On June 18, 2015, the Article 29 Working Party (the "Working Party"), consisting of a representative from the data protection authority of each Member State, the European Data Protection Supervisor and the European Commission, published its opinion regarding the use of drones (also known as unmanned aircraft systems (UAS) or remotely piloted aircraft systems (RPAS)) in the aviation market for civil purposes.
The opinion responds to the European Commission DG Enterprise and Industry’s letter on May 6, 2014, inviting the Working Party to issue its recommendations on how privacy and data protection issues could be addressed at national and European levels to adequately address risks that may arise in connection with drones.
Please note that in the view of the Working Party, those guidelines should apply to data processing arising from the use of any aerial vehicles for civil operations regardless of whether they are manned or unmanned, special or aeronautical.
The Working Party’s key points include:
- Data protection and privacy risks- Personal data can be collected via different devices embedded in drones (e.g. video recording equipment, detection equipment, radio-frequency sniffers). The Working Party highlights that the use of drones poses a high risk of bulk data gathering and unlawful use of data for multiple purposes. The Working Party suggests that this is due their ability to achieve unique vantage points, to collect data over large areas and for long periods of time. The wide range of stakeholders involved in the use of drones also increases their potential to result in privacy intrusion.
- Social sustainability- The Working Party suggests that the perception of drones by individuals is inextricably linked to their social sustainability. The Working Party encourages the introduction of projects raising awareness of the use of drones and the involvement of stakeholders in the debate relating to the integration of drones in the civil airspace. The Working Party emphasises that the effective application of data protection law will contribute to the acceptance of drones.
- Legislation and regulations- The Working Party notes that in addition to the Data Protection Directive 95/46/EC ("Data Protection Directive") and possibly the E-Privacy Directive 2002/58/EC as amended by 2009/136/EC (if drones are used by providers of publicly available electronic communication services), national laws applicable to CCTV systems may apply to drones carrying out video surveillance.
- Data controllers and processors- The Working Party highlights the importance of clearly identifying the role of each party (i.e. data controller or processor) for each type of drone operation. For instance, "while this role could be clear when the drone is used directly by a company who bought it for delivering packages (controller), a different framework could be envisaged in case a company commits mapping of an area to a drone operator (in this case the company is the controller and the operator is the processor)". The Working Party advises that where processing is not carried out directly by the controller, it should be governed by a contract or legal act that requires the processor to act only on instructions from the controller.
- The personal or household activity exemption- In line with the decisions of the European Court of Justice in Bodil Lindqvist (2003) and František Ryneš (2014), the Working Party considers that the household exemption should be narrowly construed. As such, this exemption will only apply to purely personal or household activity and will not apply for instance to personal data that has been published on the internet and which is accessible to an indefinite number of people.
- In accordance with the above, the Working Party emphasises that the use of drones should not impinge the protection of private life, even in the case of personal data collected in public places.
- The Working Party supports the introduction of an obligation on manufacturers to include information in the packaging of products (e.g. model aircraft) highlighting the potential intrusiveness of such technologies and the need to respect privacy and data protection rights. The Working Party also considers "the introduction, when needed, of virtual perimeters" where needed.
- The journalistic activity exemption- Where Member States provide exemptions or derogations from provisions of the Data Protection Directive relating to data processing solely for journalistic purposes, the Working Party recommends that Member States also clearly identify the duties and responsibilities carried with the exercise of this freedom (e.g. For the Working Party, a code of conduct for journalistic purposes would be advisable).
- Processing of personal data for law enforcement purposes- The Working Party is of the view that drones may signal a fundamental transformation of law enforcement practices.
