On December 16, 2013, the Article 29 Working Party (hereafter the Working Party) on privacy and data protection provided DG Enterprise and Industry with its response related to the use of Remotely Piloted Aircraft Systems (RPAS) by governmental, commercial and private operators, leaving the personal or recreational use of RPAS out of the scope.

The Article 29 Working Party pointed out that – regarding the possible future regulatory framework- neither of the draft instruments currently being discussed at EU level (General Data Protection Regulation and Police and Criminal Justice Data Protection Directive) includes specific provisions on the processing of personal data carried out by means of RPAS. It can therefore be assumed that the general provisions on the protection of personal data will be applicable to such processing.

The new provisions relating to data protection impact assessment, the principles of data protection by design and by default and the specific provisions on certification of data processing operations might be of particular relevance to address the privacy and data protection threats related to the use of RPAS.

Article 33, paragraph 1, of the draft Regulation introduces the obligation for controllers and processors to carry out a data protection impact assessment prior to risky processing operations such as the monitoring of publicly accessible areas, especially when optic-electronic devices (video surveillance) are used on a large scale.

According to Article 23, paragraph 2, of the draft Regulation, the controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and that data are especially not collected or retained beyond the minimum necessary for those purposes.

The Article 29 Working Party highlighted that the specific provisions on certification of data processing operations might also have to be considered as an additional means to ensure that privacy by design is implemented in RPAS. The risk of blanket surveillance arising from the use of RPAS for law enforcement purposes requires specific provisions in order to prevent misuse of these technologies and minimize the interferences with the fundamental rights and freedoms in accordance with well-known democratic principles. Ultimately, the Article 29 Working Party clarified that, as outlined by the European Commission in the Staff Working Paper on RPAS of 2012, the future new Police and Criminal Justice Data Protection Directive, would, if adopted, “define the benchmarks for data processing carried out by state authorities” and its adoption “could increase the confidence of citizens regarding the operation of state or governmental RPAS”.