government for performing these critical, inherently governmental duties to
prevent the spread of COVID-19. The rapid developments of the COVID-19 crisis over the last
week, including the economic impacts, have demonstrated the vital need for globally coordinated
government responses. To that end, we respectfully submit that the U.S. government’s actions—
i.e., its demonstrated capability to collect, process, and use accurate passenger contact
information with limited help from airlines—are critical to the assessment of the IFR.
1

2
3

4

A4A’s members are: Alaska Airlines, Inc.; American Airlines Group, Inc.; Atlas Air, Inc.; Delta Air Lines, Inc.;
Federal Express Corp.; Hawaiian Airlines; JetBlue Airways Corp.; Southwest Airlines Co.; United Continental
Holdings, Inc.; and United Parcel Service Co. Air Canada is an associate member.
85 Fed. Reg. 7,874 (Feb. 12, 2020) (hereinafter the “IFR”).
See Joint Comments of Airlines for America, the International Air Transport Association, the Regional Airline
Association, and the National Air Carrier Association (Mar. 13, 2020) (CDC-2020-0013) (hereinafter “March 13
Joint Comments”).
Comments to the IFR were due on March 13, 2020. We submit these Supplemental Comments through
[email protected] because we cannot submit comments through www.regulations.gov.

Supplemental Comments of A4A (CDC-2020-0013)
Page 2 of 8
Although the IFR comment period is closed, we submit that the CDC must consider the
information herein because such consideration is in the public interest , is necessary to complete
the administrative record, and will better inform the final rules. Additionally, the CDC’s
consideration of this information will not materially delay CDC’s finalization of the rules. 5 The
CDC will not be adversely impacted by considering these Supplemental Comments because we
are submitting them within days of the comment period closing, when the CDC is still in the
nascent stages of reviewing comments to the IFR. Additionally, the CDC’s consideration of
these Supplemental Comments is critical—failing to consider them will prejudice stakeholders,
particularly the airlines that are obligated to collect and transmit passenger contact information to
the CDC under the IFR, despite the U.S. government’s demonstrated capability of collecting this
information itself. 6
SUPPLEMENTAL COMMENTS
Just hours before the closure of the IFR’s comment period, and without any notice to the
airlines, the U.S. government announced that it will collect contact information from select
airline passengers. Although details of the collection were unclear at the time of the
announcement, we learned of the scope and details of this collection within 48 hours of the
comment period closing.
Based upon this new information, as well as CDC’s on-going passenger contact
information efforts, we respectfully submit that the U.S. government has been and is capable of
implementing near and long-term contact tracing solutions in a manner that would address the

5
6

The IFR is already effective. We respectfully submit that any additional time to consider the limited factual
information contained herein will not substantially delay any final rulemaking.
See Ad Hoc Metals Coalition v. Whitman, 227 F. Supp. 2d 134 (D.D.C. 2002) (rejecting the argument that a
month-late comment could be ignored and stating that “where highly relevant information comes to light one
month later because of an agency’s own initiative, prior to promulgation of a final rule and with a sufficient
amount of time remaining that the ultimate decision can be influenced, . . . such information should be included in
the record.”).

Supplemental Comments of A4A (CDC-2020-0013)
Page 3 of 8
goals of the IFR, specifically: (i) collecting accurate contact information directly from
passengers; (ii) timely processing of such information in material volumes and from paper forms;
and (iii) using such information by distributing it to state and local public health officials.
CDC’s demonstrated capability to perform contract tracing data collection calls into question the
CDC’s assertions in the IFR. 7 Moreover, the U.S. government can and has achieved this contact
tracing solution with limited assistance from airlines (i.e., passing out forms to passengers),
imposing far smaller obligations than those in the IFR, and within a significantly accelerated
timeframe compared to the (at-least) year-long time frame for the airline industry to modify
systems to collect unverified passenger contact information and transmit it to CDC under the
IFR. We also respectfully submit that the CDC can expand and improve upon its passenger
contact information procedures by implementing U.S. government-owned technological and
automated solutions—i.e., machine readable forms and online/mobile application collection.
A.

Background

As explained in our March 13 Joint Comments, U.S. airlines are compliant with the
CDC’s February 18th order regarding the disclosure of passenger contact information from
passengers that were flying to the United States and had been in China within 14 days prior to
entering or attempting to enter the United States (“Designated Passengers”). 8 It is currently
possible for airlines to complete this collection manual and transmit it to the CDC via Passenger
Name Records (“PNR”) only because of the de minimis number of passengers to whom it
applies. 9 Three days before the IFR comment period closed, the President issued a proclamation

See supra note 2, IFR at 7,876 (explaining that requiring individuals to provide information under 14 C.F.R.
§ 71.20 may not be adequate to address public health emergencies).
8
See supra note 3, March 13 Joint Comments at 10; CDC, Collection of Certain Data Regarding Passengers and
Crew Arriving From Foreign Countries by Airlines, 85 Fed. Reg. 10,439 (Feb. 24, 2020) (Agency order, issued on
February 18).
9
See supra note 3, March 13 Joint Comments at 18.
7

