On 8 August this year, the Union government notified the Passenger Name Record Information Regulations, 2022 (the ‘Regulations’), which are meant to enhance the detection, interdiction and investigative capabilities of Customs authorities using non-intrusive techniques for combating offences related to the smuggling of contraband such as narcotics, psychotropic substances, gold, arms and ammunition, which directly impacts national security. The Central Board of Indirect Taxes and Customs (CBIC) under the Ministry of Finance, which issued the Regulations, made it compulsory for all airlines operating international flights to share Passenger Name Record (PNR) details in advance with the respective authorities. The PNR is a six-digit identifier made up of letters or of letters and numbers.
It also said that failing to comply with these regulations would invite a penalty. This would mean that airlines will have to share some crucial data points with the CBIC authorities, including the name of the passenger, date of intended travel, contact details, payment and billing information, confirmation and check-in status, baggage information, seat information, and travel agent details from where the ticket was purchased. Till now, the airlines were required to share only the name, nationality and passport details of the international travelling passenger.
Withdrawal of Data Protection Law Isn't Good Timing
The risk analysis that the CBIC mentioned in the circular aims to prevent repeat economic offenders from fleeing the country and to check illegal activities and smuggling. The CBIC is not asking passengers for anything beyond what the airlines already collect, but the approach, and the timing given the data protection debate that is happening across the country, are raising some concerns.
The government is going ahead with another step towards collecting sensitive data when it has withdrawn the Personal Data Protection Bill that was languishing in Parliament for a long time. Further, in most other countries, PNR is the only important detail that needs to be shared with the government. India’s new regulation aims to take a different approach as it mandates the sharing of almost all the details of the passenger along with the PNR.
What Laws Do Other Countries Follow?
Following the 11 September 2001 attacks in the US, drastic changes were made in the aviation industry. From strict regulations on aviation safety to modifying aircraft, everything was changed and made stringent. In accordance with that, the United States, under The Aviation and Transportation Security Act of 19 November 2001, made it compulsory for airlines operating passenger flights to, from or through the US to provide the US Customs and Border Protection Federal Agency, upon request, with electronic access to PNR data contained in their reservation, arrival and departure control systems.
In the United States, PNR data obtained from commercial carriers are stored in the Automated Targeting System. The European Union (EU) has signed multiple agreements with countries such as the United States, Canada and Australia on data sharing, and among them, sharing PNR details is one of the most prolific elements.
The transfer of PNRs falls under the purview of the European Data Protection Law and the data could be transferred to countries with data protection laws comparable to that of the EU.
Just as in the European Union, PNRs are depersonalised after six months. In five years, records are moved to a dormant database, where they remain available for another ten years, for security purposes only. Similarly, the United Kingdom has rules to share PNR details with the Home Office under 27B of Schedule 2 to the Immigration Act 1971 and the Immigration and Police (Passenger, Crew and Service Information) Order 2008. The Home Office stated that the PNR data is used by law enforcement authorities and other government authorities in order to prevent, detect, investigate and prosecute terrorist offences or serious crimes in the country.
More than 60 countries require airlines to collect advance passenger information (API), which includes data that travellers have to reveal at border control: passport details, citizenship, place of residence, and even, for travellers to the US, the address of the first night spent in the country.
Why PNR Is Sensitive Data
The PNR was first introduced by airlines across the world for their computerised database system. Later, this system was adopted by other businesses, including car rentals, hotels and railways, etc. PNR consists of mandatory data elements, optional data elements and secure flight passenger data (SFPD) details.
PNR is considered one of the most sensitive records of a passenger and it can even store the details of one’s religious meal preferences. Its sharing is considered a privacy issue in many jurisdictions today.
A reply given by the union government recently in the Parliament stated that a total of 38 economic offenders have fled India in the past five years. The CBIC, with advanced information, can apprehend such offenders. The question is whether these additional data being sought would worsen data privacy concerns. The CBIC has made it clear that the information collected is subject to strict information privacy and data protection practices and that there are adequate legal and administrative safeguards. The processing of the information to reveal ethnicity, race, religious or philosophical beliefs, health, etc, is strictly prohibited. The hardware and software necessary for data protection have already been envisaged. The information received can be used for further processing only by a senior officer of the rank of Principal Additional Director General/Additional Director General.
In the normal course, the data collected is stored only for five years, after which it is disposed of by depersonalisation or anonymisation. The new regulations provide for an extensive and independent system audit and security audit to prevent misuse of the information.
CBIC Doesn't Have Enough Legal Safeguards
However, the data under request and its processing would have to be dealt with via the provisions of the Information Technology Amendment Act, 2008, and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. These provisions apply to corporates and keep government agencies away from their purview. The now-withdrawn Personal Data Protection Bill would have brought government agencies under its purview, despite the many exclusions that the Bill offered to them.
Hence, the steps mentioned by the CBIC in announcing the new regulations become a very subjective matter. So, if the data are shared with other bodies or misused, there is no recourse for an individual. It is thus crucial for the government to bring in privacy laws so that all forms of misgivings are removed.
(Subimal Bhattacharjee is a commentator on cyber and security issues around Northeast India. He can be reached @subimal on Twitter. This is an opinion piece and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)