On July 18th, 2024, the Software Freedom Law Centre, India (SFLC.in) wrote to the Ministry of Civil Aviation (MoCA) and DGCA India about concerns regarding the implementation of the Digi Yatra in several Indian airports. Since January of this year, it has been widely reported that passengers are either being forced into or unknowingly enrolled in Digi Yatra. Passengers have further faced difficulties in case they opt out of Digi Yatra enrollment or are inconvenienced due to the limited availability of non-Digi Yatra gates at the Airports.
Compelling passengers to mandatorily register for Digi Yatra under the pretext that it is mandated under law is wholly misleading as well as illegal. In fact, MoCA has specifically reiterated that Digi Yatra is a purely voluntary scheme and that it does not mandate registration from passengers and condition their entry into the airport based on sharing of their facial biometrics for enrollment.
This obviates the voluntary nature of the scheme- as specified in the Digi Yatra Biometric Boarding System Policy, the Digi Yatra Privacy Policy, and the reply from the Ministry of Civil Aviation to a Right to Information application.
SFLC.in urged the MoCA and DGCA to look into the enrollment practices mandating Digi Yatra for passengers across airports in India to ensure strict compliance with the voluntary nature of the facility. Protecting the personal and sensitive personal data of passengers is of foremost priority in today’s data-driven environment.
Read the full letter here:
1. Letter to the MoCA:
18th July 2024
To,
Shri Kinjarapu Rammohan Naidu,
Minister of Civil Aviation
Government of India
Subject: Urgent Call for Action pertaining to issues with Digi Yatra
Respected Sir,
We are writing this letter due to concerns regarding the Digi Yatra enrolment process at Indian airports. It has been widely reported since January of this year that passengers are either being forced into or unknowingly enrolled for Digi Yatra. Passengers have further faced difficulties in case they opt out of Digi Yatra enrolment or are inconvenienced due to limited availability of non-Digi Yatra gates at the Airports. This obviates the voluntary nature of the scheme – as specified in the Digi Yatra Biometric Boarding System Policy (“the DYBBS Policy”), the Digi Yatra Privacy Policy (“Privacy Policy”) and the reply from the Ministry of Civil Aviation (‘MoCA’) to a Right to Information (“RTI”) application.
At the outset, it is understood that the Digi Yatra Foundation (“DYF”) is a non-profit company incorporated under Section 8 of the Companies Act, 2013 – to implement a digital ecosystem that streamlines air travel. Presently, DYF is co-owned by Airport Authority of India (26%), Cochin International Airport (14.8%), Bangalore International Airport (14.8%), Hyderabad International Airport (14.8%), Mumbai International Airport (14.8%) and Delhi International Airport (14.8%).
In light of recent events, we bring the following concerns in relation to the Digi Yatra facility –
1. Illegal and Involuntary Enrolment
Compelling passengers to mandatorily register for Digi Yatra under the pretext that it is mandate under law is wholly misleading as well as illegal. In fact, MoCA has specifically reiterated that Digi Yatra is a purely voluntary scheme and that it does not mandate registration from passengers and condition their entry into the airport based on sharing of their facial biometrics for enrolment. Additionally, the DYBBS Policy states that passengers will be provided with an alternate facility to enter the Airport Terminal through an automated travel document checking system (using Barcode/ Mobile QR code scan) on e-gates along with a manual ID card check.
Under the DYBBS Policy, the following has been expressly stated –
xi. Creation and use of the Digi Yatra ID Travel Credential by a passenger will be completely voluntary, and a one-time registration process using a Govt. ID is needed to enroll into the Digi Yatra Platform.
i. Users will also have an option, at any time, to opt-out and delete their profile.
(Page 12, DYBBS Policy)
In addition, the DYBBS Policy states that passengers will have the choice to register through any Government identification document –
xiii. The choice of Govt. ID used for enrolment is the choice of the passenger. Passengers can use any of the valid Government ID as per BCAS guidelines.
