The Drone Regulations 2021: One Step Forward and Two Steps Back

by Nimrat Kaur Dhillon

Introduction

An unmanned aerial vehicle (UAV) is an aircraft that is operated without a human onboard and is colloquially known as a ‘drone’. It is also known as a Remotely Piloted Vehicle (RPV). In contradistinction to traditional aircraft, drones are controlled remotely by human operators, or may even be guided by computer programs. In the recent past, drones have come to be used for multiple purposes. The global shutdown caused by the COVID-19 pandemic has further increased the demand for contactless delivery, transportation, aerial disinfection, and public space monitoring. In the future, we can see drones used in agribusinesses for geo-mapping, crop observation and monitoring, fertiliser spraying, and analysing conditions of the soil. Facebook, in collaboration with Airbus, is developing solar-powered drones to improve internet connectivity in remote areas. Owing to the wide array of applications attributed to drones, they are expected to yield a turnover of roughly USD 1.8 billion by 2026 in the Indian market. Moreover, Indian government officials are confident that India will soon become a global hub for drone technology and innovation.

Drone Rules and Privacy Challenges

The legal regimen of India had a strained relationship with drones for a long time. The Unmanned Aircraft System Rules (hereinafter, UAS rules), passed by the Ministry of Civil Aviation (MoCA) in March 2021, were discouraged by various industry experts and stakeholders on account of being highly restrictive. The rules mandated compliance with various requirements, which could potentially lead to administrative bottlenecks and long-drawn approval deadlines. Consequently, the multi-license system enumerated in the regulations hindered the ease of doing business for players entering the market. To stakeholders’ relief, the MoCA notified ‘The Drone Rules, 2021’ in August 2021, which is a liberal regulation in comparison to antecedent versions of drone rules in India. The new regime succeeded in relaxing compliance requirements for registration, omitting certain hardware and software requirements, and reducing the fee required to register drones, based on their size. MoCA even updated the ‘Digital sky platform’, which was introduced in 2018, to accommodate the new regulations and make the process of getting permissions seamless for RPAS, operators, and pilots. The platform was envisioned to construct a digital infrastructure that supports safe, efficient, and secure access for drones to enter the Indian airspace. There is no doubt that the new rules will significantly help start-ups to enter the industry and open up new possibilities for business and innovation. However, privacy has taken a back seat in this liberalised regime. Drones are commonly equipped with high-definition cameras and use radar technologies that can penetrate walls and monitor people. India is no stranger to the use of such technologies, especially during the pandemic for thermal screening and detection of sick or infected people. Usage of such drones has raised many ethical and privacy concerns, and many researchers have even mentioned that such thermogenic cameras may not even be that efficient in detecting temperatures.

In the past, the Aircraft Rules, 1937, in conjunction with the Civil Aviation Requirements, 2018 (CAR), were used to provide a regulatory framework for drones. The CAR guidelines required the operator of the drone to ensure that the privacy of an entity or an individual is not breached during its operation. The guidelines lacked a detailed framework, but were still better than the new rules, which failed to even mention the word ‘privacy’. These were replaced by the UAS rules in March 2021. The UAS rules prescribed data protection and privacy measures, wherein the operator was duty bound to ensure the privacy of a person and their property. The operator was required to adopt suitable procedures and applications to protect data collected while in operation and to not share it with any third party without taking prior permission. These essential safeguards have not been included in the new rules, which, in conjunction with the lack of an overarching law on data protection, could result in dire consequences for citizens of this country.

In early 2020, the MoCA launched the GARUD portal to streamline the process of granting conditional exemptions for aerial photography, surveillance, and relevant announcements about the pandemic. Even the UAS rules granted such exemption to government agencies operating under the Ministry of Home Affairs. Accordingly, various state police departments had resorted to drones for enforcing the lockdown and collecting data to ensure that the lockdown norms were being followed. Some even continued to use drones to monitor people after the suspension of lockdown. The investigation and intelligence agencies have in the past used drones to keep track of protestors by using facial recognition technology. Such uninhibited usage of drone technology could result in decreased transparency regarding the type, manner, and process of data collection employed by multiple governmental agencies.

