The government of India came up with revised PNR Information Regulations on August 8, 2022, for the prevention, detection, investigation and prosecution of major crimes including economic and terrorist offenses. Passenger Name Record (PNR) data are passenger-provided details that airlines gather to facilitate the booking and check-in procedures.

From the criminal intelligence perspective, the analysis of PNR data can give the authorities access to crucial information that enables them to spot suspicious travel patterns and identify the associates of terrorists and criminals, especially those previously undiscovered by law enforcement. As a result, processing PNR data has become a crucial tool for law enforcement. Such information can be used by the customs department to increase surveillance and assess the risk of passengers entering or leaving the country.

The revised policy entails the procedure to be followed by aircraft operators and/or authorised agents while transferring PNR information and what a PNR must contain. The main objective of the regulation is to curb and combat terrorism as well as other major crimes including smuggling, human trafficking, etc. Any form of non-compliance or contravention of the norms is liable to attract a penalty of ₹25,000-50,000.

Acquiring data

The Central Board of Indirect Taxes and Customs (CBIC) has set up, in accordance with these regulations, a National Customs Targeting Centre-Passenger. It shall acquire and process passenger name record data, which can be mapped against law enforcement databases and pre-established criteria to enable the identification of criminals and the prevention, detection, investigation and prosecution of crimes. The regulations also mandate the registration of aircraft operators with a duly authorised officer.

It further elaborates that the transmission of information of passengers would include the list of PNR information fields from the departure control system to the database of the National Customs Targeting Centre-Passenger. Such transmission shall be made in PNRGOV EDIFACT message format, a messaging standard implemented by the European Union in 2018 when it introduced its EU PNR Regulations. 

Such PNR information should be transferred by every aircraft operator no later than 24 hours before the departure time. The onus of timely collection and transmission of such data has been imposed on the airline operators. The revised regulations clarify that the PNR information shall not entail the collection of data that might be subject to potential misuse, such as a person’s race, political opinion, religious beliefs, health, or sexual orientation. The policy has underscored the prescription for the protection of data so collected.

Retention of information

This information shall be received, stored, processed, and disseminated in a secure system accessible only to the duly authorised officers. Such data can be retained by the authorities for a maximum period of five years. After the expiry of the five-year period, this data shall be depersonalised by disguising the pertinent information which can be used to directly identify the passenger. Such data and storage system shall be audited annually by an independent auditor so as to ensure that there is no misuse of information contained in passenger name records.

In case of transfer of PNR data to other law-enforcement agencies or government authorities of India or of other foreign nations, the notification has prescribed certain conditions and modes of transmission. The National Customs Targeting Centre-Passenger may share the pertinent information in cases where PNR information relates to any offence under any law currently in effect at the national or international level. Such request for transfer of PNR information must be backed with sufficient reasons. Furthermore, the authority seeking the data must undertake to protect the data in the same mode and manner.

However, the only alleged challenge to these regulations stands on grounds of data privacy. In the absence of any robust and comprehensive legislation governing data protection and the recent withdrawal of the Personal Data Protection (PDP) Bill, it is an uphill task to mitigate concerns regarding personal data privacy. Nonetheless, this onus lies on those vehemently opposing the PDP Bill, whereby the nation is left with absolutely no protection against any breach.

The writer is a legal professional and panelist at Harvard Business Review 
