By Sukriti
Introduction
Digiyatra is a facial recognition technology (“FRT”) based system, which aims to offer a quick and hassle free experience for travellers at airports. It intends to ensure a paperless and contactless entry through all airport checkpoints by verifying identity through a facial scan. Passengers can register on the Digiyatra application through their Aadhaar number and travel details to facilitate document-free travel through the use of FRT. It was first launched in 2022 and is currently in operation at thirteen airports in the country – Delhi, Bengaluru, Varanasi, Hyderabad, Kolkata, Vijayawada, Pune, Mumbai, Cochin, Ahmedabad, Lucknow, Jaipur, and Guwahati. The Ministry of Civil Aviation (“MoCA”) released the first Digiyatra policy in 2018 and an updated policy in 2021.
Currently, Digiyatra is being implemented by a Joint Venture called Digiyatra Foundation (“DYF”), which consists of the Airport Authority of India, with a 26% stake and Bengaluru Airport, Delhi Airport, Hyderabad Airport, Mumbai Airport and Cochin International Airport with the remaining 74% stake.
Although the use of Digiyatra is supposed to be voluntary, recent reports indicated passengers being coerced to sign up for Digiyatra by airport personnel, despite their protests. After receiving several complaints, the MoCA clarified that the service remains voluntary and the airport personnel have been instructed to obtain consent of passengers for using Digiyatra.
This blog will explore and question the idea of ‘consent’ sought for availing such services. It argues that Digiyatra is based on a defective model of consent and results in compromised autonomy. In employing FRT, Digiyatra exposes the limits of ‘consent’ for data protection and privacy. This blog will analyse how, despite masquerading as a voluntary service, Digiyatra is exploitative of consent.
Citizen’s perception of State and Diminished Choice
DYF has been claimed to be a private entity and therefore out of the scope of the Right to Information Act, 2005 (“RTI”). However, this assertion can be challenged. Albeit the shareholding of Digiyatra makes it a private entity, whether or not an entity falls within the purview of RTI does not necessarily depend on the same. The Supreme Court has held that an entity can fall within the purview of RTI if there is substantial financial support by the government which should be determined on a case-to-case basis. Thus, the extent of shareholding of the government is not a necessary indicator of the financial influence of the government. Further, information pertaining to a private entity may also fall within the scope of RTI if the government has access to such information (Rajeshwar Majoor Kamgari Sahakari Sanstha Ltd. vs. State Information Commissioner, 2011 SCC OnLine Bom 707). Hence, Digiyatra could fall within the scope of RTI.
Determination of DYF as State or State instrumentality under Article 12 of the Constitution is also a fact-based assessment that depends on an array of factors and private nature alone may not disqualify the DYF from Article 12.
Regardless of its status as a ‘State’ instrumentality, given that Digiyatra is an initiative of the MoCA, the public perception towards the initiative can distort individual consent.The context in which people make a choice may subject it to distortion. A perception of state-sponsored initiative taps into citizen’s trust in the State in offering welfare services of public utility. This can impact individual discretion in disclosing personal data, given that there is little awareness or understanding of potential implications of disclosing personal data for FRT-based technologies. Additionally, airports are placed with logistical barriers to drive more people to opt for it. For instance, almost all terminal gates at the Indira Gandhi International Airport at New Delhi and the Kempegowda Airport at Bengaluru employ Digiyatra, which makes the non-Digiyatra option cumbersome and inconvenient, thus narrowing and manipulating available choices. To illustrate this point, while travelling from the Bengaluru Airport, upon asking for the non-Digiyatra option, only one entry gate was made accessible, which is the very last entry gate. Even then, non-Digiyatra entry at that gate was allowed by opening a separate spot.
Considering the above subjective behaviour of citizens, one cannot consider a requirement of consent for Digiyatra as meaningful or free.
Limits of consent and implications for data protection
Use of FRT has been argued to have various implications for data protection and surveillance. Even as the MoCA reassured that the data collected for Digiyatra is purged within 24 hours, the Digiyatra Policy of 2021 creates exemptions to the same, while allowing access to “any Security Agency, GOI [Government of India] or other Govt. Agency… to the passenger data based on the current/ existing protocols prevalent at that time”. Apart from the dearth of public awareness on the issue that influences willingness to give consent, as argued above, FRT also arguably has a “fatal consent problem”. Selinger and Hartzog have argued that consent is a “broken regulatory mechanism” for facial surveillance, within which they include systems such as Digiyatra. They argue that the logic of consent for facial recognition is dodgy because an individual is never fully aware of the threats that facial recognition carries for their autonomy.
They further argue that FRT compromises “obscurity”. Obscurity is the idea that refers to the “ease or difficulty of finding information and correctly interpreting it”. Selinger and Hartzog explain, “the harder it is to locate information or reliably understand what it means in context, the safer, practically speaking, the information is.” Obscurity is important because it furthers individual autonomy since privacy is presupposed in society to mean that information is disclosed to some audiences but not everyone, unlike anonymity, which means “nobody knows who you are”. Obscurity furthers this through “structural constraints”, which are technological limitations that make access and identification of individual movements and behaviours difficult and expensive. As per Selinger and Hartzog, in order to enable people to give valid consent for FRT, they should have an awareness of how they presume obscurity to protect privacy and the implications for obscurity by use of FRTs.
However, Selinger and Hartzog ask, “what good is recognising the value of obscurity if it is unobtainable?” They suggest that since obscurity is inevitably lost, the privacy regulatory regime should provide for “meaningful obscurity protections.”
In the case of Digiyatra, because of the use of FRT, the above concerns remain true, rendering it “inconsentable”. However, the concerns are aggravated because of the absence of any statute in India regulating the use of FRT and the legal vacuum within which Digiyatra operates, which is a mere standalone policy document. Moreover, the exemption of Digiyatra from RTI leads to a severe lack of transparency. Even if it was not considered exempt under RTI, the government could exempt it under the Digital Data Protection Act, 2023 from disclosing any information under RTI by qualifying Digiyatra as a State instrumentality.
Despite the 24-hour data purge policy, the personal data of individuals may still remain at risk as the Digiyatra Policy of 2021 plans on allowing users to use ‘Digiyatra value-added services’, which will allow users to avail third party services from “Digiyatra ecosystem stakeholders/partners”. These could include cab, hotel or lounge services. The sample consent notice for the same requires consent to the use of the passenger’s phone number, email ID, Ticket/Boarding Pass Data and Face Biometric data to avail these services. This could lead to loss of autonomy over data leading to risks of data aggregation, data monetisation, and profiling.
The impact of citizen’s perception of the State in deciding consent as well as the limitation in the idea of consent itself with regard to FRT together operate to compound the problem of consent for Digiyatra. It is important that Digiyatra remains a strictly voluntary service. For Digiyatra to be truly voluntary as a service, the current model of implementation needs an overhaul.
The CCG Blog 