The Indian Railway Catering and Tourism Corporation’s move to explore data monetisation has raised concerns over data privacy amongst experts and passengers, and lawyers believe it could lead to potential lawsuits.

Referring to the tender floated by IRCTC to appoint a consultant for digital data monetisation, the Internet Freedom Foundation on Friday highlighted the absence of a data protection legislation.

In a series of tweets, IFF said, “The goal of profit maximisation will result in greater incentives for data collection, violating principles of data minimisation and purpose limitation. Past experiences from the misuse of Vahan database amplify fears of mass surveillance and security risks.”

IFF is an Indian digital liberties organisation that seeks to ensure that technology respects fundamental rights.

“IRCTC, a government-controlled monopoly, must not prioritise perverse commercial interests over the rights and interests of citizens. And given the recent withdrawal of the Data Protection Bill, 2021, such monetisation becomes even more concerning,” it said.

“Per the tender, customer data to be studied includes, inter alia, ‘Name, Age, Mobile No, Gender, address, E-Mail ID, No of Passenger, Class of Journey, Payment Mode, Login/ Password,’ in addition to behavioural data such as payment & booking mode, frequency of journey,” it noted.

The Congress party also tweeted on the issue, stating that when any data is sought from the government, the reply is ‘no data available’ and now personal data of individuals with a railway PSU will be sold to generate revenue.

Move at a preliminary stage: IRCTC

However, an IRCTC official said the move is at a preliminary stage.

“A tender has just been floated to appoint a consultant. The consultant will, in turn, have to suggest if the digital data monetisation can be done in line with the IT Act rules and Supreme Court judgements. IRCTC will ensure that all rules and procedures are followed, if it goes ahead with the move,” he said.

“We are a very responsible organisation. All passenger data is secure,” he stressed.

Possible litigation

Experts said it is an interesting proposition but could pose a challenge in implementation and could lead to possible litigation.

“Indian rules on data protection are applicable to government entities as well. In fact, in IRCTC’s case, it will have to go beyond what private companies do to ensure data protection as apart from current laws and Supreme Court rulings, the Constitutional provisions of the Puttuswamy case will also have to be kept in mind,” said Mathew Chacko, founding partner, Spice Route Legal.

For monetising the data, IRCTC will have to take the consent of passengers. “It would not be surprising if people approach courts over this issue,” he further said.

Subdued interest?

Another expert noted that it would be difficult for the railway PSU to find an Indian firm or consultant to work on the project given the complexities involved.

“It would be a challenge to find a firm in India that is well versed in issues of data privacy and personal data. Perhaps, IRCTC may have to look for an international firm that is conversant with GDPR and related issues,” he said.

Significantly, in a possible indication of little interest, IRCTC has had to extend the deadline for submitting bids from August 29 to September 8.

IRCTC has floated a tender for appointing a consultant for digital monetisation, which it expects will help generate ₹1,000 crore in revenue and also help improve the customer experience.

It stated in the tender that the consultant would give advice on how to monetise the data available while staying within the existing laws and Supreme Court judgements.

The implementation strategies would have to comply with various Acts or laws, including the IT Act 2000 and its amendments, user data privacy laws, including GDPR (General Data Protection Regulation), and the current ‘Personal Data Protection Bill 2018 , it further said.