#PrivacyOfThePeople: The flight is about to take off…. with your luggage and data!

tl;dr

On August 08, 2022, the Central Board of Indirect Taxes and Customs (“CBITC”) under the Ministry of Finance recently notified the Passenger Name Record Information Regulations, 2022 (“Regulations”) under the Customs Act, 1962. As per the Regulations, all registered airlines will have to mandatorily provide details of all international passengers, flying to or from India, to the Customs department. The details to be shared include a total of 19 passenger data points listed under ‘Annexure-II’ of the Regulations, several of which fall under the category of personal data as defined by the General Data Protection Regulation (“GDPR”). Such over-broad sharing of personal data and non-personal data, i.e., at scale, raises several privacy concerns, especially given the recent withdrawal of the draft Data Protection Bill (“DPB”), 2021.

Why should you care?

The Privacy of the People series was started back in 2021 to assess the impact of the Personal Data Protection Bill (“PDPB”), 2019 and subsequently the DPB, 2021 on different sections of society. Through this series, we identified the threats to our fundamental right to privacy posed by the Bill, with the expectation that the Government would in the future pass the bill in the Parliament, sooner rather than later. However, much to our surprise, the Government withdrew the DPB, 2021 on August 03, 2022. Today, there exists no piece of legislation on data protection, even in the form of a bill, and thus limited scope to assess its impact on our rights as well as to protect these very rights. In the absence of a data protection regime in India, the privacy concerns around the recent Regulations become even direr.

Fasten your seatbelts, your right to privacy is facing some turbulence

Annexure II of the Regulations list 19 data points that are to be provided by all airlines for all passengers, which includes name, all available contact details, all available payment/ billing information, Available Passenger Information (“API”) such as passport number, date of birth, and gender, etc.

The CBITC states “prevention, detection, investigation and prosecution of offences” as the justification for the ‘National Customs Targeting Centre-Passenger’ (NCTC-P) to receive, store, process and disseminate passenger name record (“PNR”) information along with “any other information relevant for risk analysis of passengers”. The Regulations however fail to elaborate on the method to be used for such risk analysis, i.e., whether it will be conducted by a human, by a machine using Artificial Intelligence, or both. There is sufficient evidence which points to the possibility of human biases creeping into algorithms, which can further aggravate these biases by deploying them at scale, thus putting people, especially those belonging to marginalised communities at risk.

The Regulations require every registered airline to share the listed passengers details with the NCTC-P, not later than twenty-fous hours before the departure time, or at the departure time. The Board also intends to subject the Regulation to “strict information privacy and protection in accordance with the provisions of any law for the time being in force.” In case of non-compliance by an aircraft operator or its authorised agent, the NCTC-P can impose a penalty between Rs 25,000 - 50,000, for each act of non-compliance. Given that the DPB, 2021 was recently withdrawn, India currently lacks a law which could protect passengers data.

As per the Regulations, the PNR information will be accessible only to the duly authorised officers, for which the NCTC-P is expected to establish robust procedures in order to protect the privacy of passengers and crew members. In order to prevent any misuse of the PNR information, the Regulations also call for an extensive independent system audit and security audit on an annual basis. While this is somewhat comforting, a subsequent provision allows the NCTC-P to share “relevant information on a case-to-case basis” with other law enforcement agencies (“LEA”) or government departments of not just India but any other country as well. While the respective LEA or department would be expected to specify the purpose for seeking such information, the CBITC doesn’t provide any reasoning or grounds for deciding on these “cases”. Without any means to enforce purpose limitation, such a data sharing framework envisaged under the Regulations could lead to profiling and surveillance.

Our concerns with a subsequent provision that allows data to be retained for a maximum period of 5 years is that it is over-broad, excessive and not well-reasoned. To the further detriment of our rights, the Regulations allow for retention of data even after expiration of the five year period, post which it will be “disposed of by depersonalisation or anonymisation through masking out the relevant (identifiable) information.” The Regulations overlook the concerns around de-anonymisation of personal data. The Committee of Experts on Non-Personal Data Governance Framework in its draft report noted the threat of de-anonymization, and advised the maintenance of adequate barriers against it. Moreover, international studies have shown that “current methods for anonymising data leave individuals at risk of being re-identified” and that, “99.98% of Americans would be correctly re-identified in any dataset using 15 demographic attributes”. These studies highlight the likelihood of re-identification through de-anonymisation of anonymised or non-personal data. This situation is made worse by India’s lack of a data protection law or any protection against such re-identification, which could lead to severe violations of privacy of the citizens.

