India’s drone rules, which were notified last week, offer little in terms of safeguarding people’s privacy. The rules also don’t do enough to address issues of surveillance that drones pose when used by law enforcement agencies on the ground.
The Civil Aviation Ministry had published a draft of these rules in June 2020 and had invited comments from stakeholders. The comments were never made public. The notified rules are an effort to frame dedicated legislation around drone use in the country, which so far has been regulated as civil aviation requirements under the Aircraft Act.
Consider this: The rules mention the word ‘privacy’ only once. The idea of seeking consent from people before a drone is flown over them is not mentioned even once. The rules say that drones should fly while “ensuring the privacy of a person and its property during operation”. However, they fail to delineate how this is to be ensured. Furthermore, while violation of this rule has been penalised, there is no mechanism for an individual to seek recourse or damages.
This provision also leaves the onus of protecting the privacy of individuals on the person flying the drone, and the rules themselves offer little in terms of procedural safeguards.
Then there’s the biggest problem of them all. The rules say that the government can exempt any of its agencies to deploy drones if it is in the “interest of security of India,” or in “national interest”.
There have been several instances of law enforcement agencies deploying drones without seeking the required authorisations from the Ministry of Civil Aviation and the airline regulator Directorate General of Civil Aviation. Drones have been flown over several protests. This means that there is neither publicly available information about the manner or purpose for which these agencies use drones, nor is there any transparency around the types of drones they deploy.
The possibility of wide interpretation of ‘national interest’ and ‘interest of security’ could enable mass surveillance. Together, these result in a situation where checks and balances on the use of such highly invasive technology by government agencies are completely lacking.
When it comes to the data that a drone would collect, which may well include the sensitive personal data of people such as their facial data, the rules say that the drone pilot will have to ensure the protection of the data and make sure that it is not shared with any third-party.
While it is commendable that the rules demand operators to make sure that the data collected by their drones should be safeguarded, they fall short of laying down specific circumstances under which a drone should be allowed to capture images and videos. Neither do they deal with how its footage is supposed to be stored, processed, and safeguarded.
Modern day drones are extremely efficient and capable devices. They usually come equipped with camera systems capable of capturing high definition images and videos. In many cases, visuals from a drone’s camera have also been relayed to a central monitoring hub for real-time monitoring by law enforcement agencies.
Also, while the rules require drones to undergo a number of tests before being certified to fly, none of those tests involves checking the drone for inbuilt privacy designs. Even though in its Drone Ecosystem Policy Roadmap, the Civil Aviation Ministry referenced privacy by design as the standard to eliminate risks of future privacy harms by operators, the rules spend no time on this.
“Drones pose a novel regulatory challenge because of their varied functionality that enables them to collect extensive data through high resolution cameras, infrared sensors, facial recognition technology, license plate identification mechanisms, and thermal imaging, all often without the knowledge or consent of the individuals whose data is being collected,” Saumya Jaju, a lawyer who’s researched on India’s drone regulations, told Entrackr.
“By not mandating privacy by design as an essential element of all drones in the country, the rules compromise on people’s privacy. Having privacy by design would have ensured that privacy is embedded into the design, hardware, and software of the drone at the manufacturing and operation stage,” she added.
The European Safety Agency Regulation mandates that a drone operator carries out a data protection impact assessment in line with the General Data Protection Regulation before operations. However, India’s rules have no such requirement, and don’t even mention the Personal Data Protection Bill, 2019, which is currently being deliberated upon by a joint Parliamentary committee.
Entrackr did not receive a response to our detailed queries sent to the Civil Aviation Ministry, and DGCA, until publication.
Other provisions in the rules
By means of the rules, the government wants to identify almost every single stakeholder in the drone ecosystem, including manufacturers, importers, traders, and pilots. All of these stakeholders will have to register themselves with the DGCA, and will only be allowed to operate once they have the regulator’s approval.
Several industry representatives that Entrackr spoke to concurred that the rules will increase the compliance burden on their companies.
For a drone company to be authorised, it will have to have a registered office in India, and the chairman and at least two-thirds of the company’s directors will have to be Indian citizens.
To get authorised, these companies will have to submit an application to the DGCA, who could also direct them to obtain a security clearance for people including directors in case of companies, or others in top management positions, from the concerned authorities. The rules did not specify the circumstances or reasons for which such clearance may be needed.
Central and state government agencies will not require this additional security clearance.
Once authorised, these entities will receive a Unique Authorisation Number from the DGCA, which will remain valid for ten years, and can be renewed for a further ten years.
A prototype drone can not be manufactured or imported without the DGCA’s permission. The only purpose of a prototype drone is to obtain a certificate of manufacture and airworthiness for a particulate type of drone. Once approved, every single prototype drone will be assigned a unique number, which will have to be affixed on it in an identifiable manner.
A drone without a valid certificate of manufacture and airworthiness can not be operated in India. In fact, any part or component of a drone can not be imported without the DGCA’s approval. One thing to note here is that many drone parts are not unique to drones, and can be used in other things as well. It’ll be interesting to see how the government enforces this provision.
The DGCA will appoint testing laboratories to test prototype drones for airworthiness. Some of the mandatory requirements for airworthiness:
- Compliance with the No Permission, No Take-off (NPNT protocol)
- Global Navigation Satellite System (GNSS) receiver(s) for horizontal and vertical position fixing;
- Autonomous Flight Termination System or Return To Home (RTH) option;
- Geo-fencing capability
- Real-time tracking system, and a 360 degree collision avoidance system.
For the certification process, applicants will produce their prototype drone, along with design documents to the testing laboratory allotted to them, and demonstrate that the drone is in compliance with the design aspects and other manufacturing and airworthy requirements.
And then there is retrospective compliance. Compliance with the NPNT requirement is mandatory for all existing imported drones except nano type (less than 250 grams in weight) prior to their operation.
Drones made by China’s DJI, which make up a bulk of the drones available in India, do not follow the NPNT protocol. As they are popular, many of their models have already been imported into India and are widely used by many drone operators. However, since none of these drones are NPNT compliant, they will have to be retrofitted with the NPNT module to conform to the drone rules. In fact, DJI has openly criticised the requirement in the past.
