Drones are becoming increasingly more commonplace in Ireland and across the globe. From aerial photography to assisting search and rescue operations, drones can be put to a variety of beneficial uses. However, the use of drones also carries concerns relating to both safety and privacy.
We examine how drones are regulated in Ireland and review the upcoming proposals at EU level. We also consider the privacy issues surrounding the use of drones and the steps that should be followed if a drone is being used for commercial purposes.
The Irish regulations
The Irish rules that govern drones are the Irish Aviation Authority Small Unmanned (Drones) and Rockets Order (SI 563/2015) and the Irish Aviation Authority (Nationality and Registration of Aircraft Order) (SI 107/2015) (the “Regulations”).
The Regulations provide that all drones weighing over 1kg must be registered with the Irish Aviation Authority (“IAA”). Also, a drone should not be operated if it will be a hazard to another aircraft in flight or operated in a negligent or reckless manner so as to endanger life or property of others. The Regulations include a variety of other restrictions and prohibitions, including that drones should not be flown:
- closer than 5km to an aerodrome,
- more than 120m above ground level, or
- further than 300m from the operator of the drone.
To fly drones outside these limits, permission of the IAA must be obtained.
Potential measures in the EU
On 1 December, the Council of the EU agreed a draft regulation (the “Draft”) which represents proposed EU-wide rules for civil drones. Currently, the EU is responsible for regulating unmanned aircraft above 150kg, with lighter drones being subject to national rules.
The Draft will apply to all varieties of drone, from small toy drones to large unmanned aircraft. The rules seek to set down basic principles to ensure safety, security and privacy. The main rule affecting drones is that national aviation authorities will have to certify certain drones. The certification process will be proportionate and risk-based. The larger the drone, and the higher the risk it poses, the more likely the drone will be required to be certified. Privacy will also be taken into consideration during the certification process.
It’s worth highlighting that the legislative process is on-going and that the Draft currently provides the European Aviation Safety Agency with the power to develop more detailed rules on drones.
Privacy and data protection
Both the Article 29 Working Party and the Data Protection Commissioner (“DPC”) have expressed concerns about the use of drones in such a way that could affect individuals’ privacy. These concerns are particularly focused on instances where sensors such as smart cameras and radio frequency equipment are added to drones.
The DPC suggests that the data collected by drones, which are equipped with additional sensors, should be limited to what is strictly necessary in order to achieve a specific purpose or purposes. For example, a drone used for taking aerial photographs of landscapes should not be used to record peoples’ faces.
Transparency is another key privacy-related issue for drones. The DPC recommends that drones should be visible and easily identifiable in appearance. In addition, the DPC suggests that efforts should be made to highlight the fact that recording of data is taking place. This might entail making clear to the general public in the area in which a drone will operate by using signage or advertisements in local newspapers.
The DPC states that robust security and access controls should be put in place. This ensures that any personal data collected by the drones can only be accessed by authorised people.
4.Retention and anonymisation
Personal data must only be retained for as long is necessary for the purpose or purposes for which it was collected. A drone owner, who is also a controller of personal data, may look at installing software that automatically deletes personal data when a task is completed.
As an alternative to this, it may be appropriate to install technology that automatically blurs or obscures faces of people that were inadvertently collected.
Privacy and commercial drone use
According to the DPC, if a drone is being used for a commercial purpose, a privacy impact assessment should be undertaken before the drone is used. This assessment should take into account the purpose the drone is being used for, the potential risks to data protection, and the necessity to implement safeguards to address any concerns.
It would also be prudent to put a Drone Usage Policy in place which would outline the uses of any personal data and the security and retention policies that surround the collected data.
Before take off
Drones, and their use, are becoming subject to increased regulation, both from an aviation safety and a data protection standpoint. Given the likely implementation of EU-wide measures on the regulation of drones, it is important to keep up-to-date on applicable rules and obligations. In particular, both consumer and commercial operators of drones should ensure to familiarise themselves and comply with rules on safety, security and privacy.