Supplemental Comments of A4A (CDC-2020-0013)
Page 4 of 8
limiting travel from the European Union (“EU”). 10 The volume of passengers traveling from
Europe to the United States is substantially larger than the volume of Designated Passengers who
had recently traveled to China. 11 And thus, the manual collection and entry of passenger
information is not possible for the airlines at this magnitude.
On March 13, 2020 at 1601 PM EDT, the Department of Homeland Security’s Office of
Public Affairs (“DHS Notice”) issued the attached bulletin, Attachment 1, titled “Department of
Homeland Security Outlines New Process for Americans Returning from Certain European
Countries, China, and Iran.” The bulletin states:
Upon arrival, travelers will proceed to standard customs processing. They will then
continue to enhance entry screening where the passengers will be asked about their
medical history, current condition, and asked for contact information for local health
authorities. (emphasis added)

Although we were able to include this document in our March 13 Joint Comments, we did not
have any details regarding this collection of information (i.e., scope, process, storage, purpose,
etc.), nor a reasonable opportunity to obtain additional information from the U.S. government
regarding this collection of information before submitting our comments. Therefore, we did not
substantively comment on the bulletin in our March 13 Joint Comments. The comment period
closed without the U.S. government having disclosed any further details to the airlines about the
U.S. government’s plans regarding passenger contact information.
In the 48 hours following DHS’s issuance of the bulletin, the U.S. government provided
additional information about its passenger contact information efforts, explained below.

See Proclamation 9993, Suspension of Entry as Immigrants and Nonimmigrants of Certain Additional Persons
Who Pose a Risk of Transmitting 2019 Novel Coronavirus, 85 Fed. Reg. 15,045 (Mar. 16, 2020) (effective Mar.
11, 2020)
11
See K. Caralle, Trump Administration is Slammed by State Officials Amid Chaotic Airport Scenes as Thousands
of Returning Americans Face HOURS Waiting for Virus Screening and Risk Becoming Carriers, The Daily Mail
(Mar. 15, 2020) available at https://www.dailymail.co.uk/news/article-8114453/Trump-pleads-calmTHOUSANDS-Americans-herded-lines-hours-airports.html.
10

Supplemental Comments of A4A (CDC-2020-0013)
Page 5 of 8
B.

CBP JFK Notice

On March 14, 2020, the day after the IFR comment period closed, multiple airlines
received the attached U.S. Customs and Border Protection’s (“CBP”) New York Field Office,
JFK International Airport, Notice to Carriers for Passengers Arriving from the Schengen Region
(“CBP JFK Notice”), Attachment 2. The release of the notice was unexpected and
unannounced—no airline or trade association had any advance notice about the notice before it
was received by airlines.
The CBP JFK Notice states that DHS’s Countering Weapons of Mass Destruction Office
(“CWMD”) will conduct a modified screening of all passengers arriving from the Schengen
Region, including “distributing a Traveler Health Information packet to all passengers.” CMWD
will also “ensure that Medical / Contact Declarations are accurately completed” and “collect all
Medical / Contact Declarations” (emphasis added).
The airlines have received only limited information and official guidance after receiving
the CBP JFK Notice, limited to the teleconference with the U.S. government on March 14, 2020,
discussed in Section I.D below. From that teleconference, we understand that the Medical /
Contact Declarations is a reference to the United States Traveler Health Declaration (“THD”)
discussed in Section I.C below.
C.

United States Traveler Health Declaration

On March 14, 2020, CDC arrived at the 13 designated funneling airports 12 and provided
the attached United States Traveler Health Declaration (“THD”) form, Attachment 3, to
passengers to be completed by the passengers and delivered to U.S. government officials as the

12

DHS, Department of Homeland Security Outlines New Process for Americans Returning from Certain European
Countries, China, and Iran, (March 13, 2020), available at, https://www.dhs.gov/news/2020/03/13/departmenthomeland-security-outlines-new-process-americans-returning-certain.

Supplemental Comments of A4A (CDC-2020-0013)
Page 6 of 8
passengers underwent the enhanced screening procedures at the airport. 13 The form specifically
requires that a passenger provide: (i) family name; (ii) first (given) names; (iii) U.S. destination:
Address or hotel name, city, and state; (iv) email address; (v) telephone number in US, and
whether the telephone number is for a mobile phone. Explicitly acknowledged in the form, the
CDC requires that passengers provide the contact information pursuant to its legal authority
under Title 42 Code of Federal Regulations Section 71.20 to compel passengers to give the
requested information to the CDC, ensuring that CDC obtains accurate information. 14
We understand that the CDC has used the THD form for passengers that undergo
enhanced screening starting on March 14, 2020, and CDC continues to use the form at the time
these Supplement Comments are filed.
D.

