304 North Cardinal St.
Dorchester Center, MA 02124
Customs Department mandating airlines to share personal data of international flyers, Civil Aviation Ministry’s DigiYatra facial recognition system, MeitY’s proposal to share non-personal data collected by government with start-ups and researchers, CERT-In mandate requiring Virtual Private Network (VPN) Service Providers to stored their users’ data: this is among a growing number of moves by central government and its agencies to collect and process citizens’ data – all in the absence of data protection law.
Experts have expressed concern over the trend and questioned the government’s data collection and monetization efforts in the absence of a basic data protection regime. Earlier this month, the Center withdrew the Data Protection Bill, 2021, saying it would soon come up with a “comprehensive legal framework” for the online ecosystem.
The bill, which has been in the works for more than four years, has gone through several iterations, including review by a joint parliamentary committee. While it had significant exemptions for the Center and its agencies, it set out a framework for mechanisms related to consent before data collection, how personal data is supposed to be handled by different entities, and a redress mechanism in the event that an individual’s data is compromised.
In connection with the withdrawal of the bill, which took place this year, a number of central government institutions and related entities – from the Ministry of Electronics and Information Technology (MeitY), Central Board of Indirect Taxes and Customs (CBIC), Ministry of Civil Aviation, cyber security regulator CERT- In and the Indian Catering and Tourism Corporation (IRCTC), among others, have introduced new types of data collection or monetization plans. While some of them eventually backed down under criticism and withdrew their proposals, the initial efforts and the underlying idea of monetization are undeniable, experts say.
Last month, IRCTC floated a tender detailing its plans to monetize its bank of passenger data to do business with government and private entities. According to the tender, customer data that could potentially be monetized includes passenger name, age, mobile number, gender, email address, payment method, “login/password” among others. However, last Friday, the company withdrew the tender in view of the absence of a data protection law in the country.
In February, MeitY submitted a draft of India’s Data Access and Use Policy, which suggested that data collected by the center that had “passed value addition” could be sold in the open market at a “reasonable price”. That proposal was withdrawn after facing severe criticism for its proposal to monetize government data, and MeitY is now coming up with a proposal for a data governance framework that seeks to make use of non-personal data, i.e. data that cannot identify an individual.
Experts believe there is a fundamental problem in treating citizens’ data as a “source of wealth”.
“There is a fundamental problem with our approach of trying to treat data as a ‘source of sovereign wealth’, which then creates incentives to try to collect and then monetize large volumes of data. As long as this lens persists, we can expect more efforts to monetize citizens’ data, even without any additional safeguards,” said Prateek Waghre, director of policy at the Delhi-based Internet Freedom Foundation.
“Government’s primary concern should be the provision of services and the protection of the information it collects from citizens for this purpose. Its main objective should not be to monetize this data for profit.
“The Economic Survey of India 2018-19 has identified data as a ‘public good’. By definition, this means it should be treated as a ‘non-excludable and non-rivalrous public good’ and should not be traded as if it were a commodity,” he added.
There are earlier precedents within the Center for scrapping active policies that monetized citizens’ data due to privacy concerns.
In 2020, the Ministry of Road Transport scrapped its bulk data sharing policy, under which the ministry sold vehicle registration data (Vahan) and driving license data (Sarathi) to private and public entities. The policy has been revoked due to potential misuse of personal information and privacy concerns.
In addition to monetization, the Center has also increased emphasis on authorizing entities to collect new types of citizen data and, in some cases, share it with the government.
With its new Passenger Name Record Information Regulations 2022 issued earlier this month, the CBIC has asked airlines to compulsorily share the PNR (Passenger Name Record) data of all international passengers with the National Customs Passenger Targeting Center 24 hours before by departure. flights.
For the purpose of “risk assessment”, the data to be shared include the passenger’s name; Date of intended trip; all available contact details; any available payment or billing information, such as credit card numbers; the passenger’s travel status, including confirmation and check-in status; baggage information; seat information; and the travel agency or agent where the ticket was issued. While the announcement says the data will be subject to “strict information privacy, it will be stored for five years.
In the aviation sector, there are more instances of data collection – under the Civil Aviation Ministry’s DigiYatra initiative, facial recognition technology and scanners will be used at various airport checkpoints such as security and boarding to verify the identity of passengers. Earlier this month, Delhi International Airport launched an initiative and launched the beta version of its app for Android platforms. The policy outlining how the initiative will be implemented states that the facial scanner will have the ability to change data cleansing settings based on “security requirements” and security and government agencies could have access to passengers’ facial data.
In April, India’s CERT-In issued a set of cybersecurity guidelines that ordered VPNs, cloud service providers and data centers to store information about users such as their IP address, email, address and contact numbers, among others. These are data points that an agency could potentially access if an entity faces a cyber security incident.
In December 2021, the Department of Telecommunications (DoT) amended the Unified License Agreement and asked telecom operators and ISPs, as well as all other telecom licensees, to keep business records and call detail records for at least two years, instead of the then-current record. – years of experience. DoT sources had earlier told this paper that the amendment was based on requests from several security agencies.
Queries sent to IRCTC, MeitY, CBIC, CERT-In, Ministry of Civil Aviation and DoT did not elicit a response till press time.
Before all this, the government launched the contact-tracing app Aarogya Setu in 2020 – downloaded by millions of Indians at the height of the coronavirus pandemic – collecting data such as their names, phone numbers and locations. In its early days, the app was required to access a range of services including flights, until the Karnataka High Court ruled in October 2020 that the app could not be made mandatory. The app also raised privacy concerns because it had access to people’s personal data, and in response the government released a data sharing protocol for the app. And now that the app is moving towards becoming a health app of sorts, the protocol has expired and the IFF’s right to request information has been exposed.
All these developments come at a time when India continues to lack basic data protection legislation. But government sources said the new bill would include broader data protection ideas, as recommended by the Joint Parliamentary Committee, and would be in line with a landmark 2017 Supreme Court judgment that deemed privacy a fundamental right.