Furthermore, the Regulations allow for the depersonalised or anonymised information to be “re-personalised or unmasked” in case of an identifiable case, threat or risk. It is interesting to note that no time frame has been mentioned for retaining the re-personalised information. The anonymisation of data in lieu of deletion, coupled with re-personalisation of data, effectively means that the data of passengers may be retained indefinitely. Ambiguous and undefined grounds for re-personalising information, clubbed with the inadequate safeguards for data protection, raise grave privacy concerns.

We filed an RTI application regarding the newly notified Regulations on August 10, 2022. Earlier today (September 08, 2022), we received a response from the Directorate General of Analytics and Risk Management (DGARM). The information sought in the RTI was with respect to the privacy and protection to be used during data collection and storage [Rule 7(1)], ranks of the duly authorised officers [Rule 7(3)], and techniques used for anonymisation as well as deanonymisation [Rule 8(2)]. No information we asked for has been furnished, stating that "The PNR Information Regulations, 2022 have a deferred implementation and the details .....will be informed in due course". While the Regulations have gone into effect from the date of its publication in the Official Gazette, i.e., August 08, 2022, its implementation is delayed as per the RTI response. Furthermore, information regarding any feasibility and/or proportionality study conducted prior to notifying the Regulations as well as any legal opinion that may have been sought on the Regulations was also not shared, stating that the information pertained to the Ministry of Finance.

A tour around the world

Some states across the world consider PNR data critical for the threat assessment value that can be derived from the analysis of such data, particularly in relation to the fight against terrorism and serious crime. The following are some norms/ regulations for States that require aircraft operators to provide their public authorities with PNR data:

1. United States: In the immediate aftermath of the September 11, 2001 attacks, the Department of Homeland Security (“DHS”) was established and the Aviation and Transportation Security Act (“ATSA”) was enacted. One component of ATSA required airlines to systematically share PNR data of all international flights to and from the United States with the DHS. The data to be shared included passengers’ names, date of birth, sex, citizenship details, passport number and other such information which might be determined as “reasonably necessary to ensure aviation safety”. It is worth noting that the data points listed under the Regulations are much more broad than the ones listed under the ATSA.
   
2. Europe: Through the Directive (EU 2016/681) of the European Parliament and of the Council, dated 27 April 2016, the European Union (EU) aimed to create a legal framework for the protection of PNR data with regard to their processing by competent authorities for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Clause 8 of the Directive explicitly avoids imposition of any obligation on air carriers “to collect or retain any additional data from passengers or any obligation on passengers to provide any data in addition to that already being provided to air carriers.” Both the Regulations and the Directive mandate the sharing of similar data points. However, the Directive does recognise the need to adhere to the objectives of necessity and proportionality while doing so. Furthermore, it defines or refer to the existing definition of the two grounds for sharing data, i.e., terrorist offences and serious crime. As per the Directive, the PNR data to be shared must be legitimately required by public authorities and must protect the fundamental rights, in particular privacy, the protection of personal data, and the right to non-discrimination.

While the Directive allows a data retention period of 5 years, it mandates the deletion of data after the retention period expiry. Moreover, it mandatorily requires certain data elements to be de-personalised through masking after an initial period of 6 months. These data points include, inter alia, name, address and contact details, all forms of payment information, general remarks that could serve to identify the passenger and API data. The Regulations, on the other hand, doesn’t classify data into non-personal, personal and sensitive data. Furthermore, the EU also allows for transfer of PNR data as well as the result of processing such data to a country outside the EU, given that this transfer is necessary, and that the use of such data by the country is consistent with the Directive’s safeguards and conditions. Lastly, the Directive requires the data protection officer of the State to be informed each time the State transfers PNR data to a third country. These safeguards are visibly missing from the Regulations.

As per International Civil Aviation Organization’s ‘Guidelines on Passenger Name Record (PNR) Data (“Guidelines”), “PNR data consist of the information an individual provides to an airline electronic reservation system, including address, telephone and credit card numbers, and potentially sensitive information such as meal preferences or special needs that may indicate ethnic origin or religious belief”. It defines PNR data transfer as “the transfer of PNR data, from an aircraft operator’s system(s), to a State requiring such data or access by the State to PNR data from such system(s).” The Guidelines aim to establish uniform measures for the transfer and subsequent handling of the PNR data by the concerned States. It also endorses the compliance to principles of data minimisation, purpose and storage limitation,

The guidelines also outline the need to have the requirement for PNR data transfer governed by explicit legal provisions, such as appropriate laws or regulations of the State. It also requires an aircraft operator to observe the laws of both the State from which it transports passengers (State of departure) and the State to which these passengers are transported (destination State). In case of a dispute between the laws of the State of departure and the destination State, both States should enter into consultation, as soon as possible, to resolve this conflict. The public authorities must have the appropriate legal authority to process the PNR data requested from aircraft operators.