(Page 13, DYBBS Policy)
GOVT. OF INDIA IDENTITY DOCUMENTS ACCEPTED FOR DIGI YATRA ID TRAVEL CREDENTIAL (AS PER BCAS REGULATIONS AND GUIDELINES)
a. For the Purpose of registering for Digi Yatra ID, the passenger can use Govt. of India issued Photo Identity Cards as follows (Not exhaustive)
i. AADHAAR ID: Fully self service
ii. Driving License: Fully self service
Passport: With manual validation at the airport registration kiosk
IV. PAN: With manual validation at the airport registration kiosk
V. Voter ID: With manual validation at the airport registration kiosk
vi. Student ID: With manual validation at the airport registration kiosk
(Page 21, DYBBS Policy)
However, the FAQs clearly state that Aadhaar IDs are the only form of identification integrated with the Digi Yatra app. This practice is not consistent with the DYBBS Policy — which mentions that passengers will be able to produce a Govt. ID of their choice.
According to the Policy, Digi Yatra allows passengers to share the data with various stakeholders such as –
i) Airlines
ii) Online Travel Agents (OTAs)
iii) Airports
iv) Immigration authorities
Once registered, the passenger should have access to all data (Travel details, Identity details etc.) in a secure wallet within the Digi Yatra ID App – on their smartphone. The DYBBS Policy states that the DYF will be given a license to act as an Authentication User Agency (“AUA”).
Importantly, the DYBBS Policy states that facial biometrics shall be collected or stored in the system. However, this will not involve the storage of any other core biometrics like iris/fingerprints. The Privacy Policy states that such data might be shared with DYF controlled affiliates and subsidiaries and other entities (within the DYF). However, such affiliates and subsidiaries have not been mentioned in the DBBS Policy or the Privacy Policy.
2. DYF Data Processing Practices
The High Level Data Privacy Guidelines’ (“Guidelines”) outlined in the DYBBS Policy mentions various privacy principles, however, still contain certain gaps and vulnerabilities:
i) Lawfulness of Processing: The Privacy Policy states that the data collected is hosted within India and DYF ensures that the data collected is processed according to the provisions of the applicable laws in India. However, since the Digital Personal Data Protection Act of 2023 has not been enforced yet and in the absence of specific rules prescribing procedure, processing customer data must be restricted. The Guidelines outlined in the DYBBS Policy are also unenforceable against any private or public authority because it lacks legal backing or a substantial legal framework. The DYBBS Policy is broad in nature as there are provisions that allow for change in data storage settings based on security requirements on a “need basis” and has broad exemptions for data sharing with government agencies. Absence of legal backing raises concerns for potential violations of fundamental rights granted by the Constitution, including the right to privacy and right to free movement.
ii) Data Minimisation and Purpose Limitation: The Digital Personal Data Protection Act of 2023 emphasizes on data minimisation and purpose limitation as core principles of data collection. However, the type of data collected under DYF is broadly categorized into “identity and contact data, business information, profile, usage and technical data and video or image data”. The Privacy Policy or the DYBBS Policy fails to mention specific purposes sought to be achieved by collection of data from each of these categories. Further, it also fails to establish a reasonable nexus for which certain data, such as contact data (i.e. employment history, educational background, professional qualifications, job title and function, biometric data), business information, technical data (i.e. passwords to DYF platforms) is necessary for the objective DYF intends to serve i.e., facilitate seamless air travel. The principle of data minimisation must be meaningfully followed to collect data that is absolutely required to facilitate the purpose it intends to serve. Moreover, the purposes for collection also include marketing campaigns, events, programs and promotions. For instance, “Digi Yatra partners” as per the Privacy Policy includes “airports, airlines and other concessionaires that conduct business for delivering services to passengers”. Sharing travel data with such partners could lead to targeted advertising, dynamic pricing, financial scams by airlines, cab, hotel or lounge services and other privacy intrusions which may lead to unwanted interference with passengers’ privacy and autonomy. As a result, such wide collection of data seems over-broad and contradictory to the concept of purpose limitation.
