Drones And Their Data Protection Implications: Guidance Provided By Article 29 Working Party

The Article 29 Working Party has published an Opinion (01/2015) about the data protection and privacy issues in relation to the utilisation of drones.
The Working Party acknowledges the social and economic benefits of drones within the aviation market and the opportunities that could develop for law enforcement agencies, but emphasises that risks and threats to individuals' privacy will also increase through a large-scale deployment of drone and sensor technology.

While the commercial use of drones would be subject to the 28 members states' national data protection laws, generally at the EU level there is no specific data protection legislation for personal or governmental use of drones. Drones also present several unique challenges because of the manner in which personal data can be processed; for instance, through images, sound, geolocation, and the potential to interconnect multiple drones, as well as the potential for them to be used to gather information from areas that would not ordinarily be public, such as over walls, fences, or other barriers without the need for a direct line of sight. The potential for data collection from such unique vantage points increases the risk that individuals will be less aware that their personal data is being processed, in turn reducing transparency and increasing the possible intrusion into individuals' privacy.

The Opinion seeks to assist policy makers, manufacturers and drone operators by providing guidelines of how they should address data protection. Examples of compliance suggested include:

• Verifying the need for specific civil aviation authority authorization
• Deleting or anonymising any data that is not strictly necessary
• Engineering the technology in such a way to avoid collecting unnecessary personal data
• Adopting privacy-by-design and privacy-by-default measures
• Make data subjects aware of data collection and processing through a multi-channel approach, including written event information, use of social media, public displays, and newspapers or leaflets; and, as good practice, information should also be provided on drone operator website
• Undertaking privacy impact assessments to consider how a drone may impact the privacy of others
• Providing sufficient information with the packaging accompanying drones relating to the potential intrusiveness, and including maps showing permitted use space

The Opinion outlines the Article 29 Working Party's recommendations that include a suggestion that codes of conduct for drone users be drawn up to address data protection concerns and the responsible use of drones. The Working Party also requests that governmental policy makers require cooperation with the civil aviation authorities and data protection authorities.

The UK Civil Aviation Authority has already emphasised its willingness to levy fines on drone users for their inappropriate use. Regulators across Europe may follow suit.