Drones and privacy: data protection risks
Unmanned flying aircraft (drones) have rapidly become a part of our lives during the last decade. Since the invention of modern prototypes of civil drones, almost everyone has had an opportunity to use drones for different purposes: making photos and videos, including commercial use for movies or television, security surveillance, logistics, agriculture, or even during military operations. Despite this wide range of benefits and possibilities, there are some risks concerning the use of drones. One of the risks is that a drone usually collects huge amounts of personal data. Thus, privacy regulations like GDPR, CCPA, LGPD, and others shall be followed during such data collection.
What personal data can a drone collect?
It actually depends on the quality and model of the particular drone. The simplest ones may not even have any means to collect personal data. However, most of them could do it via different collection instruments: cameras, electronic sensors, and infra-red scanners. It will enable such drones to collect images and videos of people, recognize faces, track geolocation data, and even some signals from smartphones.
In what cases does a drone not collect any personal data?
It may be the case if the drone does not have any means to track and collect personal data. Another situation that may occur is when the drone with GPS trackers and camera purposefully does not collect any personal data, for example, used for infrastructure observations (inspecting traffic jams without an ability to identify particular cars), animals or plants tracking in special places like forests or sanctuaries, agricultural purposes that do not cover any personal data processing. In that case, you also need to be aware of whether the data protection rules are not violated. Spanish Data Protection Agency (ANPD) mentions the following:
“Before sharing internet images or videos captured with a drone, it is necessary to ensure that they do not contain images or data relating to persons, vehicles, residences or other objects that may lead to the identification of data subjects and in the affirmative case, anonymise them using blurring techniques or similar. Examples:
Source: Drones and Data Protection |
What should companies/people who use drones do to be in compliance with privacy regulations?
Once again, it depends on the type of drone and the purpose you use it for. If you have a drone flying over your company’s premises to protect it from intruders, you need to ensure that your data collection is only necessary for achieving your purpose. It is an undisputed fact that a flying drone could be much more intrusive into other’s privacy than a regular CCTV, as an individual cannot expect to be observed, for example, somewhere near your company’s building within a radius of 500 meters. Therefore, as a drone user, you need to ensure that you do not collect personal data (video, photo, geolocation) from random people around. In any case, if you capture some data that way, it must be deleted, as it is not necessary to achieve your legitimate interest in protecting your property.
Another example! Let’s imagine you have a food delivery business that uses drones. It is quite a widespread way of delivery now, but it will undoubtedly grow much more in the nearest future. In that case, you also need to have a purpose for data collection: the address of the recipient and video footage that proves that the food was delivered. You also need to have a legal ground for data processing; most probably, it would be a performance of a delivery contract between your company and the client.
All in all, these two examples cannot describe all of the ways people may use drones for their business and data collection. However, it is easy to track the main principles of how to use drones in compliance with the GDPR:
- You need to have a purpose for data processing;
- You need to have a legal ground for data processing;
- You have to follow data protection principles (delete data when you no longer need it in accordance with the storage limitation principle, collect only necessary amounts of data in accordance with the data minimization principle).
The mentioned advice is the basic and essential part of data processing. Furthermore, in order to be more secure from any financial and other risks, the company or individual who operates drones may need to know more comprehensive and detailed practices:
- “Minimise the presence of persons and objects that allow for their identification (for example, bathers, vehicle registrations, etc.) in the area of the operation. This can be done by, for example, performing flights, where possible, at times when there are not large concentrations of people or when access to the flight zone is restricted.
- Promote and apply privacy features from design such as, for example, adjusting the resolution of the image to the minimum necessary to execute the purpose of the processing, reducing the granularity of geolocation for the same purpose, applying techniques for the anonymization of images (automatically during the capture or procedures to do so immediately subsequently) or mechanisms to initiate and stop the capture of data at any time during the operation, to implement secure communication protocols that prevent third party access to the captured data transfers and even control of the device itself or to include mechanisms that allow for the encryption of the data captured and stored on the drone itself.
- In areas where there will inevitably be people, complete the capture of images in a manner that persons cannot be identified, for example by capturing images only at a sufficient distance to ensure that their identification is not possible.
- Prevent the processing of another type of personal data such as, for example, the indiscriminate capture of mobile device identifiers.” (Source: Drones and Data Protection)
The UK data protection authority (ICO) draws attention to the obligation to inform data subjects that their data are being collected by drones. As it is not an ordinary process for data collection, data controllers/processors need to be innovative regarding the ways they choose to notify people. In the UK, you may register your drone with the Civil Aviation Authority in order to enable public authorities to track it and have some control over its usage, place a sign in the place you use a drone, have a clear and accessible privacy notice on the website that explains how you process personal data.
The Information Commissioner of the Republic of Slovenia also reminds that drone operators to remember data protection principles while processing personal data: legality, fairness and transparency, purpose limitation, storage limitation, data minimization, accuracy, and information security to protect personal data from disclosure. You may read the infographic regarding data protection and drones via the link (available only in Slovenian).
Conclusion
To conclude, drones are one of the signs and technologies of our nearest future. Many services will be provided using drones. Therefore, we need to consider issues concerning this opportunity now and avoid any possible data protection risks in the future. Fortunately, European data protection authorities are actively cooperating with drone operators by providing them with useful advice and guidelines on using them safely. In case you have any questions left, please write us an email 🙂 We will be happy to assist you!