Regulating the eye in the sky - drones, privacy and data protection

All children of the 1970s understood that if an object in the sky was not identifiable as a bird or a plane, then it had to be Superman. Today, however, it is more likely to be an unmanned aerial vehicle, or a 'drone' as they are more commonly known.

An expanding market

Advances in technology have seen drones evolve from the sole preserve of the military, through to devices with wide civil, commercial and consumer application, available at price points to suit every budget.

This rapid expansion in the global drones market promises a very different relationship between society and its use of the sky. The potential applications for drones appear to have no limit. Facebook is already testing solar powered drones to deliver internet connectivity to remote parts of the world and both Google's Project Wing and Amazon's Prime Air initiatives are testing drone deliveries to our homes, and seeking to overcome the challenges of operating drones safely beyond current line-of-sight restrictions.

There is also a marked growth in consumer drone use. A Drones intelligence report published by Business Insider in March 2016 reported that global consumer drone shipments are projected to top USD 7.3 million in 2016 and, according to the report, will reach USD 29 million by 2021, meaning shipments will more than quadruple over the next 5 years as technology improvements encourage increased adoption.

However, the expansion in drone technologies brings with it a number of important risks and challenges for regulators, drone manufacturers and operators. Some risks, such as compliance with aviation laws, will be obvious but other risks and threats, including those to privacy and data protection, are equally important.

Threat to privacy?

It is worth emphasising that not all drone use will necessarily give rise to privacy and data protection issues. Rather, these issues arise where, for example, equipment on-board the drone allows for the collection of visual images, sound or geo-location information. This equipment may be integrated into the drones at purchase or added by way of the growing market of software and hardware vendors, which expand a drone's features and functionality. Those on the ground may, of course, not be able to tell what on-board features a drone buzzing above them includes, meaning that a perception of being spied upon can potentially persist regardless of the data gathering capabilities of specific drones.

One example of the public sensitivities to surveillance is the number of reported cases of drones being shot down by agitated members of the public. There have been several reported incidents in the US. In the British Channel Islands, it was reported in the summer of 2016 that a local man reached for his shotgun and downed a drone being flown to photograph a house nearby at the request of the owners. The man later referred to the drone as the "flying Peeping Tom machine", claiming it visited his private sun deck and hovered in front of his daughter's room. He added that he had no knowledge at that time as to who was controlling the drone or from where. He also explained that his house was on the approach to the grass airstrip of the island and that he therefore believed his actions were "in the interests of our community, both over safety and privacy".

Key aspects of the EU legal framework

There is no specific harmonised law in Europe on the privacy and data protection implications arising from the use of drones; rather, the data protection Directive 95/46/EC (the Directive) and national data protection laws implementing the Directive apply to the extent that data captured by drones is personal data of individuals. In addition, there are also the wider rights and principles enshrined in the European Convention on Human Rights (the Convention), in particular the right everyone has to respect for his private and family life, his home and his correspondence under Article 8.

From a UK perspective, the Convention rights are incorporated into UK law by way of the Human Rights Act 1998, obliging courts and public bodies to take account of the Convention rights when considering any matter involving those rights. Referrals of member state court decisions to the European Court of Human Rights (ECHR) have, over time, created a body of law that recognises the importance of protecting private life. This is particularly the case in the face of technologies which may enable, for example, covert images to be captured without consent and/or be widely disseminated in cases where there is no public interest in disclosure.

Aside from the Directive and the wider Convention rights, certain member states may also have national provisions relevant to the use of CCTV systems that can be equally relevant to drone use where they include video systems.

Key data protection law considerations

From a data protection perspective, the collection and use of personal data of individuals (such as images, sound or location information) by equipment on-board a drone can be subject to data protection law.

Certain limited exemptions may apply, including where drones are used for personal or domestic reasons (such as using a simple drone in the back garden). A clear distinction could previously be drawn between exempt hobbyist domestic use and commercial, professional use of drones (to which data protection law applies). This distinction has become blurred, however, following the decision of a Court of Justice case in a reference from the Czech Republic involving private use of CCTV. The effect of this case is that the domestic exemption is restricted and would be unlikely to apply in a case where, for example, a drone captured footage outwards from the boundaries of the user's property and covered (even partially) a public space or other people's gardens or property, so that the data of individuals in those other spaces was processed.

This does not mean that domestic or hobbyist use of drones is prohibited; rather, it means that users must be alive to the potential privacy intrusion that their drone use may cause. Some of the considerations mentioned below that have become relevant to all professional and commercial users of drones may be equally relevant when ensuring responsible use of drones in the domestic or hobbyist context.

Key data protection requirements relevant to the use of drones include the following:

  • Lawful processing – meaning in practice that:
    • drones collecting personal data must comply with all relevant laws. This will be particularly relevant if national law prohibits drone use, where a specific authorisation is required from the relevant Civil Aviation Authority (CAA) due to type or size of the drone or the way it is used or where national regulations on CCTV apply to drone cameras; and
    • one of the legal bases in data protection law necessary for the processing to be legitimate is satisfied. Relevant conditions here include:
      • consent – in practice, obtaining the consent of the subjects of images or video recordings, for example, is likely to prove difficult in many cases, particularly as in order to be valid, their consent would need to be freely given, specific and informed;
      • necessary for a contract where the subject is a party – this could be relevant where a drone is used by an estate agent under its contract to sell a property, to take a video just of the owner's property or alternatively where a purchased product is delivered to a buyer's home by drone;
      • necessary for legal or public interest reasons – such as certain limited, necessary and proportionate law enforcement uses of drones;
      • strictly necessary to protect the subject's vital interests – for example the use of drones in certain cases by emergency services to locate accident victims; or
      • necessary for the purposes of legitimate interests – this is provided the data subject's interests, rights or freedoms do not override those of the controller for the data from the drone. Examples here may include drones used for private security or to survey critical infrastructure such as power lines or pipes as well as those used for environmental monitoring or archaeological site mapping.