iii) Data Sharing: The Privacy Policy allows collecting, storing, processing, transferring, and sharing a passenger/user’s personal information (including sensitive personal information) with third parties or service providers for the purposes set out in the Privacy Policy. At the same time, according to the press statement released by MoCA there is no central storage of passengers’ personally identifiable information (PII) data. All passengers’ data is encrypted and stored in the wallet of their smartphone and data cannot be used by any other entity since it’s encrypted. It is stated that the data is shared by passengers directly, only when they travel and only to the origin Airport. This contradictory approach to data sharing practices necessitates clarity and certainty with respect to the types of data stored with DYF and shared with third-parties.
3. DYF Data Erasure Practices
According to the DYBBS Policy, the airport operator shall retain travel data for a duration of 30 (thirty) days from the date of travel after the Passenger’s Flight departs for the purpose of any audit/ forensic analysis by authorized government agencies. However, according to the press statement released by MoCA all data collected is purged from the airport’s systems within 24 (twenty four) hours of flight departure. In light of these inconsistent statements we seek clarity regarding the data erasure procedures followed for each category of data collected by DYF.
4. Procedure for Customers to Opt Out of Digi Yatra
According to DYBBS Policy, obtaining user consent is a prerequisite for “sharing of face biometric data for the airport checkpoints.” The DYBBS Policy also states that airports may be permitted to “create profiles of users” only based on “explicit consent” from the user for marketing purposes. The Privacy Policy clearly states that registering for Digi Yatra services is voluntary. Despite such policy, there have been instances where customers have been forcefully enrolled.
Considering such incidents, we urge the MoCA to take a call for action against such enrolment practices being carried out at airports. Such practices are not only violative of the Digi Yatra policies but also the Fundamental Right to Privacy – as recognised by the Supreme Court of India in KS Puttaswamy vs Union of India (2017) 10 SCC 1.
5. Good Data Governance Practices for Digi Yatra
At the outset, MoCA should direct airport authorities and employees to provide comprehensive and clear information about the voluntary nature of the Digi Yatra service. Based thereon, passengers would be able to provide informed and meaningful consent for obtaining Digi Yatra services. Such consent form/Digi Yatra App should provide sufficient information on the data collection, storage and sharing practices to inform the users.
Secondly, MoCA should urge DYF to implement data protection measures such as end-to-end encryption for all kinds of data collected, restrict data sharing activities and ensure timely deletion. These processes must also be laid down in the Privacy Policy. Further, the principle of data minimization must be followed, DYF must minimize collection of data for absolutely necessary functions required for smooth check-in process. Further, the Privacy Policy should clearly inform the passengers of the kinds of personal data being collected and the purpose sought to be achieved by such collection.
Thirdly, it is suggested that passengers who opt to enroll for Digi Yatra should be given an option to produce any government issued ID of their choice. Currently, the Digi Yatra-Aadhaar integration dilutes the voluntary nature of Digi Yatra scheme as it compels users to divulge sensitive biometric information to enroll for Digi Yatra.
Lastly, adequate logistical measures must be in place for non-Digi Yatra passengers, such as having an equal number of non-Digi Yatra gates at airports. Airport ground staff and airline staff must be trained and sensitized about the voluntary use of Digi Yatra and maintain a neutral approach towards passengers who choose not to use Digi Yatra.
We urge the Ministry of Civil Aviation to look into the enrollment practices mandating Digi Yatra for passengers across airports in India to ensure strict compliance with the voluntary nature of the facility. Protecting the personal and sensitive personal data of passengers is of foremost priority in today’s data driven environment.
We would be obliged to meet and engage in dialogue over such critical issues at a time and venue convenient to the Ministry.
