Planning to use DigiYatra? Read this first!

Anushka Jain


tl;dr

The DigiYatra scheme has been rolled out at the Delhi, Bengaluru, and Varanasi airports in the first phase. In the second phase, it will launch at the Hyderabad, Kolkata, Pune, and Vijayawada airports. However, how does your personal data fare under the scheme?

Background

With the aim of making air travel paperless and hassle-free, the DigiYatra Scheme (“Scheme”) was launched by the Ministry of Civil Aviation on June 8, 2017 by the then Minister of State for Civil Aviation, Shri Jayant Sinha, as per a press release from the Press Information Bureau. The Scheme will facilitate the digital processing of passengers at the airports. According to the website of the Scheme, digital processing of passengers will be done by using facial recognition to check the identities of passengers at the entry point check, entry into the security check, self-bag drop, check-in and aircraft boarding. The Scheme has already been launched at the Delhi, Bengaluru, and Varanasi airports, and will be launched at the Hyderabad, Pune, Vijayawada, and Kolkata airports by March, 2023.

We have previously looked at the Scheme and the DigiYatra Policy extensively through two posts. In this explainer, we will be analysing the privacy policy of the DigiYatra Foundation (DYF).

What does the policy say?

In order to understand whether a privacy policy adequately protects your personal data, it is essential to check certain features:

A. What data is being collected?

DYF collects personal data from an individual when it considers the personal information reasonably required for the relevant purposes underlying such processing. Examples of personal data which may be collected include:

  • Identity and contact data such as name, country of nationality or residence, national identification number, employment history, educational background, professional qualifications, job title and function, biometric data, and other personal data concerning provider of information relevant to DYF goods and services.
  • Business information such as information provided during contractual relationship with user or user’s organisation and DYF, or otherwise voluntarily provided by user or user’s organisation.
  • Profile, usage and technical data such as passwords to DYF platforms, user preference in receiving marketing information, communication preference, IP address, login data, browser type and version and device type.
  • Video or image data, images or video provided or captured with consent on mobile apps, kiosk systems or e-gates at airport checkpoints etc. when individuals visit the airport or DYF premises.

B. What will the collected data be used for?

The DYF privacy policy states that the purpose of the data collection and processing is to establish your identity, validate your travel document and any other requirements for your travel as needed from time to time subject to the protection of High Level Data Privacy Guidelines as per the Digi Yatra Policy issued by the MoCA. However, the privacy policy also states that personal information shared while registering or subscribing to a service or product on the Digi Yatra Central Ecosystem platforms may be used for the following reasons:

  • Improvement of products or services;
  • Contact for survey or feedback which may be done using email or mail;
  • To process user/customer requests (such as replying to queries);
  • To communicate for activities such as marketing campaigns, events, programs, and promotions (for which consent will be taken appropriately as per the privacy policy);
  • To comply with the laws and regulations of the Union Government; and
  • For security purposes including to protect DYF customers, employees, websites, and apps.

C. Will the collected data be shared and/or sold further? Who will have access to the collected data other than the collecting agency?

According to the privacy policy, DYF does not disclose personal information to others without obtaining appropriate consent. However, DYF may disclose personal information without the user's consent if required by law to disclose information or where the information is required to prevent or detect a crime.

Further, DYF may share the collected data with:

  • DYF employees, advisers, agents and third parties who provide services on DYF’s behalf insofar as reasonably necessary for the purpose the information is sought for;
  • DYF controlled affiliates and subsidiaries and other entities within the DYF, to assist them to reach out to user in relation to their programs or campaigns (including marketing and sales) and to process individual’s query/requests;
  • Service-providers who assist in protecting and securing DYF systems and provide services to DYF;
  • Successors or assignees to whom DYF may assign or transfer the functions for which the data was collected in whole or part.

D. What are the data protection mechanisms in place?

DYF claims to ensure security of personal information by adopting reasonable data protection practices such as:

  • internal policies,
  • periodic security audits,
  • adherence to code of conduct,
  • data security techniques,
  • privacy principles,
  • data privacy by design techniques,
  • personal data guidelines and
  • certification mechanisms.

