Tuesday, June 17, 2025

Flight safety 2.0: Online booking platforms must guard the privacy of our personal data

Services such as MakeMyTrip and Goibibo that allow one to make bookings online, as well as the websites of airlines like Indigo, Air India, etc, have transformed how people plan and book a trip. These websites deal with and store private information that includes names, contact details, travel plans, payment method details and even data from official identity-proof documents such as passports and PAN or Aadhaar cards. 

All these pieces of information fall under the definition of ‘personal data’ under Section 2(t) of the DPDP Act because they can be used to identify the person to whom they belong. Even though online reservations are convenient, they raise privacy concerns. There are risks of mass data breaches and the unauthorized use of an individual’s data stolen from these databases.

Data minimization: Under Section 4 of the DPDP Act, online platforms for flight bookings, classified as ‘data fiduciaries,’ must seek the express and informed consent of users before they process their personal data. The Supreme Court, in its K.S. Puttaswamy vs Union of India judgment, held that privacy is a basic constitutional right flowing from Article 21 of the Constitution. 

This necessitates not only explicit consent, but also data minimization, the principle of which entails collecting, processing and storing only the least personal data required for a specific purpose. 

Online travel agencies often collect a huge amount of information, even though some of it may not strictly be required for reservations. For instance, the details of a user’s occupation are often requested for profession-based discount offers. But under the DPDP law, the right to privacy demands that only necessary data shall be procured and processed.

Security and accuracy: Section 8 of the DPDP Act places an obligation on data fiduciaries like online travel agencies to ensure the security and accuracy of personal data collected. The security measures that are required to be implemented include encryption as well as secure payment gateways for customers to pay, in addition to periodic audits. In Google India Pvt Ltd vs Visakha Industries Ltd (2019), the Supreme Court clarified the liability of intermediaries to safeguard the data of their users.

Data erasure: Section 12 of the Act grants people a number of rights, including the right to correct, complete, update or erase their data. This will mean that customers can ask an airline or travel agency to delete their data after the end of their journey (or whenever required). This is in line with directives provided by various court judgments, like the landmark judgment of K.S. Puttaswamy and the 2023 case of Mrs. X vs Union of India, where the court emphasized the need for people to be in control of their personal data.

Penalties: The DPDP Act prescribes stringent punishments. It imposes a large fine for a failure to secure personal data, especially in case of a data breach. This measure is expected to make airlines and reservation systems tighten their internal data security systems and thereby decrease the possibility of data breaches. In 2018, the UK Information Commissioner’s Office imposed a fine of £20 million on British Airways after the details of over 400,000 clients were leaked through a breach. This could happen with any airline. In fact, in the Air India data breach of 2021, the personal data of approximately 4.5 million individuals was reportedly compromised, an event that led the air carrier to establish stricter internal security measures.

Cross-border data transfers: Another major challenge could be the cross-border transfer of data in case of international travel via foreign airlines through bookings done on domestic platforms. 

The movement of personal information across national boundaries poses a problem, as different jurisdictions follow different laws. For instance, the EU’s General Data Protection Regulation has stringent norms for cross-border data transfers and requires additional safeguards, whereas India’s DPDP law is a bit more lenient and permits cross-border transfers unless explicitly prohibited. 

The law gives the Indian government the authority to blacklist countries for data transfers. As a result, companies in the civil aviation sector will have to navigate varying regulatory requirements and adjust their policies accordingly whenever a country is blacklisted.

Flight safety 2.0: The DPDP Act is aimed at providing an environment of openness and trust in digital services, as it endeavours to protect personal data through well-defined rules related to data protection. Online booking platforms will have to revise and refine their procedures for collecting, storing and processing data in order to comply with the law.

Such adjustments will likely lead to higher expenditure, as online platforms will be required to implement robust cyber security protocols, conduct regular employee training and periodically review the digital systems procured from third-party vendors to ensure compliance. 

Overall, these measures will not only enhance the security and reliability of travel booking platforms, but also foster greater confidence and trust among their users.

The author is a former member of the Rajya Sabha, former CAG bureaucrat and founding partner of A&N Legal Solutions LLP.
