Kerala High Court seeks status of Data Protection Board after plea filed for securing passenger data on Digi Yatra

A plea raising concerns about the security of passenger data collected at airports through the Digi Yatra platform has led the Kerala High Court to seek information on whether a Data Protection Board has yet been constituted under Section 18 of the Digital Personal Data Protection Act, 2023 (DPDP Act) [CR Neelakandan v Union of India & ors]..A Division Bench of Chief Justice Soumen Sen and Justice Syam Kumar VM on March 5 directed the Central government to place details about the Board's constitution by way of an affidavit.The Court has also sought the Digi Yatra Foundation's response to the plea, which raises concerns that passenger data uploaded on Digi Yatra and other such digital interfaces is not properly secured in line with the DPDP Act. "Issue notice to the fifth respondent (Digi Yatra Foundation). We request the learned counsel appearing for respondent Nos.1 and 3 (Central government, Airports Authority of India and MEITY) to ascertain whether a Board has been constituted under Section 18 of the Digital Personal Data Protection Act, 2023 by the adjourned date and in the event such Board has been constituted, the constitution of the said Board shall be disclosed by way of an affidavit on the adjourned date," the Court ordered.The matter has been posted for further consideration on March 19, 2026.The Court also permitted the petitioner to file an affidavit disclosing alleged instances where the confidentiality of passenger data was breached. .The Court was dealing with a public interest litigation (PIL) petition filed by social activist and advocate, CR Neelakandan.Neelakandan (petitioner) has raised concerns about the manner in which sensitive personal data of air travellers was being collected, processed and stored at airports across the country.According to the petition, airports function as essential public utilities, handling massive volumes of personal data of passengers at multiple checkpoints.The Airport Authority of India (AAI) manages over 130 airports and handles hundreds of millions of passengers annually, engaging several private concessionaires and technology providers to operate commercial and digital services within airport premises, the plea notes. The plea further states that passengers are often compelled to disclose highly sensitive personal information, including biometric data, at various stages of air travel, through the 'Digi Yatra' platform, passport particulars, Aadhaar-linked information, travel history, mobile numbers, financial transaction data, etc.'Digi Yatra' is a biometric-based system that enables contactless airport entry and passenger processing, using facial recognition technology. The platform is operated by the Digi Yatra Foundation, a not-for-profit company incorporated under the Companies Act, 2013, as a joint initiative of the AAI and some private airport operators, to implement the seamless and contactless passenger movement at airports..According to the petitioner, passenger data is not only collected by government authorities but also by numerous private entities and service providers who are operating within airport premises.The petition claims that there is no transparent framework governing how this data is stored, processed, retained or shared, nor do the agreements governing these engagements contain any safeguards on data protection or cybersecurity standards, despite the enactment of the DPDP Act.The petition also relied on the Supreme Court's decision in KS Puttaswamy v Union of India (right to privacy case) to argue that the existing system of large-scale data collection at airports fails to satisfy the constitutional requirements of legality, necessity, and proportionality. The petitioner thus seeks directions to the Central government and airport authorities to formulate and implement binding guidelines governing the collection, storage, processing and protection of passenger data at airports in compliance with the data protection laws.He also seeks interim directions restraining commercial operators and service providers at airports from sharing or commercially exploiting passenger data until a judgment is delivered on the plea. Additionally, the plea seeks a stay on pending tender processes involving private entities that handle passenger data until appropriate data protection clauses are incorporated in the DPDP Act and its rules..Senior counsel Santhosh Mathew along with advocate Jayasankar R appeared for the petitioner.Deputy Solicitor General OM Shalina along with central government counsel Arjun Venugopal and advocate Venkatesan Krishnamacharry, appeared for the Union of India..[Read Order].Follow Bar and Bench channel on WhatsAppDownload the Bar and Bench Mobile app for instant access to the latest legal news.