Drones are the game changing marvel of technology representing boundless possibilities for innovation and utilisation. In the initial days, they were primarily used by governments across the world as a way to supplement their militaristic operations. However, given that the technology has immense capability for application in the civil sphere, different jurisdictions have already come up with frameworks to regulate the subject matter.
Drones can indeed be used for multiple purposes, including, (a) monitoring and inspection of infrastructure like railways; (b) improvement in agriculture through crop and soil health monitoring system; (c) ‘general use’ by civilians; (d) media and entertainment; (e) conservation of wildlife, etc. The multi-use capability of drones has become even more apparent in light of the spread of Covid-19 pandemic. Authorities are increasingly opting to use them for monitoring the situation as well as ensuring contactless operations and services to the public at large.
With use of drones set to only increase over time, it is important that such uses be regulated in an effective way to ensure that the right to privacy is respected, and the safety and security at large is not compromised.
A. Regulatory framework
Since 2014, India through the Directorate General of Civil Aviation (“DGCA”) has been endeavouring to put in place appropriate regulations for “unmanned aircraft systems”. Over time, India has seen a dramatic shift from its earlier stance of imposing a total ban on civil use of ‘remotely piloted aircraft systems’ (or what in general parlance is known as ‘drones’) to a regulated use of the same. On August 27, 2018 DGCA issued a circular laying down the Requirements for Operation of Civil Remotely Piloted Aircraft Systems (RPAs) (“Drone Regulations 1.0”). These regulations enable operation of visual line-of-sight daytime-only drones post obtaining a Unique Identification Number (“UIN”), Unmanned Aircraft Operator Permit (“UAOP”), and fulfilling other operational requirements. Drone Regulations 1.0 came into force on December 1, 2018, along with the Digital Sky Platform (“DSP”) and introduced the policy of ‘No Permission – No Takeoff’ in India. DSP is an unmanned traffic management platform that permits users to register their drones, pilots and owners.
To further liberalise the functioning of commercial-purpose drones, a drone taskforce was created by the Ministry of Civil Aviation. On the recommendations of the task force, the Drone Ecosystem Policy Roadmap was released on January 15, 2019 (“Drone Regulations 2.0”). This seeks to enable commercial use of drones, including autonomous drones, allowing their operability beyond visual line of sight. Further, this also seeks to enable foreign investment in this sector, creating a level playing field for foreign and domestic players. In May 2019, the DGCA sought expression of interest for beyond visual line of sight (BVLOS) drone experiments, for which it had approved delivery app Dunzo and drone startup Throttle Aerospace for conducting these experiments, even though the current framework does not allow for delivery of goods and/or food items via drones. The National Counter Rogue Drone Guidelines were introduced to address the law and order and national security issues which may be a result of the rampant use of drones. The Ministry of Civil Aviation also issued a notification allowing voluntary disclosure of non-compliant drones which were operating in the Indian airspace. Pursuant to this notification, the Ministry of Civil Aviation has registered 19,553 drones in India.
B. Current scenario and desired plug-ins
The potential of drones to fight the pandemic lies in such uses as its ability to deliver medicines and essential supplies as well as disinfecting large areas, which makes it imperative to examine the applicable privacy laws in the background of the unique characteristics of these machines. Various state governments and agencies have started using drones to enforce the lockdown imposed by the government and use it to curb the spread of disease.
Drones have the capacity to carry technologies like thermal imaging cameras, facial recognition technology, radio frequency equipment, etc. These latest advancements in technology only increase its reach and power further. Given that Indian cities are growing vertically, the concerns for privacy and possibility of surveillance only rise, with the drones collecting any and every data that come their way. Drones, thus, have a greater potential to infringe privacy than most other technologies available in the market and it has become necessary for the extant regulations to address this issue in a holistic and robust way.
In Drone Regulations 1.0, privacy is briefly addressed under the Operating Requirements which prescribe that: “RPA operator/ remote pilot shall be liable to ensure that privacy norms of any entity are not compromised in any manner.” There is no explanation as to what these norms being referred to are. In the absence of certainty of applicable framework, the basis of levy of penalties on potential violations (suspension/cancellation of UIN/UAOP) remains open to questions and lacks clarity.
It may be noted that the details required for Application for grant of Permission for Aerial Photography/Remote Sensing Survey (Annexure XI) include information like purpose of aerial photography/ survey, objects to be photographed, scale of photography, type of data, etc. It is not clear whether these will be scrutinised for protection of privacy of individuals before grant of permission.
The DGCA RPAS Guidance Manual, issued subsequently in November 2018, suggests that ‘Privacy of Design’ should be a guiding rule for a drone embedding the following principles:
- Proactive not reactive; preventative not remedial
- Privacy as the default setting
- Visibility and transparency – keep it open
- Respect for privacy of all the stakeholders – keep it ecosystem-centric
However, these principles use many abstract words, without any substantive content to the ‘privacy by design’ principles. While there exist the common law tort of privacy and the data protection norms under the extant laws governing privacy, these are not sufficient to safeguard against the violation of privacy (because of their limited scope, the elaborate reasons for the same are beyond the scope of this blog).
Thus, as of now, there is no clarity on the rights and liabilities concerning privacy of various stakeholders in the drone ecosystem.
In Drone Regulations 2.0 (yet to be enforced), there is enhanced focus on privacy issues. The need to ensure that drones do not compromise the privacy of citizens is reflected with a whole section dedicated to ‘data protection and privacy by design’. However, the only concrete requirement mentioned in these regulations is to “establish feedback and review mechanisms including requests to access, anonymise, or erase the data of the data principal” (apart from the compliance required under any data protection law once implemented). There is, however, no guidance as to the kind, extent, and manner of data collection, and the necessary consents required to collect, use, store and share data.
