The customs agency obliging airlines to share personal data of international passengers, the Civil Aviation Department’s DigiYatra facial recognition system, MeitY’s proposal to share government-collected non-personal data with start-ups and researchers, CERT-In’s mandate requiring Virtual Private Network (VPN) service providers to store data of their users: these are among a growing number of measures being taken by the central government and its agencies to collect and process citizen data – all in the absence of a data protection law.
Experts have raised concerns about this trend, questioning the government’s data collection and monetization efforts in the absence of a basic data protection regime. Earlier this month, the center withdrew the Data Protection Act 2021 and said it would soon come out with a “comprehensive legal framework” for the online ecosystem.
The bill, which had been in the works for more than four years, had gone through several iterations, including a review by a joint parliamentary committee. While there were significant exceptions for the Center and its agencies, it established a framework for consent-related mechanisms prior to data collection, how personal data should be handled by different entities, and provided a recourse mechanism in the event an individual’s data was compromised.
Against the backdrop of the draft law’s withdrawal, a number of central government institutions and their affiliated bodies — the Department of Electronics and Information Technology (MeitY), the Central Board of Indirect Taxes and Customs (CBIC), the Civil Aviation Department, the cybersecurity regulator CERT-In and the Indian Railway Catering and Tourism Corporation (IRCTC), among others — have so far this year introduced either new types of data collection or monetization plans. While some of them eventually caved in under criticism and withdrew their proposals, the initial effort and underlying idea of monetization is undeniable, experts claim.
Last month, IRCTC published a tender detailing its plans to monetize its database of passenger data for deals with government and private entities. According to the tender, customer data that can potentially be monetized includes passenger details such as name, age, cell phone number, gender, e-mail address, payment method and “login/password”. However, last Friday the company withdrew the tender because there is no data protection law in the country.
In February, MeitY published a draft Indian Data Accessibility and Use Policy, which proposed that data collected by the center that “has gained value” can be sold on the open market at a “reasonable price”. That draft was withdrawn after being heavily criticized for its proposal to monetize government data, and MeitY has now presented a draft data governance framework that aims to leverage non-personal data, i.e. data that cannot identify individuals.
Experts believe there is a fundamental problem with treating citizen data as a “resource of wealth.”
“There is a fundamental problem with our approach of treating data as a ‘sovereign wealth resource’ which then incentivizes attempts to accumulate large amounts of data and then monetize them. Until this view persists, we can expect more efforts to monetize citizens’ data without additional safeguards,” said Prateek Waghre, policy director of the Delhi-based digital rights group Internet Freedom Foundation.
“The government’s primary concern should be the delivery of services and the protection of the information it collects from citizens for that purpose. Your primary goal should not be to monetize this data for profit.”
“The Economic Survey of India 2018-2019 labeled data as a ‘public good’. By definition, this means it should be treated as a ‘non-excludable and non-competing public good’ and not traded as a commodity,” he added.
There is past precedent within the center where an active policy that monetized citizen data was scrapped over privacy concerns.
The Ministry of Transport scrapped its bulk data sharing policy in 2020, under which the ministry used to sell vehicle registration data (Vahan) and driver’s license data (Sarathi) to private and public entities. The policy has been removed due to possible misuse of personal data and privacy issues.
Aside from monetization, the center has also upped the ante, commissioning entities to collect new types of citizen data and, in some cases, share it with the government.
With its new Passenger Name Record Information Regulations, 2022, issued earlier this month, the CBIC has required airlines to submit the PNR (Passenger Name Record) details of all international passengers to the National Customs Targeting Center-Passenger 24 hours before the departure of flights.
The data, aimed at “Risk Assessment”, includes the name of the passenger; date of intended travel; all available contact details; any available payment or billing information such as credit card numbers; the passenger’s travel status, including confirmation and check-in status; baggage information; seat information; and the travel agency or agent that issued the ticket. While the notice states that the data is “subject to strict information secrecy”, it will be retained for a period of five years.
There are other cases of data collection in the aviation sector – as part of the Civil Aviation Department’s DigiYatra initiative, facial recognition technology and scanners are being used at various airport checkpoints such as security and boarding to verify passenger identities. Earlier this month, Delhi International Airport soft-launched the initiative, rolling out the beta version of its app for Android platforms. The policy implementing the initiative says the face scanner will be able to change data sanitization settings based on “security requirements,” and security and government agencies could be given access to passengers’ facial data.
In April, the Indian Computer Emergency Response Team (CERT-In) released a set of cybersecurity guidelines that required VPNs, cloud service providers, and data centers to store user information such as their IP address, email, address, and phone numbers, among others. These are data points that the agency could potentially access should a company face a cybersecurity incident.
In December 2021, the Department of Telecommunications (DoT) had amended the Uniform Licensing Agreement, which required telecom operators and internet service providers, and all other telecom licensees, to retain business and call detail records for at least two years instead of the then-current -year practice. DoT sources previously told this newspaper that the change was based on requests from multiple security agencies.
Inquiries to IRCTC, MeitY, CBIC, CERT-In, Department of Civil Aviation and DoT have not resulted in a response as of press time.
Earlier, in 2020, the government launched the contact-tracing app Aarogya Setu – downloaded by millions of Indians at the height of the coronavirus pandemic – which collected data such as their names, phone numbers and locations. In its early days, the app was required to access a range of services including flights until October 2020, when the Karnataka High Court ruled that the app cannot be made mandatory. The app had also raised privacy-related concerns as it had access to people’s personal information, and in response the government had released a data-sharing protocol for the app. And now that the app is on its way to becoming some sort of health app, the protocol has expired, a right to information request from IFF has revealed.
All of these developments come as India continues to lack basic data protection legislation. However, government sources have said that the new law will incorporate the broader ideas of privacy as recommended by the Joint Parliamentary Committee and will be in line with the Supreme Court’s landmark 2017 ruling in which it upheld privacy as a fundamental right.