About SFLC.in
SFLC.in is a donor supported legal services organization that brings together lawyers, policy analysts, students, and technologists to protect freedom in the digital world. SFLC.in promotes innovation and open access to knowledge by helping developers make great Free and Open Source Software, protect privacy and civil liberties for citizens in the digital world by educating and providing free legal advice and help policy makers make informed and just decisions with the use and adoption of technology. SFLC.in has been granted Consultative Status with the Economic and Social Council of the United Nations (ECOSOC).
Regards,
Prasanth Sugathan
Legal Director,
SFLC.in
Copy to:
Shri Murlidhar Mohol, Minister of State for Civil Aviation
2. Letter to DGCA:
18th July 2024
To,
Shri Vikram Dev Dutt,
Director General
Directorate General of Civil Aviation
Ministry of Civil Aviation
Subject: Urgent Call for Action pertaining to issues with Digi Yatra
Respected Sir,
We are writing this letter due to concerns regarding the Digi Yatra enrolment process at Indian airports. It has been widely reported since January of this year that passengers are either being forced into or unknowingly enrolled for Digi Yatra. Passengers have further faced difficulties in case they opt out of Digi Yatra enrolment or are inconvenienced due to limited availability of non-Digi Yatra gates at the Airports. This obviates the voluntary nature of the scheme – as specified in the Digi Yatra Biometric Boarding System Policy (“the DYBBS Policy”), the Digi Yatra Privacy Policy (“Privacy Policy”) and the reply from the Ministry of Civil Aviation (‘MoCA’) to a Right to Information (“RTI”) application.
At the outset, it is understood that the Digi Yatra Foundation (“DYF”) is a non-profit company incorporated under Section 8 of the Companies Act, 2013 – to implement a digital ecosystem that streamlines air travel. Presently, DYF is co-owned by Airport Authority of India (26%), Cochin International Airport (14.8%), Bangalore International Airport (14.8%), Hyderabad International Airport (14.8%), Mumbai International Airport (14.8%) and Delhi International Airport (14.8%).
In light of recent events, we bring the following concerns in relation to the Digi Yatra facility –
1. Illegal and Involuntary Enrolment
Compelling passengers to mandatorily register for Digi Yatra under the pretext that it is mandate under law is wholly misleading as well as illegal. In fact, MoCA has specifically reiterated that Digi Yatra is a purely voluntary scheme and that it does not mandate registration from passengers and condition their entry into the airport based on sharing of their facial biometrics for enrolment. Additionally, the DYBBS Policy states that passengers will be provided with an alternate facility to enter the Airport Terminal through an automated travel document checking system (using Barcode/ Mobile QR code scan) on e-gates along with a manual ID card check.
Under the DYBBS Policy, the following has been expressly stated –
xi. Creation and use of the Digi Yatra ID Travel Credential by a passenger will be completely voluntary, and a one-time registration process using a Govt. ID is needed to enroll into the Digi Yatra Platform.
i. Users will also have an option, at any time, to opt-out and delete their profile.
(Page 12, DYBBS Policy)
In addition, the DYBBS Policy states that passengers will have the choice to register through any Government identification document –
xiii. The choice of Govt. ID used for enrolment is the choice of the passenger. Passengers can use any of the valid Government ID as per BCAS guidelines.
(Page 13, DYBBS Policy)
GOVT. OF INDIA IDENTITY DOCUMENTS ACCEPTED FOR DIGI YATRA ID TRAVEL CREDENTIAL (AS PER BCAS REGULATIONS AND GUIDELINES)
a. For the Purpose of registering for Digi Yatra ID, the passenger can use Govt. of India issued Photo Identity Cards as follows (Not exhaustive)
i. AADHAAR ID: Fully self service
ii. Driving License: Fully self service
Passport: With manual validation at the airport registration kiosk
IV. PAN: With manual validation at the airport registration kiosk
V. Voter ID: With manual validation at the airport registration kiosk
vi. Student ID: With manual validation at the airport registration kiosk
(Page 21, DYBBS Policy)
However, the FAQs clearly state that Aadhaar IDs are the only form of identification integrated with the Digi Yatra app. This practice is not consistent with the DYBBS Policy — which mentions that passengers will be able to produce a Govt. ID of their choice.
