How the Drone Rules, 2021 threaten the right to privacy

With India trying to compete globally on issues of technology and drone usage, it is necessary to analyse if the relevant Indian regulation is on par to provide the necessary safeguards from privacy violations. RENU GUPTA and AKSHAT BHUSHAN argue that the current legal framework is lacking in terms of proportionality, and suggest ways in which public safeguards can be built into the existing laws in India.

———

The Drone Rules, 2021 came into effect from August 2021. These rules mark a major policy shift towards liberalisation as compared to the previous rules that were notified in 2018, 2020 and March 2021.

It is clear that owning and using a drone is not going to be difficult. But how should a technology capable of surveillance not become a tool for breaching people’s privacy, is an area on which the rules are silent. The only proposed legislation dealing with privacy is the Personal Data Protection Bill, 2019 (PDP Bill), which has not yet been passed as law and is being scrutinized by a Joint Parliamentary Committee.

There is enough evidence of governments deploying invasive video monitoring devices such as CCTV cameras for ‘maintenance of law and order’. However, unlike conventional video monitoring devices like stationary cameras, drones or unmanned aerial vehicles are portable and equipped with a high powered camera lens with night vision that can stay aloft and surveil a huge area without even being seen. Drones use radar technologies which can penetrate walls and surveil people even within their homes. Drones have been used extensively by state governments in India for enforcing the lockdown during the Covid-19 pandemic and maintaining public order.

In this piece, the authors examine the legal vacuum in regulating drone surveillance, and suggest some measures to safeguard privacy.

Drone Rules, 2021 are silent on privacy vis-à-vis surveillance

Rule 5(a) of the Drone Rules, 2021 permits nano drones which weigh less than 250 grams. These tiny drones can easily be used to sneak into anyone’s person or property and take photos and videos of people.

The Unmanned Aircraft Systems Rules, 2021 (UAS Rules, 2021) came into effect from March 2021. Rule 27(h) of the UAS, Rules 2021 puts an obligation on the operator to ensure the privacy of person and property during its operations, and Rule 39(2) required the drone operator to ensure the privacy of individuals and their property while collecting any video footage or image.

These rules have been replaced by the Drone Rules, 2021, which do not have these safeguards. Would it mean that there is no longer any obligation on the operator to ensure privacy of person and property in operations of drones? It does seem like that.

Also read: UT Administration Bans UAVs in Parts of J&K as Security Concerns Grow

Personal Data Protection Bill gives wide exemption to government agencies

The PDP Bill seeks to introduce the concept of informed consent, purpose limitation and storage limitation as measures for ensuring data privacy. However, in its current form, the PDP Bill is insufficient for dealing with privacy concerns around drone surveillance by the state.

Section 35 of the PDP Bill empowers the union government to exempt any government agency from any or all provisions, on grounds such as sovereignty and integrity of India and maintenance of public order. The only safeguard that has been provided is that the government has to record the reasons for such exemptions, in writing. However, it is not answerable to any independent authority while ordering such exemptions. Section 36 gives exemption to law enforcement agencies for detection, investigation and prosecution of any offence. Thus, the union government can grant unfettered powers to law enforcement agencies for data processing.

In the PDP Bill, the responsibility of issuing specific codes of practice and ensuring compliance by data fiduciaries and data processors, lies with the Data Protection Authority of India [Section 49(1), 49(2)(h) and Section 50]. But all members of the Data Protection Authority are to be appointed by bureaucrats serving under the union government [Section 42]. Therefore, while framing guidelines or scrutinising the activities of government agencies as data fiduciaries and processors, the independence and impartiality of such an authority is questionable.

KS Puttaswamy vs. Union of India: The only guiding light

In the absence of any legislation regulating privacy, the only jurisprudence in this regard is provided by the landmark 2017 decision of the Supreme Court which upheld privacy as a fundamental right under Article 21 of the Indian Constitution. The apex court also held that although the expectation of privacy in public places cannot be unreasonably high, it does not mean that privacy of an individual should altogether be given up in such places.

Therefore, unfettered surveillance using drones is violative of the fundamental right to privacy.

Yes, privacy like any other right is not an absolute right. The court laid down a four-pronged test of proportionality that must be satisfied for restrictions on privacy to be reasonable.

i) Restriction on privacy must be enabled by a law

The first limiting principle against curtailment of privacy is legality. The action of the state to restrict privacy must be pursuant to an enacted statute. But these Drone Rules, 2021 do not regulate surveillance and most of the surveillance is being carried out through executive notification, without any procedural safeguards.

