Facing backlash, the Indian Railway Catering and Tourism Corporation (IRCTC) has decided to put the plan to monetise passenger data under review.
While it will not immediately shelve the exercise, IRCTC will relook several data-sharing provisions, before going forward with the move, Business Standard has learnt.
The review is likely to see clearer distinctions on the scope of data sharing, with all provisions of sharing of personal data slated to be completely excluded. The scope of work will be limited to sharing aggregated data and anonymous data for sharing with private and government companies, a senior ministry of railways official said.
However, “contrary to some media reports, there is no plan to completely do away with the data monetisation exercise”, the official said.
Business Standard had reported last week that the ticket-booking arm of the Indian Railways, in a first of its kind move, was looking to monetise its bank of passenger data while conducting business with private and government companies. IRCTC aims to raise Rs 1,000 crore through this exercise. In its tender document for hiring the consultant for the same, IRCTC cited a variety of sectors, such as hospitality, energy, infrastructure, and health, as potential customers for the passenger data.
“There is no concern with the proposal of monetising data itself. In fact, the broad contours of the plan were approved by the law ministry and ministry of electronics and information technology before the tender was floated.
However, in view of public feedback, we’ve decided to conduct a fresh review to make the proposal more watertight,” he added.
Another reason for pressing pause on the plan is the lack of clear data privacy guidelines, as the Personal Data Protection Bill was recently shelved after the Joint Parliamentary Committee suggested 81 amendments.
The ministry is now largely looking to leverage clustered metadata for its own business expansion and bulk sharing, without enabling access for external operators to individual data, which could be used for targeted marketing activity.
The tender document accessed by Business Standard said the scope of work for the consultant for this monetisation included studying data, such as name, age, mobile number, gender, address, e-mail ID, number of passengers, class of journey, payment mode, login and password, etc. These data sets may get shelved after the review, said official sources.
According to these sources, clustered data will be the core focus of this exercise. For example, businesses may have access to estimated footfalls in a particular location based on ticketing volumes bound for the location through IRCTC’s monetised data.
Digital rights advocates and data policy experts sounded the alarm on IRCTC’s move to monetise passenger data, primarily on these counts — the lack of a personal data legislation, the monopoly of IRCTC in the ticket-booking space leading to coerced consent, the absence of an opt-out mechanism, and the lack of informed consent on account of unclear privacy policies of the railways company.
A major concern echoed by digital rights advocates is on account of the element of user captivity, since users have no other option than IRCTC to book railway tickets. Prateek Waghre, policy director at Internet Freedom Foundation, had told Business Standard: “Even if the Railways plans to do this in a privacy preserving way, concerns would still be there, as we don’t have a necessary legal framework for the protection of user data. This is the reason so many civil society organisations are pushing for a Data Protection Bill in India.”
Both IRCTC and the Railways maintain that there will be special attention given to these aspects, as these are key deliverables for the consultant who will be appointed for this exercise.
IRCTC, in its tender, sought a thorough analysis of rules like the European General Data Protection Regulations and the now-shelved Personal Data Protection Bill, 2018, by the prospective consultant to ensure that the exercise is in line with legislative and Supreme Court’s directives on data privacy.