Handle personal data with care
The new rule on international passengers must be rolled out carefully and further checks built in
The government on Monday notified the Passenger Name Record (PNR) Information Regulations, 2022, making it mandatory for any operating flight to share details of international travellers with a customs agency. Among these are details of a person’s ticket — when it was booked, date of travel and billing information — and data about their travel, such as origin, destination, and how many bags they are carrying. Also included will be their seat numbers and copassenger data. The government, in the notification, said the objective is to create an advance risk assessment to combat crimes under the excise law and for sharing of intelligence with other law enforcement agencies. As safeguards, the notification says such data will be subject to privacy laws in force, avoid certain types of information (like race and religion) and be processed only within a secure system.
India isn’t the first country to set up such as system. In 2016, the European Union (EU) adopted the PNR Directive for all its member countries. Even before the directive, the EU and the United States (US) signed a pact in 2011 to share PNR records. A veritable data dragnet, such systems became expedient in the aftermath of the September 11 attacks in 2001 and the terror strikes that followed in parts of Europe later that decade. The US operates an even more sophisticated system called the Automated Targeting System. While little is known about the American system, the data sought by India suggests Delhi’s requirements may lie somewhere in between the European and the American models in terms of scope.
Experts in India rightly point out that the purpose and safeguards of the country’s new model need to be better explicated, at least for two factors. First, the nature of the data sought qualifies as personal information and at times even as sensitive personal information. The EU rules require data protection officers to oversee the functioning of PNR-sharing systems and have a provision for an independent supervisory mechanism to mitigate the scope of abuse and harm that such databases can lead to. Second, five years ago, this month, the Supreme Court laid down a broad principle that personal data can be accessed by the State only in manners that are “just, fair and reasonable”. With no statute still in place to codify this, the new rules may need to be implemented carefully, and further checks built in.