The Argentine Personal Data Protection Authority has ruled on the use of drones regarding the collection and processing of personal data obtained through their use.
On May 27, 2015 Rule No. 20/2015 (hereinafter, the “Rule”) of the Argentine Personal Data Protection Authority ( “DPA”) regarding the legal conditions for the collection of personal data through the use of unmanned aerial vehicles (UAVs) or drones, was published in the Official Gazette. This new Rule is in line with the previous rule on privacy-related aspects in the use of video surveillance devices (see Video Surveillance Regulation published in Marval News # 148 of March 31, 2015).
The purpose of the Rule is to strictly regulate aspects related to privacy and personal data protection, but it does not encompass regulatory issues regarding air navigation. The Rule covers data collection activities of personal data containing photographic, film or audio material, or material of any other nature, in a digital format that has been obtained through the use of UAVs or drones, for storage or further processing purposes.
The Rule sets out the legal conditions for the collection of personal data through drones, among which we can point out the requirement of obtaining consent from the data subject. Such consent is not required under the following circumstances:
- Public acts or events of general interest;
- Private events in which the recording by the organizer or the person responsible for the event is for ordinary uses and customs (weddings, parties, etc.);
- Recordings by the State;
- Recordings conducted for the purpose of providing care to people in emergencies or disasters;
- Recordings within the premise of a private property. In the event that third party access is granted on a regular basis, the conditions of the processing of data must be informed of in accordance with Personal Data Protection Law No. 25,326.
The owners or users of UAVs or drones that collect and process personal data as a result of their usage have to comply with all of the same obligations Law No. 25,326 imposes on data controllers; for example: honoring the principles of data quality, taking the necessary security measures, complying with the duty of confidentiality, ensuring the rights of the data subjects, and registering databases on the National Database Registry. In addition, they must implement a manual or policies for processing personal data obtained by UAVs or drones.
The Rule also states that, in data collections by these devices for purposes relating to scientific or cartographic studies, or studies about natural resources, personal data anonymization techniques should be applied in the shortest period possible, so as to prevent a person’s identification.
The Rule does not apply to the use of drones exclusively for recreational purposes, and/or uses not aimed at capturing personal data of third parties. Notwithstanding, the Rule itself sets forth some recommendations and good practices for the recreational use of these devices that should be considered by the owners and/or users of UAVs or drones, such as the following:
- The user should exercise reasonable use of these devices, avoiding harmful interferences of privacy.
- The user should avoid the collection of data and/or erase the stored data in the event a data subject raises an objection.
- The user should avoid the collection of sensitive data (data that reveals racial and ethnic origin, political opinions, religious, philosophical or moral convictions, syndicate affiliations, and information regarding health or sex life).
- The user should exercise extreme caution whenever using these devices in public areas or spaces with a high conglomeration of people.