MediaNama 9 Jul 2020

Minimise use of drones by public & private entities until India has a robust data protection law: Rights group Internet Democracy Project 

by Soumyarendra Barik

There aren’t enough provisions in the government’s draft drone rules to safeguard citizens’ privacy, digital rights organisation Internet Democracy Project said in its recommendations. The IDP recommended that unless there’s a comprehensive personal data protection framework, usage of drones by private and public entities should be minimised to security of the state and public health emergencies or natural disasters. The Ministry of Civil Aviation had released draft drone rules last month and has invited comments on them until July 10. The rules are an effort to form dedicated regulation around drone usage, as they are currently regulated as part of Civil Aviation Requirements (CAR), enacted in December 2018, under the Aircraft Act.

In the current draft, only one rule says that drones should be flown while protecting the privacy of individuals and property. However, the organisation noted that even this one rule fails to delineate how the privacy of an individual and their property can be ensured while capturing images from drones. “Insufficient safeguards to protect the privacy of individuals is problematic and may encourage mass surveillance by the government and surveillance capitalism by private sector entities,” it said.

The organisation also said that some of the exemptions offered to government agencies in the rules are “too wide, as they allow Central and State governments to exempt any person, any UAS [drone], class of UAS, person or class of persons from all or any of the rules”. As a result, it can “allow the government to outsource certain essential functions of the state to non-state actors, such as maintenance of law and order. Delegation of such essential functions of the state to private actors may affect the basic rights of the citizens and is an unbecoming approach in a democratic country,” the organisation remarked.

Avoid blanket exemptions to govt agencies, allow judicial oversight: Other recommendations

The Internet Democracy Project said that only a handful of government agencies should be exempted from the rules and only under exceptional circumstances, and all exemption orders should be made public for judicial scrutiny:

Exempting entities from adhering to the rules will rob citizens of protections against surveillance: The organisation also recommended that the central government should not be allowed to exempt any person and any drone from adhering to provisions of the rules, as at least two provisions in the draft allow it to. One of these allows the government to provide blanket exemptions to any entity they wish from adhering to some or any provision. “This provision would allow for exemption from even rule 35 [which talks about ensuring privacy of people and property], the only rule in the current draft that addresses privacy concerns, leaving citizens without protections from surveillance even vis-à-vis private actors,” IDP noted.

It said that only intelligence agencies and other central government ministries should be considered eligible to avail of this exemption and that too only in “exceptional circumstances” such as public health emergency, natural disasters and to ensure security of the state.

Only ‘statutorily backed’ entities should be exempted from obtaining operator permit: Another rule states that the government can exempt any central or state government from obtaining an operator permit in “national interest”. IDP recommended that only intelligence agencies that are “statutorily backed” should be allowed to be exempted from this rule since “security of the state and national security are functions of certain specific agencies of the State, and should not be performed by any other agency, person or class of persons”.

It also submitted that exemptions on “national security” grounds make no sense because the term has “not been defined in any statute and can be interpreted in many ways, including to enable mass surveillance”.

Enable judicial oversight: Exemption orders should be subject to judicial oversight, as recommended by the Supreme Court in the Aadhaar judgment, the organisation said. “Judicial officers shall examine the validity of the order and prima facie case against the data principal”.

Follow privacy by design standards: The draft must prescribe strict compliance with privacy by design standards for the manufacturers of drones, as laid down in the draft drone policy 2.0, which was formulated under then Civil Aviation Minister, Jayant Sinha, in January 2019.

The rules should also obligate drone service providers to establish feedback and review mechanisms, including requests to access, anonymise, or erase the personal data of the data principal, IDP remarked.

Avoid data retention: Data collected by drones such as images, videos, GPS data, among other personal data, should not be retained unless absolutely required for security of the state or in national interest, the organisation said. The accumulated data should not be allowed to be shared or sold to any third party unless it is to ensure security of the state, it added.

Other stakeholders’ recommendations to the draft rules:

By industry body Drone Federation of India: ‘Deregulate drone components, and ease restrictions on nano drones’

By rights group Internet Freedom Foundation: ‘Prohibit drone use by law enforcement agencies and integration of drones with facial recognition tech’

Originally published in MediaNama.