Drones, also known as unmanned aerial vehicles or remotely piloted aircraft (RPA), are not new. Indeed, drones were first developed in the '50s and have been used by the military for years. However, drones have only recently come on the civilian market. There are many possible commercial applications for drones, ranging from leisure, photography and logistics to the surveillance of infrastructures and crops.

As with all new technologies, it is expected that the development of RPA technology will create new jobs and growth. However, the large-scale deployment of drones equipped with cameras or other types of sensors raises privacy and data protection concerns. Indeed, drones can be designed to support payloads which vary in size and functionality (e.g. the processing of sounds or images, the recording of geolocation data, the detection of electromagnetic signals, etc.). In addition, drones may be difficult to view from your bathroom window or even from the ground.

In order to address various privacy concerns, the Article 29 Working Party has issued Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones. The opinion analyses how compliance with data protection laws can be ensured and gives concrete recommendations to policymakers, regulators, manufacturers and operators of drones. At the national level, data protection authorities are also dealing with this issue. For example, the Belgian Privacy Commission has posted on its website FAQs on drones (NL/FR).

One recommendation which caught our attention is that manufacturers be required to embed privacy friendly design choices and privacy friendly defaults as part of Privacy by Design.

Privacy by Design is an approach to systems engineering which takes privacy into account throughout the entire engineering process, not just at the end of the project as is unfortunately too often the case.   Privacy by Default is the application of default settings to protect individual privacy insofar as possible.

In our view, a Privacy by Design or Privacy by Default approach is absolutely necessary when it comes to drones. Where drones are equipped with cameras or other sensor technology allowing for the processing of personal data, due attention must be paid to privacy concerns from the start of the manufacturing process and throughout the drone's lifecycle. Issues such as the purpose of the processing, the information of data subjects, retention of personal data, and the security of the processing must be carefully considered. It is in any case appropriate to start with a privacy impact assessment.

Of course, the situation is very complex, and Privacy by Design or Privacy by Default alone is not enough. Adequately protecting privacy in the context of the large-scale deployment of drones requires a wide range of measures by all stakeholders involved. It is necessary to avoid at all costs conveying the impression of constant surveillance (even in the bathroom)!

If you are looking for something to read during your holidays, please note that interesting material on drones is available on the European Commission's website and the website of the European Parliamentary Research Service.