Indian govt’s regulation policy for drones covered everything but privacy

Regulation scholarship has devoted considerable attention to the choice between rule-based and outcome-based regulation with no clear resolution in sight. When it comes to emerging technologies, this debate becomes even more complex because of the indeterminate nature of consequences at an early stage. Even if we were to promote outcome-based regulation, what outcomes are we talking about? Similarly, will rules promote or hinder positive values like innovation and experimentation?

This debate played out significantly post the financial crisis of 2008 when elaborately worded rules failed to tackle underlying systemic issues with mortgage-backed lending. In response, regulatory reformers called for outcome-based regulation wherein actors would be punished (or incentivised) based on their ability to fulfil certain outcomes. But critics of an outcome-based approach emphasise that outcomes are usually spelt out at an extreme level of generality, thereby rendering regulation worthless. Additionally, evaluating the outcome is difficult, placing considerable strain on regulatory capacity and resources.

Also read: Lost in the data localisation debate: Does India have full power to exploit its own data?

Models applied for drones

Take the case of the rule-based model first. This model, also considered a technology-based model because of the reliance on scientific stipulations when detailing permissible and impermissible behaviour, has been used to address concerns with the safety of civilian drone operations. But as is often the case, coming up with an extensive set of rules for the operation of the technology can end up stifling further innovation. This assumes significance because the drones market carries huge potential of generating employment opportunities for India’s youth in the manufacturing sector even as the industry is projected to be worth US$ 900 million by 2021.

In India, the no-permission, no-takeoff (NPNT) regime that UAV Regulations 1.0 puts in place for drone operations is rife with elaborate technological requirements that all drone manufacturers must provide for in order to enable mid-air tracking of drones. This regulation-technology solution mix, branded “Digital Sky”, while laudable for its objectives, misses the point that bad actors seldom comply with the onerous requirements imposed on everyone. Instead, to ease operational hurdles, it would have made more sense to have an outcome-based approach where operators must comply with well-defined operational outcomes including safety and security. An additional obligation could be to share material facts with the regulator rather than awaiting the latter’s permission before embarking on drone operations.

Conversely, the outcome-based model has been liberally applied when it comes to safeguarding the privacy of citizens. Instead of elaborately worded guidelines, we get to see open-ended statements that drone operators must respect the privacy of individuals. The supporting documents such as operators’ manual and technical tender for Digital Sky make cursory references to privacy-by-design without any guidance on how this objective may be achieved. Pursuant to the unanimous decision of a nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy vs Union of India (2017), wherein privacy was held to be a fundamental right, we would expect better from the civil aviation ministry on safeguarding this valuable right.

Also read: ‘Digital colonialism’: Why countries like India want to take control of data from Big Tech

Ways to address privacy concerns

Ideally, the rule-based model would have worked better. To do so, the ministry should have begun with delineating the kind of harms in play here. The first set of harms are traditional privacy risks, which stand exacerbated because of the unique features of drone technology.

When fitted with a high-resolution camera and miniaturised recording devices, drones are capable of serious intrusion into private spaces without the knowledge or consent of the individual subject to such surveillance. Apart from clear guidelines on the kind of operations for which drones may record visual feed and the format in which such feed may be stored, it would also serve well to introduce some criminal liability for intentional privacy intrusions. Considering the absence of a robust privacy tort in India that guarantees hefty monetary compensation to violated individuals, these measures are essential to bolster confidence in the technology.

Additionally, there are new age informational privacy risks associated with the technology on account of the ubiquitous data gathering and processing that it facilitates. To address the same, citizens need a privacy dashboard that keeps them informed of impending drone operations as well as gadgetry fitted in these drones. A personal data protection framework must also adequately address profiling and other concerns arising from similar technologies.

Finally, we must also develop safeguards against community privacy risks as governments increasingly resort to these technologies in the context of law enforcement and counter-terrorism. In short, the choice between rule-based and outcome-based models depends heavily on the risks we are talking about. Any technology regulation must use this as the starting point before zeroing in on either of these models or when applying a hybrid of the same for different kinds of risks. This must be followed by a suitability assessment and a regulatory impact assessment before finally opting for any particular regulatory design.

This article is part of a series examining The Future of Data in partnership with Carnegie India leading up to its Global Technology Summit 2019 in Bengaluru from 4-6 December 2019. More details about the summit are available here. 

The author is a Visiting Fellow at the Centre for Policy Research. Views are personal.