The DigiYatra scheme has been rolled out at the Delhi, Bengaluru, and Varanasi airports in the first phase. In the second phase, it will launch at the Hyderabad, Kolkata, Pune, and Vijayawada airports. However, how does your personal data fare under the scheme?
With an aim to make air travel paperless and hassle-free, the DigiYatra Scheme (“Scheme”) was launched by the Ministry of Civil Aviation on June 8, 2017 by the then Minister of State for Civil Aviation, Shri Jayant Sinha as per a press release from Press Information Bureau. The Scheme will facilitate the digital processing of passengers at the airports. According to the website of the Scheme, digital processing of passengers will be done by using facial recognition to check the identities of passengers at the entry point check, entry into the security check, self-bag drop, check-in and aircraft boarding. The Scheme has already been launched at the Delhi, Bengaluru, and Varanasi airports, and will be launched at the Hyderabad, Pune, Vijayawada, and Kolkata airports by March, 2023.
What does the policy say?
A. What data is being collected?
DYF collects personal data from an individual when it considers the personal information reasonably required for the relevant purposes underlying such processing. Examples of personal data which may be collected includes:
- Identity and contact data such as name, country of nationality or residence, national identification number, employment history, educational background, professional qualifications, job title and function, biometric data, and other personal data concerning provider of information relevant to DYF goods and services.
- Business information such as information provided during contractual relationship with user or user’s organisation and DYF, or otherwise voluntarily provided by user or user’s organisation.
- Profile, usage and technical data such as passwords to DYF platforms, user preference in receiving marketing information, communication preference, IP address, login data, browser type and version and device type.
- Video or image data, images or video provided or captured with consent on mobile apps, kiosks systems or e-gates at airport checkpoints etc. when individuals visit the airport or DYF premises
B. What will the collected data be used for?
- Improvement of products or services;
- Contact for survey or feedback which may be done using email or mail;
- To process user/customer requests (such as replying to queries);
- To comply with the laws and regulations of the Union Government; &
- For security purposes including to protect DYF customers, employees, websites, and apps.
C. Will the collected data be shared and/or sold further? Who will have access to the collected data other than the collecting agency?
Further, DYF may share the collected data with:
- DYF employees, advisers, agents and third parties who provide services on DYF’s behalf insofar as reasonably necessary for the purpose the information is sought for;
- DYF controlled affiliates and subsidiaries and other entities within the DYF, to assist them to reach out to user in relation to their programs or campaigns (including marketing and sales) and to process individual’s query/requests;
- Service-providers who assist in protecting and securing DYF systems and provide services to DYF;
- Successors or assignees to whom DYF may assign or transfer the functions for which the data was collected in whole or part.
D. What are the data protection mechanisms in place?
DYF claims to ensure security of personal information by adopting reasonable data protection practices such as:
- internal policies,
- periodic security audits,
- adherence to code of conduct,
- data security techniques,
- privacy principles,
- data privacy by design techniques,
- personal data guidelines and
- certification mechanisms.
To prevent unauthorised disclosure or access to personal information, DYF claims to have implemented physical and cyber security safeguards which are compliant with prevailing IT laws and for all the Aadhaar related transactions, compliant with Aadhaar (Targeted Delivery Of Financial and other Subsidies, Benefits And Services) Act, 2016. DYF employees responsible for handling personal information on behalf of a company or regulatory body are mandated to follow an ethical code of conduct when processing personal information which is considered sensitive and hence classified as confidential. Transmission channels are encrypted, and access to information is restricted to authorised individuals on a need-to-know basis.
E. How long is the collected data retained for?
C. Data may be shared further without consent: Data collected for the purpose of verification of identity at the airport may be shared further with DYF employees, advisers, agents and third parties who provide services on DYF’s behalf, DYF controlled affiliates and subsidiaries and other entities within the DYF for purposes such as marketing and sales, and service providers who provide services to DYF. Here, it is unclear notice will be given and consent will be taken for processing carried for these purposes. It is also unclear whether individuals can opt out of such processing.
Proceed with caution
As we have suggested in our previous posts on DigiYatra, the Scheme sounds too good to be true, because it is. In an interview, Avinash Komireddy, Founder and CEO of Dataevolve, has stated that the DigiYatra “algorithm has a success rate of 99 per cent”. To understand what this means let us take the example of Bengaluru’s Kempegowda International Airport which handled over 94,330 travellers on October 21, 2022 in a single day. Even assuming that the facial recognition technology being adopted under the Scheme has the claimed low inaccuracy rate of 1%, this would mean that over 940 passengers could face issues. Komireddy has also stated that “scaling on the blockchain network is very difficult”. DigiYatra uses the Aries Hyperledger blockchain platform. He added that “(o)nce you have, say 1,000 or 1,500 people registered at the same time, that's where no matter how big a server you throw at that computer, it's unable to respond … immediately.” Thus implying that the significant time-savings being espoused are transient and may balance out as adoption increases. Digiyatra if implemented, can result in multiple legal, technical and privacy problems, which the common passenger will have to bear the brunt of while failing to deliver on any of the promised convenience. Such problems have already started occurring and will only increase as the scale of the Scheme is expanded.
With the increasing footfall at airports, it is understandable that the Ministry of Civil Aviation and the Airports Authority of India are looking for solutions to improve customer experience. However, it is essential that such issues be tackled at multiple levels instead of trying to fix the issue with one solution such as DigiYatra (that ultimately may not even work). It is essential that the feasibility of this Scheme, alongwith its privacy issues be re-examined to assess whether it should be continued. However, in the meantime, it should be ensured that this Scheme remains opt-in, any person experiencing issues is given access to swift alternatives, and non-DigiYatra modes of access remain functional.