According to the Policy, Digi Yatra allows passengers to share the data with various stakeholders such as –
i) Airlines
ii) Online Travel Agents (OTAs)
iii) Airports
iv) Immigration authorities
Once registered, the passenger should have access to all data (Travel details, Identity details etc.) in a secure wallet within the Digi Yatra ID App – on their smartphone. The DYBBS Policy states that the DYF will be given a license to act as an Authentication User Agency (“AUA”).
Importantly, the DYBBS Policy states that facial biometrics shall be collected or stored in the system. However, this will not involve the storage of any other core biometrics like iris/fingerprints. The Privacy Policy states that such data might be shared with DYF controlled affiliates and subsidiaries and other entities (within the DYF). However, such affiliates and subsidiaries have not been mentioned in the DBBS Policy or the Privacy Policy.
2. DYF Data Processing Practices
The High Level Data Privacy Guidelines’ (“Guidelines”) outlined in the DYBBS Policy mentions various privacy principles, however, still contain certain gaps and vulnerabilities:
i) Lawfulness of Processing: The Privacy Policy states that the data collected is hosted within India and DYF ensures that the data collected is processed according to the provisions of the applicable laws in India. However, since the Digital Personal Data Protection Act of 2023 has not been enforced yet and in the absence of specific rules prescribing procedure, processing customer data must be restricted. The Guidelines outlined in the DYBBS Policy are also unenforceable against any private or public authority because it lacks legal backing or a substantial legal framework. The DYBBS Policy is broad in nature as there are provisions that allow for change in data storage settings based on security requirements on a “need basis” and has broad exemptions for data sharing with government agencies. Absence of legal backing raises concerns for potential violations of fundamental rights granted by the Constitution, including the right to privacy and right to free movement.
ii) Data Minimisation and Purpose Limitation: The Digital Personal Data Protection Act of 2023 emphasizes on data minimisation and purpose limitation as core principles of data collection. However, the type of data collected under DYF is broadly categorized into “identity and contact data, business information, profile, usage and technical data and video or image data”. The Privacy Policy or the DYBBS Policy fails to mention specific purposes sought to be achieved by collection of data from each of these categories. Further, it also fails to establish a reasonable nexus for which certain data, such as contact data (i.e. employment history, educational background, professional qualifications, job title and function, biometric data), business information, technical data (i.e. passwords to DYF platforms) is necessary for the objective DYF intends to serve i.e., facilitate seamless air travel. The principle of data minimisation must be meaningfully followed to collect data that is absolutely required to facilitate the purpose it intends to serve. Moreover, the purposes for collection also include marketing campaigns, events, programs and promotions. For instance, “Digi Yatra partners” as per the Privacy Policy includes “airports, airlines and other concessionaires that conduct business for delivering services to passengers”. Sharing travel data with such partners could lead to targeted advertising, dynamic pricing, financial scams by airlines, cab, hotel or lounge services and other privacy intrusions which may lead to unwanted interference with passengers’ privacy and autonomy. As a result, such wide collection of data seems over-broad and contradictory to the concept of purpose limitation.
iii) Data Sharing: The Privacy Policy allows collecting, storing, processing, transferring, and sharing a passenger/user’s personal information (including sensitive personal information) with third parties or service providers for the purposes set out in the Privacy Policy. At the same time, according to the press statement released by MoCA there is no central storage of passengers’ personally identifiable information (PII) data. All passengers’ data is encrypted and stored in the wallet of their smartphone and data cannot be used by any other entity since it’s encrypted. It is stated that the data is shared by passengers directly, only when they travel and only to the origin Airport. This contradictory approach to data sharing practices necessitates clarity and certainty with respect to the types of data stored with DYF and shared with third-parties.
