The draft Unmanned Aircraft System Rules, 2020 ("Draft Rules"), which was released for public comments earlier this month, appear to have left a chasm by having inadequately addressed privacy concerns. Privacy emerges as a core concern as an imminent consequence arising out of civil/commercial operations of drones. Rule 35(1) of the Rules state as follows:
"An imagery may be captured by an unmanned aircraft except in the non-permissible area after ensuring the privacy of an individual and his property."
Notice that the Draft Rules merely state that privacy of an individual has to be respected without laying down any detailed guidelines and principles. It only presents an outcome and leaves the responsibility of that path, open-ended.
Why adopt an outcome-based approach for privacy?
It is a matter of concern that the Draft Rules adopt this outcome-based approach in relation to privacy because the same Draft Rules adopt an input-based approach for issues concerning safety standards and manufacture of the drones by stipulating technological standards that stakeholders have to comply with.
Considerable thought has been given while formulating the input-based aspects. For instance, safety concerns also have been accorded considerable technological inputs on Draft Rules by mandating that drones should have geo-fencing and return to home technology to ensure that the drones do not fly beyond the approved geographical boundaries.
Even the Civil Aviation Requirements, 2018 ("Regulations") and the Guidance Manual ("GM"), the current policy framework governing unmanned aerial vehicles, use only an outcome-based approach to privacy. Regulation 12.21 of the Regulations provides that drone operator/drone pilot shall be liable to ensure that privacy norms of any entity are not compromised in any manner and Para 1.4.3 of the GM simply states that privacy principles must be embedded within the drone by design to achieve the stated outcome in Regulation 12.21.
But there is ample scope and necessity for drone regulations to be prescriptive to ensure that privacy is not violate. Maybe it could concentrate on impact – for example, 'drones cannot fly within 40 feet of an individual or private property', or could the focus turn to technical inputs: 'drone operators shall fly a drone only if it is fitted with equipment that detects distance of an individual/private property'?
Extant Laws with respect to privacy and data protection
The present framework for privacy and data protection is covered by the Information Technology Act, 2011, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT Rules"). The recent judgment delivered by the Supreme Court in the case of Justice K. S. Puttaswamy (Retd.) and Anr v. Union of India and Ors, have also provided ample fodder to strengthen the privacy laws.
The IT Rules hold the companies using the data liable for compensating the individual, in case of any negligence in maintaining security standards while dealing with the data. The Expert Committee to the Data Protection Bill, 2018 in its report, held that while the IT Rules were a novel attempt at data protection at the time they were introduced, the pace of development of digital economy has shown its shortcomings. For instance, (i) the definition of sensitive personal data under the rules is narrow, and (ii) some of the provisions can be overridden by a contract. Further, the IT Act applies only to companies, not to the government.
The Data Protection Bill, 2019 (Bill) appears to address data protection concerns observed by the Expert Committee. The Bill, which is applicable to both Government as well as private entities, does this by putting in place a framework for notice and consent to the data principal (owner of the data) before their data is collected or processed, imposing obligations for data protection on the data fiduciary (entity deciding use cases for data), and setting up a mechanism for regulation and penalties for contravention.
However, the probability of a specific nature of privacy for the Draft Rules appears unlikely. We need to consider traditional forms of intrusions to privacy which stand heightened because of unique features of drone technology: intrusion into private airspace, surveillance, stalking and harassment where data is not necessarily collected or processed as per the Bill. In such scenarios there is no clear regulatory framework in place. This is particularly alarming considering certain corridors have voiced that India does not have a robust tort law.
We could start by compiling various harms that arise out of drone operations with respect to privacy and list out specific standards that can be adopted to address the harms. Further, is there is also a need to amend civil laws to accommodate private complaints for breach and compensation? Or in the alternate, should the outcome based approach be scrapped for the other?
The outcome based versus the input based regulatory models particularly in terms of emerging technology is well documented and there is consensus that outcome based approach is better suited for emerging/disruptive technologies. But, the outcome based approach in its present form would have been best suited if there was already a robust framework for privacy and data protection in place.
The authors are associated with HS Law & Associates and may be reached at [email protected]. Views expressed here are personal.