Presently, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, provide some level of protection against potential data breaches. However, the Act does not recognise imagery collected via drones as sensitive personal data and only wrongful collection of physiological data by the drones may get some protection. Moreover, the Personal Data Protection Bill, 2019 (PDP) grants wide exemptions to governmental agencies from the provisions of the bill, on the grounds of public order and safety. Law enforcement agencies are also exempted under the bill if drones are used for investigative purposes. It should be further noted that the responsibility of issuing codes of practice on compliance of data fiduciaries and processors lies on the shoulders of the Data Protection Authority, which mainly comprises bureaucrats appointed under the union government. So, the independence of these members becomes highly questionable. These members may be apprehensive of criticising the government and resultantly grant governmental agencies unfettered powers. The PDP bill has not yet been notified as law and only time will tell whether the legislation is successful in putting forth a robust and comprehensive framework on data protection.

In the absence of comprehensive legislation to regulate privacy in India, the pivotal judgment given by the Supreme Court in K.S. Puttaswamy v. Union of India (2017) held that the right to privacy is a fundamental right recognised under Article 21 of the Indian Constitution. The Supreme Court stated that any restriction placed on the privacy of an individual should stand true to the test of proportionality enumerated by the court. The restriction placed must be enabled by law, for a legitimate aim or purpose, must be proportional, and have sufficient procedural safeguards in place to avoid excessive intrusion by the state.

The main argument that surveillance helps in maintaining law and order has statistically failed, as there is no data present to back it; surveillance instead contributes to the curtailment of free movement of marginalised groups and subjects them to constant moral policing. Regardless of the multitude of advantages related to utilising drones outfitted with cameras, one cannot deliberately ignore the potential for misuse of their surveillance capabilities.

The International Organization for Standardization in 2019 published international safety and quality standards for UAS, wherein it enumerated detailed guidelines related to data protection and privacy, and urged operators to adopt software to manage data effectively. The International Civil Aviation Organization (ICAO) has time and again stressed the importance of drafting a responsive framework for drones that prioritises the aviation industry’s long-term goal of safety, security, and performance. Though ICAO has refrained from drafting a model guide on privacy and data protection, it has urged the states to independently incorporate an appropriate provision in the domestic legislation on drones to regulate their operation, manufacture, licensing, etc. Many countries have successfully incorporated such provisions to ensure that technological advancement does not end up jeopardising the essential rights of their citizens.

For instance, Transport Canada Civil Aviation understood the risks involved in the usage of drones for recreational purposes and accordingly outlined privacy guidelines for recreational, commercial, and governmental operators. Drone operators under Canadian law will be held accountable for their actions and they are duty bound to limit the unreasonable collection of certain data, obtain consent before capturing an individual’s personal information, store the information captured securely, and be open and responsive about activities. Additionally, the Canadian government is also working to raise more awareness about drone technology to foster public trust. In 2018, the European Aviation Safety Agency, via regulation 2018/1139, required drone operators to acquaint themselves and comply with the domestic privacy legislation and the EU General Data Protection Regulation (GDPR) to ensure safety, privacy, and protection of personal data. The regulations also urge the need to equip drones with features and functionalities to reduce the chances of any accidental breach. Interestingly, when other countries were using drones to maintain law and order during the pandemic, the highest administrative court of France, the Conseil d’État, held that police officials are disallowed from using drones to track people who flout social distancing rules, as this action threatens an individual’s right to privacy. The council opined that drones are equipped with high-definition cameras which can identify individuals, and that their use is in contravention of data protection laws.

Conclusion

The new rules have successfully clarified the Indian government’s intent to focus on technological advancement, but have compromised the security and safety of its citizens. It is high time that individual privacy should not be sacrificed at the altar of law and order. The government should commit to introducing essential safeguards in conjunction with a comprehensive data protection law framework to avoid misuse of drone technology. The government should also mandate the installation of redaction programming on drones to avoid unnecessary data collection. To encourage accountability and avoid misuse, the government, similar to article 35(1) of the GDPR, should carry out privacy impact assessments before indulging in mass surveillance programs. Therefore, India needs to enact and draft robust laws to aid in progress, without compromising the fundamental rights of individuals.

