[The Viewpoint] PNR Regulations: Preventing flight risk or risk to privacy?

The PNR Information Regulations seem to introduce a continuous surveillance regime, which is untargeted and systematic, and leads to collection and processing of a very broad range of data.
Mohit Kapoor and Ruchita Krishnan

On August 8, 2022, the Central Board of Indirect Taxes and Customs (CBIC) notified a defined framework for collection of data relating to Passenger Name Record (PNR) details of all individuals travelling to international destinations by air by issuing the Passenger Name Record Information Regulations, 2022 (PNR Information Regulations).

According to the new PNR Information Regulations, CBIC establishes the National Customs Targeting Centre-Passenger (NCTC-P) to which all international airlines would need to submit information in a prescribed format at least 24 hours before the departure time of each flight. This, in turn, shall be submitted by CBIC to other law enforcement agencies in accordance with a risk analysis being carried out by the CBIC database.

All information shall be stored in the CBIC database for the next five years. The aim of the PNR Information Regulations is to carry out a ‘risk analysis,’ with the ultimate goal of curbing smuggling and identifying, tracking and prosecuting terrorists and criminals as well as other economic offenders.

Following the PNR Information Regulations, India joins 60 other countries which have a similar system in place and are already involved in collecting PNR data of international passengers. This type of digital frisking of passengers shall be conducted indiscriminately whether or not they are suspected of a crime. These PNR Information Regulations are similar to the directives issued by the European Union (EU) regarding transmission of passenger data from airline operators to competent authorities.

The PNR Information Regulations seem to introduce a continuous surveillance regime, which is untargeted and systematic, and leads to collection and processing of a very broad range of data. The transfer, processing, and retention of PNR data provided for by the regulations must be limited to what is strictly necessary for the purpose of combating crime.

In 2019, the Court of Justice of the European Union (CJEU) analysed the legality of PNR directives from the Constitutional Court of Belgium, where the case was initially filed. Ligue des droits humains, an NGO which served as the applicant, argued that the directive infringes upon the right to respect for private life and the right to the protection of personal data guaranteed under Belgian and EU law. Although the Court upheld the validity of the law, it restricted the powers of the directive. A comparison of the annexures of the EU directive and the subject regulations shows that they are largely identical; therefore, the question of infringement of rights as raised in the EU case may also be applicable in the Indian context.

Annexure-II of the PNR Information Regulations lists the categories of data that need to be provided by airline operators to the CBIC. The list envisages a plethora of data and information to be submitted by the airline operators. It does not demarcate the amount of data to be gathered and keeps it open for interpretation, which may interfere with an individual’s right to privacy.

While the PNR Information Regulations provide for privacy and protection of information, they only envisage that the passenger information received by CBIC shall be subject to strict information privacy and protection in accordance with the provisions of any law for the time being in force. However, in light of the recent withdrawal of the Data Protection Bill, 2021 and the absence of a codified law for protection of privacy and data, the fate of the security of information is in question. As the Data Protection Bill, 2021 did not see the light of day and was withdrawn after a period of four years, the CBIC is required to implement the PNR Information Regulations in a safe and secure manner that does not compromise the personal data of passengers.

Just as the CJEU has laid down rules to protect the privacy of passengers, it is imperative for the authorities to provide a clear code of conduct and rules with regard to collection, storage, handling and use of data under the PNR Information Regulations. Given the absence of a data protection law in India, this will be crucial to prevent misuse of personal information and data.

Mohit Kapoor is a Senior Partner and Ruchita Krishnan is an Associate at Universal Legal.

Bar and Bench - Indian Legal news