The use of drone technology by both private and public actors have raised significant privacy concerns for Indians. Unfortunately, the current statutory and regulatory framework proves inadequate to protect against the drone privacy intrusions.
Currently, the government agencies are utilizing the drones for multitude of purposes. To illuminate, Indian Railways and Indian Forest Department have used drones for monitoring the Seawoods-Nerul-Uran railway project and plantations, respectively. As a part of government's development programmes, Survey of Villages and Mapping with Improvised Technology in Village Areas (SVAMITVA) Scheme has been launched by the Government to map lands of the Indian rural residents to establish clear ownership of their properties using drone technology. In a similar instance, the Telangana Government has launched a programme named ‘Hara Bahara', to plant 1 billion trees by 2030 using seed copter drones and tested drones to deliver Covid-19 vaccines in remote areas. The Government agencies like the Ministry of Defence, the Home Ministry and the Bureau of Civil Aviation Security (BCAS) plans to leverage the ‘counter rouge drone technology' and the Ministry of Agriculture and Farmers Welfare promotes the drone technologies for crop protection and for spraying soil and crop nutrients and using drones for variety of purposes such as surveillance.
As the above-mentioned examples illustrate, the many benefits of the drones cannot be debated but at the same time its potential abuse cannot be ignored. The extensive use of manoeuvrable and stealthy drones equipped with myriad sensors, cameras, recorders, imaging technology and other surveillance equipment leads to unsettling inference that the drones have the capability of gathering an inordinate amount of personal information, both inadvertently and intentionally. Exacerbating this concern, as per a press release by the Ministry of Civil Aviation (“MoCA”), numerous organisations have been granted permission by the MoCA and Directorate General of Civil Aviation (“DGCA”) to operate drones for purposes such as surveillance, delivery of healthcare essentials, ariel survey of crop health and research activities. In the wake of covid-19, several police departments were allowed to use drone technologies to get the real-time updates on the lockdown violations and to monitor body temperatures of people in crowded areas using thermal cameras with drone technologies.
The drone operations are gradually becoming the indispensable part of our lives but problematically, the drone regulatory framework falls short of providing sufficient privacy protection against drone operations.
Privacy Safeguards under Existing Regulatory Framework
Since 2018, the drone industry was regulated by Civil Aviation Requirements (“CAR”) for Operation of Civil Remotely Piloted Aircraft System (“RPAS”) which were issued by the DGCA in August 2018 along with the DGCA RPAS guidance manual, 2020 (“Guidance Manual”). In terms of privacy safeguards, a general obligation was imposed upon the remotely piloted aircraft (“RPA”) operator or remote pilot to ensure that privacy norms of any entity are not compromised in any manner. Further, the Guidance Manual under guiding design principles stipulated that the following privacy principles must be embedded in the design of every RPAS: (a) proactive efforts must be made to protect privacy and not reactive; approach must be preventative and not remedial; (b) privacy must be the default setting; (c) visibility and transparency must be maintained in the design of the RPAS; and (d) all stakeholders' privacy must be respected. The MoCA, in January 2019, released the drone ecosystem policy roadmap (“Drone Policy”) which gave recommendations on protection of personal data arising from the drone operations. The Drone Policy recommends that the manufacturers at the design and development stage must take into account the principles of privacy and protection of personal data by design and by default. Further, it also recommends that the DigitalSky Service Providers (DSPs), (which are the service providers registered on a DigitalSky platform hosted by the DGCA for various activities related to the management of unmanned aircraft system activities in India), collecting personal data must be required to establish feedback and review mechanisms including requests to access, anonymize, or erase the data of the data principal.
Thereafter, the above-mentioned rules were replaced by the Unmanned Aircraft System Rules, 2021 (“UAS Rules 2021”), which were released on March 12, 2021. The UAS Rules 2021 required the unmanned aircraft system operator to ensure the privacy of a person and its property during operation and further allowed the capturing of images and data by an unmanned aircraft only after ensuring the privacy of a person, its property, and is permissible under law. It is pertinent to note that the data protection principles as recommended under the Drone Policy didn't get reflected in the UAS Rules 2021. Owing to the criticism with respect to the burdensome compliances, the MoCA on August 25, 2021 published The Drone Rules 2021 (“Drone Rules 2021”) replacing the UAS Rules 2021. Surprisingly, the Drone Rules 2021, omitted the word ‘privacy' entirely from its text and thereby, wholly and completely failed to account for the dangerous potential impact of the proliferation of drones to the fundamental right to privacy of individuals and its various aspects as defined by the Supreme Court in Justice K.S. Puttuswamy (Retd.) v. Union of India.