Airline-U.S. Government Teleconference Regarding the THD

On March 14, 2020 at 1700 PM EDT, A4A participated in a teleconference with CDC,
CBP, the Transportation Security Administration (“TSA”), all of A4A’s member airlines, and
others regarding implementation of additional restrictions regarding travel to the United States
based upon the President’s proclamation, as well as the passenger screening process, including
distribution of the THD form and collection from passengers. During the teleconference—
•

TSA stated that it is requiring airlines that have direct service from the
Schengen Area to the U.S. to provide a physical copy of the THD for each
passenger to fill out and that TSA will incorporate the requirements to
distribute the form into an upcoming Security Directive.

•

The CDC explained that—

In discussions with the U.S. government before the release of the IFR, the airlines recommended the use of paper
forms and offered to distribute those forms to passengers. See also Letter from Nicholas E. Calio, A4A, to Hon.
Alex M. Azar II, Secretary, Dep’t of Health & Human Svcs. (Feb. 13, 2020) (docket file OST-2020-0013-0002)
(stating that airlines are willing to hand out a U.S. government public health locator form for passenger flights).
14
See supra 3, March 13 Joint Comments 4 (“More fundamentally, forcing airlines to collect unverifiable passenger
contact information will not fulfill CDC’s public health mission to identify and contact passengers who may have
been exposed to COVID-19 or any future communicable disease; only the government has the sovereign authority
to require and enforce that passengers provide accurate contact information that is useful for CDC’s public health
follow-up purposes.”).
13

Supplemental Comments of A4A (CDC-2020-0013)
Page 7 of 8
o The THD form serves two purposes: (i) providing information to
travelers, and (ii) collecting contact tracing information which is
being entered into a secure database and shared with local public
health officials.
o The data entry from the THD form to the secure database is being
performed by U.S. government contract personnel.
o The use of the THD form is an “interim measure.”

o The CDC will modify the THD form to reflect future expansions
of travel restrictions to additional foreign countries.
•

A4A asked for further information regarding the form and secure
database, including whether it is being manually entered or machine read,
as well as any specifics about the database and where the collected data is
being stored. CDC did not answer any of A4A’s questions, claiming that
A4A’s requested information was beyond the scope of the call.

•

The CDC stated that the form is Office of Management and Budget
(“OMB”) approved.

We understand from the teleconference that the U.S. government will collect the THD during the
enhanced screening process of passengers upon arrival in the U.S. A4A also made
recommendations to improve the THD, specifically that the THD should have a control number
to ensure that airlines are using the correct form after changes are made to add foreign countries.
The CDC took note of the recommendations and agreed that a control number should be added.
E.

TSA Security Directives

To require the airlines’ participation in the U.S. government’s passenger contact
information efforts, the U.S. government leveraged TSA’s Security Directive and Emergency
Amendment authority. Specifically, from the evening of March 14, 2020 to the evening of
March 15, 2020, the TSA proposed and issued a Security Directive and Emergency Amendment
that require that airlines ensure that each person traveling from a country or jurisdiction that is
subject to travel restrictions receive the THD and that each passenger must provide the THD to a

Supplemental Comments of A4A (CDC-2020-0013)
Page 8 of 8
designated U.S. government representative upon arrival in the United States. 15 An OMBapproved version of the THD was made available, Attachment 4, and the CDC recommended
that airlines recite a pre-arrival script for COVID-19 screening, Attachment 5. Airlines have
been compliant with the TSA requirements, facilitating the U.S. government’s passenger contact
information efforts with the THD.
*

*

*

We greatly appreciate the opportunity to provide these comments and thank you for the
consideration.
Respectfully submitted,

_________________________________
Patricia Vercelli
Senior Vice President, General Counsel
and Secretary
AIRLINES FOR AMERICA
Dated: March 20, 2020

15

The Security Directive and Emergency Amendments are Sensitive Security Information and cannot be shared
publicly.

Joint Comments of A4A, IATA, RAA, and NACA
(CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181

Attachment B

Department of Health and Human Services
Centers for Disease Control and Prevention

OMB Control No. : 0920-1181
Expiration date : 05/31/2020

PUBLIC HEALTH PASSENGER LOCATOR FORM
To protect your health, public health officers need you to complete this form whenever they suspect a communicable disease
onboard a flight. Your information will help public health officers to contact you if you were exposed to a communicable disease.
It is important to fill out this form completely and accurately. Your information is intended to be held in accordance with
applicable laws and used only for public health purposes.
Thank you for helping us to protect your health.

English

‫ف ار س ی‬

한국어

Click below to go to an English
language version of the form.

‫برای رفتن به نسخه فارسی فرم از زیر کلیک‬
‫کنید‬.

한국어 버전의 양식으로 이동하려
면 아래를 클릭하십시오.

Go To Form

‫به فرم بروید‬

简体中文

Italiana

单击下面转到该表格的简体中文版
本

Fai clic di seguito per accedere a
una versione in lingua italiana del
modulo.

前往表格

Vai al modulo

양식으로 이동

CDC - Public Health Passenger Locator Form

Page 1 of 2

Department of Health and Human Services
Centers for Disease Control and Prevention

OMB Control No. : 0920-1181
Expiration date : 05/31/2020

PUBLIC HEALTH PASSENGER LOCATOR FORM
To protect your health, public health officers need you to complete this form whenever they suspect a communicable disease
onboard a flight. Your information will help public health officers to contact you if you were exposed to a communicable disease.
It is important to fill out this form completely and accurately. Your information is intended to be held in accordance with
applicable laws and used only for public health purposes.
Thank you for helping us to protect your health.

