Authored by Satyam Tandon, Advocate at the High Court of Punjab & Haryana and Prashant Munshi, Penultimate Year Student at NLSIU, Bangalore.
First published in the Opinion, Newsletter of the Punjab and Haryana High Court Bar Association, also available here:
Introduction
The Government of India’s use of drone technology for the purposes of peacekeeping and governance has skyrocketed (pun intended) over the last two years. Drones were deployed to monitor potential protests in Ayodhya during the foundation stone ceremony of the Shri Ram Mandir,[1] and the Indian Railways recently introduced a drone-based surveillance system to ensure railway security.[2] Further, the pandemic gave drone technology newfound importance as law enforcement agencies like the Delhi police used drones to ensure social distancing and spray disinfectants in public spaces.[3] The incorporation of drone technology into governance is a global trend that can also be observed in countries such as the United States,[4] Brazil[5] and the United Arab Emirates.[6]
While drone technology undeniably has immense public value, this paper aims to showcase the practical problems that shall be faced by drone operators when the Personal Data Protection Bill, 2019 (Bill) is made applicable to them. The distinctive problem that arises is that, on one hand, the Bill warrants that privacy, if invaded must only be for lawful purposes, notices must be provided, and the obligations of data collectors and processors must be enforced. Whereas on the other hand, drones possess capabilities to use HD cameras, identify locations and track coordinates, identify persons, connect them to their social media platforms, profile them and even run thermal imaging, therefore creating various issues. Combine the two and the lack of a forum to obtain consent from the person drones are collecting such data from raises concerns. Not only privacy, but an innumerable number of practical concerns arise and through this paper, we aim to highlight such concerns and provide specific solutions to counter these problems.
Background
The legal framework governing the use of drone technology in India has undergone significant development in the last few years. Earlier, drones were regulated by the Aircraft Rules, 1937 read with the provisions of the Civil Aviation Requirements, 2018 (CAR, 2018). While the CAR, 2018 dealt with manufacturing, operation, and registration of drones, they hardly elaborated upon the aspect of privacy. The only mention “privacy” merited was under Requirement 12.21 of the CAR, 2018 whereby the Remotely Piloted Aircraft Operator was to “be liable to ensure that privacy norms of any entity are not compromised in any manner.” However, CAR, 2018 failed to explain this blanket statement and did not provide any standards against which this obligation could be met.
In 2021, CAR, 2018 was replaced by the Unmanned Aircraft System Rules, 2021 (UAS Rules, 2021), however the UAS Rules, 2021 were quickly repealed by the Drone Rules, 2021 (DR 21). The DR 21 as presently drafted has no provisions for the protection of privacy of individuals and has effectively, shifted the burden of safeguarding the same upon the Bill. While the latter is not yet law, the Bill is in many ways the last line of defence within the legal framework that protects privacy in India. The Bill is arguably the most progressive piece of privacy legislation in India and seeks to introduce stringent obligations on data collectors and processors, however, when made applicable to drones, its provisions are simply not practicable.
Analysis
- How to consent?
To contextualise this problem, an individual being monitored via drone technology never has the option of saying, ‘no’, such that they do not want to be recorded; or even having a say to the extent of ‘when’ such deployment is warranted.[7] Even if such technology and similar systems are registered under their applicable laws, such machines do not have a necessary forum to ask for consent from the individuals that they might end up recording and taking pictures of.
When such consent isn’t taken, various practical problems surface, however, from a legislative standpoint it creates a unique problem. This is countered through the Bill by imposing stringent penalties and compensation to ensure compliance by data fiduciaries and imposes such duties on the people processing the data. In summary, the Bill works in the following way – a data fiduciary or a data processor shall process the personal data. Applying the same to a recorded video from a drone, inter alia the functions of a drone operator would be to process the data fairly and reasonably; process only for lawful purposes; provide notice of collection to the data principal – such notice should have the purpose, right to withdraw, details about data protection officer; where all the data is to be shared etc.[8] Imagine a wedding, where drones are capturing the videos and pictures of the attendees, would it be practicable to send everyone a notice? Absolutely not and therefore casting the entire duty to provide a notice is simply impossible and thereafter, even ensuring that individual privacy is maintained is also difficult. Therefore, in our submission, such duties when cast on the operators shall be an executional hazard and must be cut down at the root itself, such that consent is explicitly prescribed before recording and capturing content.
