Digi Yatra, Facial Recognition Technology and Data Subjects
I whizzed past the queue of technologically inept individuals and wondered how far we had come. I was travelling to Delhi and on every occasion until then, the CISF personnel had taken their sweet time matching my face to an awfully old photograph on my identity card. However, this time, I barely had a chance to look up from my phone screen before I was granted entry to the heavily guarded premises.
Earlier this year, the Ministry of Civil Aviation published a report stating that the number of users of the popular application Digi Yatra ['Application'] had crossed 45 lakh across India as on February 20, 2024. The services made available through the Application, which were initially launched in December, 2022 at three major airports [Delhi, Bengaluru and Banaras], have now been extended to 10 more airports, with plans of rapid expansion on the horizon. The Application was initially introduced as a hassle-free and seamless facilitator of the authentication/identification procedure at airports. However, like every other seemingly good use of technology, it has since come under scrutiny for its murky associations as well as the lack of accountability and transparency in its operations.
It is pertinent to note that the entity behind the Application, Digi Yatra Foundation ['Foundation'], a non-profit organisation, is run by a consortium of 6 entities. While 26% of the shareholding is allocated to the Airports Authority of India, the remaining 74% is owned by private entities that operate and manage 5 airports across India.
While people laud the effort behind the idea and are generally pleased with the overall success of the initiative, crucial issues have cropped up since its inception that require a hard look by the authorities as well as civil society. The biggest red flag of all is the lack of information and transparency with regard to the collection, processing and storage of this sensitive personal data. The Application runs its authentication based on the government-issued identification document, the Aadhaar, and has a central government authority as its biggest shareholder. However, interestingly enough, the Foundation is not covered under the ambit of the Right to Information Act, 2005.
Now, it would have been all roses if we had an effective and robust law working tirelessly to protect our data and uses thereof. However, the Digital Personal Data Protection Act, 2023 is yet to be enforced and its regulations are shrouded under a garb of mystery. Whether it will do its job or just end up becoming another law with no real powers is another qualm that plagues the hearts of those in the data privacy space.
The instant use case gains its importance in our list of worries, or it should, since it involves the processing of a type of data that is rather prone to misuse. The Application works by authenticating the identity of a user based on biometric data, which is a type of personal information that can be used to uniquely identify an individual. In this fast-paced environment of technological innovation, the use cases of biometric data are rapidly expanding and, due to its sensitive nature, it is often regulated with the strictest of measures around the world.
Currently, sensitive data processing activities by entities in India are governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ['IT Rules, 2011']. As the name suggests, the regulation is rather outdated in its very perspective and offers little to no protection to the providers of such data ['Data Subjects']. An updated legislation is currently under discussion; however, looking at the track record of the DPDPA and the time it took to see the light of day, it would be flabbergasting to see developments towards the promulgation of the Digital India Bill any time soon.
Every time any concern regarding the processing of data by the Foundation is raised, there are reassurances all around. However, there are no public records specifying the measures undertaken by the Foundation. Recently, in March 2024, there was a sudden upheaval of the backend technology of the Application and the users were soon asked to delete the Application and move to another one. This move was followed by the revelation that the earlier Application had ties to Dataevolve, a one-person company whose head is being investigated by the Enforcement Directorate on a charge involving money laundering. Upon being probed about the allegation of unauthorised use of data by Dataevolve, the Foundation as well as the government have maintained their silence.
On the one hand we have our government agencies skirting blame and transparently collecting all kinds of data that could be misused. However, in another part of the world, the European Union recently published and adopted its 'Opinion 11/2024 on the use of facial recognition to streamline airport passengers’ flow (compatibility with Articles 5(1)(e) and (f), 25 and 32 GDPR)' ['Opinion']. This Opinion goes into extensive detail on the data management systems that could be adopted to ensure the highest level of compliance and to ensure that the ease of the service is aptly balanced with the rights of the Data Subjects. A bare perusal of the document reveals that the safest way to practice the use of facial recognition to streamline passengers' flow is to place all authority to initiate such processing in the hands of the Data Subject. The Opinion is wary of any arrangement that involves the entities storing such data for longer than necessary or using this data for any purpose other than the one specified. It further provides guidelines to ensure the security of data and to design a secure mechanism for deploying the technology.
Worryingly enough, as per the CEO, Mr Suresh Khadakbhavi, the Foundation has its eyes set on integrating the Application and its technology to provide this seamless authentication for the provision of various kinds of services including hotel, transportation, etc. The Application has additionally faced flak for using the collected data for marketing purposes and sharing the same with unknown third parties.
This particular situation leaves Indian citizens with hardly any autonomy over their data in a world that is hell-bent on procuring as much of it as possible. A visit to the local grocer these days has the ability to leave a bad taste in one's mouth as the question is inevitably posed, 'Ma'am, what is your phone number?'. A phone number in itself does not hold the possibility of causing the Data Subject as much harm as misuse of biometric data, yet our hesitation stems from the annoyance of being subjected to a barrage of unnecessary information. What we, as complacent consumers of free services, need to understand is the gravity of the situation. Experts in the domain are immensely concerned about the use of facial recognition technology towards establishing a policed state. As much as the sci-fi movies would have you believe that a world in which each of your activities is tracked and surveilled is far off into the future, it is closer than it seems and Digi Yatra might just be the gateway.
1 month ago: Don't say 'technology inept' individuals. You might call them 'yet to onboard' individuals, Aditi Mendiratta.