The government wants to know how, when and where are you travelling and on whose money and hence directed airlines to start sharing this data. While the regulations of this system of this data sharing bridge have existed since 2022, it is now proposed to make it mandatory for all airlines to share the specified passenger data with the Customs Department from April 1, 2025. The department wants airlines to register for a new portal dubbed ‘NCTC-Pax‘ by January 10, 2025. A total of 19 different types of passenger information data like PNR, contact details, all available payment/billing information (example- credit card number), frequent flyer number, Travel itinerary for specific PNR, code share flight information, seat information including seat number, etc are to be shared by airlines to the government (Customs Department).
When it comes to sensitive identifiable passenger information like this, it is natural for people to worry about data privacy and security. Read below to find out what measures the government took in this regard and why this data is being collected.
Airlines have to register on NCTC-Pax portal by January 10, 2025 to share passenger data with government
The Central Board of Indirect Taxes and Customs (CBIC) has directed all scheduled and non-scheduled air transport service providers operating international flights from/to India to register on the The National Customs Targeting Centre-Passenger (NCTC-Pax) portal by January 10, 2025.
Once the registration process is finished, CBIC intends to start the data sharing bridge between airlines and government on a pilot basis with few airlines from February 10, 2025. The full scale operation is targeted to start from April 1, 2025 for all airlines. However for airlines intending to operate through the Global Distribution System (GDS) the desired full operational timeline is June 1, 2025.
“Every aircraft operator shall register with NCTC-Pax in the form prescribed in Annexure-I to PNR Information Regulations, 2022 by 10th January, 2025,” said CBIC in a letter.
Government intend to collect 19 types of passenger travel details from airline companies through the NCTC-Pax portal
According to the letter by CBIC available in public domain, this passenger data sharing bridge between the government and airlines will be implemented on a pilot basis with some airlines who have expressed willingness to participate in the same. “Every aircraft operator shall transfer the passenger name record information, as per list in Annexure II to PNRI Regulations, 2022 of passengers they have already collected such information in the normal course of business operations, to ATS-P,” CBIC said.
The said letter has details of Annexure B which said, “ANNEXURE – B: High-level details of Indian PNRGOV project”. The same letter also has details about Annexure II which states which are the 19 types of passenger details which the government will collect and store for up to 5 years.
What can be the reason behind collection and storage of such passenger data by the government?
Experts say the primary intention of the government is to put an end to the smugglers’ operations.
Prabhakar K S, Founder & CEO, Shree Tax Chambers, a Bengaluru-based International Tax and customs advisory, says “The move is in line with the new provisions – Section 30A: Passenger and crew arrival manifest and passenger name record information and Section 40A: Passenger and crew departure manifest and passenger name record information – inserted to the Customs Act, 1962 with effect from March 31, 2017, to enhance the Customs Department’s capabilities in early detection, timely prohibition and investigative capabilities. For instance, through meticulous investigation, the international airports in Mumbai, Delhi, Chennai, Kozhikode and Kochi have seen a rise in the smuggling of gold and other illicit goods.”
Government to run data analytics for these collected passenger data?
Experts say it can’t be ruled out that the government won’t run data analytics on this data for initiating further investigation into suspicious activities.
Prabhakar says: “By leveraging the data, the customs officials can analyse the travel patterns of frequent travellers to and from known for smugglings, such as Afghanistan, Bahrain, Bangladesh, France, Hong Kong, Kazakhstan, Kenya, Kuwait, Malaysia, Maldives, Myanmar, Nepal, Oman, Qatar, Saudi Arabia, Singapore, South Africa, Sri Lanka, Thailand, UAE, and UK and if found suspicious, they can initiate further investigation under stringent Customs law provisions.”
How secure is this data?
Since the government wishes to collect and process the passenger data through the NCTC-Pax portal, experts raise the question of security of the data which will stay in a centralised location.
Prabhakar says: “Though it was said that passengers’ details are subject to strict information privacy and legal obligations on the Customs, as a common man I have my apprehensions given the earlier instances of frequent data leakages by the dark web and threats by other countries’ cyber-attacks. I hope that the Customs department also steps ahead in time and ensures adequate safeguards are in place.”
