introduction
On any given day, there are a whopping 4,00,000 to 5,00,000 people boarding and de-boarding Domestic and International flights across 70 airports all over the country.[1]While these numbers are paltry when compared to the population of India, it is surprising that this footfall is enough to classify our country as the 3rd largest domestic civil aviation market in the world.[2] To further this, Aviation Minister Jyotiraditya Scindia recently announced the roll-out of the Digi-Yatra Biometric Boarding System in 7 seven around the country from March 2023.[3] With this, air travel is going to become a lot more efficient and convenient. But it remains to be seen whether this convenience should come at the cost of risk to Personally Identifiable Information or PII.
WHAT IS DIGI-YATRA?
The Digi-Yatra Platform or the Digi-Yatra Biometric Boarding System is not a new concept. In the works for the last 5 years, it was envisaged by the Ministry of Civil Aviation through a policy paper with the aim of using technology, primarily Face Recognition technology, to deliver a seamless and hassle-free boarding experience to passengers.[4] It is projected to have a litany of benefits, not only to passengers but also to airport authorities as well in terms of efficiency and security standards. Digi-Yatra and its travel convenience extend only to passengers that create a Digi-Yatra ID, which will be backed by verifiable documents like AADHAR, Passport, OCI cards, and others. It involves the integration of facial recognition at entry, baggage drop-off, security check, and boarding gates, and eventually, even immigration will be without the need for human intervention or long lines. The Digi-Yatra ID can be created by providing the relevant details like name, email ID, mobile number and identification document.
DATA COLLECTION AND STORAGE
The policy paper released by the Government strictly mandates that the platform must take the consent of the user with respect to sharing and analysis of face data and any other form of consent as may be required once allied services that use the platform take off. The creation of a Digi-Yatra ID is purely voluntary and users will also have the option to erase their profiles and opt out of the platform. While airports are allowed to use the PII collected by the platform for the purpose of targeted services and brand marketing, users will have the option to not subscribe to it, and airports are obligated to take separate consent to use this data.[5]The Aviation Minister also assured that no PII collected in pursuance of the platform will be stored centrally. This data will exist only on the Digi-Yatra App in a secure wallet. All copies of the same collection at the airport will also be purged within 1 hour of the passenger’s flight taking off.[6] The policy paper also enumerates that the platform will conform to the rules and regulations put forward by the IT Act of 2000, the IT Amendment Act of 2008 and the UIDAI Act of 2016 with respect to data protection and privacy. It also has specific guidelines regarding the handling of personal data, with regular audits to check compliance with the prevalent data protection laws of the time.[7]
SO, WHAT IS THE PROBLEM?
While the policy paper driving the implementation of the Digi-Yatra Platform seems to cover all aspects of data protection, it is left wanting more, partly due to the state of the data protection laws in the country and partly due to the inadequacy of the paper itself. Since 2018, Indian legislators have been mulling over the Draft Data Protection Bill and it is yet to be passed into law. Without the stringent provision listed in the Bill,[8] penalties and punishment for a breach in following the guidelines set out for data protection are practically non-existent. Section 72 of the IT Act does provide for punishment and penalties when there is a breach of confidence, but this is available only against private corporations.[9] Section 69[10] of the same act provides wide powers to the government to intercept, store and use this data as long they can provide a reasonable explanation, which in itself is a privacy concern.
One more predicament with the full-scale implementation of the Digi-Yatra Platform is the policy paper itself. It is settled law that guidelines and policy papers unless issued under a specific statute, have no legally binding character in a court of law.[11] The policy paper in the current discussion would fall under this category, as it is not issued under any statute. Moreover, the paper also contains a clause, namely clause 11 under the Personal Data Guidelines[12], which allows the government to gain access to the PII of passengers subject to existing or current data protection statutes. This clearly shows that enforcement of the guidelines hinges not only on the enforceability of the paper itself but also on stringent data protection laws, which at the moment don’t exist.
Hence, even though the paper makes a valiant attempt at giving a well-rounded approach to data protection of passengers using organisational measures, it is inherently weak due to unenforceability.
CONCLUSION
The Digi-Yatra Biometric Boarding System is an innovative way that dares to stray away from the well-worn paradigm of enlarging operations and services to cater to more users by harnessing the power of technology instead. While the idea and the platform are certainly not half-baked in terms of technical and practical expertise, any platform, database, website, etc. on the internet is a danger to an individual’s privacy if the law of the land doesn’t protect them. It is more prudent to first polish the Data Protection Bill and take steps to make it law than introduce a catena of digitally driven schemes that makes exploitation of data very easy due to the lack of penalties. The exploitation of Data can cause irreparable damage to the reputation and well-being of a person through offenses like identity theft and also has serious ramifications on the Right to be forgotten. It all cycles back to the same old adage once again, “It is better safe than to be sorry”
Author(s) Name: Abhigyaan AH (NALSAR University of Law, Hyderabad)
References:
[1] Ministry of Civil Aviation, ‘Domestic Traffic’ (Civil Aviation) <https://www.civilaviation.gov.in> accessed 07 December 2022
[2]‘India Third Largest in Domestic Air Traffic in World: Aviation Minister’ (NDTV, 19 November 2021) <https://www.ndtv.com/india-news/india-third-largest-in-domestic-air-traffic-in-world-aviation-minister-jyotiraditya-scindia-2616631> accessed 08 December 2022
[3] ‘Union Minister for Civil Aviation Shri Jyotiraditya Scindia launches Digi Yatra for Three Airports in the Country’ (Press Information Bureau) <https://pib.gov.in/PressReleasePage.aspx?PRID=1880272> accessed 08 December 2022
[4] Ministry of Civil Aviation, ‘Digi Yatra, Reimagining Air Travel in India’ Policy Paper Version 5.2.
[5]Ibid
[6]Ojha EBS, ‘Paperless Entry at Delhi, Bengaluru, Varanasi Airports. Process, Other Details’ (Mint, 01 December 2022) <https://www.livemint.com/news/india/digi-yatra-paperless-entry-at-delhi-bengaluru-varanasi-airports-know-process-other-details-here-11669879602243.html> accessed 09 December 2022.
[7]Ministry of Civil Aviation (n 4) 12
[8]Bhargava Y, ‘Revised Personal Data Protection Bill Proposes Hefty Fines, Eases Cross-Border Data Flow’ (Return to frontpage, 22 November 2022) <https://www.thehindu.com/news/national/months-after-withdrawal-govt-reintroduces-draft-data-protection-bill-for-public-comments/article66152815.ece> accessed 10 December 2022
[9]Information Technology Act 2000, s 72
[10]Information Technology Act 2000, s 69
[11]GJ Fernandez v State of Mysore & Ors.(1967) AIR SC 1753
[12]Personal Data Guidelines, c 11
