New Delhi: At a time when India’s digital infrastructure is expanding faster than its privacy protections, a case pending in the Delhi High Court has thrown up questions on who has ownership rights over citizens’ data.
The debate is playing out in the HC, where the Digi Yatra Foundation (DYF) is in litigation with Data Evolve Solutions Pvt Ltd (DESPL) over who controls the private information collected on the Digi Yatra application used by domestic air travel passengers. DYF runs the optional facial recognition-based air travel system, while DESPL had helped DYF build it.
DESPL is claiming its stake in the ownership of the data shared over the app between 2021 and 2023—the time when it was in partnership with DYF, which later terminated the contract with the Hyderabad-based software company after allegations of Rs 36 crore fund siphoning emerged.
Recently, a high court bench of Justice Prasad framed four key issues for a trial set to start in mid-December.
The issues between DYF and its former software partner are: whether DYF is the rightful owner of the Digi Yatra Central Ecosystem under the 2021 Minimum Viable Agreement (MVA) with DESPL; whether DYF also holds intellectual property (IP) rights over the software and services developed by DESPL; whether DESPL infringed DYF’s rights; and whether DYF, in turn, misused any IP belonging to DESPL.
At stake is the ownership of the platform’s underlying code, software architecture, and database assets that process facial recognition data for millions of air passengers each month.
As advocate and data privacy expert Apar Gupta explains, “As per the framing of issues by the Delhi High Court, the title and ownership of the Digi Yatra ecosystem implicates contractual assignment of underlying IP assets (such as software code, architecture, user interface, database, etc). It may include, based on the claims of the parties to this dispute, any copyright (software), moral rights (if relevant), patents (if any inventive step), trade secrets, or even industrial designs.”
What is Digi Yatra?
The Digi Yatra Foundation was set up in 2019 as a Section 8 not-for-profit company under the Companies Act. The Airports Authority of India holds 26% of the shares, and private airport operators, namely Delhi (DIAL), Mumbai (MIAL), Bengaluru (BIAL), Hyderabad (GHIAL) and Kochi (CIAL), own the rest.
The project was formally introduced by the Press Information Bureau in July 2022, which described Digi Yatra as a system designed for “contactless, seamless” airport processing through facial recognition technology (FRT). The Ministry of Civil Aviation emphasised that privacy safeguards were built in through a decentralised mobile wallet–based identity platform.
According to the Digi Yatra website, “The Digi Yatra process makes the ID, travel and other documents’ verification faster, completely seamless and hassle-free. Passengers do not have to hand over physical documents to CISF, airlines and other agencies, offering a health-risk-free process to all.”
By September 2025, Digi Yatra had reached 16 million users, with about 30,000 new sign-ups daily, according to government data.
How the system handles passenger data
The Digi Yatra Guidelines issued by the Directorate General of Civil Aviation (DGCA) through AIC No. 09/2022 dated 18 April 2022 form the backbone of the privacy framework. They establish a decentralised mobile-wallet identity management system, meaning passengers’ personal data is stored securely on their own devices and shared in encrypted form with departure airports.
Crucially, the data is designed to be purged within 24 hours after flight departure, minimising retention and potential misuse. The privacy policy also specifies that while user information may be processed for limited operational purposes including verification, events, or promotions, “the data collected under Digi Yatra cannot be used by any other entity since it is encrypted”.
While the Digi Yatra Foundation insists that passenger data is encrypted and purged within 24 hours of flight departure, privacy advocates have pointed out a troubling contradiction in this claim.
The government’s own Digi Yatra Biometric Boarding System Policy states that biometric data will indeed be deleted within 24 hours, yet other categories such as ‘travel data’, including the passenger’s Digi Yatra ID and travel credentials, may be retained for up to 30 days.
As the Internet Freedom Foundation (IFF) noted in its critique, this discrepancy exposes a deeper tension between stated privacy safeguards and the system’s actual data lifecycle—raising questions about whether “purging” refers only to airport-side records, while other forms of personal information continue to circulate or linger within the broader Digi Yatra ecosystem. In effect, the 24-hour deletion promise sounds more like a public assurance than a technical guarantee, underscoring the opacity and absurdity surrounding what data is truly erased—and what may still be retained, shared, or repurposed.
The court battle’s backstory
Digi Yatra Foundation had selected Data Evolve in 2021 through a government startup challenge under NITI Aayog’s Atal Innovation Mission to develop the Digi Yatra Central Ecosystem and mobile app. The two signed an MVA on 17 November 2021, followed by a Letter of Intent in April 2023.
According to DYF, the agreement stated that all intellectual property in the Digi Yatra platform, software, and derivative works would vest with DYF, while Data Evolve would retain rights over its pre-existing proprietary tools.
By late 2023, however, DYF cited allegations that Data Evolve’s promoter had been involved in diverting Rs 36.53 crore. DYF even issued a disengagement notice in January 2024, instructing the company to hand over the platform, source codes, and all system credentials.