Therefore, there is a need to enact a comprehensive legislation dealing with data protection in general and regulating drone surveillance in particular.

ii) Restriction on privacy must be for a legitimate aim

Most drone surveillance by the government is carried out for maintenance of law and order. However, there is no data to prove that this has facilitated in improving law and order. Some studies conducted around the world focusing on the efficacy of mass surveillance devices like CCTV cameras, can provide useful guidance.

These studies suggest that such surveillance has had minimal impact on the law and order situation of the particular area. On the contrary, mass surveillance has severely hampered the free movement of women and other vulnerable groups subjecting them to constant moral policing.

iii) Restriction on privacy must be proportionate

The government must choose the least intrusive means. The PDP Bill empowers law enforcement agencies to grant themselves exemptions from the provisions both at the stage of data collection and data processing. Therefore, nothing prevents the law enforcement agencies from using drone surveillance for any purpose including petty offences.

The use of drone surveillance should be for defined offences and only where less intrusive means are not available.

Article 35(1) of the General Data Protection Regulation, which is applicable law in the European Union, mandates the state to carry out a privacy impact assessment before carrying out large scale video monitoring. Such an assessment will increase accountability and reduce indiscriminate use.

There are options of equipping the surveillance device with features that allow minimum intrusion. For example, the camera lens fitted in the drone can be installed with redaction programming which will help the authorities to carry out targeted monitoring of suspected individuals blurring out the image of other people and objects in their surroundings.

iv) Procedural safeguards against excessive interference by the State

When State agencies carry out covert surveillance during mass processions or festivals, the expectation of privacy cannot be too high.

It might be useful to look at the guidelines released by the Canadian Privacy Office in 2006 to regulate video surveillance by police and law enforcement authorities. The agencies must at least inform the public that a particular area is being surveilled and also give information about the agency that is carrying out the surveillance. People should also have the right to access their own data collected through surveillance. The records may be provided to the person after blurring out other people and objects present in their surroundings.

Also read: An explainer on the Pegasus Spyware

According to the UK Surveillance Camera Code of Practice, every agency carrying out surveillance should have a point of contact for addressing the complaints and queries of people to ensure transparency.

Therefore, there should be clear rules on data retention. Some suggestions are: (i) any information collected through drone surveillance must be kept in protected database for a particular time period during which it would only be accessible to law enforcement officials of certain seniority; (ii) this data may be retained beyond a fixed time period only in exceptional circumstances subject to the approval of an independent higher authority.

There is also a disturbing trend where private organizations like Resident Welfare Associations are being granted access to data collected by video monitoring devices installed by the government. Recently, the Kerala government  took the services of private citizens to conduct surveillance through drones that collected data in the form of video footage, and transferred the same directly to the personal phone of police officers.

There should be complete restriction on the data collected by the government given to private parties, and the data collected must be stored in a robust and secure public database.

In UK, the Investigatory Powers Act, 2016 deals with interception of communication by the State, but the provision regarding approval of warrants by the judicial commissioner may be useful for surveillance activities in general. The government could consider having an office similar to the Judicial Commissioner in the UK under the Investigatory Powers Act, 2016. This office would be responsible for ex ante scrutiny for approving the surveillance warrants of law enforcement authorities. This becomes essential for covert and targeted drone surveillance.

Apart from this, there should be an independent auditing authority to ensure compliance. The PDP Bill does provide for a Data Protection Authority. However, it consists wholly of government appointees.

Also read: Conundrum of expectations: are courts prepared for challenges against facial recognition technology?

India is trying to keep up with the technological development taking place around the world but is lagging behind in fulfilling its corresponding duty to safeguard people’s privacy. The present legal framework on drone use fails on the touchstone of proportionality. Therefore, India must enact a robust data protection law and build safeguards in Drone Rules, 2021, to ensure transparency and accountability of surveillance.

(Renu Gupta is an Advocate practicing commercial litigation and arbitration in Delhi, and is the Co-Founding Partner of the law firm Olive Law. Akshat Bhushan is a third year B.A., LL.B. (Hons.) student at the Hidayatullah National Law University, Raipur. The views expressed are personal.)