Data PrivacyImpact of Data Privacy on the Aviation Sector

INTRODUCTION

In the age of digital transformation, the aviation sector finds itself at a crossroads where technological advancements meet the imperative of safeguarding sensitive information. The convergence of aviation and data has unlocked unparalleled possibilities for enhancing passenger experiences, optimizing operations, and ensuring safety. However, this surge in data utilization also ushers in significant challenges pertaining to data protection, especially with regard to Personally Identifiable Information (hereinafter “PII”) and Sensitive Personal Identifiable Information (hereinafter “SPII”).

PII encompasses data such as names, addresses, phone numbers, and passport details. SPII, a subset of PII, includes data elements such as biometric data, health records, and financial information. As the aviation sector increasingly relies on such information to provide seamless services and optimize operations, during and after Covid-19, the aviation industry has also collected health records and biometric data of its passengers, so the need for robust data protection mechanisms becomes more crucial than ever before.

Data exchanges in the aviation sector flow from airline to airline, airline to service providers and in many cases from airline to Government. Data collection is a crucial aspect in the industry, the sheer volume of personal and sensitive data being collected and transmitted creates vulnerabilities that can be exploited by malicious actors. The urgency to protect this information is underscored by high-profile incidents, such as the Air India data leak in 2021 that left individuals vulnerable to identity theft and fraud. Such incidents not only erode passenger trust but also result in substantial financial and reputational losses for the organizations involved. Thus, data protection measures must be taken up by the industry and in light of the new Digital Personal Data Protection Act of 2023 (hereinafter, “DPDP Act”), compliances shall follow accordingly.

KEY STAKEHOLDERS

Airlines

Airlines collect a significant amount of passenger data during the booking process and throughout their travel journey. Personal data, including sensitive data are collected for various purposes. Further, the airline needs certain information pertaining to a passengers age and occupation to gauge the benefits that can be availed by them, other such data collected can be contact numbers, email address, meal preferences (which may unintentionally disclose personal information), physical health conditions etc. They are responsible for ensuring the security and proper handling of passenger information.

 Airports

Airports collect data from passengers during check-in, security screening, and immigration processes. This data also comes under the ambit of sensitive data as it would also involve the nationality of the passengers. Airports need to maintain data security to protect sensitive passenger and operational information.

Booking Service Providers

Agencies that facilitate booking services for flights also collect and transfer personal passenger data to various business entities such as the airlines, hotels etc. The data collected by them can range from personal information of the passengers including financial details, family details, travel history and even medical conditions to facilitate payment of such bookings.

Aviation Technology Providers

Companies that provide aviation technology solutions, such as reservation systems and passenger management systems, are involved in data collection and processing. They play a role in maintaining data security.

LEGAL FRAMEWORK

The aviation industry handles passengers’ personal data during the booking process and beyond, these entities are required to adhere to prevailing data protection laws in India. While the aviation industry doesn’t have sector-specific laws with respect to data protection, the handling of passenger data does fall under the broader umbrella of various data protection regulations.

This entails compliance with pertinent legal requirements to ensure that passenger rights are respected and their personal information is safeguarded due to them being a heavily data driven sector. Following are the legislations/regulations in reference to data protection which will apply to the aviation industry:

• Digital Personal Data Protection Act, 2023
• Information Technology Act, 2000
• Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter “SPDI Rules”)
• Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functioning Functions and Duties) Rules, 2013   (hereinafter “CERT Rules”)
• Passenger Name Record Information Regulations, 2022

IMPLEMENTATION OF DPDP ACT, 2023

The DPDP Act will apply on entities involved in the aviation industry that collect and process personal data of the passengers for which consent is obtained and/or is for a legitimate purpose, and is in the digital form. Thus, various entities/stakeholders as seen above will fall under the ambit of the DPDP Act as they collect and utilize personal and sensitive personal data of their passengers and/or employees. The DPDP Act lays down definitions and compliance requirements for “Data Fiduciary, “Data Processor “and “Data Principal”. In context of the aviation industry:

• A Data Fiduciary who determines the purpose and means of processing of personal data would primarily be the Airlines and Airports.
• Data Processor who processes personal data on behalf of a Data Fiduciary would be the Aviation Technology Providers or in certain cases the airline themselves if certain processing of the data is done internally and a
• Data Principal, an individual to whom the personal data collected by the Data Fiduciary relates would be the passengers.

The following are the ways in which the DPDP Act will apply and be implemented in the aviation industry:

A. Notice & Consent

The DPDP Act mandates that before the collection of data by a Data Fiduciary, a request for obtaining consent of the Data Principal whose data is being collected must be accompanied by a clear specific notice.

Thus, before collecting a passenger’s data in the process of online booking, the website of the airline or the airport authority whilst collecting data during screening process will have to give/display a notice requesting consent for the collection of data and specify the information which the Fiduciary seeks to collect.

