There is an increasing usage of unmanned aerial vehicles (“UAV”, more widely known as drones) for civil and commercial purposes: from environment monitoring to agriculture, from audiovisual productions to my favorite football team training… Whilst there are no doubts about the potential benefits of the civil use of drones, there is still no certainty about what are the most appropriate rules to address the data protection risks deriving from a large-scale deployment of drone technology.

The concerns are in essence very similar to those outlined for the Internet of Things (see here our post on IoT data protection concerns), as after all this is also about the increasing usage of sensors.

Whilst in many jurisdictions there are specific rules about operating and licensing a drone (see here our last post about Italian regulations), there are yet no drone-specific data protection regulations.  This may be surprising given the substantial data intrusion that may be caused, particularly if we compare the highly regulated fixed CCTV systems with what can be done by a drone equipped with visual recording or other sophisticated recognition sensors.

There is a generally perceived risk of being under surveillance, with individuals not being fully aware of whether and to what extend their personal data may be processed. There is also some confusion about the data protection responsibility chain, as to defining who is doing what. Often drones are used by outsourcers (as we experienced in many audiovisual productions), and those that from a legal perspective end up being data controllers or processors may not be fully aware of their responsibilities.

The above concerns had been addressed in Europe by the Article 29 Working Party (“WP29″) which issued the “Opinion on privacy and data protection issues relating to the utilization of drones” (with the Italian Data Protection Authority as rapporteur).

With this Opinion, the WP29 clarified that the usage of drones is not per se problematic. The concerns mainly stem from the lack of a general perception of the potentially invasive effects that may derive from a (wrong) usage of drones.  Albeit some guiding principles can be inferred from the current data protection and CCTVs regulations, the existing regulatory framework is not sufficiently updated for the current technologies.

The Opinion is addressed to drones manufacturers, operators as well as national lawmakers and law enforcers. Similarly with the approach used for the Internet of Things, the WP29 main recommendation is to opt for a privacy by design and by default approach, including default privacy settings that minimize collection and further processing of unnecessary personal data.

First of all, the data subjects must be informed as soon as reasonably practicable and if a disclosure to a third party is envisaged, at least when the data are first disclosed. The drone operators will have to provide an information notice, which should take into account the peculiarity of the operations carried out. This is a rather intuitive issue: it may not be easy to post a privacy notice on a small object that flies, and it may be even more difficult for the data subject to read it!  It is accordingly advised an assorted approach: from the traditional information sign posts in the area where the drone is operating – also using symbols for ease of recognition and concise form – to notices to be provided through social media and authorities’ and operator’s websites. The drones should also be as visible as possible, for instance with bright colors and flashlights. Furthermore, the operators will have to choose a technology that not only will limit as much as possible the collection and subsequent processing of data, but also ensure adequate security measures, including encrypted storage and transmission of information. This last point is becoming increasingly relevant, also considering the electronic and cyber-attacks to which drones and the data gathered may well be subject.

As for the lawmakers, the WP29 recommends specific regulations that address the usage of drones, also requiring prior privacy impact assessments with criteria to be set out with the main industry operators. The WP29 also prompts the usage of EU research funds for identifying adequate technologies for supplying the information notice to the interested parties (e.g. smart licence plates).

Last but not least, the WP29 also encourages a cooperation framework between the data protection and aviation authorities, as well as the adoption of industry code of conducts and privacy certification processes . If combined with an adequate effort in technology research for technology based solutions, a self-regulatory approach, or at least an active involvement of the main stakehooders, will no doubt help in finding the right balance between an efficient usage and the protection of the individuals’ fundamental rights and freedoms.