The wee hours of an otherwise uneventful Sunday of June 27, 2021, witnessed a very novel, never-before-used methodology of conducting activities that are detrimental to the national security of India – two explosive-laden drones, controlled by extremist terrorists, were made to crash into the Indian Air Force station at the Jammu Airport. What followed the unfortunate incident was the Government of India’s proposition to overhaul the then pre-existing Unmanned Aircraft System Rules, 2021 (“UAS Rules”) (which was released on March 12, 2021; and hadn’t breathed for four months, even!) with a new set of modified rules & regulations – the Drone Rules, 2021 (“DR 2021”). DR 2021 was finally notified by the Central Government last month.
However, as is almost always the case scenario with all incidents of breach of national security, perhaps what escaped the public eye this time as well are the concerns associated with the usage of Drone-tech in India and its ramifications on privacy rights. The same is evidenced by several instances that we have been a witness to in the recent past – be it the operation of Drone-tech by the law enforcement agencies (“LEA”) in maintaining law and order and in the proper implementation of the lockdown measures, or the exemption that several governmental agencies enjoy under the drone regulations in place; the larger the effect on the right to privacy, unfortunately, shorter has been the leash on the safeguards put in place to defend such right.
Let us take into consideration certain occasions where the LEAs have extensively counted on the use of Drone-tech for policing activities.
• The usage of Drones acquired from open markets by the Delhi Police on two notable instances – one, the Delhi Assembly Elections of February 2020; and, two, the Delhi riots of 2019.
• The employment of Drones by the Uttar Pradesh Police during the foundation stone-laying ceremony of the Ram Temple at Ayodhya in August 2020.
• The procurement of Drones by the Railway Protection Force to augment the surveillance & security mechanism of the Mumbai Division of the Central Railways, in August 2020.
The most surprising and definitive aspect of the practices in India in the usage of Drone-tech by the LEAs is that they are much the same as the practices of Drone-tech use in several other nations like the United States & Australia – and if nothing else, this definitely does showcase the blatant disregard of Governments globally to the worry of the misuse of Drone-tech in contrast to privacy rights. Such apprehension is quite unsettling.
But, we come back. The Covid-19 pandemic has unfortunately promoted and normalized to a large extent Drone-tech operation by Indian LEAs – and perceived from the prism of privacy & data-protection, the policing activities of LEAs are perturbing. Be it the unchecked collection of image & video data by the Delhi Police by use of Drones during the first wave of the pandemic; or the unhindered employment of Drones (and a combination of artificial intelligence frameworks and GPS) by the Punjab Police, Hyderabad Police & Kerala Police in their respective jurisdictions to identify if people are adhering to the lockdown norms or not (with Kerala being the notorious standout in transferring data recorded by such Drones to the cellphones of the local Police officials, directly!), or the intemperate application of Drone-tech in a surveillance role in Chennai even after the lockdown was officially lifted – at the risk of sound like an alarmist fear-monger, perhaps this is what the advent of the inception of the Orwellian State looks like.
DRONE-TECH AND ITS HISTORICAL CHRONICLES
Going back in time, the legal regulations of Drone-tech in India first find their reference in the conjoint reading of the Aircraft Act, 1934 (“AA 1934”), the Aircraft Rules, 1937 (“AR 1937”), and the Civil Aviation Requirements, 2018 (“CAR”). The CAR, which is published by the D-G of Civil Aviation pursuant to the provisions of the AA 1934, stipulated the parameters of manufacture, usage & registration for Drones in India for the very first time. From the focal point of privacy standards, the CAR did not mandate any detailed safeguard framework and simply sought the operator of the Drone to ensure that the “privacy norms of any entity are not compromised”.
March 12, 2021, saw the advent of a more avant-garde legal enactment in the form of the UAS Rules, which superseded the CAR. Not only did the UAS Rules bring a higher amount of scrutiny to the standards of manufacture, usage & registration of Drones – the UAS Rules brought about additional regulations to regulate Drone-tech infrastructure & auxiliary safeguards to protect and preserve data privacy. The novel safeguards of UAS Rules aimed at ensuring not just the security and the privacy of entities by the Drone-operators, but also mandated it upon the Drone-operators to put to use “suitable procedures” and “appropriate applications” while using Drones, as well as prohibited such operators from distributing with any third party any such data collected by a Drone, without the explicit sanction of the person whose data has so been collected.
However, the entire premise of the UAS Rules was counter-intuitive to its aspirations as it left to the discretion of the Drone-operator to determine what kind of mechanisms are acceptable and appropriate for safeguarding the data accrued by a Drone – thereby giving rise to a lapse in the entire supposition of ensuring data protection and privacy. The overarching discretion that the UAS Rules bestowed upon Drone-operators, especially on the significant flanks of privacy, is what finally paved the way for the publication of the DR 2021 in its draft form in the July of 2021.
As potent or efficacious as the DR 2021 may seem prima facie, what is truant is any mention of any particular provision which promises to serve as a guardrail to data privacy in the DR 2021. Very much like its predecessor, the DR 2021 proposes a sophistic model of self-regulation – with absolutely no specified safeguards to prevent the misuse of data privacy.