With the increasing applications, use and advancement in the drone technology, it becomes even more imperative and urgent, in our view, for a clear and robust framework for the protection of individual privacy, to be put into place. Requirements for drone-operators to operate on a consent-based model of collecting/using personal data, at a minimum, is one of the issues that needs to be addressed at the earliest. It is also important that the protections accorded to privacy are rethought in the background of the invasiveness of a technology like drones, especially given its all-pervasive use in current times.
 Indian Railways conceives to deploy “Drone” cameras in all its Zones/Divisions to enhance safety and efficiency in train operations, Press Information Bureau, January 08, 2018, available at https://pib.gov.in/newsite/PrintRelease.aspx?relid=175459, accessed on April 21, 2020 at 6 p.m.
 Drone Based Agricultural Technology, July 19, 2016, Press Information Bureau, available at https://pib.gov.in/newsite/PrintRelease.aspx?relid=147238, accessed on April 21, 2020 at 6 p.m.
 E-surveillance by drone will make an impetus on the preservation of tiger population- Shri Prakash Javadekar, March 18, 2015, Press Information Bureau, available at https://pib.gov.in/newsite/PrintRelease.aspx?relid=117274, accessed on April 21, 2020 at 6 p.m.
 Public notice dated October 7, 2014 on Use of Unmanned Aerial Vehicle (UAV)/ Unmanned Aircraft Systems (UAS) for Civil Applications issued by the office of the DGCA, available at https://dgca.gov.in/digigov-portal/?page=publicNotices, accessed on April 03, 2020 at 1 p.m.
 Requirements for Operation of Civil Remotely Piloted Aircraft Systems, available at https://dgca.gov.in/digigov-portal/jsp/dgca/homePage/viewPDF.jsp?page=InventoryList/headerblock/drones/D3X-X1.pdf, accessed on April 03, 2020 at 1 p.m.
 Regulations will be effective from 1st December, 2018 Operations of Remotely Piloted Aircraft System (RPAS) to be enabled through Digital Sky Platform dated August 2017, 2018, available at http://pib.nic.in/newsite/PrintRelease.aspx?relid=183093, accessed on April 21, 2020 at 6 p.m.
 Drone Ecosystem Policy Roadmap dated January 15, 2019, available at https://www.globalaviationsummit.in/documents/DRONE-ECOSYSTEM-POLICY-ROADMAP.pdf, accessed on April 21, 2020 at 6 p.m.
 ‘DGCA picks five consortiums to take its drone plan airborne’ Economic Times, January 22, 2020, available at https://economictimes.indiatimes.com/news/defence/dgca-picks-five-consortiums-to-take-its-drone-plan-airborne/articleshow/73508126.cms?from=mdr, accessed on April 03, 2020 at 1 p.m.
 National Counter Rogue Drone Guidelines, October 18, 2019, available at https://www.civilaviation.gov.in/sites/default/files/Counter_rogue_drone_guidelnes_NSCS.pdf, accessed on April 22, 2020 at 4 p.m.
 Notification dated January 13, 2020 issued by the Ministry of Civil Aviation, available at https://www.civilaviation.gov.in/sites/default/files/Drone_Registration_Public_Notice_13012020.pdf, accessed on April 03, 2020 at 1 p.m.
‘It’s Official: The Ministry of Civil Aviation (MOCA) has registered 19,553 Unmanned Aerial Vehicles (UAV)’ dated March 13, 2020, available at < https://www.thehindubusinessline.com/economy/logistics/its-official19553-drones-register-with-ministry-of-civil-aviation/article31062493.ece> , accessed on April 03, 2020 at 12 p.m.
 ‘Covid-19: In the times of ‘touch-me-not’ environment, drones are the new best friends’ Economic Times, April 01, 2020, available at https://economictimes.indiatimes.com/small-biz/startups/features/covid-19-in-the-times-of-touch-me-not-environment-drones-are-the-new-best-friends/articleshow/74924233.cms>, accessed on April 03, 2020 at 1 p.m.
 ‘Sangli, Guwahati police use drones to enforce Covid-19 lockdown’ The Hindu Businessline, March 31, 2020, available at https://www.thehindubusinessline.com/news/national/sangli-guwahati-police-use-drones-to-enforce-covid-19-lockdown/article31220657.ece, accessed on April 03, 2020 at 1 p.m.
 DGCA RPAS Guidance Manual (Revision 2), available at https://dgca.gov.in/digigov-portal/jsp/dgca/homePage/viewPDF.jsp?page=InventoryList/headerblock/drones/DGCA%20RPAS%20Guidance%20Manual.pdf, accessed on April 03, 2020 at 1 p.m.
 The section states that “
i. For the purpose of mitigating risks pertaining to privacy, protection of personal data or personal security arising from the operation of UAS, the original equipment manufacturers (“OEM”) can be required to include corresponding and specific features and functionalities which can take into account the principles of privacy and protection of personal data by design and by default. This is also in consonance with the international best practices.
ii. DSPs should be required to include data protection by design features i.e. implementing appropriate technical and organizational measures designed to implement data-protection principles as part of any UAS operation that collects personal data, and to integrate the necessary safeguards to protect the rights of data principals.
iii. DSPs collecting personal data should be required to establish feedback and review mechanisms including requests to access, anonymize, or erase the data of the data principal.
iv. Minimum training requirements for Remote Pilots should include knowledge of the relevant Indian privacy/data protection regulations.
v. Once implemented, such additional standards and compliances as required under the new data protection law.”