• One form should be completed by an adult member of each family.
• Only letters, numbers, '-', and '@' are allowed for text entry.

Flight
Airline *
--Select Airline--

Flight Number *

Seat Number *

Arrival Date *



05/15/2020

Personal
Last (Family) Name *

First (Given) Name *

Middle Initial

Primary Phone (While In US)

Secondary Phone (While In US)

Have Phone

Email
Have Email

Address In United States
Number and street

Apartment Number

City *

State *



--Select State--

+ Add Family Members

Submit

I'm not a robot
reCAPTCHA
Privacy - Terms

Public reporting burden of this collection of information is estimated to average 5 minutes per response, including the time for
reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing
the collection of information. An agency may not conduct or sponsor, and a person is not required to respond to a collection of
information unless it displays a currently valid OMB Control Number. Send comments regarding this burden estimate or any other
aspect of this collection of information, including suggestions for reducing this burden to CDC/ATSDR Reports Clearance Officer,
1600 Clifton Road NE, MS D-74, Atlanta, Georgia 30333; ATTN: PRA 0920-1181

https://tdc.cdc.gov/PassengerLocator/Index?lan=English

5/15/2020

Joint Comments of A4A, IATA, RAA, and NACA
(CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181

Attachment C

Search:

Agenda

Reg Review

ICR

Display additional information by clicking on the following:  All  Brief
 Abstract/Justification  Legal Statutes  Rulemaking  FR Notices/Comments  IC List  Burden  Misc. 

Common Form Info.  Certification
View Information Collection (IC) List

View Supporting Statement and Other Documents

View ICR - Agency Submission
OMB Control No: 0920-1181
ICR Reference No: 202003-0920-003
Status: Received in OIRA
Previous ICR Reference No: 201610-0920-015
Agency/Subagency: HHS/CDC
Agency Tracking No:
Title: Airline and Traveler Information Collection: Domestic Manifests and the Passenger Locator Form (42 CFR Part 70 and 71)
Type of Information Collection: No material or nonsubstantive change to a
Common Form ICR: No
currently approved collection
Type of Review Request: Regular
Date Submitted to OIRA: 03/04/2020
Expiration Date

Requested
05/31/2020

Previously Approved
05/31/2020

2,701,629

2,701,629

225,308

225,308

0

0

Responses
Time Burden (Hours)
Cost Burden (Dollars)

Abstract: This information collection ensures that, consistent with the authorities in the Public Health Service Act and in Code of Federal Regulations (CFR), CDC can
collect conveyance, passenger and crew member manifest information (manifests) and Passenger Locator Forms (PLF) in the event an individual with a confirmed or
suspected case of a communicable disease is known to have traveled on an interstate flight while infectious or potentially infectious and presented a risk of spread to
other passengers or crew. This is collected so CDC can initiate the process of contact tracing or provision of other public health follow up to prevent further disease
spread. The Non-Substantive Change Request, is submitted for the addition of a web-based version of the PLF.
Authorizing Statute(s): Statute at Large: 42 Stat. 70 Name of Statute: Interstate Quarantine
Statute at Large: 42 Stat. 71 Name of Statute: Foreign Quarantine
US Code: 42 USC 264 Name of Law: Public Health and Welfare
Citations for New Statutory Requirements: None
Associated Rulemaking Information
RIN:
Stage of Rulemaking:
Not associated with rulemaking

Federal Register Citation:

Federal Register Notices & Comments
60-day Notice:
Federal Register Citation:
81 FR 60702
30-day Notice:
Federal Register Citation:
81 FR 78165
Did the Agency receive public comments on this ICR? No

Date:

Citation Date:
09/02/2016
Citation Date:
11/07/2016

Number of Information Collection (IC) in this ICR: 5
IC Title
Domestic TB Manifest Template or Informal
Manifest Request

Form No.

Form Name

Domestic non-TB Manifest Template and Informal
Manifest Request
Passenger Locator Form - limited onboard
exposure int'l flights

none

Passenger Locator Form

Passenger Locator Form - domestic flights

none

Passenger Locator Form

Passenger Locator Form - outbreak of PH
significance int'l flights

none, 09201181

Passenger Locator Form , Passenger Locator
Form (Web-based)

ICR Summary of Burden
Total Request

Previously Approved

Change Due to New
Statute

Change Due to Agency
Discretion

Change Due to
Adjustment in
Estimate

Change Due to
Potential Violation of
the PRA

Annual Number
of Responses

2,701,629

2,701,629

0

0

0

0

Annual Time
Burden (Hours)

225,308

225,308

0

0

0

0

0

0

0

0

0

0

Annual Cost
Burden
(Dollars)

Burden increases because of Program Change due to Agency Discretion: No
Burden Increase Due to:
Burden decreases because of Program Change due to Agency Discretion: No
Burden Reduction Due to:
Short Statement:
Annual Cost to Federal Government: $355,282