To prevent unauthorised disclosure or access to personal information, DYF claims to have implemented physical and cyber security safeguards which are compliant with prevailing IT laws and for all the Aadhaar related transactions, compliant with Aadhaar (Targeted Delivery Of Financial and other Subsidies, Benefits And Services) Act, 2016. DYF employees responsible for handling personal information on behalf of a company or regulatory body are mandated to follow an ethical code of conduct when processing personal information which is considered sensitive and hence classified as confidential. Transmission channels are encrypted, and access to information is restricted to authorised individuals on a need-to-know basis.

E. How long is the collected data retained for?

DYF claims to retain personal information only for a minimum duration of time as prescribed in the Digi Yatra Policy. The duration of time for which information will be retained is decided based on whether it is necessary for the stated purpose, and/or for compliance with legal requirements under applicable laws. Further, the privacy policy states that when the personal information collected is no longer required, DYF and its partners will destroy or delete it in a secure manner.

Our issues

A. Excessive data collection: The categories of data listed for collection are extremely sensitive and wide. However, the privacy policy fails to mention the specific purposes for which they may need to be collected. Such excessive data collection violates the data processing best practice of data minimisation, which states that data collection should be adequate, relevant and limited to what is necessary in relation to the purposes for which the personal data is being processed.

B. Function creep: The privacy policy states that the purpose for which the collected data will be used is to establish the identity of the individual, validate the travel document and any other requirements for their travel. However, it goes on to say that the collected data may also be used for other purposes, such as improvement of products, contacting for surveys, and processing user/customer requests, among others. Such use shows a clear function creep by the DigiYatra Foundation. Function creep occurs when collected data is used for purposes other than the purpose to which the individual has consented, and is a clear violation of the data processing best practice of purpose limitation.

C. Data may be shared further without consent: Data collected for the purpose of verification of identity at the airport may be shared further with DYF employees, advisers, agents and third parties who provide services on DYF’s behalf, DYF controlled affiliates and subsidiaries and other entities within the DYF for purposes such as marketing and sales, and service providers who provide services to DYF. Here, it is unclear whether notice will be given and consent will be taken for processing carried out for these purposes. It is also unclear whether individuals can opt out of such processing.

Proceed with caution

As we have suggested in our previous posts on DigiYatra, the Scheme sounds too good to be true, because it is. In an interview, Avinash Komireddy, Founder and CEO of Dataevolve, has stated that the DigiYatra “algorithm has a success rate of 99 per cent”. To understand what this means, let us take the example of Bengaluru’s Kempegowda International Airport, which handled over 94,330 travellers on October 21, 2022 in a single day. Even assuming that the facial recognition technology being adopted under the Scheme has the claimed low inaccuracy rate of 1%, this would mean that over 940 passengers could face issues. Komireddy has also stated that “scaling on the blockchain network is very difficult”. DigiYatra uses the Aries Hyperledger blockchain platform. He added that “(o)nce you have, say 1,000 or 1,500 people registered at the same time, that's where no matter how big a server you throw at that computer, it's unable to respond … immediately.” This implies that the significant time-savings being espoused are transient and may balance out as adoption increases. DigiYatra, if implemented, can result in multiple legal, technical and privacy problems, which the common passenger will have to bear the brunt of, while failing to deliver on any of the promised convenience. Such problems have already started occurring and will only increase as the scale of the Scheme is expanded.

With the increasing footfall at airports, it is understandable that the Ministry of Civil Aviation and the Airports Authority of India are looking for solutions to improve customer experience. However, it is essential that such issues be tackled at multiple levels instead of trying to fix the issue with one solution such as DigiYatra (that ultimately may not even work). It is essential that the feasibility of this Scheme, along with its privacy issues, be re-examined to assess whether it should be continued. However, in the meantime, it should be ensured that this Scheme remains opt-in, any person experiencing issues is given access to swift alternatives, and non-DigiYatra modes of access remain functional.

Important documents

  1. DigiYatra Foundation’s Privacy Policy (link)
  2. Our previous work on DigiYatra (link)