One solution would be to require an operator who has planned a drone flight over an area, to take consent from the people in that area before deploying their drone. Or require drones to be flown beyond a certain limit in order to avoid identification. The latter is followed in Japan where drones are banned from usage in dawn and dusk hours and are further required to maintain at least 30 metres distance from people and objects[9]. Another possible solution can be to require registration of videos, monitoring of such videos and requiring consent, if such videos that are being captured are for a commercial purpose. This concept is used in Australia, where “commercial gain” is used to gauge whether or not the drone is required to be registered. Such examples simply showcase various other variables that have been used to pivot the legislation to encompass other considerations and usage of principles to highlight and harness the true purposes of the legislation.
- Ideological difference
Under Section 3(21) of the Bill, the definition of harm is stated as, inter alia, “any observation or surveillance that is not reasonably expected by the data principal.” This brings out the entire dichotomy as in our submission, data, if recorded, without consent, should qualify as harm, whereas the aspect of consent is wholly missed out. We submit that when something as tangible as data is recorded, copied a hundred times over, distributed a thousand times over and analyzed a lakh times over, and in short has been processed, without one’s consent or knowledge, that is problematic. However, these concerns are not at all catered to in the Bill and this seismic shift in ideology is problematic for the times to come, because the day collection of data without consent is made permissible, there are limitless possibilities where this could create a butterfly effect.
This is further eroded down to the level that under Section 14(1), data can be processed for reasonable purposes, without consent, but subject to the regulations of the Data Protection Authority. Such reasonable purposes can include fraudulent activities, recovery of debt, etc. Now, applying this in the case of drones, if I have a bad debtor, I may be able to fly a drone around his house, hoping to find a treasure chest because, such flying would be in furtherance of a recovery of debt. The example taken is necessarily exaggerated in order to showcase the problem and this was exemplified recently in Paris, where usage of drones for enforcement of COVID-19 lockdown restrictions was prohibited and deemed as violating personal data protection laws by France’s Supreme Court for Administrative Justice. The verdict reasoned that drones that could fly at a range of 80-100 meters could technically identify individuals, risking potential use in contravention to data protection laws.[10]
One can even look at Article 12 of the Universal Declaration of Human Rights, which provides that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks”,[11] which has been made applicable in addition to GDPR requirements in Europe, upon drones. Therefore, the emphasis must be on the importance of data, which starts with consent. And this consistently observable theme whereby data is classified as personal and further classified as sensitive must be permitted to accord different kinds of protection, only on the condition that consent is taken. And therefore, in our submission, we submit that collection without consent is harm.
- Misguided and oversimplified
Upon discussion of the abovementioned issues of consent, it very evident that the Bill as presently constructed is not at all made for drones. Rather upon examination of the Bill, it has been evidently drafted to cater to signees of privacy policies; terms and conditions of a website and online platforms; employment agreements; IPR agreements; non-disclosure forms; and confidentiality agreements etc; where explicit representations and warranties on the collection, storage, withdrawal of consent, usage of data are made. In fact, these are the first set of clauses that are necessarily incorporated in a privacy policy which in turn act as necessary safeguards against privacy concerns of individuals. The Bill in our submission, is a measure to enforce such clauses and provide for such clauses, when they have been omitted, through application of the Data Protection Authority’s standards.