The notice shall specify which data will be collected and for what purpose will it be used. In the aviation industry airlines in the booking process will be required to collect personal information such as name, address, contact numbers, occupation, date of birth, meal preferences any medical/special requirements, airports will collect information such as biometric identifiers for security and boarding purposes (fingerprints, facial recognition) and previous travel history. As data collected herein also includes ‘sensitive’ data, consent is a must.

 B. Withdrawal of consent

The DPDP Act contains provisions where a Data Principal has the option to withdraw their consent so as to erase and stop the processing of their personal data. In the context of aviation sector, withdrawal of consent may pose an issue in its implementation, as airlines and airports rely on passenger data for various operational processes such as check-in, security screening, and boarding.

Once consent is withdrawn, the Data Fiduciary is obligated to erase the data from all servers of all entities to have stored that data but this might pose certain issues as for security purposes certain data should be present with the airline/airport authority in cases of emergency/national threats.

C. Correction and Retention of Data 

Corrections must be allowed but up until a certain stage so as to maintain security. The DPDP Act also mentions that there should be no retention of data when consent is withdrawn or when the specified purpose of processing the data has diminished. Clarification as to which data shall be/shall not be retained and the period of retention must be ascertained.

D. Significant Data Fiduciary and Data Protection Officer

The DPDP Act provides certain criteria, from which it can be ascertained whether a Data Fiduciary falls under the category of a Significant Data Fiduciary, one of which is the volume and sensitivity of the personal data.

As airlines/airports collect sensitive data such as biometrics, financial information such as bank account or credit card or debit card or other payment instrument details, physical health conditions etc. are collected of thousands of incoming and outgoing passengers every day, they are likely to be categorized as Significant Data Fiduciaries.

Therefore they will be mandated to appoint a special Data Protection Officer (hereinafter “DPO”) whose duties will be to carry out an independent data audit or appoint an independent data auditor to achieve the same and conduct periodic Data Protection Impact Assessments (hereinafter “DPIA”) as defined under the DPDP Act.

E. Grievance Redressal 

The DPDP Act states that Data Fiduciaries shall set up their own grievance redressal mechanisms. Thus airlines and airport authorities would need a redressal system to cater to the passengers which may want their personal data erased or receive a log of all the data that is stored by the airline and/or airport authorities. After exhausting the redressal system setup by them the passenger may approach the Data Protection Board formulated under the DPDP Act, if they are still aggrieved.

F. Right to access information

The DPDP Act provides a right to the Data Principals to request information relating to their individual personal data. The passengers in the same manner shall have rights to demand upon request information relating to a summary of their personal data that is being processed, identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, and any other query that they may have in question.

G. Penalties under the DPDP Act

The DPDP Act stipulates some of the highest penalties imposed. If a Data Fiduciary, such as the airlines/airport authorities, fails to implement adequate security measures to prevent a breach of personal data belonging to Data Principals under Section 8(5), the penalty could potentially reach up to Rs. 250 crore.

In the event of a breach by a Significant Data Fiduciary, the potential penalty could extend to 150 crore rupees. Furthermore, any breach of responsibility by a Data Principal as outlined in Section 15 might lead to a penalty of up to ten thousand rupees.

GREY AREAS

The data collected by the airlines and airport authorities are sensitive in nature and can be used to commit identity theft, fraud, or other crimes. In India, there are no specific regulations for the aviation industry in terms of data protection and processing.

Some of the specific problems with data protection in the aviation industry include:

a. Cross border transfer of data: Given the global nature of air travel and airlines, the movement of passenger information across national boundaries is commonplace, yet it introduces a range of intricate issues. Diverse data protection laws, such as the European Union’s GDPR and now the new Indian DPDP Act, create a regulatory landscape that demands compliance with the strictest standards.

This becomes especially complex when considering potential conflicts between differing regulatory frameworks, potentially leaving airlines and airports in a quandary. It is important to mention that under the DPDP Act, the Government has the authority to restrict cross border transfers, the implications of this in the aviation industry will be complicated.

b. Passenger rights vs. Security: Another grey area to be dealt with is whether more importance must be given to passenger rights or security. It is the passengers right to withdraw consent and erase their data but in the context of the aviation industry security measures must be given importance too, airports have a looming threat and thus security measures and surveillance at airports becomes a mandate. 

c. Data minimization: Data minimization is a fundamental principle of data protection that involves collecting, processing, and retaining only the minimal amount of personal data necessary to achieve a specific purpose. In the aviation sector, which deals with a wide range of passenger information and operational data, translating data minimization into practice presents challenges. To facilitate their services and operations, minimization of data is a challenge and if national security is taken into account, data minimization may not prove beneficial.

d. Data retention: The challenge lies in defining appropriate retention periods for different data types, factoring in operational needs, legal requirements, and passenger privacy expectations. Moreover, the aviation industry’s global operations involve cross-border data transfers, potentially triggering conflicts between local and international data protection laws. As various stakeholders—airlines, airports, and regulatory authorities—interpret data retention differently, harmonizing policies across the ecosystem becomes intricate. Striking a balance between operational necessity and passenger privacy, especially with technologies like AI and machine learning entering the picture, adds further complexity.

