Explained: IRCTC's passenger data sale 'plan', the outrage, the denial
Reports suggested IRCTC is looking to monetise passenger and freight data; as privacy advocates cried foul, the organisation issued a strong denial
Indian Railways Catering & Tourism Corporation Ltd (IRCTC), which sells railway tickets and food on trains, is set to sell passenger and freight data to third parties, media reports claimed. This set forth a volley of questions on data privacy and outrage from digital rights advocates, and IRCTC had to put out a statement saying the claims were not true.
Media reports said IRCTC was employing a consultant, and both the company and the government plan to monetise passenger and freight customer data. They suggested the objective was to generate Rs 1,000 crore in revenue through this route.
The reports were published in print media and online, and did the rounds on social media platforms. and received a severe backlash from those advocating digital rights. Within a day or two, IRCTC released its statement.
No such plan, says IRCTC
A senior official at the IRCTC quoted by ANI claimed that the media reports were totally fictitious; that the company did not sell data and neither was there any intention to do so.
The official also said that IRCTC does not store any financial data of its customers on its system server, as at the time of online payment for its various services, control is passed on to the respective payment gateway or bank for the payment.
Also read: IRCTC update: You can now book up to 24 train tickets a month
The reports had claimed that a consultant of international repute was expected to study the data of IRCTC’s passenger, freight and parcel business as well as any vendor-related data from applications of Indian Railways. Rejecting the claims, the IRCTC official said the consultants were being hired to improve existing businesses and advise on new business lines which the organisation may adopt in the near future.
Controversial tender
According to the tender document, IRCTC had chalked up a plan to study and use customer data including “name, age, mobile number, gender, address, e-mail ID, class of journey, payment mode, login or password,” in addition to behavioural data such as payment and booking mode, frequency of journey, and so on.
The tender document, titled ‘The Scope of Work for Project A: For study of Monetization of Digital Data of Indian Railways (IR)’ had reportedly stated that the consultant, once finalised, will be provided the details of applications and the data collected thereon for conducting the study for ‘Monetization of Digital Data of Indian Railways’. It reportedly mentioned an August 29 deadline for the tender.
“IRCTC envisages a revenue generation potential of Rs 1,000 Cr through monetization of its digital assets. IRCTC wishes to engage a consulting firm to help in identification, design, and development and roll-out of data monetization opportunities,” it stated.
The document also said that the consultant will study various laws, including the IT Act, 2000, and its amendments, user data privacy laws, including the General Data Protection Regulation and the current ‘Personal Data Protection Bill, 2018’, and accordingly, propose the business models for monetisation of digital assets. It would prepare a roadmap for data monetisation of the digital data collected at various customer-facing and vendor-related applications which include zonal railways, divisions, and other units like CRIS, and PSUs like IRCTC, Railtel, etc.
Never planned or plan axed?
While the IRCTC official quoted by ANI said there were no plans ever to monetise passenger data, subsequent media reports suggested the organisation, a publicly listed commercial entity, did have such a plan. It axed the plan only because of public outrage, the reports said.
Several activists and NGOs had raised concerns over the tender and outlined its pitfalls on Twitter, especially the sweeping scope in the assessment the consultant was meant to carry out. Internet Freedom Foundation, a Delhi-based non-governmental organisation advocating digital rights and liberties, raised strong concerns over Railways’ plan. The NGO outlined the pitfalls of the plan in a series of tweets.
🚨ALERT: Hey train travellers, your data will soon be monetised by the govt. & that too, in the absence of a data protection legislation! @IRCTCofficial has uploaded a tender to appoint a consultant for digital data monetisation.🧵on what this means. 1/8https://t.co/YbyF0tazZi pic.twitter.com/x9vMfGlKxC
— Internet Freedom Foundation (IFF) (@internetfreedom) August 19, 2022
A day later, it tweeted that it was awaiting clarity on the tender.
UPDATE: We’re seeing contrasting official & unofficial statements based on news reports. IFF will formally write to @IRCTCofficial, seeking clarity & a recall of the tender that threatens the privacy of over 10 crore users.
👉https://t.co/ASqfvntVti
👉https://t.co/8PCN7fP5sz https://t.co/5V2ZJZ9H8f pic.twitter.com/M956khzaUQ— Internet Freedom Foundation (IFF) (@internetfreedom) August 20, 2022
A Times of India report quoted sources as saying necessary approvals were taken before IRCTC floated the tender. It was decided that only generic and anonymous data would be monetised, and no individual data or details would be monetised, the report added.
A PTI report quoting highly-placed sources said the plan was withdrawn “considering the fact that the Data Protection Bill has not been finalised”. If a new data privacy law is enacted (a new Bill is set to be tabled in the Winter Session of Parliament), and the monetisation plan is tailored around it, IRCTC may still go ahead with it.