In fact, the Bill not being for drones is further evidenced by the fact that in 2021, CAR, 2018 was already replaced by the UAS Rules, 2021 which contained explicit sections for privacy. Section 27 of the UAS Rules, 2021 obligated the operator to ensure the privacy of both the person as well as their property in the course of operation. Further, there was a blanket approach for ensuring privacy was accorded under Rule 38(2) of the UAS Rules, 2021 which stated that, “An imagery or data may be captured by an unmanned aircraft after ensuring the privacy of a person, its property, and is permissible under law”. Furthermore, prohibitions for flying near certain areas such as areas conducting military activities, airports, prohibited, reserved, borders, coastlines, and eco-sensitive zones etc were also banned under Rule 37(2). And lastly, under Rule 28(17), “the Operator was to ensure that the data gathered could not be shared with third parties without the prior permission of the individual to whom it pertains” and under Rule 28(16), “the operator was required to use suitable procedures and applications to safekeep the gathered data.”
However, it is presently futile to debate the correctness or incorrectness of the UAS Rules, 2021, even if they were a valiant attempt to ensure privacy. This is because the UAS Rules, 2021 were repealed by the Drone Rules, 2021 (DR 21). Naturally, it is evident that the State would not have drafted two separate legislations, and, in this case, it was simply a mistake. Coming back to the point, once the Bill becomes an Act, the issues of privacy, in case of drones, shall soon be shifted to the Bill. Therefore, there exists an argument to not include the Bill in case of drones, as a) it is evidently drafted for websites and not drones; and b) it is oversimplified in terms of its categorisation and would be impossible to implement in case of drone operators. This can then be countered, and DR 21 can be required to incorporate separate clauses for privacy of individuals through drone technology, as drafted in the UAS Rules 2021.
- Balance and proportionality
Upon a careful examination of the Bill, the principal issue that is founded is that the Bill puts forth the idea that surveillance is equal to security,[12] and the same line of argumentation is also followed in DR 21, where essentially the functionalities of the Government are given a free hand as there are various provisions that provide for their exemption. But on the other hand, there are no provisions that echo the stand taken by the Puttaswamy judgment[13], wherein a tri-parte test on the anvil of legality, necessity and proportionality is pronounced.
To showcase the alarming disproportionality of the Bill – it is stated under Section 35 of the Bill, the Central Government has the power to exempt any government agency from any or all of its provisions on grounds such as security of the state, sovereignty, and public order. Similarly, under Section 12 as well, the State, without consent, can process personal data if necessary.
With regards to such usage of drone technology by the government, these sweeping provisions in our submission are not at all the least restrictive measures that can be used to attain the objectives of the Bill. In fact, the need of the hour must be to reconcile the lack of importance accorded to consent and personal privacy by the legislature and the pedestal on which the judiciary has placed the right to privacy. In the landmark Puttaswamy judgement, Justice Chandrachud observed that “A constitutional democracy can survive when citizens have an undiluted assurance that the rule of law will protect their rights and liberties against any invasion by the state and that judicial remedies would be available to ask searching questions and expect answers when a citizen has been deprived of these, most precious rights.” As far as personal privacy in the context of drone technology usage is concerned, the rule of law in India is far from providing citizens with an undiluted assurance regarding the protection of their rights and liberties. The legislature must allow for the necessary safeguards on personal privacy without compromising the public utility of drone technology and in our submission, such measures must be proportional.
In our submission, this can be catered to by establishing necessary independent authorities or advisory commissions that would have the function to keep in check the invocation of exemptions by the State. This would counter the issues mentioned above and keep in check the infringement of fundamental rights of citizens. This must be allotted to Section 35 as presently the Bill does not hold the State answerable to any sort of independent authority; even the Data Protection Authority of India which has been established to create specific codes of practice, which could hypothetically be developed to govern drone technology. It is also important to submit that authorities in advisory capacities must be established, a corpus for research and development in the form of a Drone Institute can be incorporated to facilitate the issues highlighted herein and inter alia provide for training and act as an advisor or independent director of sorts to the State. This shall provide credibility to the invocation of Section 35 rather than it just being a measure to arbitrarily invoke blanket provisions.