Both the EU directive and the ICAO Guidelines refer to the two possible methods of data transfer:

1. The ‘pull’ method: The competent authorities of the State requiring the PNR data can reach into/ access the aircraft’s reservation/ operator system and extract (‘pull’) a copy of the required PNR data from its database.
2. The ‘push’ method: Aircraft operators transfer (‘push’) the required PNR data to the authority requesting them, thus allowing aircraft operators to retain control of what data is provided.

The ‘push’ method is considered to offer a higher level of data protection and the ICAO Guidelines also endorses for it to be mandatory for all aircraft operators, as the latter acts as the guardian and controller of the PNR data. On a positive note, the Regulations also mandate the use of the “push method”. However, it is important to reiterate that pushing all passenger records to the Customs department instead of sharing the data on an ad-hoc basis offsets the perceived advantages of the ‘push’ method.

The Court has given its safety instructions:

The Court of Justice of the European Union (“CJEU”) has time and again challenged the compatibility of data sharing under PNR legislations or directives with the right to privacy and data protection. As part of a June 21, 2022 judgement delivered by the CJEU, it clarified that the Directive does not violate the EU’s Charter of Fundamental Rights. However, it also found key features in Belgium's national PNR legislation to be inconsistent with the Charter. The Court also shared its concerns regarding the Directive which, in its opinion, sought to introduce a “surveillance regime that is continuous, untargeted and systematic.” However, instead of scrapping the entire law, the judges decided to limit its key measures. As a result of the judgement, Member States of the EU are barred from allowing their border authorities to share PNR data with intelligence and security services for monitoring purposes. It also struck down the five year PNR data retention provision, as was authorised by Belgium’s law. It instead directed PNR data to be deleted after the initial six months, and allowed retention beyond it only on the grounds that the government has already linked an individual to terrorism or another serious crime. The CJEU also prohibited PNR data collection for all intra-EU flights, restricting it to only those routes and airports which could or is facing a terrorist or other serious threat. The Court acknowledged the risk of automated profiling and discrimination, and also expressed concerns with regard to the automated processing of personal data.

This is not the only time this debate of balancing between the safety of international air passengers with their right to privacy has taken place in the CJEU. A similar ruling was given by the CJEU on July 16, 2022, wherein it struck down the EU-US Privacy Shield Framework. As of today, the Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. This ruling has major geopolitical implications for the transatlantic data transfers, especially between the EU countries and the US. This is not the first time the CJEU has invalidated a widely used key US-EU agreement for transferring personal data for commercial purposes. The CJEU overturned the US-EU Safe Harbor Framework, the predecessor to Privacy Shield, in 2015. The CJEU has, while pointing to the deficiencies in privacy protection for non Americans under the US surveillance law, loudly and clearly voiced its reservations about the transatlantic data sharing framework. For any such framework to exist and be upheld in the future, the Court has clearly indicated the need to include provisions for “actionable rights” of redress for Europeans.

Crash landing on digital rights

The Regulations notified by the Ministry of Finance fail to prioritise (or uphold at the very least) the privacy of millions of international passengers travelling from and to India. The Regulations advocate for over-broad, wide and blanket collection of PNR information, leading to data grabbing, for the purpose of "risk analysis", as well as additional wide-ranging consequences that 'may' only reveal themselves over time. While such threats are uncertain and occur on a case to case basis, the grave intrusion into the privacy of passengers in the absence of a data protection law is unavoidable. The commercial gains of collecting and processing PNR data could incentivise entities to monetise such data, thus creating the risk of disproportionate and illegitimate data gathering beyond need or purpose. The CBITC must recognise these privacy concerns and strictly limit the collection, storage and processing of PNR data to situations of already-suspected criminality. It is time we ask this question: whether this approach of collecting, storing and processing data of each and every international passenger is proportionate to its objective of preventing crime and terrorism.

Important Documents:

1. The Passenger Name Record Information Regulations, 2022 (link)
2. The US Aviation and Transportation Security Act  (link)
3. EU Directive (link)
4. International Civil Aviation Organization’s ‘Guidelines on Passenger Name Record (PNR) Data (link)