India’s aviation sector is on the cusp of a historic transformation. By 2028–29, the country is set to become the world’s third-largest aviation market, propelled by surging passenger demand, the doubling of airports over the past decade, and record-breaking aircraft orders by Indian carriers. The long-term vision is even more ambitious: by industry estimates, India is projected to operate 400 airports by 2047 (up from 164 today) and a fleet of 3,000 aircraft (nearly quadrupling the current ~850). These milestones reflect not just expansion, but a resounding vote of confidence in India’s aviation growth story, one that promises deeper connectivity and a far more complex domestic and international network.


      Flying high on data, grounded in privacy: Key implications

      Multi‑entity data ecosystem

      Contracts

      Airlines, airports, OTAs, and authorities must have clear contractual arrangements that define roles and responsibilities for data handling and ensure data protection

      Data principal request management

      Each entity must be able to respond to data principal rights requests (such as access, correction, erasure and others)

      Airport concessionaires and partners

      Consent and transparency

      Concessionaires must obtain valid consent for personalisation/upsell

      Contracts

      Airports must ensure partner compliance through binding agreements

      Data retention

      Limit storage of personal data/identifiers to the duration necessary for service delivery

      Special Service Requests (SSRs) and passenger preference requests

      Specific and informed consent

      Required for processing health, biometrics, religious or any other personal data of sensitive nature

      Technical safeguards

      Strong access controls and encryption to protect sensitive SSR data

      Data minimisation

      Collect only what is strictly necessary for service fulfillment

      Global Distribution Systems (GDS)

      Contracts

      Airlines remain accountable for GDS compliance; contracts must enforce DPDP standards

      Technical safeguards

      Secure transmission and storage of PNRs and SSRs

      Data retention

      Define retention periods aligned with regulatory and operational needs

      Codeshare and interline agreements

      Cross-border data transfer rules

      Sharing across carriers/jurisdictions requires compliance with DPDP’s requirements

      Contracts

      Interline agreements must embed DPDP obligations for lawful processing and passenger/customer rights. Binding agreements with overseas entities are needed to ensure DPDP compliance

      Frequent flyer and loyalty networks

      Notice and consent

      Passengers must be informed about data sharing with coalition partners

      Contracts

      Loyalty programme partners must adhere to DPDP obligations

      Data principal request management

      Systems must allow passengers to exercise rights across the partner network

      Advance Passenger Information (API/PNR extracts)

      Lawful basis

      Such data should be shared with immigration authorities across different countries only if a statutory requirement or law mandates it

      Data minimisation

      Only necessary fields (passport/identity) should be transmitted

      Technical safeguards

      Secure channels for transmission to government systems

      Cleared for take-off: Privacy in aviation

      Aviation milestones reflect not just expansion but a promise of deeper connectivity and a far more complex domestic and international network

      Key Contacts

      Akhilesh Tuteja

      Partner & National Leader, Clients and Markets

      KPMG in India

      Atul Gupta

      Partner and Head - Digital Trust and Cyber

      KPMG in India

      Nitin Shah

      Partner – Digital Trust, Head – Cyber Security, Resilience and Privacy Strategy & Governance

      KPMG in India

      Shikha Kamboj

      Partner, Digital Trust, National Leader, Data Privacy and Ethics

      KPMG in India

      Jodhbir Sachdeva

      Associate Partner, Aviation

      KPMG in India