Does this IC contain surveys, censuses, or employ statistical methods? No
Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's
privacy program when making this determination. Yes
Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when
making this determination. Yes
Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No
Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No
Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No
Agency Contact: Jeffrey Zirger 404 639-7118 [email protected]
Common Form ICR: No
On behalf of this Federal agency, I certify that the collection of information encompassed by this request complies with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding the proposed collection of information, that the certification covers:


(a) It is necessary for the proper performance of agency functions;



(b) It avoids unnecessary duplication;



(c) It reduces burden on small entities;



(d) It uses plain, coherent, and unambiguous language that is understandable to respondents;



(e) Its implementation will be consistent and compatible with current reporting and recordkeeping practices;



(f) It indicates the retention periods for recordkeeping requirements;



(g) It informs respondents of the information called for under 5 CFR 1320.8 (b)(3) about:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control number;



(h) It was developed by an office that has planned and allocated resources for the efficient and effective management and use of the information to
be collected.



(i) It uses effective and efficient statistical survey methodology (if applicable); and



(j) It makes appropriate use of information technology.

If you are unable to certify compliance with any of these provisions, identify the item by leaving the box unchecked and explain the reason in the Supporting Statement.
Certification Date: 03/04/2020

About Us

Related Resources

Disclosure

Accessibility

Privacy Policy

Contact Us

Joint Comments of A4A, IATA, RAA, and NACA
(CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181

Attachment D

Search:

Agenda

Reg Review

Display additional information by clicking on the following:  All  Brief
 Abstract/Justification  Legal Statutes  Rulemaking  FR Notices/Comments  IC List  Burden  Misc. 

Common Form Info.  Certification
View Information Collection (IC) List

View Supporting Statement and Other Documents

View ICR - Agency Submission
COMMENT

OMB Control No: 0920-1181
ICR Reference No: 202004-0920-009
Status: Received in OIRA
Previous ICR Reference No: 201610-0920-015
Agency/Subagency: HHS/CDC
Agency Tracking No:
Title: Airline and Traveler Information Collection: Domestic Manifests and the Passenger Locator Form (42 CFR Part 70 and 71)
Type of Information Collection: Revision of a currently approved collection
Common Form ICR: No
Type of Review Request: Regular
Date Submitted to OIRA: 05/13/2020
Expiration Date

Requested
36 Months From Approved

Previously Approved
05/31/2020

2,702,100

2,701,629

228,134

225,308

0

0

Responses
Time Burden (Hours)
Cost Burden (Dollars)

Abstract: The goal of this information collection is to ensure that, consistent with the authorities in the Public Health Service Act and in Code of Federal Regulations
(CFR), CDC can collect conveyance, passenger and crew member manifest information (aka manifests) and Passenger Locator Forms (PLF) in response to notification
of an ill traveler who poses a risk to co-travelers, and that CDC can share useful contact information with health departments.
Authorizing Statute(s): Statute at Large: 42 Stat. 71 Name of Statute: Foreign Quarantine
US Code: 42 USC 264 Name of Law: Public Health and Welfare
Statute at Large: 42 Stat. 70 Name of Statute: Interstate Quarantine
Citations for New Statutory Requirements: None
Associated Rulemaking Information
RIN:
Stage of Rulemaking:
Not associated with rulemaking
Federal Register Notices & Comments
60-day Notice:
Federal Register Citation:
84 FR 59380
30-day Notice:
Federal Register Citation:
85 FR 23357
Did the Agency receive public comments on this ICR? No

Federal Register Citation:

Date:

Citation Date:
11/04/2019
Citation Date:
04/27/2020

Number of Information Collection (IC) in this ICR: 5
Form
No.

IC Title

Form Name

Domestic TB Manifest Template or Informal
Manifest Request
Domestic non-TB Manifest Template and Informal
Manifest Request
Domestic TB Manifest Template or Informal
Manifest Request

09201181

Domestic TB Manifest Order Template

Passenger Locator Form - outbreak of PH
significance int'l flights

none

Passenger Locator Form

Passenger Locator Form - limited onboard
exposure int'l flights

none

Passenger Locator Form

Passenger Locator Form - domestic flights

none

Passenger Locator Form

Public Health Passenger Locator Form: limited
onboard exposure† (international flights

09201181

Public Health Passenger Locator Form: limited onboard
exposure(international flights)

Public Health Passenger Locator Form: limited
onboard exposure† (domestic flights)

09201181

Public Health Passenger Locator Form: limited onboard
exposure(domestic flights)

Domestic Non-TB Manifest Template or Informal
Manifest Request

09201181

Domestic Non-TB Manifest Order Template

Public Health Passenger Locator Form: outbreak
of public health significance* (international flights)

09201181

Public Health Passenger Locator Form: outbreak of
public health significance* (international flights)

ICR Summary of Burden
Total Request

Previously Approved

Change Due to New
Statute

Change Due to Agency
Discretion

Change Due to
Adjustment in
Estimate

Change Due to
Potential Violation of
the PRA

ICR

Annual Number
of Responses
Annual Time
Burden (Hours)
Annual Cost
Burden
(Dollars)

