In a recent Public Interest Litigation (PIL) addressed by the Delhi High Court, Ashwini Kumar Upadhyay v Union of India, a critical spotlight was cast on the practices of foreign-owned companies that collect personal information through travel booking platforms in India.
This judgment underscores the significant challenges and stringent requirements for personal data protection under Indian law, emphasizing the need for all international corporations to adhere closely to Indian personal data protection regulations.
In early 2024, a PIL was filed by Ashwini Kumar Upadhyay (Ashwini), highlighting concerns about the collection of personal data (including Aadhaar – India’s unified identification system that contains demographic and biometric data, and passport details) by foreign-owned travel companies operating in India. This extensive reach of data collection extends to both ordinary citizens as well as high-profile individuals such as legislators, ministers, judges, military personnel, government officials, and their families. Furthermore, several of these companies are partially or fully owned by Chinese investors raising concerns of potential misuse of personal data. The PIL therefore, pressed for enhanced privacy protection of personal data, both domestic and foreign, amassed by travel companies during booking processes.
Referring to the 2017 Justice K.S. Puttaswamy (Retd.) vs Union of India case, which established privacy as a fundamental right under Article 21 of the Indian Constitution, the petition reinforced the fundamental right of privacy. Notably, Section 3 of the Digital Personal Data Protection Act, 2023 (DPDPA) was also highlighted in the petition, which extends its jurisdiction to handling digital data within India, regardless of where it is processed.
However, in the decision dated April 3, 2024, the Division (two-judge) Bench disposed of the petition without delving into the specific complaints, reasoning that Ashwini had not filed any representation with the Union of India –– which is typically required before approaching the Court. The Court thus allowed Ashwini the liberty to raise this grievance with the government. Additionally, the Court clarified that it has not commented on the merits of the issue.
While the Court’s decision to not delve into the merits of the case leaves many questions unanswered, it signals the pressing need for a comprehensive administrative and legal framework to ensure the protection of personal data across the wide spectrum of both domestic and international businesses. It highlights the need for businesses to comply with data protection laws and the potential reputational risks associated with the mishandling of personal data. For policymakers, this case is a reminder to tighten data privacy laws and ensure the robustness of their implementation to address challenges arising from businesses handling large volumes of personal data.
Milind Yadav and S Chandrasekhar are colleagues from K&S Digiprotect Services Pvt. Ltd, an affiliate of K&S Partners which delivers premier consultancy in data privacy, information security, and digital estate management.