‘Eye in the Sky’- India’s Drone Operations and Privacy Concerns
India's use of drone policing during COVID-19 exposes the need for an overarching data protection law
The use of drone technology in India and its implication on privacy rights has surprisingly managed to evade much public attention, considering the extent of its use by government agencies and law enforcement over the past few years. The recent use of drones by terrorists to drop explosive devices at an Indian Air Force base in Jammu, and a proposal by the Indian government in quick succession to replace a set of newly introduced drone rules with further modified rules, has rekindled public conversation on this issue. This blog seeks to discuss the use of drone technology by law enforcement agencies in policing functions during the pandemic to enforce lockdown norms, India’s drone regulations and exemptions available for government agencies, and its effects on the right to privacy.
Drone use in India
Indian law enforcement agencies have been increasingly relying on the use of drone technology. The Delhi police has admitted to the use of drones hired from open markets during the Delhi Assembly elections and the devastating riots in the city in February 2020.
Further, drones were used to monitor potential protests during the foundation of the Ram temple in Ayodhya while the Indian Railways have recently procured them to keep railway premises under surveillance. These examples are in line with a growing international trend of using drones as policing tools, such as in the USA, Australia, Brazil, and United Arab Emirates.
Such use of drones has become further normalised in India during the COVID-19 pandemic. The Delhi police hired drones to conduct surveillance and collect data in the form of images and videos to ensure people were following lockdown norms. These surveillance drones had the capacity to record footage in SD cards and relay a live feed to the police officer piloting the drone.
Similarly, the Mumbai police and the Brihanmumbai Municipal Corporation have relied on drones to observe lockdown violations in residential areas such as Andheri and Dharavi. Drones used by the Punjab police in Amritsar sent alerts to the nearest police officer upon detecting individuals less than 6 feet apart, using a combination of artificial intelligence, location mapping, and high-definition cameras. Similar projects using drones were commenced in Hyderabad and across Kerala – the latter even hiring private citizens to operate hired drones as part of the surveillance efforts.
The data recorded by drones in Kerala included thermal imaging and video footage and was directly transferred to the phones of the local police. Even after the suspension of lockdowns, the use of drones in a monitoring role has continued in Chennai. These activities merit analysing drone regulations in India, viewed from the prism of policing function and ensuring safeguards for citizens’ privacy as well as data protection.
India’s drone regulations
Earlier, drones were regulated under the Aircraft Rules, 1937 read with provisions of the Civil Aviation Requirements, 2018 (CAR) issued by the Director-General of Civil Aviation under the Aircraft Act, 1934. The CAR prescribed manufacture, operation, and registration parameters for drones. In terms of privacy safeguards, the CAR merely required the drone operator to ensure that the privacy of any entity is not compromised in any manner, without elaborating any privacy standards or safeguards for such an obligation.
On March 12, 2021, the provisions pertaining to drone regulation in the Aircraft Rules, 1937 and the CAR were replaced by the Unmanned Aircraft System Rules, 2021 (UAS Rules). The UAS Rules regulate the manufacture, registration, and operation of drones and auxiliary drone infrastructure. The UAS Rules prescribe additional data protection and privacy measures- (a) requiring the drone operator to ensure the privacy of a person and their property while operating a drone, (b) requiring the drone operator to ensure data protection using ‘suitable’ procedures and ‘appropriate’ applications, and (c) prohibiting sharing of data gathered by a drone with third parties without explicit consent from the data subjects. Further, the UAS Rules only allow images and data to be captured by drones, when permissible by law, after ensuring the privacy of a person.
The UAS Rules also allow the drone operator to decide the suitable and appropriate mechanisms for protecting the data gathered. However, the present framework offers overarching discretion on crucial aspects of privacy and data protection to the drone operator. To ensure that such discretion does not lead to the violation of an individual’s right to privacy and data protection, the UAS Rules must operate within a codified data protection legislation. Practices adopted by drone operators on the foregoing privacy and data protection requirements could be subject to review by a data protection regulator to determine how these clauses can be best fulfilled by drone operators.
On July 15, 2021, after criticism on the cumbersome nature of the UAS Rules, the government published the Draft Drone Rules, 2021 for public comments, seeking to repeal the UAS Rules and replace it with a simpler set of regulations. Absent in these draft rules are any of the incremental provisions of the UAS Rules on citizen privacy and protection of data collected by the drone or any mention of safeguards to privacy or data protection. These draft rules result in a self-regulatory model without any mandated privacy safeguards or an overarching law on data protection, undoing years of incremental additions of privacy safeguards.
Exemptions from data protection regulations
On May 2, 2020, the Ministry of Civil Aviation announced a conditional exemption under the erstwhile Aircraft Rules, 1937 and the CAR for government agencies. On May 8, 2020, the Ministry of Civil Aviation launched the Government Authorisation for Relief Using Drones (GARUD) portal to fast-track the conditional exemptions for drone use sought by government agencies. The conditional exemptions were specifically applicable to drone use for aerial surveillance, aerial photography and public announcements relating to COVID-19, and was valid until further orders.