- The use of drones, or information collected by drones, by law enforcement authorities directly interferes with the rights to respect for private life and protection of personal data (Art.8 European Court of Human Rights and Art.7 and 8 of the European Charter of Fundamental Rights). The Working Party emphasises the limitations on the use of drones in this context: (i) there must be a valid legal base, (ii) it must be necessary and appropriate to achieve a specific purpose, (iii) a prior evaluation by the Data Protection Authority ("DPA") may be applicable, depending on national practice, (iv) the enforcement authority must comply with the principles of proportionality, data minimisation and transparency, and (v) a strict retention period of data should be set. The Working Party also highlights the need for a regime which includes an approval mechanism in the organisational law enforcement hierarchy.
- The Working Party notes that where drones are used by law enforcement authorities in relation to civil offences, they should also comply with the requirements laid down in the Data Protection Directive. The use of drones is restricted to cases where the processing is necessary (i) in order to protect the vital interests of the data subject, (ii) for the performance of a task carried out in the public interest, or (iii) in the exercise of official authority vested in the controller or a third party to whom the data are disclosed.
- The Working Party recalls that data can only be processed for the purposes laid down in legislation and should not be used for (i) indiscriminate surveillance, (ii) bulk data processing, (iii) data pooling, (iv) profiling, or (v) automated enforcement of decisions. The Working Party recommends that drones are only used for justified purposes which are decided in advance, should be geographically restricted and time-limited. The Working Party suggests that public demonstrations should, as far as possible, be protected from any kind of surveillance.
- The Working Party confirms that the courts should be able to review the use of drones for intelligence and law enforcement purposes in line with national practice.
- Lawfulness of the processing- The Working Party considers which legal bases (Art.7 of the Data Protection Directive) may justify the processing of personal data collected by the civil application of drones.
- Consent- The Working Party suggests that it could be regarded as appropriate in few cases. This is because it is unlikely that the data subject (i.e. living individual subject to data processing activities) will have given (i) free, (ii) informed and (iii) specific consent. In many cases, an individual may not (i) be free to enter or leave a surveyed area without being under surveillance, (ii) be informed of the necessary details relating to the processing and/or (iii) be able to identify the purpose of the processing to which he is requested to consent. Further down the opinion, if image recognition systems were to be used, the Working Party recommends to honour active or passive tag signals used by data subjects to indicate their intentions (for further details see the Offlinetags project – http://offlinetags.net). This is inspired by on-going reflexions on wearable technologies issues.
- Necessary for the performance of a contract to which the data subject is a party- The Working Party suggests that this could apply to the use of drones in delivering a parcel or providing video recording services at a data subject’s property. However, the Working Party notes that the incidental processing of third parties’ personal data is not covered and should be avoided unless another legal basis applies.
- Necessary for compliance with a legal obligation or necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed - The Working Party suggests that they may be relevant in cases where the controller is complying with a legal obligation and where the use of drones is necessary and proportionate (e.g. security related uses such as smuggling control or the surveillance of an archaeological site required by a specific provision).
- Necessary to protect the vital interests of a data subject- The Working Party proposes that this may apply to safety-related uses of drones, such as fire scene inspection, disaster relief, or the rescue of victims of mountain accidents. However, as this legal basis is strictly interpreted, it may be favourable to consider whether any other legal basis can be relied upon first.
- Necessary for the purpose of a legitimate interest pursued by the controller - The Working Party suggests that this may be relevant where drone operations are necessary for critical infrastructure surveillance (e.g. pipe or power line inspection), meteorological research (e.g. hurricane tracking) or wildlife research and where appropriate safeguards are implemented and such legitimate interests are not overridden by the data subject's interests or fundamental rights and freedoms.
- Purpose limitation principle- The Working Party supports the requirement that personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (Art 6.1b of the Data Protection Directive) unless there is an autonomous legal basis for the additional purpose.
- Proportionality- The Working Party notes that personal data can only be processed if it is adequate, relevant and not excessive in relation to the purpose for which it is collected. The Working Party confirms that a strict assessment of necessity and proportionality applies.
