[Samraat Basu is a technology and data protection lawyer and Naveen Jain is a corporate lawyer specialising in M&A and PE/VC funding.]
The Indian regulatory landscape regarding the use of remotely piloted and autonomous drones has been evolving over the last few years. In June, the Government of India released the draft Unmanned Aircraft System Rules, 2020 (“UAS Rules”) to regulate the use of drones.
In this article, we first highlight the applicability of the Personal Data Protection Bill, 2019 (“PDP Bill”) to personal data that is collected and processed by drones. Second, we discuss how it is near-impossible for the users of drones to comply with the consent requirement under the PDP Bill. Finally, we opine that the regulatory sandbox provision of the PDP Bill should be utilised until the regulator provides granular details on how consent can be effectively obtained and managed in the specific context of drones.
Interestingly, it has been argued that privacy concerns continue to persist and have not been appropriately addressed in the latest draft drone rules which were released in June. To be fair, there is only one provision in the UAS Rules which states that the privacy of individuals and their property should be ensured while flying drones. No further rules or insight have been provided regarding the manner in which a drone operator/owner ought to protect and ensure privacy. While at first glance this may appear to be a significant oversight, on a closer look, it is clear that the general data protection framework operationalised through the PDP Bill will likely apply.
The obligations enunciated by the PDP Bill are required to be complied by all ‘Data Fiduciaries’. Data Fiduciaries have been defined broadly and include any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data. Further, the PDP Bill is applicable to any personal data that “has been collected, disclosed, shared or otherwise processed within the territory of India.” This means that pretty much anyone (or any corporate entity) who operates a drone, irrespective of size and weight, that is fitted with a camera, smartphone or any other similar apparatus that has the potential to impinge on privacy will need to comply with the PDP Bill.
The first step towards compliance with the PDP Bill is the requirement to showcase a valid ground for processing. Broadly, the grounds for processing may include any one of the following- consent, performance of a function of the government, compliance with law, medical emergency, provision of health services during an epidemic, provision of services and assistance during the breakdown of public order, employment and reasonable purpose.
For a majority of purposes, any private individual or company that is desirous of operating drones can primarily either rely on the ground of ‘consent’ or ‘reasonable purposes.’ Interestingly, as one can only imagine, in situations in the near-future such as wherein a drone is used for food/e-commerce deliveries, it is not possible to collect appropriate and granular consent from thousands of individuals who just happen to be in the line of sight of the drone. More crucially, such individuals have little incentive to provide consent voluntarily.
Accordingly, the only practicable ground for processing in such situations is ‘reasonable purposes.’ The PDP Bill states that reasonable purposes can only be specified by regulations after carefully considering parameters such as interest of the data fiduciary, whether it is reasonably possible to obtain consent, public interest, potential effects on the rights of individuals and reasonable expectation of the data principal (to protect privacy) in any given context.
As pointed out by the European Data Protection Supervisor, drones have the potential for serious misuse and can be used for widespread surveillance as it (a) is essentially an ultra-capable CCTV camera on wings; (b) can access hard-to-reach locations; and (c) can observe intricate details from a distance (through zoom). These factors significantly contribute to facilitating covert and overt surveillance and tracking of individuals or groups by both state and non-state actors.
Given these potential privacy risks, it is unclear whether the use of drones will be permitted by the data protection authority under the ground of ‘reasonable purposes.’ Accordingly, while the Ministry of Civil Aviation is enthusiastically working towards creating an enabling framework for the operation of drones, the wings of such a framework will be clipped until the data protection authority green-lights such use.
In our opinion, companies and individuals intending to operate drones would be well-advised to apply for a regulatory sandbox as outlined in Clause 40 of the PDP Bill until the regulator provides further guidance on how consent can be managed and obtained in the specific context of drones.