The introduction of the UAS Rules in March 2021 replaced the erstwhile Aircraft Rules, 1937 and the CAR. Shortly after this change, in April 2021, a conditional exemption from the entire Unmanned Aircraft System Rules, 2021 was granted to all government agencies under the jurisdiction of the Ministry of Home Affairs and for police forces in all states and union territories.
In the past two years, law enforcement agencies have conducted drone surveillance by consistently obtaining broad exemptions from India’s extant drone regulations. As a result, drone surveillance for policing has relied on good faith and contractual obligations, as opposed to legal safeguards for data protection and privacy.
This may continue to be the modus operandi for tackling obligations under India’s upcoming data protection law. Section 35 of the draft Personal Data Protection (PDP) Bill, 2019 (PDP Bill) gives the central government wide powers to exempt government agencies from provisions of the PDP Bill if deemed necessary on grounds including public order and state security. The PDP Bill requires reasons for these exemptions to be recorded in writing. This written record must also specify the procedures, safeguards, and oversight mechanisms applicable to the exempted government agencies.
However, in light of continued data collection and processing by government agencies on regular citizens and keeping in mind the wide exemption powers for drone use by law enforcement agencies, potential exemptions from data protection laws would constitute a major threat to individual privacy.
Policing through drones- a blind spot in privacy jurisprudence?
The ‘mosaic theory of privacy’ was developed by the US Court of Appeals for the DC Circuit in United States v. Maynard and endorsed by the US Supreme Court in United States v. Jones and Carpenter v. United States. The mosaic theory of privacy implies that as in a mosaic, the concept of data collection must be looked at as a whole, and not in part, to assess the risks of data collection to individual privacy. Jones and Carpenter held that GPS surveillance and policing through the use of cell site location information could respectively be categorised as a ‘search’ under the Fourth Amendment to the United States Constitution and would require a lawful warrant.
A fundamental issue with such widespread data collection is that the state collects data on citizens in an indiscriminate manner, and not just against suspects in criminal activity under a lawful process. The use of drones for policing and law enforcement in India reflects similar practices. The ability of drones to use high-definition cameras, collect location coordinates, run thermal imaging and distance mapping, and record images and footage of a general population brings to light the risks of widespread and indiscriminate data collection and processing.
An overview of India’s cases on state surveillance shows that India’s jurisprudence on state surveillance has so far been rooted in cases involving individual or specific surveillance. However, developments such as drone technology and its use in a systemic manner pose unique questions such as the role of informed consent in public drone surveillance and potential violations of privacy, seen through the lens of the mosaic theory.
Further, the use of drones through exemptions without an underlying data protection law is yet another instance of encouraging technology to assist in state functions and services in the absence of a comprehensive data protection law. Another example of such widespread use of technology in surveillance is the commencement of facial recognition technology (FRT) for policing in various states in India. The present use of drones equipped with high-resolution cameras and SD cards allows drones operations in conjunction with FRT, possibly enabling the compilation of huge personal data reference points with little transparency, safeguards, and oversight.
In strikingly similar circumstances, the use of drones by the Paris police to enforce COVID-19 lockdown restrictions was prohibited and deemed as violating personal data protection laws by France’s Supreme Court for Administrative Justice, pending legal safeguards approved by France’s data privacy watchdog. The verdict reasoned that drones that could fly at a range of 80-100 meters could technically identify individuals, risking potential use in contravention to data protection laws.
The way forward
The advent of new technologies and their use through wide exemptions from data protection obligations raise concerns regarding the lack of safeguards, oversight, and accountability. A clear example is how Indian law enforcement agencies have obtained broad exemptions from the feeble protections on privacy and data protection under India’s drone regulations.
These concerns can be assuaged to an extent with the launch of a personal data protection law, wherein exemptions granted to law enforcement agencies require some written safeguards and oversight procedures. However, a fundamental shift in the use of drone technology for policing is urgently needed.
Firstly, policing by government agencies using drones should be treated as data processing under India’s upcoming personal data protection law, and accordingly, must only be conducted pursuant to a clear, specific, and lawful purpose. Further, government agencies that use drones for monitoring and surveillance should be classified as significant data fiduciaries, and should conduct a data protection impact assessment prior to commencing any policing activity using drones.
Secondly, while government agencies may foreseeably rely on exemptions from drone laws and data protection laws, drone operations and the resultant data processing must adhere to the three-fold requirement for restraints on privacy laid out in Justice KS Puttaswamy (Retd.) v. Union of India. Drone operations by government agencies must meet the requirements of legality, necessity, and proportionality to their objectives regardless of the exemptions obtained from any legislation.
Thirdly, government agencies must be prohibited from hiring and renting drones owned and/or operated by private citizens. Public procurement through the release of tenders and requests for proposals increase transparency on the specifications and abilities of drones being used by government agencies.
Views are personal