Travel Agencies and DPDPA: Ensuring Traveller Data Security

Introduction

India’s tourism sector contributed 230 billion USD to the country’s economy in 2023, and the graph only goes upwards. The internet has made every corner of the world accessible, and travellers often place reliance on travel agencies for the entirety of their travel, and in most cases even before the beginning of their travel. Be it booking flights and hotels or seeking directions to the local markets, travel agencies help every step of the way. This makes it essential to understand the key developments related to the regulation of the digital economy in India, especially the data handling by the travel agencies and its regulation. This blog will dive deeply into the regulation of consumers’ data in possession of these agencies and how the DPDPA steps in to protect this data.

Obligations under DPDPA

At the outset, it is important to understand that the Act places certain responsibilities on the entity collecting data, regardless of its nature or the specifics of the industry. Section 2(k) defines such entities as Data Processors, which essentially means any person who processes personal data on behalf of the Data Fiduciary. Data Fiduciary, further, finds a place in section 2(i) and is defined to mean any person or group of persons who decide the purpose and means of processing personal data. The principles of Data Protection are outlined in section 4 and enshrine the core values that are meant to be followed by all entities. The section lays down the guiding values of the processing of personal data. These include Purpose Limitation, Data Minimization, and Accuracy. A Data Principal is defined in section 2(j) as the person whose personal data is collected.

As a Data Fiduciary, travel agencies owe certain duties to their consumers. These obligations include:

(a)   Obtaining valid consent (section 6): the nature of such consent must be free, specific, informed, unconditional, and unambiguous with clear affirmative action. There is also a requirement for such consent to signify an agreement to process the Data Principal’s personal data for the specified purpose, and the data must be used only as necessary.

This is an extremely important aspect of data processing that travel agencies must account for. The data collected by such agencies is of an extremely sensitive nature. Hence, consumers must be made aware that their collected data will not be used for any purpose for which they have not given their active consent.

(b)  Providing notice to Data Principals (section 5): every request made to a Data Principal under section 6 for consent is mandated to either be followed or preceded by a notice from the Data Fiduciary to the Data Principal. Such notice is required to inform the Data Principal of the purpose of such data collection, the manner in which the rights of the Data Principal can be exercised, and the details of grievance redressal systems.

If consent isn’t informed consent, it is no consent. This is why it is not sufficient for travel agencies to simply require consent from their consumers. They also have the duty to inform the consumers of the implications of such consent.

(c)   Data Security Safeguards (section 8): A Data Fiduciary is expected to implement technical and organisational measures to ensure that the act’s provisions are observed.

Given the varied diversity and large quantum of data possessed by travel agencies, it is pertinent that they ensure that they deploy the best data protection measures. This will inspire the confidence of consumers, who will feel more secure sharing their data.

The Principle of Data Retention

An important element to consider is the concept of Data Retention and Erasure. A Data Fiduciary is necessitated under DPDPA to erase personal data if the consent given by the Data Principal is withdrawn. It also includes situations where it can be reasonably assumed that the specified purpose has been reached or that the purpose is no longer being served. Whichever of the two occurs earlier, that timeline is considered. This means that organisations are expected to have swift mechanisms in place to delete or anonymise data when it no longer serves a legitimate purpose.

Travel agencies are entrusted by their consumers with data that can threaten their personal safety since every detail of their travel is shared, no matter how small or relevant. This comes with the accompanying risk of the consumer being put in a vulnerable position if such data is shared with third parties since their geographical location and itinerary might be shared. There is also a high susceptibility to targeted marketing to consumers, which might be misleading or manipulative, given that consumers are visiting unfamiliar places. There is also a high risk of fraud in the nature of data breaches, identity theft, and financial fraud caused by the personal data collected by such agencies due to the sensitive nature of data collected in the form of passport details, credit card information and other details.

To combat these risk factors, travel agencies can take certain steps to ensure the security of the data. These are best security practices to avoid data breach:

Access Controls: Restrict access to sensitive data to only those who need it. Use robust access control measures like multi-factor authentication and role-based permissions to prevent unauthorized access and ensure data security.

Regular Audits: Conduct frequent assessments and security checks to spot and fix any weaknesses in your data systems. These evaluations help maintain compliance with the DPDPA and update your security practices as necessary.

Employee Training: Educate staff on data protection protocols and the importance of adhering to the DPDPA. Regular training helps employees grasp their role in protecting personal data and the risks of not following proper procedures.

Third-Party Vendors: Ensure that your vendors and partners follow stringent data protection standards. Perform thorough checks and establish clear agreements to confirm their compliance, regularly reviewing their practices to reduce the risks associated with external data handling.

Conclusion

The travel industry’s growing reliance on digital data makes the protection of traveler information paramount. With the rise of online bookings and personalized travel experiences, travel agencies collect vast amounts of sensitive personal data. The Digital Personal Data Protection Act (DPDPA) ensures that this data is handled responsibly, protecting consumers from potential misuse.

Travel agencies, as Data Fiduciaries, have clear obligations under the DPDPA. They must obtain explicit and informed consent from travelers. This transparency builds trust and reassures travelers that their data is used only for the intended purposes.. By keeping travelers informed, agencies promote a culture of openness and accountability, making it clear how their data will be used and protected. Implementing robust data security safeguards is crucial. Travel agencies must adopt technical and organizational measures to prevent data breaches and unauthorized access.

The DPDPA provides a comprehensive framework for protecting traveler data. Travel agencies must embrace these regulations to safeguard personal information, build consumer trust, and contribute to a secure digital economy. By adhering to the principles of data protection, implementing robust security measures, and fostering a culture of transparency, travel agencies can ensure that travelers’ data remains safe and secure throughout their journeys.