- Data minimisation principle- The Working Party supports the use of proportionate technology and the implementation of anonymisation techniques whenever processing of personal data is unnecessary. For example, drones equipped with video cameras can be set up to automatically blur images to avoid the collection of images of identifiable persons when they are not necessary. Other example: A drone used to monitor a roof damaged by a storm should not be required to record the entire flight, especially if the location of this interest is some distance from the take-off and landing location. Where possible, the Working Party recommends involving a data protection officer. The Working Party’s previous guidance on anonymisation techniques and analysis of biometric technologies includes further recommendations.
- Privacy by design and by default- The Working Party considers it essential that the principle of data protection by design and by default is adopted by manufacturers and operators. The Working Party favours technology that has been engineered in such a way as to avoid the collection and processing of unnecessary personal data. For example, the Working Party suggests that the firmware of drones operating in strategic or critical infrastructure should be engineered to inhibit data collection within no –fly zones.
- Data protection impact assessment- The Working Party recommends that that European and/or national policy makers foster the implementation, as good practice, of data protection impact assessments for each type of drones operation which may involve the processing of personal data. This should take into account the purpose of the operation, the type of drone and the combination of sensing technology used. The Working Party is of the view that policy makers should, in consultation with industry representatives, provide manufacturers and operators with an easy to use set of data impact assessment criteria.
- Transparency and providing information- The Working Party recommends that notice is given to those impacted by data processing unless exemptions apply. The notice should identify the controller or his representative, the purposes of the processing and any further information such as the data subjects’ right to access the data. The Working party suggests that a multi-channel approach should be taken and advises that information is published on a dedicated website. Visible drone operations in fixed locations should provide information on signposts, information sheets at events or posting leaflets to addresses may be more appropriate in other circumstances. Publishing information on TV, social media, the drone operator's website or the CAA's website when drone authorisation must be granted, or for those in remote areas in newspapers, leaflets, posters or given by letters in mailboxes or TV. As far as is possible, drones should be visible and identifiable (using flashing lights or buzzers). The same should apply to the drone operator who should be highly visible. For the Working Party, "the requirement to display a registration mark (similar to a vehicle license plate) is only relevant in so far as drones are visible from ground level or if there is a loss of control and stored data have to be linked back to the operator". In a similar vein, the Working Party believes that requiring the transmission of a wireless registration mark signal which can be cross referenced with an online database to enable individuals to identify missions and operators is "an interesting solution". However, it considers that the data protection and data security concerns which are raised by a registration system must also be borne in mind. The European Commission is invited by the Working Party to support researches and investments in this respect.
- Security of data processing- Article 17 of the Data Protection Directive requires the implementation of appropriate technical and organisational measures. The Working Party recommends that designers of drones engage with appropriate security experts to ensure that security vulnerabilities are properly addressed. The level of security should be appropriate to the risk represented by the processing and the nature of the data. Security protection should be provided on the drone itself and in the transmission of personal data from the drone to the base station. The Working Party also recommends that the number of people with access to data should be limited, access should be granted on a need-to-know basis, encrypted storage and transmission should be used where possible, logs of access and use should be recorded and data breach notifications should be sent to the DPA when legally required.
- Storage periods- The Working Party supports the introduction of storage and deletion schedules, so that personal data processed via drones cannot be stored for a period longer than is necessary for the purpose of the processing. This will schedule the regular, automatic deletion of personal data which is no longer necessary.
- Cooperation between different actors-The Working Party highlights the importance of the cooperation between DPAs and CAAs. The Working Party recommends that declarations of compliance with privacy and data protection principles are incorporated into the existing processes carried out by competent CAAs in regulating the commercial use of drones (e.g. pilot qualification and training, issuing operating licences). The Working Party supports the promotion of data protection certifications, to improve operators’ awareness and understanding of data protection. The information provided might also help realise a publicly available central database of operators.
- Self-regulatory tools- The Working Party supports the promotion and adoption of codes of conduct (including sanctions for non-compliance) to increase the accountability of drone operators and to enhance the social acceptability of drones. The Working Party also recommends the use of privacy seals to increase accountability and compliance.
To conclude, the Working Party formulates: