Drone Law, Technology, Privacy Rights & Cyber Security
The regulation on drones is an area of law that often gets overlooked in the discussions surrounding privacy rights and data protection of individuals. In recent years, the usage of drone technology in India, especially by the government during lockdown, has seen a massive increase. To name a few instances, Police Departments in the states of Delhi, Mumbai, and Punjab have used drones for ensuring adherence to lockdown protocols by state residents, with Kerala police even hiring freelance drone surveillance operators. Law enforcement agencies have also used drones as means of policing. Major instances of this includes Delhi police’s usage of drones from the open markets to curb riots ensuing from the 2020 Delhi Assembly elections, UP police’s usage of drones for security purposes during Ram Temple’s inauguration in Ayodhya, along with the Indian Railways using drones for surveillance purposes.
Hence, law enforcement agencies using drones for surveillance purposes was normalised while covid protocols were enforced. However, even after the suspension of lockdown, this utilization of drones has not halted in states such as Chennai, where the police continue to use drone surveillance on their beaches. For this reason, a closer look at the drone regulation laws currently operating in India is warranted in order to inspect whether a proper balance is being struck between state security and the privacy rights of Individuals under the current framework.
Drone Regulation Laws in India
Prior to the Unmanned Aircraft System Rules, 2021(UAS Rules), drones were regulated under the Aircraft Rules, 1937 and the Civil Aviation Requirements, 2018(CAR). These regulations merely pertained to regulating the licensing, registration, manufacture, and other similar operations of drones without any mention of protection of privacy. However, the UAS Rules prescribe measures of data privacy and protection to be adhered to by drone users. Under UAS 2021 Rules, a drone pilot is under the obligation to guarantee the privacy or individuals and their properties, and to not share any information collected by drones to third parties without getting consent from the individuals whose data is collected. However, the data privacy scheme offered by the Rules had many pitfalls, such as the fact that the drone operator had the freedom to choose their own mechanism of enforcing data protection via various applications. In the absence of any overarching data protection legislation, this gives drone operators excessive discretion that can lead to the violation of an individual’s right to privacy.
Due to these and other similar concerns, the government published the Draft Drone Rules on 15th July, 2022, which seeked to replace the UAS Rules. However, the first draft of the DDR Rules was a regression on the growing jurisprudence on data privacy laws in India, as it lacked any provisions which mandated data protection standards and it instead put in its place a self-regulatory model, which was already a point of major criticism of UAS Rules 2021. Due to this, the rules faced backlash from the public which resulted in it not being enforced.
Another major drawback of these regulations is that governmental agencies under both the UAS Rules and previously enforced CAR, 2018, received conditional exemptions from being liable under the respective statutes. The conditional exemption under the UAS Rules of 2021 exempts the entire statute from being enforced on any governmental agencies under the Ministry of Home Affairs and State/ UT police regarding the operation of drones. Hence, drone surveillance in India for these agencies have relied on good faith rather than being bound under a data protection legislation.
This mode of operation may see a change with after the enforcement of the PDP Bill. This is because while S.35 of the draft bill allows the central government to exempt any governmental agency from its provisions on grounds of state security and safety, the draft bill mandates certain procedural safeguards. These include defining institutional process applications to review the exemption orders, mandating a written and reasoned order of exemption, and enabling Data Protection Authority (DPA) to audit the governmental agency’s adherence to S.35’s scope and conditions of exemption on an ongoing basis.
Threat to Individual Privacy
Under the current laws, the drone regulations in India pose a serious threat to an individual’s right to privacy. The extent of exemptions that is granted to governmental agencies while operating drones would be deemed to be a violation of individual privacy in most jurisdictions that have a developed jurisprudence on Data Protection. For example, Paris Police’s use of drones to enforce lockdown protocols was held to be an infringement on the personal data protection laws that are enforced in France. The US Courts have developed the ‘mosaic theory of privacy’ which insinuates that data collection has to be looked at as a whole and not only in minor instances to correctly assess the risk of violating a person’s data protection rights. Hence, widespread and indiscriminate data collection by drones in such jurisdictions are deemed to be illegal, unlike in India where such usage is protected under the wide exemptions granted to governmental agencies. Letting these agencies continue to act within these exemptions without any overarching data protection legislation that protects individual liberties is going to be extremely harmful to India’s jurisprudence on data protection. Instead, we should adopt the approach taken by the US Courts and view our current regulations through the mosaic theory of privacy. The extent to which indiscriminate data can be collected by drones amounted to being a ‘search’ under the US Constitution, thereby needing a lawful warrant for the same. At the least, the Indian Courts can use the Puttaswamy Judgement to ensure that the exemptions granted to the agencies adhere to the three-fold requirement for restricting the right to privacy. Under the PDP Bill, by adhering to the procedural safeguards, we can hold governmental agencies for violating provisions of s.35. This, however, would be a very small step that needs to be taken in order to reach the ideal legal environment on Drone Regulation.
Threat to Cybersecurity
The innovation in drone technology in recent years also poses a threat to cybersecurity across all jurisdictions. Drones might be used to inject malware on frameworks or disrupt the framework’s functioning, and this is true especially for those frameworks that operate via wireless protocols such as Bluetooth. Cyber criminals in other instances can even use drones to create digital interruptions in facilities that are unreachable on foot or vehicle. By flying drones over these facilities, such disruptions may be caused. Security measures against human threat such as biometric scans are, therefore, futile against such cyberattacks.
Drones can even be used to target people by providing spoof Wi-Fi access. People trying to connect to these Wi-Fi networks can have their data stolen, perform man-in-middle assaults, and conduct illegal surveillance on networks. This threat is amplified by the BYOD (Bring Your Own Device) policy followed by organizations that compel employees to bring their own devices to connect to the company’s Wi-Fi. In the absence of security measures such as forestalled de-confirmations, it leaves the employees of companies open to such cyberthreats.
Hence, it would not be long before businesses around the world start deploying security measures to specifically focus on drone cyber-attacks. The most common of these measures can be functionally categorised into securing drones and counter drones. Securing drones are proactive measures that help fortify the security of drones to prevent them from being hacked. These include implementing strong passwords, updating the drone’s firmware, using anti-malware software on the controlling device, etc. The second type of measures include employing counter drones that help mitigate the threat of illegal drones. In the United States, the FAA (Federal Aviation Administration) employ UAS drones whose communications cannot be jammed or taken down. They are also able to detect unauthorised drones and take them down. However, these counter drones are applied only to the military sector. As drone technology continues to evolve, new manners in which the crimes that are perpetrated using that technology will also increase. It is pertinent, therefore, that sufficient cybersecurity measures against these drones are employed by firms at a commercial level to prevent unforeseen losses by these crimes in the coming decades.
 S.35(a) DPB 2021
 S.35(b) DPB 2021
 S.35(c) DPB 2021
 (2017) 10 SCC 1