Civilian use of drones has been increasing greatly in recent years. Now, the use is spreading from pure personal use of hobbyists into the world of customer service and security.
From the legal perspective, there is not much data protection guidance on the use of drones on the EU level yet. When it comes to data protection issue of drones, an analogy with the use of CCTV cameras is often made.
Potential of the new technology
The European Data Protection Supervisor (EDPS) has issued an Opinion discussing privacy aspects of the civilian use of remotely piloted aircraft systems known as ‘drones’. This analysis was initiated by the European Commission, which issued a Communication on the Opening the aviation market to the civil use of remotely piloted aircraft systems in a safe and sustainable manner.
The Commission is aware of the increase in the usage of drones and also sees huge potential in this new technology.
In the Opinion, the EDPS reviewed some of the data processing possibilities of drones and concluded that they can be used for the processing of personal data.
Furthermore, the EDPS is of that opinion that drones, if combined with advanced technologies (e.g. sensors or cameras) may enable processing bigger volume of personal data than CCTV or planes.
This can enable drones to become a powerful surveillance tools and violate individuals’’ right to private life and data protection. The EDPS did not provide an in-depth analysis; they only indicated a direction of data protection requirements that need to be followed when using drones.
More detailed guidance has been provided by the UK national Data Protection Authority (DPA) Information Commissioner’s Office (ICO), who has issued a code of practice for surveillance cameras and personal information.
When discussing the data protection requirements pursuant to the use of drones, it is important to differ situations when drones are used for private activities or for commercial purposes.
Drone usage for private purposes
Although the Data Protection Directive 95/46/EC recognizes an exemption for data processing carried out for purely household activity, the case law has set limitation to this exemption.
For example, such exemption may not apply if a private individual publishes processed personal data on the internet and make them accessible to an indefinite amount of people (Lindqvist case).
Drones are often used for taking pictures and making videos, which are published on social media or otherwise spread over the Internet. Hobbyists should take into consideration that their exclusively personal data processing may need to follow data protection rules.
Another example of such pure domestic usage of drones can be home security. If an individual is using drone instead of CCTV with a purpose of protection of her property and belongings, the individual should pay attention to the capturing scope of the surveillance camera.
In case the drone captures not only private but also fragments of public areas, the household exemption may not apply (Ryneš case). In such situation, the individual should follow the obligations pertaining to data controllers as set out in the Data Protection Directive, which we analyse below.
Drone usage for commercial purposes
Companies that process personal information gathered by the use of drones should follow the EU data protection laws if they are established in an EU Member State or if they make use of equipment situated on the territory of an EU Member State (Google Spain case).
Such companies can be considered either as data controllers or data processors. The obligations of such companies are by analogy similar to those explained in Aphaia’s white paper on Big Data.
In particular, the companies should focus on:
Legal ground for data processing
The applicable legal grounds for the processing of personal data obtained by the use of drones are most likely (1) data subject’s consent or (2) legitimate interest of a company.
When obtaining consent, the company should provide information to the data subject, such as purpose of data processing, information on the controller or data retention periods. If the company relies on legitimate interest, it should consider limiting data processing operations to the necessary minimum.
Data subject’s rights
A company that processes personal data should be aware that data subjects have certain rights under the existing EU data protection framework.
For example, data subjects should be able to (1) obtain information from the company as to their personal data that has been collected; (2) access the data that the company has collected on them (3) correct their personal data; and (4) request that information about them be erased.
Storage of personal data
Companies should store personal data in a secure way, and should limit the access to the data to the minimum necessary. EU regulators generally advise to retain data no longer than necessary and when appropriate, to encrypt the retained data.
In its code of practice for surveillance cameras and personal information, the ICO recognizes that drone usage may be highly privacy intrusive. The ICO finds it very important that the use of drones is justifiable, so they suggest that drone users find innovative ways to inform individuals on the drone camera filming. Possible practices are distinctive clothing of the drone operator or notices on the drone operator’s website.
Additionally, the ICO and the EDPS advise companies to implement privacy by design and privacy by default principle and carry out privacy impact assessment, which has been introduced by the new Commission proposal on General Data Protection Regulation. The idea behind the aforementioned actions is to evaluate the risks that data processing presents for personal data and apply adequate data protection and security measures.
Although the EDPS has provided some guidance, the latter is not particularly detailed, thus a more in-depth analysis would be welcome, given the increasing popularity of the drones. Furthermore, apart from the ICO there is little guidance from national DPAs on the use of drones.