A petition has been submitted to the Delhi High Court, urging the Union government to implement measures guaranteeing the privacy of personal data collected by travel companies, especially those operating on an international scale, throughout the process of ticket booking.

The case is scheduled to be heard before a division bench of Acting Chief Justice Manmohan and Justice Manmeet Pritam Singh Arora. 

In the petition, the petitioner has raised concerns about the potential misuse of citizens' data, specifically Aadhaar and passport details, by three foreign corporations operating in India—MakeMyTrip, GoIbibo, and SkyScanner—which are either partially or wholly owned by Chinese investors.

Citing the Supreme Court's ruling in the case of Justice K.S. Puttaswamy (Retd.) vs. Union of India, the petitioner underscored the importance of government-issued identity cards and stressed the need for stringent regulations to govern their handling.

The petitioner emphasized that according to Section 3 of the Digital Personal Data Protection Act, 2023 (DPDP Act), the Act extends its jurisdiction to the processing of digital data both domestically and internationally, especially if goods or services are provided to individuals within the territory of India. Therefore, the plea asserted that the government must request clarification from travel companies, particularly those operating abroad, regarding the measures they have in place for data protect

The petitioner highlighted that according to the DPDP Act, any request for consent from a data principal must be accompanied or preceded by a notice from the data fiduciary. This notice should inform the data principal about the personal data being processed, the purpose of processing, and the method for exercising rights and lodging complaints. Section 8 of the Act imposes obligations on data fiduciaries to ensure the completeness, accuracy, and consistency of personal data. Furthermore, in case of a breach, data fiduciaries are required to notify the board and affected data principals, as stated in the plea.

Additionally, the petitioner asserted that fiduciaries are mandated to appoint a data protection officer located in India. The petitioner highlighted Section 11, which grants data principals the right to access a summary of their personal data, its usage, and the identities of all data fiduciaries and processors with whom data has been shared.

Case Title: Ashwini Kumar Upadhyay v Union of India & Others