In 1999 I wrote a paper with a similar title (Bennett 1999) based on a series of case studies for the European Commission on the collection, processing and dissemination of personal data by multi-national businesses, including the international airline industry (Raab et al. 1998). The paper traced the flows of data from the time of booking an airline ticket, through the check-in process, to the flight and the landing.1 The case study examined the flows of data through an increasingly complex series of scenarios concerning the identity and tastes of the traveller, his ‘frequent flyer status’ and the nature of the ticketed route. The study allowed me to draw some tentative generalizations about the practices of typical international air carriers with regard to the processing of personal information, the characteristics of the larger surveillance network and the prospects for international regulation.