PIL in Delhi HC Seeks Data Confidentiality from Travel Companies

Read Time: 05 minutes


Petitioner Advocate Ashwini Kumar Upadhyay highlighted that these foreign travel entities not only gather information from ordinary citizens but also from officials such as lawmakers, ministers, judges from the Supreme Court and High Court, defense personnel, civil servants, and their relatives.

A petition has been filed before the Delhi High Court, seeking directions against the Union to enact measures ensuring the confidentiality of personal data amassed by travel companies, particularly those operating internationally, during ticket booking. 

The case is listed before the bench headed by Acting Chief Justice Manmohan and comprising Justice Manmeet Pritam Singh Arora on April 3, 2024. 

In the petition, the petitioner expressed apprehension regarding the potential misuse of citizens' data, particularly Aadhaar and passport details, by three foreign corporations—MakeMyTrip, GoIbibo, and SkyScanner—functioning in India, with either partial or complete ownership by Chinese investors.

Referring to the Supreme Court's verdict in the case of Justice K.S. Puttaswamy (Retd.) vs. Union of India, the petitioner emphasized the significance of government-issued identity cards and the necessity for robust regulations governing their handling.

The petitioner underscored that as per Section 3 of the Digital Personal Data Protection Act, 2023 (DPDP Act), the Act applies to the processing of digital data both within and outside India if goods or services are offered to data principals within Indian territory. Consequently, the Centre must seek clarification from travel companies, particularly those overseas, regarding measures for data protection, the plea asserted.

The petitioner underscored that the DPDP Act mandates that any request for consent made to a data principal must be accompanied or preceded by a notice from the data fiduciary informing the data principal about the personal data being processed, the purpose of processing, and the method for exercising rights and lodging complaints. Section 8 obligates data fiduciaries to ensure the completeness, accuracy, and consistency of personal data and to notify the board and affected data principals in case of a breach, as per the plea.

Moreover, the petitioner asserted that fiduciaries are required to appoint a data protection officer based in India. Emphasis was placed on Section 11 which entitles data principals the right to obtain a summary of their personal data, its usage, and the identities of all data fiduciaries and processors with whom data has been shared.

The petitioner prayed the court following directions: 

a)   Direct the Centre to take steps to ensure that the Travel Companies, particularly Foreign Travel Companies, which collect personal data - Name, Adress, Phone Number, AADHAAR, Passport Details etc during ticket booking are totally confidential and not shared with anyone.

b)    Pass such other directions as this Hon’ble Court deems fit and proper to secure the Citizen’s Data in spirit of the DPDP Act 2023”. 

Case Title: Ashwini Kumar Upadhyay v Union Of India & Others