A recent move by the Indian Railway Catering & Tourism Corporation (IRCTC), the Indian Railways ticket booking arm, has kicked up a controversy. It was planning to monetise its passengers' data to generate additional revenue that would enable the company to improve its margins, but, the government ended up with egg on its face. IRCTC has a number of businesses like rail ticketing, hotel booking, catering service, air ticketing, bus booking and retiring room booking on its own platform. The controversy has its origins in the public sector undertaking hiring a consultant to assist with the monetisation process, through which it had planned to raise Rs1,000 crore. IRCTC had identified sectors such as hospitality, health, energy and infrastructure as potential customers for the passenger data in its tender document for hiring the consultant. The Indian Railways has now put the plan on hold, after the news generated apprehension among millions of users of IRCTC, the country’s largest e-commerce website, as India still does not have a data protection law. To make matters worse, the Modi government recently withdrew the contentious Personal Data Protection Bill 2019, which aimed to regulate how companies and the government could use the digital data of citizens. And, it is yet not known when the new version of the law would see the light of the day. Freedom advocacy and social media groups raised a ruckus when IRCTC had floated a tender for appointing a consultant for digital data monetisation to leverage its more than 100 million registered users data. As per the tender document, the customer's data that will be studied by the consultant includes name, age, mobile number, gender, address, email-id, no. of passengers, class of journey, payment mode, login/password. Concerns raised Internet Freedom Foundation, a Delhi-based non-governmental organisation advocating digital rights and liberties, expressed concerns over the tender and outlined its pitfalls in a series of tweets. “Hey, train travellers, your data will soon be monetised by the government, and that too, in the absence of data protection legislation! ...A profit maximisation goal will result in greater incentives for data collection, violating principles of data minimisation & purpose limitation. Past experiences from the misuse of Vahan database amplify fears of mass surveillance & security risks," it said. "IRCTC, a government-controlled monopoly, must not prioritise perverse commercial interests over the rights and interests of citizens,” the NGO added. “And, given the recent withdrawal of the Data Protection Bill, 2021, such monetisation becomes even more concerning".