





























Digi Yatra is developing an electronic passport-based enrollment system for international travel that captures only the minimum necessary identity attributes required for verification, such as the passenger’s name, photograph, and passport-linked identifiers. MediaNama received this information from the Digi Yatra Foundation (DYF) in response to questions sent for an April 10 article on the platform’s planned expansion beyond domestic aviation.
Immigration outside scope: DYF said it has already “demonstrated technical interoperability for international travel through controlled trials at Bengaluru, including scenarios such as the Bengaluru–Doha corridor.” These trials “validated the core architecture, issuance, sharing, and verification of digital identity credentials across airline and airport systems,” and align with “global frameworks such as the IATA’s One ID initiative.”
However, the Foundation reiterated a key limitation: “these pilots excluded immigration processes, which would require separate regulatory approvals and coordination with multiple stakeholders.” It added that immigration and border control integration will depend on “bilateral or multilateral agreements, coordination with global aviation bodies, and ecosystem readiness.”
DYF did not provide a concrete rollout timeline or name partner countries, leaving those aspects unclear.
Token-based system: DYF described a decentralised, token-based architecture. It said personal data “remains encrypted and stored on the user’s device,” and that for each journey, “only a flight-specific, time-bound token along with the necessary information is shared to enable verification.”
The Foundation added that this shared data “is automatically deleted by the Airport Verifier within 24 hours of the flight’s scheduled time of departure.” It emphasised that the system “does not maintain any central repository of personal data”.
DPDP compliance and consent: DYF repeatedly anchored its design to the Digital Personal Data Protection Act (DPDP). It stated that the system is “strictly limited to enabling identity verification at airport checkpoints, and is not used for any purpose beyond facilitation of the passenger journey.”
According to the response, “users provide explicit consent at the time of enrollment and retain control over their data within the Digi Yatra app,” and “consent remains revocable.” The Foundation characterised its architecture as “privacy-by-design, consent-driven,” with “data minimisation, strong encryption and access controls, periodic security and compliance audits, and structured internal governance for data protection and risk management.”
Foreign nationals and legal framework: On whether Digi Yatra will process data of foreign travellers, DYF said its system “has been designed to support both Indian citizens and foreign nationals,” while ensuring that processing remains “minimal, consent-driven, and jurisdiction-compliant.”
It added that data handling will occur “through the established aviation regulations, data protection laws and international cross-border rules which apply to the situation,” and that the platform aligns with India’s DPDP Act as well as “relevant regulations in partner jurisdictions.”
Data sharing with airports and user rights: DYF clarified that passengers share “their flight-specific token and facial biometric information with the origin airport,” and that, in international scenarios, “similar sharing may extend to destination airport systems where interoperability is enabled.”
It stated that airports store this data “in secure environments” for operational use, but that it “gets deleted automatically after 24 hours of scheduled departure.” On user rights, DYF said individuals retain control because “their personal data stays on their device,” and that grievance redressal processes are “aligned with applicable regulatory requirements.”
The response did not detail specific mechanisms for access, correction, or erasure requests under DPDP.
Significant data fiduciary (SDF) status left unanswered: DYF declined to state whether it would be classified as an SDF. It said: “The classification of any organisation as a Significant Data Fiduciary is determined solely by the regulator under the Digital Personal Data Protection Act. Digi Yatra does not comment on or speculate about such classifications.”
Also read
For You
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。