The data monetization by the Indian Railways Catering and Tourism Corporation (IRCTC) is a welcome step for revenue generation. Still, experts believe that IRCTC must ensure that best industry practices for data anonymization and privacy standards are followed.
“The data should be completely anonymized, and IRCTC must transparently tell customers the anonymization level and processes followed for anonymity,” said Jiten Jain, Cyber Security expert and Director, Infosec Voyager.
IRCTC has already issued a tender to hire a consultant to assist it in the monetization process, and the public sector undertaking has set a revenue target of Rs 1,000 crore.
“Indian Railways desires to monetize the data in customer/vendor applications and internal applications of Indian Railways by conducting various businesses with both government and private sectors, viz. tours and travels, hotel, financing, infrastructure development, insurance sector, health sector, manufacturing sector, shipping, aviation, port developers, container operation, mining, energy, etc. for generating revenues and also to enhance facilitation and further improve services,” IRCTC said in its tender inviting bids, which Moneycontrol reviewed.
Due to its status as the country’s only railway ticketing platform, IRCTC has an extensive database of every online ticket. This has also raised questions about the data protection of passengers and how IRCTC will work on it.
The tender states that the bidder “shall study various Acts or laws including IT Act 2000 and its amendments, User data privacy laws including GDPR (General Data Protection Regulation) and current ‘Personal Data Protection Bill 2018 of India’, and accordingly propose the business models for monetization of Digital Assets.”
But currently, India does not have a standalone data privacy law. The Data Privacy Bill introduced in 2019 was withdrawn in the monsoon session of the Parliament. The government said that it would be re-introduced after making the necessary changes.
“Personal Data Protection Bill 2018 and EU GDPR are not enforceable in India as the Indian Parliament didn’t pass them. Therefore, the new comprehensive data protection bill, which the government is currently drafting, must ensure that public and private sectors are adequately covered within its ambit,” Kamesh Shekar, Programme Manager, Privacy and Data Governance Vertical, The Dialogue, a policy think-tank on internet safety, said.
“In the absence of any law or rules regarding the protection of personal data, the move such as that of IRCTC rings alarm bells. The data submitted by the individual passengers to the IRCTC was not explicitly for monetization,” Satya Muley, a lawyer at Bombay High Court, said.
Several instances of IRCTC’s data theft have surfaced in the past. In October 2019, it was reported that Dark Web risk monitoring firm Cyble had spotted data of over 900,000 users on the Dark Web.
In another data leak case, a 17-year-old school student, P Renganathan from Chennai, identified and helped the IRCTC fix a bug in its online-ticketing platform. Notably, the bug could have exposed millions of passengers and their private information. After Renganathan raised the alarm, the bug was fixed and was acknowledged by the IRCTC.
“Purpose of improving customer experience may also sound a bit rosy but also carries with it risks of data theft, once the data lands into the hands of third parties,” Muley added.
However, the government is reportedly framing a new data bill keeping in mind the suggestions and recommendations received in the last, now withdrawn, bill.
“The new comprehensive data protection bill, which the government is currently drafting, must ensure that public and private sectors are adequately covered within its ambit,” Shekar said.
However, until the new law is introduced, “data sharing or monetization should be done with the informed consent of customers,” Jain said.