Explained | Why will airlines have to share PNR data? 

The story so far: The Passenger Name Record Information Regulations, 2022, notified by the Central Board of Indirect Taxes and Customs (CBIC) under the Ministry of Finance, on August 8, requires airlines to mandatorily provide details of all international passengers on flights arriving into and departing from India to the Customs department. This is for preventing and prosecuting offences under the Customs Act, 1962 relating to “smuggling of contraband such as narcotics, psychotropic substances, gold, arms & ammunition etc that directly impact national security.”

What is the process?

Airlines will have to transfer the “passenger name record information” from their reservation system to the database of the Customs department. This includes details such as PNR (Passenger Name Record) locator code, date of reservation, date of intended travel, all available contact, billing information including credit card number, seat information as well as historical changes to the PNR.

The CBIC will set up a database, the National Customs Targeting Centre-Passenger (or the database set up by CBIC), to collect passenger information for their “risk analysis”. Such data can also be sought by other law enforcement agencies or government departments of India or any other country. The information will have to be shared at least 24 hours before departure and failure to comply will invite a minimum penalty of ₹25,000 and maximum of ₹50,000 for every act of non-compliance.

How has it been received by airlines?

The regulations come five years after the Finance Bill, 2017 proposed amending the Customs Act, 1962 to allow exchange of passenger data. The International Air Transport Association (IATA), a trade association representing 290 airlines globally, says it “welcomes the notifying of the PNR regulations by the CBIC, thereby establishing a proper legal framework for the implementation of the PNR data program for India.” It adds that this should now “bring an end to the non-standard passenger data requests from the airlines, by multiple agencies at various airports/stations.” Airlines say the government must hold consultations, frame detailed guidelines and provide a feasible timeline for implementation. They also say that since they only pass on the information submitted by passengers, if data fields are missing or if details provided are fake, they should not be penalised.

How were Indian agencies collecting passenger information earlier?

Earlier, the Bureau of Immigration collected passenger details under Advance Passenger Information System (APIS) following an amendment in 2008 by the Ministry of Home Affairs to the Foreigners Act, 1946. This allowed collection of data pertaining to foreigners, but not Indian citizens traveling in and out of the country. The APIS is contained in the Departure Control System of an airline and captures data when passengers check-in at airports and transfers the details to the destination country 15 minutes before flight departure.

But PNR information is captured by the airline’s reservation system from the time a passenger buys a ticket and offers richer data for risk management such as whether a passenger is travelling alone, or whether s/he paid in cash and if there were multiple changes in a passenger’s itinerary. Such information can be shared 24 to 48 hours before departure allowing intelligence agencies enough time to carry out risk analysis.

Industry experts say globally Customs is the lead agency for collecting PNR-related information, and is better suited than immigration agencies because of the organised nature of crimes and terrorist activities. Moreover, the Customs department in India is considered to be far ahead in their use of IT systems for risk assessment.

What happens to the privacy of passengers?

The CBIC says the format for data exchange between airlines and the Customs systems is a standard electronic message format endorsed jointly by the World Customs Organisation (WCO), International Civil Aviation Organisation (ICAO) and the IATA. Such data will be retained for a maximum period of five years after which it will be disposed of by de-personalisation or anonymisation but can be “re-personalised and unmasked when used in connection with an identifiable case, threat or risk for the specified purposes,” says the CBIC.

“Collecting data on everyone to then do an undetermined risk analysis, rather than selecting a few passengers is problematic. De-anonymising data is a big area of concern on two grounds — it raises questions about the type of anonymisation which can be easily reversed; secondly, there needs to be a high barrier for permitting de-anonymisation and has to be done only on very serious grounds. Moreover, all of this is happening when there is no line of sight on a data protection law and what happens to passengers if the data is breached,” says Prateek Waghre, Policy Director, Internet Freedom Foundation. The Centre on August 3 withdrew the Personal Data Protection Bill, 2019 three years after it was tabled in the Lok Sabha in December 2019.