Air India Data Breach: A Legal Analysis

The past year of the pandemic has witnessed a surge of cyber-attacks worldwide, and India has been no exception; it has in fact been among the worst hit. After the massive MobiKwik data breach, Air India recently announced that the servers of its data processor had been compromised, giving unauthorised access to its customer database. It further disclosed that the data of approximately 45 lakh customers registered between 26th August 2011 and 3rd February 2021 had been compromised.

The compromised information includes names, dates of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data, and credit card data. It has, however, been clarified that CVV/CVC numbers were not held by Air India's data processor. The card verification value ordinarily required for card-not-present transactions was therefore not exposed, though the other card details that were exposed can still be misused, for instance in phishing or account-takeover attempts.

Relevant IT Provisions 

India does not yet have a separate branch of law that regulates data protection or penalises failure to protect data. The Information Technology Act, 2000 ("IT Act") is the parent statute under which specific rules have been framed.

Section 43A lays down that a body corporate possessing, dealing with or handling sensitive personal data in a computer resource it owns, controls or operates is responsible for implementing and maintaining reasonable security practices and procedures, and is liable to pay damages by way of compensation where its negligence in doing so causes wrongful loss or wrongful gain to any person.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules") lay down the procedures to ensure the safety and security of sensitive personal information. Under these Rules, an entity that collects personal information is required to publish a privacy policy stating the purpose for which such information is collected. It is also required to have reasonable security practices in place in order to maintain the confidentiality of the information.

Under the SPDI Rules, the following forms of data fall within the ambit of Sensitive Personal Data or Information:

  • Passwords;  

  • Financial information such as Bank account or credit card or debit card or other payment instrument details;  

  • Physical, physiological and mental health condition; 

  • Sexual orientation; 

  • Medical records and history; 

  • Biometric information;  

  • Any detail relating to the above clauses as provided to body corporate for providing service; and  

  • Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise. 

The SPDI Rules mandate that every body corporate shall provide a policy for privacy and disclosure of information. This policy must be implemented wherever such body corporate collects, receives, possesses, stores, deals with or handles information of the provider of information.

Under Rule 5, a body corporate is required to obtain prior consent from the provider of information regarding the purpose for which the SPDI will be used. Such information should be collected only if it is essential for a lawful purpose connected with a function or activity of the body corporate. The body corporate must also obtain prior permission before disclosing any such SPDI to a third party, unless the disclosure is required under a contract or by law.

The Rules further make it mandatory for a body corporate to implement reasonable security practices and procedures in relation to SPDI. These measures should be commensurate with the information being protected. The Rules name the international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" as one such standard, and a body corporate that has implemented it (or an industry code of practice approved by the Central Government) is deemed to have complied with the requirement of reasonable security practices.

In the event of a data breach, as in the present case of Air India, the body corporate (or a person acting on its behalf) must be able to demonstrate, as and when called upon to do so by the agency mandated under the law, that it has implemented security control measures as per its documented information security programme and information security policies. In practice this means that the security controls, their ownership, and the evidence of their operation must be documented before any incident occurs, not reconstructed afterwards.

In the event of a data breach, the body corporate is liable to pay damages or compensation to affected persons where it is proven that the body corporate possessing the SPDI was negligent in protecting such information.

The Rules further mandate that a body corporate shall not retain SPDI for longer than is required for the purpose for which it was collected or as otherwise required by law. The Air India incident illustrates why this matters: the exposed records spanned nearly a decade of registrations.

Data Protection Bill: The Way Forward 

The Personal Data Protection Bill, 2019 ("the Bill") builds on the draft prepared by the committee constituted by the Ministry of Electronics & Information Technology and chaired by Justice B.N. Srikrishna. The Bill applies to the processing of personal data that has been collected, disclosed, shared or otherwise processed within the territory of India, and to processing by the government, any Indian company, any citizen of India, or any person or body of persons incorporated or created under Indian law. It also applies to foreign entities that process the personal data of individuals in India in connection with business carried on in India or the profiling of individuals in India.

Further, the Bill mandates that personal data shall be collected only for clear, specific and lawful purposes and shall be deleted once that purpose has been fulfilled. The Bill also constitutes a Data Protection Authority, which is to ensure adherence to the provisions of the Bill, promote data protection awareness and adjudicate complaints regarding the rights of individuals. The Bill imposes substantial penalties (running into crores of rupees, up to Rs 15 crore or 4% of worldwide turnover for the most serious contraventions) on the entity responsible for the data (the "data fiduciary") where such data is not adequately protected or is processed without the consent of the individual.

The Bill seeks to consolidate and enforce stringent rules on data privacy, an area which, until now, has been governed only by several loosely enforced regulations. Its legal framework is broadly modelled on the General Data Protection Regulation in force in the European Union.


The August 2017 judgement of the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India, which declared the right to privacy a fundamental right under the Constitution, set the ball rolling for the implementation of data protection laws. In the present scenario, this implies that the privacy of any passenger who travels by air and submits their data is protected as a fundamental right and is subject to the prevailing privacy laws. Airlines must comply with these laws before putting passengers' information to use or disclosing it to a third party. Further, airlines are responsible for protecting the information provided to them and for putting the required security infrastructure in place, including where the data is handled by a third-party processor on their behalf.

Protection of information is a challenge faced by businesses, and it must be supported by technology. Too many organisations do not focus on protecting their data, even though data is the raw material on which the entire organisational machinery runs.

It is well known that putting the infrastructure for data protection in place comes at a heavy cost, but, as is often said, "prevention is better than cure": protecting data beforehand is far less laborious and expensive than dealing with the consequences of a data breach. With a team of experts in both technology and law, a robust data protection strategy can be put in place.