Any personal data legitimately processed by drones for specific purposes should also not then be used in different ways that are incompatible with the original purpose.

  • Transparent and clear to subjects – meaning people should be made aware of the collection and processing of their personal data. In particular, they should be told who the controller of the drone is, the purpose of the processing and other information such as the type of data being captured, who it may be shared with and their rights to access and correct the data. Clearly, drone use presents challenges for how to give clear and upfront information to people and for this reason it is recommended to adopt a range of different approaches to communicating this information, which may include, for example:
    • advance notices – for example, this may be possible in the context of sporting or other events where information can be provided in pre-event literature, programme materials and on social media. It may also be relevant where, for example, an estate agent writes to inform neighbours in advance that it will be recording footage of a property for sale near them.
    • on-site notices – including posters and signs at the entry to discrete drone-monitored areas
    • drone identification – taking steps to make the drone as noticeable as possible. This could include for example using bright colours, flashing lights and alert noises. It can also include labelling or providing registration mark details for the drone, which may be relevant if control of the drone is lost and data needs to be linked back to the operator. The use of registration marks may also provide the future potential for wireless transmission of drone registration details to be cross referenced with an online resource providing details of the controller of the drone and its use.
    • operator visibility – for line of sight drones the operator can be made to appear highly visible and identifiable as such.
    • online resources – such as websites and applications that are used to give more information about why, how and where drones have and will be used by the controller.
  • Proportionate processing – meaning in practice an assessment is made to ensure that only personal data that is adequate, relevant and not excessive for the purposes is collected and that any personal data collected is limited to the minimum necessary for that purpose. Steps to help meet this requirement when operating drones will include, for example:
    • drone technology – understanding the capabilities of the drone and choosing technology and settings that are appropriate to the specific objective, for example:
      • switching off the recording features where these are not required or only activating these when the drone has reached the specific zone of interest, (rather than leaving these continuously running across the flight);
      • understanding if the drone has features that can be used to restrict its field of vision to a reduced area of focus;
      • considering whether software built into the drone (or capable of being applied to the drone) enables mapping against pre-defined no-fly zones to prevent the drone entering these areas and minimising the risk of intrusive personal data collection.
      • understanding the data storage capabilities of the drone and ensuring that any personal data collected is only kept for the minimum time necessary for its purpose and disposed of appropriately when it is no longer required.
    • environment – when planning the use of a drone, considering the area, and plotting a flight path that avoids, as far as possible, flying over populated or private areas and buildings.
  • Secure processing – taking steps to secure personal data from any unauthorised or accidental access, disclosure, alteration or loss, including remote cyber-attacks on the drone itself and where the personal data is being transmitted from the device. This could, for example, be by using encryption or other appropriate methods to lock down access to the information to only those limited people who are authorised to view or access the recorded images and data.

In order to take account of the above, it is therefore recommended to carry out a privacy impact assessment to evaluate if the proposed use of the drone is likely to intrude on people's privacy, whether the use is necessary and proportionate and if so how any detrimental impacts might be overcome, taking into account the considerations mentioned above.

Enforcement and remedies

Complaints can be brought before the relevant data protection authority if a person believes that drone use has resulted in processing of personal data in breach of data protection law. That said, the focus of regulator attention is more likely to be on intrusive commercial use of drone technology rather than those individuals using drones responsibly for personal use, even if they do capture personal data of strangers incidentally.

Serious data protection breaches could result in formal action. In the case, for example, of the UK, the Information Commissioner could seek formal undertakings of future compliance, serve an enforcement notice requiring certain steps to effect compliance or issue a monetary penalty of up to GBP 500,000. Individuals also have the right to bring actions for compensation if they have been damaged by the processing of personal data.

It is worth noting that as of 25 May 2018, a new EU General Data Protection Regulation (GDPR) will replace the Directive and apply across all EU member states. In addition to formal legal obligations to conduct privacy impact assessments and to adopt privacy by default and by design concepts into compliance controls, the law will include enhanced rights for individuals, and tougher penalties for non-compliance.

In particular, infringements of certain provisions can be subject to fines of up to EUR 10 million or EUR 20 million or, in the case of a business, up to 2% or 4% of the total worldwide annual turnover of the preceding financial year, whichever is the higher, depending on the type of provision that is breached. Individuals' rights to compensation will also be broader, including the ability to bring claims for both financial and non-financial damage (including distress) they have suffered as a result of the breach.

Against this backdrop of changes to the data protection regulatory framework, the further expansion of drone use in coming years is also driving an ongoing push (such as by the European Aviation Safety Agency and the European Commission) to develop a wider regulatory framework for the operation of drones. These developments may in turn also extend the current privacy risk assessment model for drones outlined above.

Certainly the intensity of the debate and scrutiny around drones underlines the importance of all risks identified, including the privacy and data protection issues for drone technology and their use. In the meantime, as drones become more prevalent, we must hope that, until the law catches up with the market, social norms will help to regulate drone use without the need to reach for the shotgun.

Author

Sally Annereau
Senior Data Protection Advisor, Taylor Wessing

Sally Annereau is a Senior Data Protection Advisor at the London Office of Taylor Wessing's International data protection practice. She has 25 years' experience of advising on data protection and information law matters. Ms. Annereau previously worked for six years at the UK Information Commissioner's Office, in addition to data protection compliance roles within the broadcasting, direct marketing and professional services industries.

Ms. Annereau regularly presents and contributes on data protection as well as providing wider thought leadership on data protection issues and has been published and broadcast by the Guardian, the Daily Telegraph and the BBC.