The disagreement soon became a two-city legal battle, with Data Evolve moving a Hyderabad court to protect its IP rights, while DYF approached the Delhi High Court to safeguard passenger data and prevent disruption of airport operations.
2024 order: Securing the platform
In March 2024, Justice Prathiba M. Singh issued an ad-interim ex-parte injunction that effectively restored control of Digi Yatra to DYF. She observed that the foundation had a “credible concern that the software company might misuse the data of millions of passengers” and could potentially block DYF’s operational access.
Calling Digi Yatra a “critical infrastructure platform” that serves millions daily, Justice Singh noted that any disruption could cause irreparable harm to public interest and India’s aviation ecosystem. She restrained Data Evolve from “using or transferring any data to third parties or making unlawful copies of the said data” and directed a full technical handover—including source codes (GUI and blockchain), AWS credentials, app-store access, domain certificates, and SMS gateway controls.
To ensure compliance, she appointed Joint Director (IT) Zameem Ahmad Khan and IT Head Sarsij Kumar from the Delhi High Court as Local Commissioners, authorising them to inspect Data Evolve’s Hyderabad premises, collect devices, and videograph proceedings with police assistance if needed.
The order restored DYF’s operational control but left the core question of ownership and data accountability to be determined at trial.
From courtroom to public concern: The privacy storm
The legal fight coincided with rising public unease about how Digi Yatra collects and uses biometric data. In December 2023, passengers reported that airport staff and CISF personnel were scanning boarding passes and taking photographs without explicit consent, effectively enrolling them into Digi Yatra without explanation. Some travellers even alleged their digital consent forms had been signed on their behalf.
In September 2024, speaking on data security at an inaugural launch, Union Minister for Civil Aviation Kinjarapu Rammohan Naidu reaffirmed the government’s commitment, saying “there is no central storage of passengers’ Personally Identifiable Information (PII). All passenger data is encrypted and stored securely in their smartphones, shared only temporarily with the origin airport, and destroyed within 24 hours of departure. Privacy of every traveller is paramount for us, and the Ministry of Civil Aviation would not compromise on it.”
In December 2024, responding to a starred question asked by Shashi Tharoor in the Lok Sabha about privacy concerns over biometric data under the Digi Yatra policy, the Ministry of Civil Aviation clarified that passengers’ biometric data is shared temporarily with the airport of origin through Digi Yatra and subsequently deleted within 24 hours of the flight’s departure.
Tharoor publicly raised further concerns regarding the status of the secondary use of personal data by Digi Yatra, noting that “the policy states that users may provide consent for value-added services at the airport, for which the data is shared with cab operators, Digi Yatra Foundation (DYF) employees, agents, and even the third-party entities serving the DYF. How is this user data being processed and shared if not stored somewhere internally?”
Data, ownership & accountability
Beyond the courtroom, the Digi Yatra case exposes a fundamental tension in India’s digital governance model: When public services rely on private developers, who ultimately controls the citizens’ data they process?
India’s Digital Personal Data Protection (DPDP) Act, 2023 aims to make consent and limited data retention the rule. Yet, as the Digi Yatra dispute shows, these safeguards can become complicated when contractual IP rights and public data obligations overlap.
Advocate Gupta, who is also the Founder Director of the Internet Freedom Foundation (IFF), observes how a question on the ownership of Digi Yatra data leaves its “user’s privacy stranded”.
“The choice of the Civil Aviation Ministry to incorporate Digi Yatra as a Section 8 company that is privately held by airports has meant that this data has always been in private hands” as the RTI Act doesn’t apply to them. “Hence, the governance systems, responsibilities and protections which are applicable to public sector undertakings are absent with it. This practically means that sensitive flyer data and biometrics is right now being litigated in the High Court of Delhi as a commercial dispute.”
This litigation, he says, is “an outcome of the entity structure and the tendering processes which do not need to comply with checks necessary to public procurements”.
Specific to this case, the Digi Yatra Foundation has conducted tenders by itself, which, Gupta explains, may not require declarations by potential suppliers on existing litigation or blacklisting by other government departments. This is usually a standard clause in most government tenders and helps ensure that contractors with a good track record are qualified to participate. “This does not seem to be the case with how Digi Yatra Foundation chose Data Evolve.”
Raising concerns over the question of user privacy, Gupta explained that the DYF’s “private sector ownership and at the same time government sponsorship means air flyers did not often give their biometrics with consent. We do not know even if the data will remain with Digi Yatra, how does it secure it? Who does it share it with? When was the last audit conducted? What were its results and areas marked for improvement?”
“The debate over data privacy centres on balancing individual rights to privacy and control over personal information against the interests of businesses and governments in collecting and using that data.”
(Edited by Viny Mishra)

