Privacy prick-point: IRCTC bid to monetise passenger data

IRCTC, the ticket booking arm of the Indian Railways, has floated a tender to empanel a consulting firm to prepare a road map to monetise the data. As per a PTI report, the tender may be withdrawn over privacy concerns given that a data protection Bill has not been finalised. However, at the time of publishing, the tender was still live on IRCTC’s website.

According to the tender, customer data that could potentially be monetised includes passengers’ name, age, mobile number, gender, email address, payment mode, “login/password”, among other things. The selected consultant will also have to segregate monetisable data, identify its market potential and prepare a final roadmap for the monetisation of this data. The Economic Survey 2021-22 noted that in FY21, Indian Railways carried 1.23 billion tonnes of freight and 1.25 billion passengers.

“IRCTC is a reservoir of huge amounts of digital data which opens several opportunities for IRCTC for monetisation. IRCTC wishes to leverage its data assets and market position to drive strong growth in revenues,” the Corporation said in the tender. “IRCTC envisages a revenue generation potential of Rs 1,000 crore through monetisation of its digital assets. IRCTC wishes to engage a consulting firm to help in identification, design, and development and roll-out of data monetisation opportunities.”

Incidentally, the tender document says that the selected consultant should prepare the monetisation roadmap keeping in mind the “current Personal Data Protection Bill, 2018” along with other laws like the Information Technology Act, 2000 and EU’s General Data Protection Regulation (GDPR).

It is to be noted that India currently has no data protection rules and a draft Bill was recently withdrawn by the government from Parliament.

The data protection Bill that IRCTC has mentioned in the tender document is not even the latest version of the Bill that was withdrawn. The Ministry of Electronics and IT (MeitY) did not respond to a query asking the potential privacy risks of IRCTC’s proposal.

The proposal has drawn the ire of privacy activists who have complained that IRCTC is looking to monetise passengers’ data in the absence of a privacy framework in the country. In a statement, Delhi-based digital rights group Internet Freedom Foundation said, “IRCTC, a government-controlled monopoly, must not prioritise perverse commercial interests over the rights and interests of citizens. And given the recent withdrawal of the Data Protection Bill, 2021, such monetisation becomes even more concerning”. It added that a “profit maximisation goal” will result in “greater incentives for data collection, violating principles of data minimisation and purpose limitation”.

Alerting the stock exchanges of its monetisation plan, IRCTC said that as a commercial entity, it explores business opportunities for new areas. “As other business tenders, this tender has also been floated merely to appoint a consultant,” it said, adding that “The consultant will guide IRCTC and the Indian Railways on monetisation activities and advise on monetisation value of digital assets … Further, being a government company, it is a regular practice to float tenders.”

The Indian Railways has previously explored monetising the vast amount of data it collects. In 2016, then Railways Minister Suresh Prabhu had said that the organisation was exploring the possibility of monetising its data, software and some of the free services provided by Indian Railways, such as PNR enquiry.

In the past, there have been efforts to monetise government data, at least two of which have been scrapped over privacy issues. In 2020, the Ministry of Road Transport and Highways scrapped its Bulk Data Sharing Policy, under which it used to sell vehicle registration data (Vahan) and driving licence data (Sarathi) to private and public entities. The policy was scrapped over potential misuse of personal information and privacy issues.

More recently, the MeitY had floated a draft India Data Accessibility and Use Policy that proposed that data collected by the Centre that has “undergone value addition” can be sold in the open market for an “appropriate price”. This draft was withdrawn after it faced severe criticism over its proposal to monetise government data.