The Indian Railways Catering and Tourism Corporation (IRCTC) has intentions to monetize its bank of passenger data for conducting business with public and private organisations, which raises privacy concerns regarding the commercial usage of passenger data on trains.
The Indian Railways’ ticketing division, IRCTC, has released a request for proposals to appoint a consultancy firm to create a road plan for monetizing the data. According to a PTI report, given that a data protection Bill has not been finalised, the tender may be revoked due to privacy concerns. The tender was still active on the IRCTC website at the time of publication, nevertheless.
The proposal states that passenger information, including name, age, mobile number, gender, email address, payment method, and “login/password,” among other things, might possibly be used to generate revenue. The chosen consultant will also be required to separate data that can be turned into a profit, determine its market viability, and create a final roadmap for doing so. According to the Economic Survey 2021–22, Indian Railways transported 1.25 billion passengers and 1.23 billion tonnes of freight in FY21.
“IRCTC is a repository for enormous volumes of digital data, opening up numerous potential for IRCTC to be monetized. IRCTC stated in the tender that it wished to take use of its market position and data assets to generate significant revenue growth. “IRCTC anticipates that the monetization of its digital assets will have the potential to generate Rs 1,000 crore in revenue. IRCTC wants to work with a consulting company to find, develop, and implement options for data monetisation.
Aside from other rules like the Information Technology Act of 2000 and the EU’s General Data Protection Regulation, the tender document states that the chosen consultant shall design the monetisation roadmap taking into account the “current Personal Data Protection Bill, 2018.” (GDPR).
It should be emphasised that India currently has no laws governing data protection, and the government just withdrew a draught Bill from the Parliament.
Even the most recent version of the bill that was withdrawn is not the data protection Bill that IRCTC mentions in the tender document. In response to a question about the potential privacy hazards of the IRCTC proposal, the Ministry of Electronics and IT (MeitY) did not provide a response.
Privacy advocates have expressed their outrage over the idea, claiming that IRCTC is trying to monetize passenger data in the absence of a privacy framework in the nation. The government-controlled monopoly IRCTC shouldn’t put its financial goals ahead of the rights and interests of its customers, according to a statement from the Delhi-based digital rights organisation Internet Freedom Foundation. Furthermore, the recent withdrawal of the Data Protection Bill, 2021, raises even more questions about such monetization. A “profit maximisation goal,” it continued, “would lead to additional incentives for data gathering, in violation of the principles of data minimization and purpose limitation.”
The Indian Railways has previously explored monetising the vast amount of data it collects. In 2016, then Railways Minister Suresh Prabhu had said that the organisation was exploring the possibility of monetising its data, software and some of the free services provided by Indian Railways, such as PNR enquiry.
The Indian Railways has looked into monetizing the enormous amount of data it gathers in the past. Suresh Prabhu, who was the railways minister at the time, had stated in 2016 that the organisation was investigating the possibilities of monetizing its data, software, and some of the free services offered by Indian Railways, such as PNR enquiry.
At least two previous attempts to commercialise government data were abandoned due to privacy concerns. The Ministry of Road Transport and Highways discontinued its Bulk Data Sharing Policy in 2020, which allowed it to sell private and public entities car registration data (Vahan) and driving licence data (Sarathi). Due to privacy concerns and potential exploitation of personal information, the policy was abandoned.
Data acquired by the Center that has “undergone value addition” can be sold in the open market for a “appropriate price,” according to a draught policy that the MeitY recently presented. After receiving harsh criticism for its suggestion to monetize government data, this draught was withdrawn.