2,702,100

2,701,629

0

2,702,100

-2,701,629

0

228,134

225,308

0

228,134

-225,308

0

0

0

0

0

0

0

Burden increases because of Program Change due to Agency Discretion: Yes
Burden Increase Due to: Miscellaneous Actions
Burden decreases because of Program Change due to Agency Discretion: No
Burden Reduction Due to:
Short Statement: No increased burden is requested. CDC is asking for easily accessible information from airlines concerning crew contact information, a number of
passengers on a flight, and where the crew worked during the flight to enhance risk analysis capabilities and determine which passengers need public health to follow up.
Annual Cost to Federal Government: $818,871
Does this IC contain surveys, censuses, or employ statistical methods? Yes Part B of Supporting Statement
Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's
privacy program when making this determination. No
Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when
making this determination. No
Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No
Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No
Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No
Is this ICR related to the Pandemic Response? No
Agency Contact: Odion Clunis 770 488-0045 [email protected]
Common Form ICR: No
On behalf of this Federal agency, I certify that the collection of information encompassed by this request complies with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding the proposed collection of information, that the certification covers:


(a) It is necessary for the proper performance of agency functions;



(b) It avoids unnecessary duplication;



(c) It reduces burden on small entities;



(d) It uses plain, coherent, and unambiguous language that is understandable to respondents;



(e) Its implementation will be consistent and compatible with current reporting and recordkeeping practices;



(f) It indicates the retention periods for recordkeeping requirements;



(g) It informs respondents of the information called for under 5 CFR 1320.8 (b)(3) about:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control number;



(h) It was developed by an office that has planned and allocated resources for the efficient and effective management and use of the information to
be collected.



(i) It uses effective and efficient statistical survey methodology (if applicable); and



(j) It makes appropriate use of information technology.

If you are unable to certify compliance with any of these provisions, identify the item by leaving the box unchecked and explain the reason in the Supporting Statement.
Certification Date: 04/27/2020

About Us

Related Resources

Disclosure

Accessibility

Privacy Policy

Contact Us

Joint Comments of A4A, IATA, RAA, and NACA
(CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181

Attachment E

April 20, 2020
Jeffrey M. Zirger
Acting Lead
Information Collection Review Office
Office of Scientific Integrity, Office of Science
Centers for Disease Control and Prevention
1600 Clifton Road NE, MS-D74
Atlanta, GA 30329
Via OMB Docket at: www.reginfo.gov/public/do/PRAMain
Re:

Request for Information Related to Agency Forms Undergoing Paperwork
Reduction Act Review and Extension of Comment Period (OMB Control No. 09201180)

Dear Mr. Zirger:
Airlines for America (“A4A”), on behalf of its members, 1 appreciates the opportunity to
provide comments regarding the Centers for Disease Control and Prevention (“CDC”) Agency
Forms Undergoing Paperwork Reduction Act Review (“PRA Review”) for the Airline and
Vessel Traveler Information Collection (42 CFR part 71) (“Traveler Information Collection”). 2
To provide comprehensive and invaluable input to improve the CDC’s information collection,
we respectfully request: (i) a copy of publicly available information and documents related to the
PRA Review, as further described below; and (ii) the required 30-day extension of the comment
period PRA Review for the Traveler Information Collection related to CDC’s February 7, 2020
interim final rule, Control of Communicable Diseases; Foreign Quarantine (“IFR”). 3
Request for Information and Documents
The PRA Review states “[t]o request additional information on the proposed project or to
obtain a copy of the information collection plan and instruments, call (404) 639-7570.” As the
CDC instructed during our inquiries for such information, 4 we are submitting this written
1 A4A’s members are Alaska Airlines, Inc.; American Airlines Group, Inc.; Atlas Air, Inc.; Delta Air Lines; Federal Express
Corp.; Hawaiian Airlines; JetBlue Airways Corp.; Southwest Airlines Co.; United Continental Holdings, Inc.; and United Parcel
Service Co. Air Canada is an associate member.
2 CDC Agency Forms Undergoing Paperwork Reduction Act Review, 84 Fed. Reg. 21,235 (Apr. 16, 2020) (hereinafter “PRA
Review”).
3 See CDC, Control of Communicable Diseases; Foreign Quarantine, 85 Fed. Reg. 7,874 (Feb. 12, 2020) (hereinafter “IFR”).
4 The undersigned called the number listed on the PRA Review on April 15, 2020 at 11:25 AM ET and was transferred to your
office, at which time a voice message was left requesting information and a request to be contacted. We have not received a
response to that message. On April 17, 2020 at approximately 1:15 PM ET, we spoke with the CDC Agency Contact listed in

A4A Letter to J. Zirger (CDC)
OMB Control No. 0920-1180
Page 2
request. Without an opportunity to review the information collection plan, instruments, and the
requested additional information on the proposed project, A4A cannot provide meaningful
comment to the PRA Review. Therefore, we request the following:
•

The “information collection plan” for the Traveler Information Collection;