Among others, the various aspects of privacy include an individual's right to protect bodily integrity, secure informational privacy and safeguard decisional autonomy. Ofcourse, such right of privacy must be balanced with the statutory requirements that have to be met by the stakeholders of the drone ecosystem before these technology devices are deployed in the public domain.
In the absence of a dedicated privacy framework for new technologies like drones, unmanned aerial systems etc., the only available and applicable legal requirements are the broad privacy principles as drawn from the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) issued under Information Technology Act, 2000 (“IT Act”) and the Justice Srikrishna Committee Report on Data Protection, which ultimately led to the Personal Data Protection Bill, 2019. However, the SPDI Rules does not cover the processing of personal information by government entities and are applicable only to body corporates or individuals acting on behalf of body corporates collecting, receiving, possessing, storing, dealing or handling the personal information of natural persons in India. Considering the application of drones either as a real-time video-graphic/technical surveillance and location tracking tool, a data aggregation device, or for law enforcement purposes, generic law such as IT Act and SPDI Rules are ineffective for emerging technologies such as drones, which are inherently invasive in nature.
The Way Forward
The drone regulations have undergone multiple amendments in the past, but unfortunately all those amendments have failed to seriously account for the unique privacy and data protection challenges that arise from technological tools like drones. Below are some of the suggested measures which could be built into the drone regulations to safeguard the privacy of the individuals.
Firstly, the drone manufacturers should be incentivized to include corresponding and specific features and functionalities which can take into account the principles of privacy by design and by default to ensure that the minimum amount of the personally identifiable data is collected, processed and retained during the operation of the drones. They should systematically evaluate the potential privacy impact of the drone technology and its likely usage to ascertain the appropriate safeguards and considerations that are required to be incorporated into the built and design of the payloads, software and interface of the drone, from the beginning of the design, development and production stage. Further, Government should include mandatory provisions regarding the privacy by design and by default in the drone regulations to protect the personal identifiable data throughout the lifecycle of the drone i.e., from the collection to processing to storage and finally to the secure deletion of the data. Further, an obligation must be imposed upon the government agencies involved in the drone operations that government undertakes, to use only such drones which are designed on the principle of privacy by design and default. Additionally, they must be obliged to establish feedback and review mechanisms including requests to access, anonymize, or erase the data of the data principal.
Secondly, an obligation must be imposed upon the government agencies involved in the operation of drones to conduct privacy impact assessment (identifying data protection risks and providing solutions to counter the same) and submit the report, in the prescribed format, to DGCA before commencing any programme or service that involves handling of personal identifiable information, in order to minimise privacy concerns. Further, they should be obliged to promote reasonable security safeguard policies to manage security risks related to data collected during drone operations according to the operator's size and complexity, the nature and scope of its activities and the sensitivity of the data collected and retained. The drone operators should make a reasonable effort to only allow the authorized individuals to have access to the data collected during the drone operations.
Thirdly, government must incorporate provisions in the regulations on good practices regarding the collection, storage, retention, sharing and deletion of data collected during the operation of drones. For instance, the drone operators should avoid intentionally collecting the data of the individual without the consent of the data principal, reasonable efforts should be made by the drone operators to minimize the drone operations and activities over the property of the individual without their express consent, data of the individuals should not be retained for longer period than it is reasonably necessary to fulfil the purpose for which it is collected. Further, the regulation should also contain a built-in mechanism for receiving requests to erase, de-identify the data of the individuals. Having said that, in order to make the process transparent and more accessible to the public, DigiSky platform can be used to make the requests related to deletion of personal data. Additionally, with respect to sharing of data with the third parties, necessary baseline procedural safeguards should be built into the regulations, such as of a written request, declaration that the information will not be shared with any other person, and even if it is shared it will be in the manner as per the extant laws prevailing in India.
Fifthly, regulations should require that reasonable steps must be taken to obtain consent of person's whose information is likely to be captured by the usage of drones. It may be achieved by giving prior notice to the individuals informing them about the area where the drone will be operated and timeframe of such flight. The contents of the notice may include information such as: (i) the purpose of collection of data; (ii) kinds of data which is intended to be collected; (iii) entities with whom the data will be shared; (iv) procedure to address privacy related complaints; (v) the period for which the data will be retained; (vi) the individuals or entities with whom such personal data may be shared. However, there might be scenarios where obtaining consent is not feasible such as medical emergency, disaster management etc., in such cases, the personal data may be processed without the consent of the data principal, but it should be processed only for specific, clear and lawful purpose along with the security safeguards including the steps necessary to prevent misuse, unauthorized access to, modification, disclosure or destruction of personal data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.