Data Privacy: The 2006 Winter Olympics

  By Michele DeMaree

Data Privacy and the 2006 Winter Olympics

(This article originally appeared in the May 2006 edition of the Privacy Advisor, the Official Newsletter of the International Association of Privacy Professionals)

The aspiring athletes, medal-winners, spectators and media have long since left Torino, Italy. But despite the eerie quiet that fills the Olympic villages that once bustled with the energy and the activity generated by the XX Olympic Winter Games, a valuable trove of personal data remains long after the triumphs and heartaches from this international mega-event have faded into Olympic lore.

Most of the media reports leading up to the XX Olympic Winter Games focused on the physical security of the 2,500 athletes and spectators. With the taint of terrorism-related violence in the Olympics' past history and the daily threat of terrorism evident since Sept. 11th, it is understandable why the media would focus on data security - especially after data breaches have become so prevalent in our marketplace. For example, what happens to all of the consumer data collected by the Olympic ticket agents, hotels, airlines and the State Department from the more than one million spectators who attended the games? With whom is this information stored and shared? Which countries' privacy laws prevail? This article will explore these issues from the perspective of a privacy professional who attended the Olympics, partly to discover the answers to these questions.  

Ticket purchases

There were two ways to purchase tickets online for the 2006 Winter Olympic events: the CoSport website or the Jet Set Sports website. According to its site, CoSport was the official ticket sales agent of the U.S. Olympic Committee and had the exclusive right to market and sell individual tickets and ticket packages to residents of Canada, Italy, Poland, Slovak Republic, Bulgaria and the U.S.

CoSport is based in New Jersey, and although they accepted purchases from California residents, their web site had no published privacy policy or separate link informing users of their rights under California's Online Privacy Law. In the site's Terms and Conditions of Sale, they had a small paragraph entitled "Privacy Policy/Customer Information." According to this paragraph, the "customer's personal information will only be handled by CoSport, TOROC (the Organizing Committee of the XXth Torino 2006 Winter Games) and the National Olympic Committees (NOCs) of the Customer's country of residence." There are no statements as to how this information will be used (by CoSport or those with whom they share this information).  However, after speaking with the company president, he stressed that the company does not sell marketing lists to other companies. He added that as an agent of the USOC, the company took reasonable precautions regarding the data.

The Terms and Conditions also stated that in addition to sharing the customer information with the above-mentioned parties, the "customer acknowledges that ...  CoSport may disclose to other organizing bodies or governmental entities as may be required, information regarding Customer, including type of package purchased, name, address, email address and other information." While the paragraph contained no information about the security of the confidential customer information (either while transmitted to the site, nor after the transmission occurred), the company president said that this information is kept on secure servers and that there have been no security issues or breaches to date.

Since CoSport also sold accommodation packages for the Olympic events, it also shared personal information with the transportation and accommodation providers, although they were not specifically mentioned as providers who would also receive consumers' personal information. Additionally, the site does not indicate what the consumer's rights are regarding access to their information.

According to the site, New Jersey state law governs the Terms and Conditions (and therefore, by implication, the privacy statement). Upon reading the TOROC Spectator Policies contained on the site, however, it appeared that any disputes about the purchase of the Olympic tickets were interpreted and/or regulated in accordance with Italian law (listing the Turino Law Court as the sole place of jurisdiction for resolving disputes connected to the terms and conditions.)

In summary, purchasers of tickets and packages through this site were not provided much notice about what will happen to their personal information. They were not told how they might access this information, what their choices were regarding use of it, how this data will be secured, and how this small paragraph will be enforced.

Another option for purchasing individual tickets was the Jet Set Sports web site.  Owned by the same company as CoSport, it was also an official sponsor and ticket agent of the 2006 Winter Olympics. The Jet Set site also did not have a separate link to its privacy policy, nor was there a link educating California residents about their privacy rights. Instead, in the Terms and Conditions of Sale, there was the following sentence about privacy/customer information: "Customer acknowledges that Jet Set will collect and may disclose to organizing bodies or governmental entities as may be required, information regarding Customer, including type of tickets purchased, name, address, email address and other information."