•

To the extent not available in the online ICR – Agency Submission, 5 all
“instruments” for the Traveler Information Collection;

•

Information and documents that support the following assertions in the PRA
Review, including the methodology and assumptions that the CDC used to make
such assertions:
o

“The total estimated hourly burden to respondents as a result of this
information collection is 1,835,134 hours per year.” 6

o

“CDC does not anticipate any cost burden to respondents under the
manifest process as outlined in 42 CFR 71.4(a) and (b), as this only
requires airlines to provide the information if it is available and
maintained.” 7

o

“Under the February 7, 2020 IFR, CDC anticipates that some 12 US major
carriers and 61 major foreign carriers will modify their data systems, or
contract with third party reservation system providers, to ensure that the
information required under the IFR is transmitted using existing
mechanisms to CBP (e.g., PNR, APIS, eAPIS).” 8

o

“CDC estimates that these changes will cost approximately $700,000 per
carrier for a total cost of $51,100,000.” 9

o

For Form “International Non-TB Manifest Template”: 10

Number of respondents – 249

Average burden per response (in hours) – 360/60

o

For International Passengers (3rd party disclosure) (No Form): 11

Number of Respondents – 110,000,000

Average burden per response (in hours) – 0.5/60.

OMB ICR – Agency Submission, requesting available information, and was directed to submit a request for information and
documents in writing to the CDC (via the OMB docket).
5 Available at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202003-0920-014.
6 See supra note 2, PRA Review at 21,236.
7 Id.
8 Id.
9 See supra note 2, PRA Review at 21,236.
10 Id. at 21,237.
11 Id.

A4A Letter to J. Zirger (CDC)
OMB Control No. 0920-1180
Page 3
o

For Airline staff (No Form): 12

Number of Respondents – 110,000,000

Average burden per response (in hours) – 0.5/60.

The CDC may provide the information and documents by email to [email protected]. 13
Given the limited time available to comment on the PRA Review, we respectfully request that
the CDC provide information and documents as they are identified and not delay to send
together.
Request for Comment Period Extension
Generally, the Paperwork Reduction Act (“PRA”) and the Office of Management and
Budget’s (“OMB”) implementing regulations require that agencies first seek public comment
concerning proposed collections of information through a published 60-day Federal Register
notice. 14 The 30-day comment period provided by the CDC for the PRA Review for the
Traveler Information Collection related to the IFR does not meet this standard and no exception
is available.
The PRA and OMB’s regulations provide two for exceptions to the 60-day comment
period, neither of which apply to the IFR related Traveler Information Collection. First, the
OMB has not granted the CDC an exemption from the 60-day requirement. 15
Second, a separate 60-day comment period is not required for a proposed collection of
information contained in a proposed rule, if the notice and comment period for the proposed rule
has the same purpose to solicit comment on the proposed information collection. To qualify for
this exception, the agency must “provide notice and comment through the notice of proposed
rulemaking for the proposed rule and such notice specifically includes the solicitation of
comments for the same purposes,” which are: 16
(i) evaluate whether the proposed collection of information is necessary for the proper
performance of the functions of the agency, including whether information shall have
practical utility;
(ii) evaluate the accuracy of the agency’s estimate of the burden of the proposed
collection of information;
(iii) enhance the quality, utility, and clarity of the information to be collected; and
(iv) minimize the burden of the collection of information on those who are to respond,
including through the use of automated collection techniques or other forms of
information technology. 17

12

Id.
If another method of transmission is required, please contact the undersigned at [email protected]
14 See 44 U.S.C. § 3506(c)(2); 5 C.F.R. § 1320.8(d)(1).
15 See 44 U.S.C. §§ 3506(c)(2) and 3507(j); 5 C.F.R. §§ 1320.8(d)(4) and 1320.13.
16 5 C.F.R. § 1320.8(d)(3).
17 See 44 U.S.C. §§ 3506(c)(2)(A) - (B); 5 C.F.R. § 1320.8(d)(1) and (3).
13

A4A Letter to J. Zirger (CDC)
OMB Control No. 0920-1180
Page 4
Because the IFR did not have the same purpose as provided under the PRA Review (i.e., to
solicit comments on the enumerated purposes), the comment period for the IFR does not qualify
the PRA Review for the exception to the 60-day rule. In fact, in the IFR, the OMB incorrectly
determined that “there is no new information collection requiring a submission of a new
information collection request under the Paperwork Reduction Act, (44 USC Chapter 35).” 18 In
other words, the IFR did not solicit comment on the purposes in (i) through (iv) above because
OMB had incorrectly determined no new collection of information existed. Moreover, the IFR
did not contain the same information regarding the additional burden on respondents that is
contained in the PRA Review to give the public an opportunity to comment. Last, the
amendment of the PRA Review to include the Traveler Information Collection related to the IFR
is an implicit acknowledgement that the IFR notice and comment period were inadequate and do
not qualify to meet the exception.
Accordingly, to correct this procedural infirmity, we respectfully request that the CDC
extend the comment period by 30 days to the required 60-day period.
Thank you for your consideration. We look forward to providing the CDC with
comprehensive and well-informed comments for the PRA Review. Please send any questions
regarding these requests to [email protected].
Respectfully submitted,