CBIC said: “The passenger name record information shall be received, stored, processed and disseminated in a secure system accessible only to the duly authorized officers by establishing robust procedure to protect the privacy of passengers and crew members by the National Customs Targeting Centre-Passenger.”
Vinay Butani, Partner at Economic Laws Practice, says: “Such a centralized data storage inherently carries cybersecurity risks, making it an attractive target for hacking, data breaches, or unauthorized access. While privacy safeguards are formally in place, the large-scale collection of personal data raises significant concerns about surveillance and potential misuse. This is especially relevant when evaluated against the principles of data minimization and purpose limitation under the Digital Personal Data Protection Act, 2023 (DPDPA). Furthermore, the extensive compliance burden placed on airlines to ensure seamless data sharing and reporting adds operational and financial strain. Thus, while the regulations aim to bolster national security, they simultaneously amplify privacy concerns and regulatory burdens, highlighting the need for careful oversight and transparency.
The Passenger Name Record Information Regulations, 2022, explicitly state that sensitive personal data—such as racial or ethnic origin, political opinions, or health information—shall not be processed. Access to passenger data is restricted to authorized officers of the NCTC-P, and data retention policies mandate that passenger information must be anonymized or depersonalized after a maximum period of five years.
Butani says: “However, it is increasingly acknowledged that true anonymization of personal data is almost impossible in the digital age. Modern re-identification techniques can leverage minimal data points to trace back to individuals, even after anonymization. Additionally, while access is nominally restricted to authorized officers, the regulations also permit data sharing with other law enforcement agencies or even foreign governments, subject to specified conditions. This raises valid concerns about potential misuse or overreach, especially since passengers have no option to opt out of sharing such sensitive data. As a result, these regulations, while framed as measures for national security and risk management, also provide mechanisms for heightened surveillance and monitoring of citizens’ travel patterns. This creates an imbalance between security imperatives and individual privacy rights under the DPDPA, 2023.”
What is the NCTC-Pax portal which will process and store the collected passenger data
According to the letter by CBIC, “The National Customs Targeting Centre-Passenger established by the Board to receive and process passenger name record information along with any other information relevant for risk analysis of passengers for the purpose of,-
(a) the prevention, detection, investigation and prosecution of offences under the Act and the rules and regulations made there under, or
(b) the law enforcement agencies or government departments of India or any other country may specify for the purposes of regulation 10.”
Period of retention of data
CBIC said in the letter: “The passenger name record information received in Customs designated system shall be retained for a maximum period of five years from the date of such receipt: Provided that the provisions under this sub-regulation shall not be applicable, if such information is required in the course of an investigation, prosecution, or any court proceeding..……”
Sharing of information with other law enforcement agencies or foreign states
CBIC said: “When passenger name record information relates to any offence, under any law for the time being in force, at national or international level, the National Customs Targeting Centre-Passenger, may share the relevant information on a case-to-case basis with other law enforcement agencies or government departments of India or any other country.
Provided that sharing of such relevant passenger name record information with other law enforcement agencies or government departments of India or any other country shall be subject to maintenance of same level of information privacy and protection of information and safeguards:
Provided further that such other law enforcement agencies or government departments of India or other countries shall, while seeking information, specify the purpose for which such information is being sought.”
Ameya Joshi, an aviation expert, says that information like API (Advanced Passenger Information) was sharable with immigration and law enforcement agencies worldwide earlier as well. When these regulations were notified in 2022, 19 specific information fields were listed out in the Gazette of India. These included available payment/billing information, ticketing information like ticket number, one-way tickets and Automated Ticket Fare Quote (ATFQ) fields.
Going ahead, every aircraft operator will have to transfer passenger name record information not later than twenty-four hours before the departure time; or at the departure time – wheels off.
Originally notified in 2022, a PIB press release dated August 8, 2022 said that the main objective of Passenger Name Record Information Regulations was to “enhance detection, interdiction and investigative capabilities of Customs Authorities using non-intrusive techniques for combating offences related to smuggling of contraband such as narcotics, psychotropic substances, gold, arms & ammunition etc. that directly impact national security”.
