One of the biggest hurdles to the commercial exploitation of UADs or unmanned aerial devices (UADs) is dealing with the privacy issue.
General issues of privacy are considered in our article, Drones - the privacy, confidentiality and harassment dimensions. Here, we focus on data protection considerations.
UADs with video cameras can capture large amounts of data. In many cases, the data will include personal data i.e. data which can identify a living individual. Not only is this a highly regulated environment in the UK and the rest of the EU, it is also a key issue in getting consumer buy-in, both to using UADs and being comfortable with businesses using them.
Of course, not all data captured by UADs will be personal data and even where the data being recorded is technically personal data, the risks to privacy will span a spectrum depending on the use of the UAD and what is done with the data it collects. For example, a child playing with a simple UAD in the back garden recording his siblings and downloading the footage will be exempt from compliance with the DPA. What if he incidentally records images of his neighbours? Again, this is unlikely to be too much of an issue. What if the neighbours are sunbathing topless and the child then posts the images on social media? More of a problem? How about a person using the same device to record unrelated children playing in a public playground? Suddenly we are in a completely different arena. Knowing where the line falls between personal or domestic use by "hobbyists" which is exempt from compliance with the DPA, and use which is covered by the DPA, either because it is for commercial purposes or because it goes beyond domestic use, is not always straightforward.
The use of personal data is regulated in the UK by the Data Protection Act 1998 (DPA) (although this is likely to be replaced in the near future by a new EC data protection Regulation). The first principle of the DPA is that personal data must be processed fairly and lawfully. Often, this will be achieved by gaining the consent of the person whose data is being processed. In addition, the DPA requires that data processing should not be excessive, should be relevant, accurate, kept up to date and kept secure. All of these requirements can be a challenge in the context of UADs. We accept that we are occasionally caught in someone else's photo or video which may even be posted on Facebook or other social media. We have also grown used to the increasing prevalence of CCTV cameras, but most of us are uncomfortable with the idea that we could be filmed by anyone at any time, particularly from a hovering UAD, without our permission and when we don't know who is doing the filming or what the images are being used for.
The UK's Information Commissioner (ICO) recognised the growing issues around video surveillance technology when updating guidance on the use of surveillance cameras towards the end of 2014. The ICO guidance on CCTV cameras was first published in 2000. Since the code was last updated in 2008, technological developments have moved quickly. Surveillance technology has become increasingly sophisticated and far more portable, which also means it has become more widespread. With the increasing prevalence of surveillance cameras in our lives, has come additional privacy issues. The ICO's updated guidance (Code) reflects the technological developments in surveillance, particularly in relation to new technologies like body worn video and UADs which are covered for the first time.
While many of the CCTV elements are similar to those in the previous version of the Code, it is worth checking its recommendations if you use or are responsible for any type of camera surveillance. For those using or developing newer technologies like UADs, the Code is essential reading. It is particularly worth taking into account at the development stage as making products capable of data protection compliance (i.e. incorporating privacy by design) will be key to bringing them to market successfully.
The Code emphasises the need to conduct privacy impact assessments prior to deciding whether or not to proceed with a surveillance system. These should look at the pressing need the surveillance system is intended to address and whether its proposed use has a lawful basis and is justified, necessary and proportionate – issues which are particularly difficult to resolve in relation to UADs.
In addition, the Code stresses: the requirement to ensure that the system only goes as far as necessary for the purposes required; the need to inform data subjects they are being recorded or monitored as well as of their other rights; the need to respond to data subject access requests; and the requirement to make sure data is held securely and for no longer than necessary. In other words, the overriding need to comply with the data protection principles.
In a section dealing particularly with UADs like drones, the ICO stresses that the recording element must be capable of being turned off. Special consideration has to be given as to how to inform users these technologies are being used and of their rights given the challenges involved. Continuous recording is discouraged and said to be highly unlikely to be justifiable. Operators are also warned that audio recording is likely to be harder to justify than visual recording.
The ICO has also published a separate topic guide on drones and the DPA. The ICO reminds potential users that drones with cameras are likely to be covered by the DPA but also suggests that all users of drones consider the guidance which recommends they:
- let people know before recording begins, if possible;
- consider the surroundings to minimise any intrusion;
- get to know the capability of the camera;
- plan the flight in order to minimise intrusion;
- think before sharing images; and
- keep images safe.
The issue of UADs and their impact on privacy is becoming increasingly pressing. The ICO gave evidence to a Parliamentary Committee in Autumn 2014, on the risk to privacy posed by UADs and underlined that their use for commercial purposes must be carried out in accordance with the DPA. He also said that the line between commercial and private use of UADs was blurring and that there was growing pressure to regulate the private use of UADs and other surveillance technology despite the fact that such use might not be covered by the DPA.
It now appears, though, that a wider range of surveillance technology is covered by the DPA than was previously thought. In the CCTV Code, the ICO distinguishes between "hobbyists" using devices for domestic purposes and those individuals or organisations using them for commercial purposes. The ICO considered that this was relevant given that there is an exemption from regulatory compliance in relation to processing of personal data for domestic purposes under s36 DPA which states that: "personal data processed by an individual only for the purposes of that individual's personal, family or household affairs (including recreational purposes, are exempt from the data protection principles and the provisions of Parts II and III". A recent decision by the Court of Justice of the European Union (CJEU) has, however, thrown the extent of the exemption of the "hobbyists" into doubt.
The CJEU ruled in a reference from the Czech Republic on the issue of whether use of a private CCTV camera was covered by the European data protection framework.
A Czech journalist was disputing the application of data protection law to his use of a CCTV camera for home security purposes. The camera was installed in a fixed position and recorded the entrance to his home, the public footpath and the entrance to the house opposite. The recording was stored on recording equipment in the form of a continuous loop. As soon as it reached full capacity, the device would record over the existing recording, erasing the old material. The journalist argued that the use fell within the domestic purposes exemption but the CJEU disagreed on the grounds that the camera was able to identify individuals walking along the street beside his home. The CJEU did say that the use of CCTV technology might be justifiable under the legitimate interests ground, in which case, consent of the people captured would not be required, but it also underlined the narrow scope of the domestic purposes exemption.
The ICO has confirmed that this judgment will, by extension, apply to UADs and that it is reconsidering the Code and the advice on drones as a result. We can expect further guidance but the implication is that use of a UAD which records people other than its operator and their immediate circle of family and friends, even if incidentally, may well be covered by the DPA. This sounds absurd in the context of a child playing with a drone in the back garden or park but much less so in the context of the paparazzi filming a celebrity over the garden fence.
It is worth keeping in mind that even if the ICO is obliged to reconsider the remit of the domestic purposes exemption as a result of the CJEU judgment, or potentially when the new EC data protection Regulation comes into force, we are unlikely to see enforcement action against individuals using UADs responsibly for personal use, even if they do capture personal data of strangers incidentally. And, of course, in all these situations, there are other laws which will protect privacy (see our article on Drones - the privacy, confidentiality and harassment dimensions) in cases where data protection law may not be relevant.