LEGAL INSTRUMENTS

Information Technology Act, 2000

Two major provisions can be seen under the Information Technology Act, 2000 (hereinafter, “IT Act”) the first being Section 43A of the IT Act which mandates that if a body corporate which will also include stakeholders under the aviation sector, possessing, dealing, or handling personal/sensitive personal data or information is negligent in implementing and maintaining reasonable security practices, and as a result, causes wrongful loss or gain to any person, it shall be liable to pay compensation to the affected party.

The second is under Section 72 of the IT Act, which provides punishment with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both for disclosure of confidential information without consent of the data owner.

Other sections that refer to data/personal data can be seen in the IT Act such as:

1. Section 65 deals with tampering of computer source documents.

2. Sections 66A to 66F state various punishments for different cyber crimes, which include identity theft and violation of privacy.

3. Section 69 gives power to the Government to disclose information for public interest.

4. Section 72 provides penalty for disclosure of confidential information without consent.

SPDI Rules

The SPDI Rules are relating to matters of reasonable security practices and procedures and sensitive personal data or information under Section 43A of the IT Act.

Rule 3 defines the ambit of sensitive personal data. Airlines and Airports collect sensitive information such as financial information such as Bank account or credit card or debit card or other payment instrument details, sexual orientation, physical health conditions, biometric data etc. during the boarding and security screening process due to which they will fall under this category.

Rule 3 also provides that when collecting data from passengers, the entities must provide a notice that outlines why the data is being collected, who will have access to it, and the entity’s contact information. Airlines/airports must obtain the explicit consent of the passengers before collecting their sensitive personal data. The consent should be voluntary and obtained before any data is collected.

Rule 6 emphasizes that data collection should be limited to what is necessary for the purpose of collection and that the data provider should be made aware of the purpose of collection. Airlines and airport authorities must implement security measures to safeguard the sensitive data they collect from unauthorized access, breaches, or loss; the rules recommend the international Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”.

CERT Rules

The CERT Rules aim to enhance cyber security and safeguard digital infrastructure across various sectors in India, including the aviation industry. The CERT Rules primarily provide guidelines and measures to prevent, detect, and respond to cyber threats and incidents.

Airlines and aviation organizations are required to report any cyber security incidents to CERT-In. This includes data breaches, cyber attacks, and other security breaches that could compromise passenger data. The rules establish a framework for incident reporting, investigation, and response to mitigate the impact of such incidents on data security. Additionally, CERT-In facilitates information sharing on cyber security threats and best practices.

Airlines and aviation entities can benefit from this exchange of information to strengthen their data protection strategies and stay informed about emerging threats. Organizations in the aviation sector need to conduct regular risk assessments to identify potential cyber security threats and vulnerabilities. This proactive approach helps prevent data breaches and ensures the protection of sensitive passenger information.

Passenger Name Record Information Regulations, 2022

On 8^th August 2022, the Government of India notified the Passenger Name Record Information Regulations, 2022 (“PNR Regulations“) in order to provide a defined framework for collection of specified details relating to international passengers travelling by air.

The PNR Regulations necessitate that airlines provide the National Customs Targeting Centre-Passenger with passenger name record  data for individuals who are not crew members and are either in transfer or transit, being carried or set to be carried, on international flights. This information sharing must occur a minimum of 24 hours before the scheduled departure time of each flight.

The PNR data encompasses various details, including the passenger’s name, the names of co-passengers on the same PNR, ticket issuance and travel dates, frequent flyer particulars, contact information, payment method specifics including credit card particulars, seat allocation, travel schedule, baggage particulars, and more.

In accordance with the PNR Regulations, each airline is obliged to transfer such PNR data from their reservation system to the Indian customs department’s database for every international flight originating from or arriving in India. Moreover, any gathered PNR data must be stored for a duration not exceeding five years from the date of its acquisition, except when necessitated during an inquiry, legal action, or any judicial process.

Upon the lapse of the five-year span, the PNR data should be eliminated through depersonalization or anonymization, achieved by concealing the pertinent details that could directly reveal the identity of the associated passenger.

AMLEGALS REMARKS

In conclusion, the intertwining of data protection and the aviation industry in India ushers in a new era of challenges as well as opportunities. While the introduction of the DPDP Act represents a significant step towards safeguarding individual privacy, its seamless integration into the aviation sector remains a work in progress.

As the sector grapples with the complex landscapes of data retention, cross-border transfers, erasure protocols, and security enhancements, it becomes evident that the journey towards robust data protection is ongoing. Navigating these intricacies necessitates collaborative efforts among aviation stakeholders, legal experts, regulatory bodies, and technological innovators.

By addressing these grey areas and continually adapting to emerging regulations and technologies, the aviation industry can not only fortify passenger trust but also exemplify a harmonious synergy between data protection and seamless travel experiences.

Team AMLEGALS assisted by – Ms. Kermina Patel (Intern)

For any query or feedback, please feel free to get in touch with tanmay.banthia@amlegals.com or mridusha.guha@amlegals.com