Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.
Research Team (Tsaaro)
DigiYatra Faces Heat Over Biometric Data Use, Transparency, and Missing Independent Audit
Mar 3, 2026

India’s facial recognition-based airport system, DigiYatra, is under scrutiny after a parliamentary standing committee flagged serious concerns about the handling of sensitive biometric data.
The committee noted that DigiYatra collects highly sensitive personal data, particularly facial recognition information, yet no independent audit of the system has been conducted so far, raising a major oversight gap. With over 2 million registered users and operations across nearly 30 airports, the scale of data collection has intensified privacy risks.
While DigiYatra has significantly streamlined airport processes and has reportedly been used over 86 million times, the panel emphasised a lack of transparency regarding how data is collected, stored, processed, and potentially shared. It also questioned whether the platform has delivered measurable improvements in passenger processing time, citing the absence of publicly verified data.
To address these concerns, the committee has recommended:
An independent audit by a neutral cybersecurity agency
Review of user consent mechanisms
Clear policies on data storage and retention
Assessment of risks related to data breaches or misuse
The report highlights a broader policy dilemma: balancing technological efficiency with the fundamental right to privacy. Experts stress that biometric systems demand robust safeguards, continuous monitoring, and strict compliance frameworks.
Source: Parliament Panel Flags Biometric Data Risks in DigiYatra System.
News of the week:
India Replaces Chinese Toll Cameras with Western Alternatives Over Security Concerns.

India has decided to phase out Chinese-origin surveillance equipment at highway toll plazas, replacing them with alternatives from trusted international suppliers due to rising national security concerns. The move is part of a broader effort to modernise toll collection through high-speed camera systems that allow vehicles to pass without slowing down, improving traffic efficiency. However, authorities fear that cameras manufactured wholly or partially in China could pose surveillance risks, particularly in sensitive infrastructure, as such devices may potentially be exploited for intelligence-gathering during geopolitical tensions or conflicts.
To address these risks, agencies like the National Highways Authority of India have shortlisted non-Chinese vendors, including VIVOTEK, Robert Bosch GmbH, and Motorola Solutions Inc., for deployment across nearly 1,150 toll locations. Although these alternatives are more expensive than Chinese counterparts, the government has prioritised security over cost efficiency.
Further, India’s Standardisation Testing and Quality Certification Directorate has been tasked with rigorously testing and certifying all surveillance equipment. Only those devices that are verified to contain no critical Chinese components are being approved for use in tolling and other government applications. This layered approach of vendor diversification, stricter certification, and technological upgrades is India’s attempt to balance infrastructure modernisation with safeguarding data security and national sovereignty.
Source: India bars Chinese cameras at toll ways on data security concerns.
FDPPI Launches a Body to Prepare Industries for DPDP Act Amid Clarity Concerns.

The Federation of Data Protection Professionals of India has launched a new initiative to strengthen India’s data protection ecosystem ahead of the implementation of the Digital Personal Data Protection Act, 2023, which is set to come into force in May 2027. The move is aimed at building capacity and preparing a skilled pool of independent data auditors, whose appointment will be mandatory under the law. However, a key concern highlighted by industry experts is the lack of clarity around the exact roles, responsibilities, and scope of these auditors, which could lead to inconsistent compliance, weak enforcement, and increased risks of data breaches and regulatory penalties for businesses.
FDPPI has emphasised that the initiative is forward-looking, seeking to establish a credible and well-trained auditing ecosystem before enforcement intensifies. The association is designed to be inclusive, allowing even freshers to join as probationary auditors, learn through collaboration, and gradually develop into qualified professionals.
At a broader level, FDPPI aims to create a convergence platform that brings together data auditors, privacy auditors, and information security professionals, thereby bridging gaps between compliance demand and available expertise. It has also developed a framework to guide a jurisprudential interpretation of the DPDP Act, promoting a “compliance by design” approach among data fiduciaries.
Source: DPDP Act 2026: FDPPI launches data auditors body to boost compliance.
Most Indian Businesses Struggle with High Costs and Compliance Challenges Under DPDP Act

A recent study by Esya Centre highlights that a large majority of Indian businesses are struggling to comply with the Digital Personal Data Protection Act, 2023, primarily due to high costs, regulatory complexity, and lack of clarity. Around 85% of businesses are concerned about the expense of verifying data, with nearly 30% estimating compliance costs could exceed 10% of their revenue, potentially disrupting operations such as system upgrades and product development. The law also creates challenges for India’s AI ecosystem, as over 75% of companies rely on publicly available personal data for training models, which is now subject to stricter usage conditions.
Compliance remains a key hurdle, with nearly 80% of firms finding it difficult to verify public data, and many describing it as nearly unworkable in practice. Additionally, 62% of businesses lack awareness of core provisions like Section 7, which governs non-consensual data use. Industry voices point out that companies must overhaul existing systems to incorporate consent dashboards, breach notification mechanisms, and data localisation requirements, placing a disproportionate burden on MSMEs due to costs related to hiring data protection officers, conducting audits, and retraining staff.