3. DYF Data Erasure Practices
According to the DYBBS Policy, the airport operator shall retain travel data for a duration of 30 (thirty) days from the date of travel after the Passenger’s Flight departs for the purpose of any audit/ forensic analysis by authorized government agencies. However, according to the press statement released by MoCA all data collected is purged from the airport’s systems within 24 (twenty four) hours of flight departure. In light of these inconsistent statements we seek clarity regarding the data erasure procedures followed for each category of data collected by DYF.
4. Procedure for Customers to Opt Out of Digi Yatra
According to DYBBS Policy, obtaining user consent is a prerequisite for “sharing of face biometric data for the airport checkpoints.” The DYBBS Policy also states that airports may be permitted to “create profiles of users” only based on “explicit consent” from the user for marketing purposes. The Privacy Policy clearly states that registering for Digi Yatra services is voluntary. Despite such policy, there have been instances where customers have been forcefully enrolled.
Considering such incidents, we urge the MoCA to take a call for action against such enrolment practices being carried out at airports. Such practices are not only violative of the Digi Yatra policies but also the Fundamental Right to Privacy – as recognised by the Supreme Court of India in KS Puttaswamy vs Union of India (2017) 10 SCC 1.
5. Good Data Governance Practices for Digi Yatra
At the outset, MoCA should direct airport authorities and employees to provide comprehensive and clear information about the voluntary nature of the Digi Yatra service. Based thereon, passengers would be able to provide informed and meaningful consent for obtaining Digi Yatra services. Such consent form/Digi Yatra App should provide sufficient information on the data collection, storage and sharing practices to inform the users.
Secondly, MoCA should urge DYF to implement data protection measures such as end-to-end encryption for all kinds of data collected, restrict data sharing activities and ensure timely deletion. These processes must also be laid down in the Privacy Policy. Further, the principle of data minimization must be followed, DYF must minimize collection of data for absolutely necessary functions required for smooth check-in process. Further, the Privacy Policy should clearly inform the passengers of the kinds of personal data being collected and the purpose sought to be achieved by such collection.
Thirdly, it is suggested that passengers who opt to enroll for Digi Yatra should be given an option to produce any government issued ID of their choice. Currently, the Digi Yatra-Aadhaar integration dilutes the voluntary nature of Digi Yatra scheme as it compels users to divulge sensitive biometric information to enroll for Digi Yatra.
Lastly, adequate logistical measures must be in place for non-Digi Yatra passengers, such as having an equal number of non-Digi Yatra gates at airports. Airport ground staff and airline staff must be trained and sensitized about the voluntary use of Digi Yatra and maintain a neutral approach towards passengers who choose not to use Digi Yatra.
We urge the Ministry of Civil Aviation to look into the enrollment practices mandating Digi Yatra for passengers across airports in India to ensure strict compliance with the voluntary nature of the facility. Protecting the personal and sensitive personal data of passengers is of foremost priority in today’s data driven environment.
We would be obliged to meet and engage in dialogue over such critical issues at a time and venue convenient to the Ministry.
About SFLC.in
SFLC.in is a donor supported legal services organization that brings together lawyers, policy analysts, students, and technologists to protect freedom in the digital world. SFLC.in promotes innovation and open access to knowledge by helping developers make great Free and Open Source Software, protect privacy and civil liberties for citizens in the digital world by educating and providing free legal advice and help policy makers make informed and just decisions with the use and adoption of technology. SFLC.in has been granted Consultative Status with the Economic and Social Council of the United Nations (ECOSOC).
Regards,
Prasanth Sugathan
Legal Director,
SFLC.in
Copy to:
Shri Sanjeev Kumar, Chairman, Airports Authority of India