Conclusion
There is no doubt that the Bill is certainly a brave and intense foot forward by the legislature to counter the issues related to privacy law. However, when applied in the case of drones, it showcases shortcomings such as lacking a forum for consent and planting the onus on drone operators or data processors, which are bound to be laborious and unfeasible tasks for the executive. Lastly, the biggest drawback of technology is that it is prone to hacking, and for every technology, a better one exists, and when such technology is able to access a variety of data at the drop of a button, hacks and viruses can really lead to disastrous and Ultron[14] like results. Therefore, in summary, it is submitted that an individual’s fundamental right to privacy must be carefully protected; consent must be taken ‘before’ such data is collected; if data is collected without consent, regardless of what processing the data goes through, mere collection without consent should constitute a grievance; unless a change in the context of drones is made to the Bill, enforcing it shall be a nightmare; and lastly, independent authorities must be enacted and given legitimate powers to act as watchdogs. Only then, can drone laws pass with “flying colours!”
[1] ‘Drones, Restrictions On Outsiders Among Security Protocol Ahead Of Ram Temple Event At Ayodhya’ (Hindustan Times, 2020) <https://www.hindustantimes.com/india-news/drones-restrictions-on-outsiders-among-security-protocol-ahead-of-ayodhya-event/story-s38mI5xYILtfqDqiWLICHJ.html> accessed 29 January 2022.
[2] Press Information Bureau, ‘Indian Railways Introduces Drone Based Surveillance System For Railway Security’ (2020) <https://pib.gov.in/PressReleasePage.aspx?PRID=1646784> accessed 29 January 2022.
[3] Anvit Srivastava and Baishali Adak, ‘Covid-19: Drones Drive Surveillance In Delhi’s Containment Zones’ (Hindustan Times, 2020) <https://www.hindustantimes.com/delhi-news/eye-in-the-sky-drones-drive-surveillance-in-delhi-s-containment-zones/story-uD2n3ZLLmgNRabOEEMHo8M.html> accessed 29 January 2022.
[4] David Kravets, ‘FBI Admits It Surveils U.S. With Drones’ (Wired, 2013) <https://www.wired.com/2013/06/fbi-drones/> accessed 29 January 2022.
[5] ‘Cameras, Drones: Rio De Janeiro To Put Electronic Eyes On Crime’ (Phys.org, 2018) <https://phys.org/news/2018-12-cameras-drones-rio-de-janeiro.html> accessed 29 January 2022.
[6] ‘Dubai: 4,400 Violations Recorded With Drones’ (Khaleej Times, 2021) <https://www.khaleejtimes.com/news/dubai-police-used-drones-to-detect-4400-violations-during-first-quarter-of-2021> accessed 29 January 2022.
[7] Abhishek Chakravarty and Archana Sivasubramanian, ‘The Privacy Question In India’s Drone Regulation’ (Jurist.org, 2021) <https://www.jurist.org/commentary/2021/04/chakravarty-sivasubramanian-privacy-drone/> accessed 29 January 2022.
[8] The Personal Data Protection Bill, 2019 §. 4, 5, 6, 7.
[9] ‘Drones: Guidelines, Regulations, And Policy Gaps In India’ (https://www.orfonline.org/, 2022) <https://www.orfonline.org/research/drones-guidelines-regulations-and-policy-gaps-in-india/> accessed 29 January 2022.
[10] Laura Kayali, ‘France’s Top Administrative Court Bans Drone Use To Monitor Protests’ (Politico, 2020) <https://www.politico.eu/article/frances-top-administrative-court-bans-drone-use-to-monitor-protests/> accessed 29 January 2022.
[11] Universal Declaration of Human Rights, 1948 Article 12.
[12] Soumyarendra Barik, ‘India’s Liberalised New Drone Rules Have Little Space For Citizens’ Privacy’ (Entrackr, 2021) <https://entrackr.com/2021/08/indias-liberalised-new-drone-rules-have-little-space-for-citizens-privacy/> accessed 29 January 2022.
[13] Justice K.S. Puttaswamy (Retd) v Union of India (2017) 10 SCC 1.
[14] Joss Whedon, Avengers: Age Of Ultron (2015).