THE CONTINUALLY CONNIVING GAME OF ‘EXEMPTIONS’
Way back in the May of 2020, the Civil Aviation Ministry had notified a conditional exemption of all the regulations of the former AR 1937-CAR regime for the agencies functioning under the Central Government – and the Ministry was so wilful in its approach that it even launched a portal by the name of GARUD to expedite the process of granting conditional exemptions to governmental agencies! However, such conditional exemptions were granted with a catch – they were only to apply exclusively to such Drones that were to be operated for Covid-19 related activities. The entire ballgame takes a concerning twist however with the arrival of the UAS Rules six months back.
The UAS Rules, which overrode the AR 1937-CAR regime, brought with it an unsettling development – it provides for a conditional exemption to all LEAs under the Home Ministry’s jurisdiction as well as the Police force of all States and Union Territories. The disconcerting feature in the conditional exemption granted to governmental agencies under the UAS Rules is founded on the practice and conduct of the LEAs in overseeing Drone-surveillance activities in the past two years – the reason behind such disconcert is that Drone-surveillance for law & order activities in India has seldom relied on the Law or the principle of Due Process, and almost-always on the fancy of Good Faith or some abstract notion of securing National Interests.
For this very reason, and as infelicitous as it may sound, for all the voices which suggest or seem to connote, or evince that the Personal Data Protection Bill, 2019 (“PDP Bill”) shall, once it becomes an Act, serve as the cure-all panacea to the concerns of breach of personal privacy by Drone-tech – it is high-time to step out of that pipe dream! Section 35 of the PDP Bill unequivocally confers on the Central Government such an authority whereby it can provide LEAs with exemption from the provisions of the PDP Bill, if it deems such an exemption necessary in the interests of the conjectural ideas of “national interest and security”, and “public order and morality”, inter alia other grounds.
THE MOTE IN THE EYE OF PRIVACY: THE LACK OF FORESIGHT IN THE LEGAL REGIME SURROUNDING DRONE-TECH
The 21st Century, for all the novelty and modernism that it has engendered in its innovations, has also brought about a calamitous predicament in the form of privacy infringement which such innovations hold a high potential to commit. The tight-spot that we find ourselves with the advent of futuristic tech is that the methodology via which the State collects personal data more often than not is in an arbitrary and haphazard manner – and, the operation of Drone-tech by LEAs stands as no exception to this practice of the Central Government or the State Governments in India in whimsically put technology to use.
The nuance of data protection and privacy always needs to be viewed holistically, and not in bits-and-parts – thus, the concerns of the risks of the misuse of Drone-tech should be viewed comprehensively while taking into consideration the HD cameras and the thermal imagery & GPS systems which are embedded in them. To add to the all-round fear of the misuse of data that is collected by such Drones, the all-encompassing exemptions that are being granted to LEAs and other governmental agencies to use and utilize such collected data – the thought of this can be petrifying, especially in the absence of a comprehensive data protection regulation in place. With the rise of facial recognition technology-induced surveillance in the policing activities in India, Drones have metamorphosed into influential machines with overpowering data storage and dissemination capabilities – but, with next-to-nothing transparency safeguards.
CONCLUDING REMARKS AND THE WAY FORWARD
An immediate elixir to the concerns spoken of so far is for the exemptions to the LEAs to be accompanied by certain reliable oversight procedures & safeguard mechanisms. For the same, it is the need of the hour for our legislators and members of the civil society to preserver for the expeditious enforcement of the PDP Bill. While at this issue, with the view of increasing accountability, it is also imperative that LEAs should be considered as Data Processors under the PDP Bill, and thus, the usage of Drone-tech by LEAs ought to have a transparent, specified, and lawful purpose. A viable alternative to categorizing LEAs as Data Processors would be to designate as Significant Data Fiduciaries under the PDP Bill such governmental agencies which use drones for surveillance purposes – thereby, making it exigent on all such concerned agencies to mandatorily perform a Data Protection Impact Assessment before any aerial surveillance activity is undertaken.
The preconditions of legality, necessity, and proportionality, as laid down by the Apex Court in the landmark KS Puttaswamy Case, are an absolute sine qua non that have to be adhered to in any activity undertaken by the State which may infringe the hallowed Right to Privacy – and the use of Drone-tech, irrespective of the reason behind such operation, stands no exception to the principle in place.
Perhaps nothing else would embody the concerns and consternations associated with Drone-tech in India 2021, than the notorious 1983 hit of the Police did when they rendered..
“Every breath you takeAnd every move you makeEvery bond you breakEvery step you takeI’ll be watching you
Every single dayAnd every word you sayEvery game you playEvery night you stay..”
I’ll be watching you.
The nuance of data protection and privacy always needs to be viewed holistically, and not in bits and parts; thus, the concerns of the risks of the misuse of drone-tech should be viewed comprehensively while taking into consideration the HD cameras and the thermal imagery & GPS systems which are embedded in them. To add to the all-round fear of the misuse of data that is collected by such Drones, the all-encompassing exemptions that are being granted to LEAs and other governmental agencies to use and utilize such collected data: the thought of this can be petrifying, especially in the absence of a comprehensive data protection regulation in place.