U.S. District Judge Michael W. Fitzgerald, in granting Delta’s motion to dismiss, agreed with Delta’s argument that the Airline Deregulation Act (ADA) preempted the plaintiff’s breach of contract claims and further stated that it was unclear on which “contract” the plaintiff had based her claim. The court was unmoved by the plaintiff’s argument that data breaches are a basic and foreseeable risk that obligates companies such as Delta to protect customer data and concluded that the plaintiff’s reliance on an “integrated contract” was unfounded.
As an initial matter, the court determined that the Contract of Carriage itself contains no self-imposed promise from Delta as to how it will handle customer data, nor does it promise what specific procedures third-party vendors of tickets that have access to such data will undertake. The contract specifically states:
The passenger recognizes that personal data has been given to carrier for the purposes of making a reservation, obtaining ancillary services, facilitating immigration and entry requirements, and making available such data to government agencies. For these purposes, the passenger authorizes carrier to retain such data and to transmit it to its own offices, other carriers, or the providers of such services, in whatever country they may be located.
Based on the foregoing, the court granted Delta’s motion to dismiss with leave to amend as to the breach of contract claim. The full text of the order in McGarry v. Delta Airlines, Inc. can be found here.