The Indian government has said that airlines will have to mandatorily provide details of all international passengers to the Customs Department for preventing and prosecuting offences under the Customs Act, 1962.
Every airline will have to transfer the ‘passenger name record information’ from their reservation system to the database of the Customs Department for every international flight departing from India or arriving in the country, according to the Passenger Name Record Information Regulations, 2022 notified by the Central Board of Indirect Taxes and Customs (CBIC) under the Ministry of Finance.
The information such as passenger name record (PNR), date of travel, credit card details and seat assigned will have to be shared at least 24 hours before departure and failure to comply will invite a minimum penalty of ₹25,000 and a maximum of ₹50,000 for every act of non-compliance, the regulations say.
The rules note that the National Customs Targeting Centre for Passengers or the database set up by the CBIC will collect the information for “risk analysis of passengers” for the purpose of “prevention, detection, investigation and prosecution of offences under the Act [Customs Act, 1962].”
Such data can also be shared with law enforcement agencies or government departments of India or any other country under regulation 10.
Regulation 10 states, “When the passenger name record information relates to any offence, under any law for the time being in force, at the national or international level, the National Customs Targeting Centre for Passengers may share the relevant information on a case-to-case basis.”
The details the airline will have to share include PNR (Passenger Name Record) locator code, date of reservation, date of intended travel, frequent flyer and information on other benefits such as free tickets and upgrades, all available contact information, billing information including credit card number, travel agency or agent, seat information as well as the history of changes to the PNR. Such data will be retained for a maximum period of five years after which it will be disposed of by depersonalisation or anonymisation but can be “re-personalised and unmasked when used in connection with an identifiable cause, threat or risk for the specified purposes”. On ensuring the privacy of such data, the rules say that it should be subject to “the provisions of any law for the time being in force” and that such information will only be “received, stored, processed and disseminated in a secure system accessible only to the duly authorised officers by establishing robust procedure.”