Data protection / drones / Privacy / Privacy impact assessment

Opinion on drones released by EU Data Protection Working Party


“Technology is neither good nor bad; nor is it neutral” – How far might future usage of drone technology affect the very fabric of the societies in which we live?

The Article 29 EU Working Party (WP) has issued an Opinion about the data protection and privacy implications of utilising unmanned aerial systems (“drones”). This guidance is timely. Drone technology has become widely available at low cost to the civilian market, as well as being deployed by the military and law enforcement, and its popularity is growing. For example, it has been estimated that drones could account for 10% of the total EU aviation market by 2024, with nearly one third of overall world drone production already produced by official manufacturers in Europe (accounting for approximately 6,000 different models so far).

All of these different models raise privacy risks related to their operation. Such risks arise, in particular, to the unique, aerial viewpoints they can capture and the possibility of bulk data-gathering about human targets for unlawful purposes.

While recognising the social and economic benefits of integrating drones into European civil airspace, the Opinion focuses on the criteria for assessing the lawfulness and appropriateness of surveillance technology that can be installed on-board. In particular, it highlights the challenges of ensuring that their operation respects fundamental legal rights of those to whom the data relates. These include, most notably their rights under data protection legislation.

Under the Data Protection Directive, the Opinion sets out recommendations for operators to consider as a means to address concerns where data collected by drones (e.g. images, sounds, and GPS coordinates) can be used – alone or in connection with other information – to identify a living individual. First, however, the WP points out the possible application of the household exemption under Article 3(2) of the Directive – which provides that Directive does not apply to the processing of personal data “by a natural person in the course of a purely personal or household activity” (in the UK, see Section 36 of the Data Protection Act 1998). [For an interesting judgement on this issue last year, in which the EU Court of Justice held that the exemption would not apply where CCTV installed on a family home for crime prevention purposes recorded (even partially) images from a public space, see Sophie’s post here].

Assuming that this exemption is not applicable, issues flagged by the WP for consideration by drone operators include ensuring compliance with the key data protection principles of purpose limitation, data minimisation, and proportionality. For example, measures of compliance by an operator might include choosing drones with sensory equipment appropriate to the purpose of the processing, avoiding the collection of unnecessary personal data, deleting or anonymising captured personal data where possible, together with the adoption of suitable data security. Also important is the promotion of transparency regarding how drones are operated, which would normally involve informing data subjects about the types of data that will be processed, the purposes and duration of the processing of such data planned, and who will access these data. These essential information-provision elements should always be provided to data subjects where the obtaining of their consent is being relied upon by the data controller to justify the processing activity under data protection rules.

The WP also sets out recommendations for European manufacturers to consider, specifically the building of privacy-by-design measures into drone technology, such as the involvement of a data protection officer in the process and the use of in-depth ‘data protection impact assessments’ (DPIAs) to analyse the potential impact of emerging applications on privacy and data protection. Such recommendations are especially fitting at this time as they reflect provisions introduced within the draft General Data Protection Regulation by the European Commission (currently under trilogue negotiation as I reported recently). For example, draft Article 33 of the Regulation would require a mandatory DPIA to be carried out by data controllers where the data processing they want to engage in would present significant risks to individuals. The WP also suggests that post-design considerations for manufacturers might include the provision of information on packaging pointing out the potential intrusiveness of the drones inside and identifying where their use is allowed.

Of course, the concerns raised by drones go wider than compliance with data protection concerns. More practical matters include the need to verify whether drone operation requires authorisation under national law (e.g. in the UK, from the Civil Aviation Authority). Furthermore, there is the risk of one citizen (wittingly or unwittingly) infringing upon another person’s privacy, which may in turn give rise to a cause of action for misuse of private information in the domestic courts. While emerging civilian applications for drones are often recreational (e.g. photography, leisure, services, and logistics), the effect, or indeed the true purpose of the aerial surveillance, in any particular case may be decidedly anti-social.

The risks for the rights and freedoms of individuals are potentially even greater when the processing of personal data by means of drones is carried out for law enforcement purposes, even though there is an exemption (albeit not an absolute one) in the Data Protection Directive to such ends. For example, drone usage by the UK police will have to comply with Part II of the Regulation of Investigatory Powers Act 2000 (RIPA) by deploying specific oversight mechanisms. Article 8 of the European Convention of Human Rights – the right to respect for one’s private life, which is both potentially broader than the scope of data protection law (it might apply to the processing of data which are not personal but nevertheless affects a person’s privacy), and narrower than it (it will not apply upon a processing of personal data which is not considered to infringe a person’s privacy) depending upon the facts of the case – is also potentially relevant. Additional recommendations are included by the WP in a law enforcement context, such as the prohibition of drone usage for constant tracking of a human target.

In conclusion, many of the WP’s recommendations echo those made in the ICO’s data protection code of practice on the use of CCTV and surveillance cameras (see my early post on this topic, as well as the Home Office Surveillance Camera Code of Practice Pursuant to Section 29 of the Protection of Freedoms Act 2012). However, as drones are not fixed to the ground, the issues they raise are potentially more wide-ranging than those associated with CCTV and create fundamental dilemmas for policy-makers regarding the appropriateness of introducing specific rules for their responsible usage. To this end, the WP acknowledges that the development of common European standards by the European Aviation Safety Agency to regulate the operation of civil drones may be required, as well as new national policies explicitly incorporating privacy and data protection standards.

While the EU Institutions are aware of the challenges ahead to enable this fast-growing industry to reap its full potential (see, e.g. the European Commission’s 2014 Communication on Opening the aviation market to the civil use of remotely piloted aircraft systems in a safe and sustainable manner), it is clear that more can be done from a social acceptability viewpoint. Promoting new standards and the adoption of industry codes of practice specific to drones – to help to promote awareness of the potential for privacy problems and prevent infringements – would be a first step, as acknowledged by the WP (e.g. page18 of the opinion).

A larger step for the future would involve more explicit recognition that the social impact of drones goes beyond those of privacy and data protection. Indeed, many have called for public consultation about drones that encompasses wider ethical and civil issues (such as the dangers of social sorting) and, potentially political liberties (such as how drones can be used as tools of counter-surveillance by citizens against unjustified state intrusion).

As the historian, Melvin Kranzberg, described, “technology is neither good nor bad; nor is it neutral”. In other words, context makes all the difference in evaluating technology. The challenge for policy-makers now is to develop a policy framework that will enable the progressive development of the drones market, while maintaining the correct balance between security and liberty. There is a lot at stake. It would not stretch the imagination unduly to think of future scenarios where drone technology could be used in ways that affect the very fabric of the democratic society in which we live.

Alison Knight

Leave a Reply