Delhi HC dismisses plea seeking enhanced data protection by travel firms

The Delhi high court on Wednesday dismissed a plea that sought directives for the Centre to implement measures ensuring the confidentiality of personal data collected by international travel companies during ticket bookings.

The plea raised concerns about the potential misuse of Indian citizens' data, including Aadhaar and passport details, by three foreign-owned corporations: MakeMyTrip, GoIbibo, and SkyScanner.

It was pointed out that some of these companies have partial or complete Chinese investment, raising concerns about the security of sensitive personal information.

The plea, filed by advocate Ashwini Kumar Upadhyay, was rejected on the grounds that the petitioner should have approached the government with his concerns rather than directly petitioning the court.

The petition underscored the need for stringent data protection measures in accordance with a Supreme Court ruling.

Citing the Digital Personal Data Protection Act, 2023 (DPDP Act), the plea said that the Act's jurisdiction extends to the processing of digital data both within India and abroad, especially concerning goods or services offered to individuals in India.

The petitioner argued that the government should demand clarity from these travel companies about their data protection practices, particularly for international operations.

It also cited provisions of the Act which require data fiduciaries to inform data principals about the collection, use, and rights concerning their personal data.

It emphasized the obligations of data fiduciaries to maintain data accuracy and notify relevant parties promptly in case of a data breach.

The Act also mandates the appointment of a data protection officer based in India and allows individuals the right to access summaries of their data, how it's used, and who it's shared with.

These provisions, the plea said, were essential for safeguarding individual privacy and data security in the digital era.