Jet Set's choice of law provision also indicated that any claims arising out of the sale of the tickets shall be governed by the Italian laws. The spectator policies were similar to those found on the CoSport site, and stated that ticket-holders consent to security inspections before and during the entry to the venues. In addition, they consented to be photographed, filmed or taped, by TOROC, by the International Olympic Committee (IOC) or by third parties appointed by them. There was no mention of why ticket-holders may be photographed, filmed or taped - just that they may be broadcasted, published, licensed or used without any compensation to the ticket-holder. Other than these statements, ticket purchases were not informed when they bought tickets about the security during the events, nor exactly what will happen with the information collected on or about them. USA Today reported in December of 2005 that at least 700 people were under surveillance by Italian authorities. The monitoring was reported to include telephone wiretaps and other forms of interceptions.   

Spectators

The Department of State, in its Winter Olympics 2006 Fact Sheet, urged Olympic spectators to register with the U.S. Embassy in Rome via its Web-based form, prior to traveling to Italy. The travel registration page had the following privacy statement, "The data that you provide the Department of State is subject to the provisions of the Privacy Act. This means that the Department of State will not disclose the information you provide us in your registration application to any third parties unless you have first given us written authorization to do so, or unless the disclosure is permitted by the Privacy Act. "

The registration page required travelers to fill out their name, date of birth and one form of contact information. The following itinerary information was also required: destination, date of arrival, date of departure and country, and the traveler must check that they have read the Privacy Act Notice. Part of that notice indicated that the information collected may be made available as a routine use to appropriate agencies (local, state, federal, or foreign to assist the State Department in the evacuation or provision of emergency service to citizens, or for law enforcement and administration purposes or pursuant to a court order.)

Upon arriving at hotels, guests were required to submit their passport, as well as when accessing and using the Internet at either hotels or Internet cafés. In July 2005, Italy passed an antiterrorism package which required Internet café managers to collect their clients' passports and track the websites they visited. While Americans would most likely object to this type of surveillance and tracking, to date, there have been no major protests in Italy to the new law.

As a spectator at the events, it was interesting to note how efficient the security was. I was impressed with how quickly everyone got through the security lines. While there were large numbers of security and police present throughout the Olympic venues, it was not overwhelming and did not appear to detract from the games. According to publications from the Organizing Committee for the XX Olympic Winter Games, they expected 2,500 athletes, 2,500 trainers and assistants, 2,300 IOC, NOC and Federation members, 650 judges and referees, 10,000 journalists, 6,000 sponsor guests, 40,000 volunteers, 10,000 torch-bearers and 1 million spectators.  With 19 venues to protect within seven towns, including three Olympic villages, this was not an easy task to accomplish.  

U.S. Olympic Committee

In addition to attending the Olympic games, there were several other ways to support the U.S. Olympics. When purchasing clothing and accessories, there were several privacy policies that may have applied. The USOC web site contained a privacy policy which explained the types of personal information they collected, for what purposes they collected it, with whom they shared this information and how they secured it.  Their site offered contests, sweepstakes and other promotions.

When making a purchase from the USOC's online store, another privacy policy applied. Foot Locker ran its e-commerce site for Olympic clothing and accessories, and the privacy policy that appeared on this site was similar to the Foot Locker site policy.  The USOC allowed Foot Locker to send marketing materials to purchasers of Olympic merchandise, as is clearly spelled out in the applicable privacy policy. There was, however, no notice provided when transferring from the USOC site to their e-commerce site (hosted by Foot Locker). Neither of the sites mentioned above indicated that California residents have additional privacy rights. The USOC declined to comment on the data security and privacy issued raised in this article.  

Conclusion

There were, and continue to be, many ways to support the U.S. Olympic teams. As with all web sites, however, it would be wise to review the applicable privacy statement to determine what will happen to personal information, and what rights and obligations may ensue. Since no further information was found regarding what the Organizing Committee or the National Olympic Committees will do with the consumer information collected during online ticket purchases through its Web sites, it appeared the focus remained on physical security of the athletes, spectators, and other parties who attended the games. 

While the physical security deserves high praise, this judge would have to give the Olympics' data privacy practices less than a perfect 10.

XX Olympic Winter Games: Security was tight in Torino, Italy, to protect 2,500 athletes, one million spectators and thousands of others associated with the Games, which were held in 19 venues within seven towns, including three Olympic villages. This was taken outside the Stadio Olympico, immediately following the U.S. men's hockey team against Latvia.

For more information about Privacy Issues, go to: www.DeMareeConsulting.com