Digi Yatra's case in a nut-shell

India’s airports are undergoing a quiet revolution with the Digi Yatra app. Every day, millions of passengers glide through check-in, security, and boarding gates using nothing more than their faces. No paper tickets. No repeated ID checks, just a quick facial scan.

This seamless experience is powered by Digi Yatra, the country’s flagship biometric travel platform. But behind the convenience lies a growing unease: who exactly controls the sensitive biometric and personal data of these passengers, and is it truly protected under India’s new data privacy law?

PIL filed in the Kerala High Court

The question has now reached the Kerala High Court. On 5 March 2026, a Division Bench comprising Chief Justice Soumen Sen and Justice Syam Kumar VM heard a Public Interest Litigation (PIL) filed by social activist and advocate CR Neelakandan. The petition highlights serious gaps in the handling of passenger data collected through Digi Yatra and similar digital systems at airports. The court has issued notice to the Digi Yatra Foundation and directed the Union of India, Airports Authority of India (AAI), and the Ministry of Electronics and Information Technology (MeitY) to file an affidavit disclosing the current status of the Data Protection Board under Section 18 of the Digital Personal Data Protection (DPDP) Act, 2023. The matter stands adjourned to 19 March 2026 for further consideration.

Digging deeper

It is crucial to understand the nature of the entity operating the Digi Yatra app. Digi Yatra is not a government body. It is set up by the Airports Authority of India and some other private players in the airline industry as a not-for-profit under the Companies Act.

The stakes are high

With over 140 airports handling more than 400 million passengers annually, Digi Yatra has already enrolled tens of millions of users. The biometric templates, travel histories, Aadhaar-linked details, mobile numbers, and even financial data flowing through the system represent one of the largest centralized collections of sensitive personal information in the country. Without a fully functional Data Protection Board to enforce the DPDP Act, passengers are left relying on voluntary guidelines and self-declared safeguards from a private not-for-profit entity. This PIL could force the government to plug those gaps and set a national precedent for biometric systems in public services.

What is Digi Yatra? The Biometric Revolution at Indian Airports

Digi Yatra was first conceptualised in 2017 by the Ministry of Civil Aviation as a “paperless, contactless, and seamless” travel experience. The official policy document released in 2021 formalised it as the Digi Yatra Biometric Boarding System (DYBBS). The platform uses facial recognition technology (FRT) to replace repeated document verification at multiple airport checkpoints.

How Digi Yatra Works

• The process begins with one-time registration. A passenger downloads the Digi Yatra app and links a government-issued ID (Aadhaar, passport, driving licence, or voter ID).

• A selfie is captured, converted into a secure biometric template (not the raw image), and stored in the passenger’s encrypted digital wallet on the app.

• For subsequent travel, the passenger simply looks into a camera at entry gates, security, or boarding— the system matches the live face with the stored template in real time.

The backend is managed through a central ecosystem that connects airlines, online travel agents (OTAs), airport operators, and immigration authorities.

As per the privacy policy of Digi Yatra, data flows via secure APIs with explicit consent at each stage. The entire architecture is designed to be “privacy-by-design,” with end-to-end encryption and claims of data minimisation.

Operationally, the system is run by the Digi Yatra Foundation (DYF), a Section 8 not-for-profit company incorporated under the Companies Act, 2013. Airports Authority of India(AAI) holds 26% stake, while private airport operators (Delhi, Mumbai, Bengaluru, Hyderabad, and Kochi) hold the remaining shares equally.

This private character means the Digi Yatra Foundation is not subject to the Right to Information (RTI) Act, a point repeatedly highlighted in RTIs and now in the ongoing PIL.

Personal Data Collection and Storage

The volume and sensitivity of data are substantial. At the time of registration, the app collects:

• Demographic details (name, date of birth, gender)

• Government ID numbers and scanned copies (Aadhaar, passport, etc.)

• Mobile number and email

• Facial biometric template

• Travel history and PNR details during journeys

For value-added services (hotel bookings, cab services, lounge access), passengers can optionally share contact details with Digi Yatra ecosystem partners.

The official policy of Digi Yatra Foundation claims strict safeguards as follows:

• Facial biometric data is purged from local airport systems within 24 hours of flight departure.

• Non-biometric travel logs are retained for only 30 days for audit purposes.

• The passenger’s primary personal data remains within their app wallet.

However, the PIL argues that these claims are not backed by enforceable contracts with third-party vendors since they lack cybersecurity clauses. Also, the app does not meet the stricter notice, consent, and reasonable security standards mandated by the DPDP Act and its 2025 Rules.

Critics also point out that while the Foundation describes itself as a “data fiduciary,” the absence of a functioning Data Protection Board means there is currently no independent regulator to verify compliance, conduct audits, or impose penalties for breaches.

A troubling picture of systemic gaps

A few key concerns were raised by the petitioner CR Neelakandan.

No overarching legislation compelling the collection of biometric data for air travel.

The entire system rests on a 2021 policy document and voluntary consent. Yet, passengers often report subtle coercion—longer queues for manual processing, staff pressure, or the impression that Digi Yatra is mandatory. The PIL cites multiple instances where data appears to have been shared commercially without fresh consent, and where private operators have integrated passenger data into loyalty or marketing programmes without transparent disclosure.

Lack of security commitments from partners and vendors

Agreements with private airport concessionaires and technology vendors allegedly lack mandatory data protection and cybersecurity clauses. The Foundation’s own policy references the old Information Technology (Reasonable Security Practices) Rules, 2011, but the DPDP Act now imposes higher standards—including purpose limitation, data minimisation, breach notification within 72 hours, and verifiable parental consent for minors.

The 3-fold test of balance prescribed by the Supreme Court

The petition invokes the landmark Justice K.S. Puttaswamy v. Union of India (2017) judgment. The Supreme Court laid down a strict three-fold test for any state or state-enabled action that infringes privacy:

1. It must be backed by legislation

2. It must serve a legitimate necessity

3. It must be proportionate

The PIL contends that Digi Yatra satisfies necessity (convenience and efficiency) but fails on legality (no statute mandates it) and proportionality (collection of sensitive biometrics without adequate safeguards or independent oversight).

The biometric nature of the data makes any breach irreversible, unlike passwords; a leaked facial data cannot be changed.

The petitioner has also sought permission to file a supplementary affidavit detailing specific breach instances, which the court has allowed.

Loooking for Data Privacy Advisory?

Request for a free 1-1 meeting with an expert Data Privacy Governance Consultant.

Our consultants can help you comply with global privacy data protection regulations in India (DPDP Act), The European Union (EU-GDPR) and other global jurisdictions