Earlier this August (August 8, 2022), the Government of India notified the Passenger Name Record Information Regulations, 2022 (“PNR Regulations“) in order to provide a defined framework for collection of specified details relating to international passengers travelling by air. These regulations are meant to enhance detection, interdiction and investigative capabilities of the Indian customs authorities using non-intrusive techniques for combating offences related to smuggling of contraband such as narcotics, psychotropic substances, gold, arms & ammunition, etc. that directly impact national security.
The PNR Regulations mandate airlines to share passenger name record (PNR) information of passengers (being persons other than crew members, in transfer or transit, carried or to be carried, in an aircraft on an international flight) with the National Customs Targeting Centre-Passenger at least 24 hours in advance of the departure time of each flight. Passenger name record information includes data such as the name of the passenger along with other co-passenger names on the same PNR, date of issue of tickets, date of travel, frequent flyer information, available contact information, details of payment/billing methods including credit card details, seat number, travel itinerary, baggage details, etc. Pursuant to the PNR Regulations, every airline will have to transfer such PNR information from their reservation system to the database of the Indian customs department for every international flight departing from India or arriving in the country.
The PNR Regulations further provide that when the PNR information relates to any offence at national or international level, under any law for the time being in force, the National Customs Targeting Centre – Passengers may share the relevant information on a case-to-case basis with other law enforcement agencies or government departments of India or any other country. Any agency/department seeking such information will need to explicitly specify the purpose for which such information is being sought. Additionally, sharing of such relevant PNR information will need to be subject to maintenance of the same level of information privacy and protection of information and safeguards.
From a data privacy perspective, the PNR Regulations provide that all PNR information record received by the Indian Customs department will need to be subject to strict information privacy and protection regulations in accordance with the provisions of any applicable law for the time being in force. Furthermore, all PNR information collected can only be retained for a maximum period of 5 years from the date of receipt, unless required in the course of an investigation, prosecution, or any judicial proceeding. After the expiry of 5 years, the PNR information is to be disposed of by depersonalisation or anonymisation through masking out the relevant information which can serve to directly identify the passenger to whom the PNR information relates.
Additionally, the PNR Regulations aim to prevent the misuse of PNR information by strictly prohibiting processing of PNR information to reveal the race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation of any passenger. While the PNR Regulations do attempt to safeguard the privacy of PNR information, the recent (August 3, 2022) withdrawal of India’s Data Protection Bill, 2021 and the absence of a specific law on the subject poses a serious question mark on the privacy of the PNR information. The PNR Regulations have raised privacy concerns amongst many and the government has since repeatedly attempted to allay such concerns and assure passengers that PNR information collected will be protected from a privacy standpoint. The basic premise of the PNR Regulations was floated and announced in the Union budget released almost 5 years ago, however the framework has only now been prepared. Despite the privacy concerns amongst passengers, with the notification of the PNR Regulations, India joined a host of approximately 60 countries including the UK, EU, Canada and USA that collect data of international air passengers for similar purposes.
While the PNR Regulations provide for monetary penalties to be levied on airline operators for their failure to share the PNR information amounting to a minimum of Rs. 25,000/- and a maximum amount of Rs. 50,000/- for each act of non-compliance, the lack of an overarching domestic data protection regime certainly may raise some cause for concern amongst travellers. The PIB, in a statement, opined that the PNR Regulations “strike a good balance between the needs of privacy and the imperatives of security,” however, the onus is on the Central Board of Indirect Taxes and Customs to put in place safeguards to ensure that the PNR information collected in accordance with the regulations has been done to further legitimate purposes.