By Kaisar Andrabi
The Central Board of Indirect Taxes and Customs (CBIC), under the finance ministry, on August 8 notified the 'Passenger Name Record Information Regulations, 2022', directing all international airlines to mandatorily share PNR (passenger name record) details of all passengers with the National Customs Targeting Centre-Passenger (NCTC -P), 24 hours prior to departure of flights.
The regulations are aimed at "risk analysis" of passengers to prevent economic and other offenders from fleeing the country, as well as check any illicit trade, such as smuggling.
However, tech experts believe that this move will breach the privacy of passengers as this comes while the data protection bill was withdrawn on August 3 by the government. In effect, it means, that India currently lacks a law which could protect the data of individuals.
As per the notification issued by CBIC, airlines will have to share 19 data points with the authorities prior to 24 hours. This includes the name of the passenger, date of intended travel, all available contact details, all available payment or billing information such as credit card numbers; travel status of the passenger, including confirmation and check-in status, baggage information, seat information, and travel agency or agent from where the ticket was issued.
Further, the notification states that every aircraft operator will have to seek registration with Customs for its implementation and will have to transfer all the passenger details prior to 24 hours before the departure time; or at the departure time – wheels off.
In case of non-compliance by an aircraft operator or its authorised agent, the NCTC-P can impose a penalty between Rs 25,000-50,000, for each act of non-compliance.
What Is The Aim Of The Move?
A former senior officer of CBIC wishing anonymity explained BOOM that the sharing of data of international passengers will help the custom officials to examine the goods and will ease travelling. "It is simply like giving information in advance for better risk profiling," he said.
Prior to the order, passengers were sharing their personal details with immigration officials and airlines before travelling abroad. "The information was not passed to Customs and it was taking a long time to clear a passenger as we had no input of the traveller," he said.
The officer explained that it is the international practice that India will follow now. He added that the primary source for Customs was airlines and secondary was immigration officials. "The passengers would earlier share the details with airlines, that same details would be passed to us (Customs). Now the Customs don't need to ask passengers to repeat the same process because it will help them to audit in advance. The policy is meant for better facilitation," he told BOOM.
The customs department would know who are the passengers travelling and it would minimise the number of checks the passenger has to go through, he said. Earlier, the Immigration data was available only after the arrival or departure of passengers.
"They (Customs) can do the targeted check if they find anything suspicious. Earlier, the department was doing random checking. We used to do checking based on our experience and analysis."
Following the new policy, India joins a list of over 60 countries, including the United States, that have regulations on sharing of advanced passenger information with Customs and border control authorities.
Privacy Infringements
As per the policy, the NCTC-P will store, process and disseminate passenger name record information along with "any other information relevant for risk analysis of passengers". In case of a technical failure, the regulations allow for the information to be transferred "by any other appropriate means" as may be directed by the NCTC-P.
Speaking to BOOM, Tejasi Panjiar, Associate Policy Counsel, at Internet Freedom Foundation said that there is "no justification" for the rule, especially how that is going to be implemented. "In some clauses of the notice they (NCTC-P) are claiming that there will be strict privacy concerns that would be followed but they aren't elaborated on," Panjiar said.
She believes that the ambiguity is more concerning as clause seven of the order (privacy and protection of information), notes that all of the information will be subject to "strict information privacy and protection in accordance with the provisions of any law for the time being in force."
She added that the lack of data protection law in the country makes it a "serious concern". "The kind of data breaching India is witnessing is bound to happen considering the growing digitalisation and data that the government is storing. All of it is happening in the absence of data protection laws," Panjiar told BOOM.
Can The Data Be Used Later?
Internet Freedom Foundation has raised other concerns about the policy. One of the clauses in the policy notes that the data of passengers will be stored for five years. However, after five years, the data will not be deleted. Instead, the data will be masked and can be re-personilised or unmasked again in case they (Customs) find anything threatening or risky.
Panjiar told BOOM that the provision to retain data for a maximum of five years is "very extensive and not well-reasoned." She believes that there is a lot of ambiguity around these rules because the Customs can unmask or re-personalise the data of any passenger anytime later which can have impacts like profiling or surveillance of any individual.
Clause 10 of the policy mentions that NCTC-P may share the information of a passenger related to any offence with other law enforcement agencies or government departments of India or any foreign states on a 'case-to-case basis.'
However, Panjiar explains that the policy doesn't specify reasons for how these cases will be selected and on what grounds the cases will be shared. The policy only mentions that the agencies or departments have to specify the purpose of seeking information with the Customs for any case.
"They have not defined on what sort of data will be shared and on what grounds it will be shared with other agencies or foreign states. For instance, the data could be shared on grounds such as terrorism or any specific reasons. But when they have not defined or elaborated, it can be easily misused when there are no checks and balances for such policies," she said.
Notably, the move to gather the data comes after the Union government had to reject its proposed personal data protection framework in favour of a new set of legislation.
What Do Airlines Say?
Airline officials said that the move will create a standardised process of passenger data sharing with the Customs department because non-standard requests for passenger data could lead to potential privacy infringements.
Earlier this year, the International Air Transport Association (IATA) – a trade body representing global airlines – wrote to the Ministry of Civil Aviation flagging non-standard requests seeking passenger details by law enforcement and investigative authorities.
Is The Policy To Prevent Bank Loan Defaulters From Fleeing The Country?
In September 2020, the government in Lok Sabha shared that from January 1, 2015 to December 2019, 38 persons involved in cases registered by the Central Bureau of Investigation (CBI) related to financial irregularities with banks fled the country.
Following money laundering cases in the country, around 20 applications for Red Corner Notices (alerts to police worldwide about internationally wanted fugitives) under Prevention of Money Laundering Act, 2002, were filed, extradition requests were sent to various countries for 14 persons, and applications under Fugitive Economic Offenders Act, 2018 were filed against 11 persons.
Industrialist and former MP Vijay Mallya left the country in 2016, the day a clutch of public sector banks moved the Debt Recovery Tribunal to recover Rs 9,000 crore unpaid dues to his now-defunct Kingfisher Airline. Mehul Choksi, one of the prime accused in the alleged over Rs 13,000-crore PNB loan fraud case, too fled to Antigua and Barbuda just as ED and CBI zeroed in on him.