__________________________
Graham Keithley
Assistant General Counsel
AIRLINES FOR AMERICA
cc:

Jeffrey Zirger (CDC) via email
Odion Clunis (CDC) via email
[email protected]

18 See supra note 3, IFR at 7,879 – 880; Joint Comments of Airlines for America, the International Air Transport Association, the
Regional Airline Association, and the National Air Carrier Association (Mar. 13, 2020) (CDC-2020-0013) (noting the
information collection differences between the rules existing before the IFR (42 C.F.R. §§ 71.40(a) and (b)) and the IFR (42
C.F.R. §§ 71.40(d)); Comments of American Airlines, Inc. 18 - 19 (Mar. 13, 2020) (CDC-2020-0013)

Joint Comments of A4A, IATA, RAA, and NACA
(CDC-2019-0092 & CDC-2019-0100)
OMB Control Nos. 0920-1180 & 0920-1181

Attachment F

April 27, 2020
Jeffrey M. Zirger
Lead
Information Collection Review Office
Office of Scientific Integrity, Office of Science
Centers for Disease Control and Prevention
1600 Clifton Road NE, MS-D74
Atlanta, GA 30329
Via OMB Docket at: www.reginfo.gov/public/do/PRAMain
Re:

Request for Information Related to CDC’s Agency Forms Undergoing Paperwork
Reduction Act Review (OMB Control No. 0920-1181)

Dear Mr. Zirger:
Airlines for America (“A4A”), on behalf of its members, 1 appreciates the opportunity to
provide comments regarding the Centers for Disease Control and Prevention (“CDC”) Agency
Forms Undergoing Paperwork Reduction Act Review (“PRA Review”) for the Airline and
Traveler Information Collection: Domestic Manifests and the Passenger Locator Form (42 CFR
parts 70 and 71) (“Traveler Information Collection”). 2 To provide comprehensive and
invaluable input for the CDC’s information collection, we respectfully request a copy of publicly
available information and documents related to the PRA Review, as further described below. 3
Without an opportunity to review the information collection plan, instruments, and the
requested additional information on the proposed project, A4A cannot provide meaningful
comment to the PRA Review. Specifically, we request the following:
A4A’s members are Alaska Airlines, Inc.; American Airlines Group, Inc.; Atlas Air, Inc.; Delta Air Lines; Federal
Express Corp.; Hawaiian Airlines; JetBlue Airways Corp.; Southwest Airlines Co.; United Continental Holdings,
Inc.; and United Parcel Service Co. Air Canada is an associate member.
2
CDC Agency Forms Undergoing Paperwork Reduction Act Review, 85 Fed. Reg. 23,357 (Apr. 27, 2020)
(hereinafter “PRA Review”).
3
The PRA Review states “[t]o request additional information on the proposed project or to obtain a copy of the
information collection plan and instruments, call (404) 639-7570.” The undersigned called the number listed on the
PRA Review on April 27, 2020 at 09:25 AM ET, was instructed to call you your office, and called your office at
09:25 AM ET on April 27, 2020, leaving a voice message requesting the information requested herein and a request
to be contacted. As the CDC has previously instructed for our inquiries for information related to other Paperwork
Reduction Act reviews, we are submitting this written request. At the time that this request is submitted, the OMB
docket for the PRA Review does not have an option to provide comments online; therefore, we are submitting this
letter by email to [email protected], which is listed for the Agency Contact in the OMB docket. When possible to do
so, we will submit this request to the OMB docket 0920-1181.
1

A4A Letter to J. Zirger (CDC)
OMB Control No. 0920-1181
Page 2
•

The “information collection plan” for the Traveler Information Collection;

•

To the extent not available in the online ICR – Agency Submission, 4 all
“instruments” for the Traveler Information Collection;

•

Information and documents that support the following assertions, including the
methodology and assumptions that the CDC used to make such assertions:
o

o

“The total number of hours requested as part of this 225,734”; 5 and
Each number of respondents, number of responses per respondent, and
average burden per response (in hours)) in the PRA Review’s table titled
Estimated Annualized Burden Hours. 6

The CDC may provide the information and documents by email to
[email protected]. 7 Given the limited time available to comment on the PRA Review, we
respectfully request that the CDC provide information and documents as they are identified and
not delay to send together.
Thank you for your consideration. We look forward to providing the CDC with
comprehensive and well-informed comments for the PRA Review. Please send any questions
regarding these requests to [email protected].
Respectfully submitted,

__________________________
Graham Keithley
Assistant General Counsel
AIRLINES FOR AMERICA
cc:

Jeffrey Zirger (CDC) via email

Available at https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=202003-0920-003.
See supra note 2, PRA Review at 23,357.
6
See id. at 23,357 – 358.
7
If another method of transmission is required, please contact the undersigned at [email protected].
4
5


File Typeapplication/pdf
AuthorA4A
File Modified2020-05-16
File Created2020-05-16

© 2024 OMB.report | Privacy Policy