WP29 releases opinion on data and privacy protection issues relating to the utilisation of drones

Recently, given the rapid deployment of technology in the drone industry and its impact on privacy, the adoption of specific legislation has become a more topical issue in the European Union. The Article 29 Data Protection Working Party (WP29) published its opinion concerning data and privacy protection issues relating to the use of unmanned aircraft systems (UAS) in Civil Aviation, which is addressed to legislators at both national (CAAs) and European level.

The Opinion was written in response to a request from the European Commission's DG Enterprise and Industry for recommendations on how to begin establishing an adequate framework and how data and privacy protection issues should be addressed at European level.

The WP29 was set up under Directive 95/46/EC and it is composed of a representative from each EU Member State, the European Data Protection Supervisor and a representative of the EU Commission.

While the European Commission focuses on the data and privacy protection issues arising from the use of remotely piloted aircraft systems (RPAS), WP29 highlights that the Opinion should apply to data processing arising from the use of any manned, unmanned (fully autonomous aircraft or remotely piloted aircraft systems), aeronautical or spatial aircraft for civil operations.

High risks for data and privacy protection

Although the civil use of drones undeniably has a positive effect on the economy, the WP29 draws attention to the potential danger to data and privacy protection. RPAS are increasingly being used for commercial and civil purposes; however, it is not the use of the drone itself but the on-board sensors that may represent high risks for data and privacy protection.

Firstly, they can cause privacy concerns among the public due to the equipment which is added to the drones (smart cameras, specific sensors, detection equipment and radio-frequency equipment), not to mention the possibility of interconnecting drones or their ability to enter places which are almost inaccessible (through roofs, fences, barriers), which can lead to an infringement of civil rights and to the so-called 'chilling effect'.

Secondly, a potential risk of function creep exists, due to the developed technology and the sophisticated equipment that are used (drones can collect a huge amount of data of which data subjects are not aware).

Legal framework

While a coherent legal system does not exist regarding the data protection issues arising from the use of drones, the Data Protection Directive 95/46/EC (the Directive) and the Directive on Privacy and Electronic Communication 2002/58/EC (amended by 2009/136/EC) may serve as a legal framework if drones are used by providers of publicly available electronic communication services. The WP29 sets down some exceptions that may fall outside the scope of the Opinion according to the Directive:

  • data processing by a natural person in case of a purely personal or household activity (Article 3.2 of the Directive).
  • in case of personal data processing solely for journalistic purposes (Article 9 of the Directive).

The European advisory body considers the use of drones by law enforcement dangerous. Police services should make sure that the use of drones directly operated by them is necessary and has a valid legal basis; otherwise fundamental rights and freedoms, protected by the European Convention of Human Rights (Article 8 on the right to respect for private and family life) and the European Charter of Fundamental Rights (Article 7 on the respect for private and family life and Article 8 on the protection of personal data), may be infringed. Furthermore, collecting data by the use of drones for law enforcement purposes should respect the principles of proportionality and transparency.

Recommendations and indications

The WP29 gives indications and recommendations to policy makers and sector regulators, manufacturers and/or operators.

In the WP29's opinion, the introduction of no-fly zones could be envisaged, and maps could be printed out to inform the users about the designated areas. This might represent a solution to ensure the protection of private areas (such as gardens, courtyards, terraces).

Manufacturers could involve a Data Protection Officer in the design and make drones as visible as possible. The WP29 also recommends the adoption of Codes of Conduct, containing sanctions in case signatories violate the norms, which might help operators prevent infringements.

The WP29 emphasises the importance of the transparency and proportionality principles. Data subjects must be aware of the collection and the processing of their personal data (Article 6 of the Directive) and also informed (Article 11) publicly by means of social media, leaflets, websites etc.

In conclusion, the Working Party calls on European and national policy makers, as well as Civil Aviation Authorities (CAAs) and Data Protection Authorities (DPAs), to cooperate and to promulgate comprehensive legislation. The main aim is to make data processing legitimate in compliance with Article 7 of the Data Protection Directive.
