Drones have long been considered as "eyes in the sky" with all but the most basic consumer models routinely equipped with some form of camera for still or video image capture. More advanced surveillance technologies can combine a sophisticated camera drone's high-quality audiovisual recording and storage capabilities with data analytics tools such as facial recognition software, gait analysis and other biometric assessment techniques to identify individuals for targeted observation. The size and manoeuvrability of drones enables them to monitor individuals at a distance and to follow and track targets, potentially without the knowledge of the person that is subject to surveillance.
As technologies develop and drones become "smarter", the possibilities for data collection are almost limitless. Global positioning system (GPS) is a technology that is often a built-in feature of drones and allows for its location (and that of any surveillance target) to be tracked and recorded. Drones can be equipped with thermal imaging cameras that detect human presence through body heat. It is also possible to use a wifi antenna affixed to a drone to locate individuals via their mobile telephones.
The above examples create obvious tension with legal obligations of privacy and non-intrusion into the personal lives of individuals (as distinct from the personal injury and property damage risks). Many legal systems consider the right to privacy as a fundamental human right and surveillance programmes are often the target of public outrage, political ire and regulatory clampdowns. Direct surveillance by way of drone technology is no less invasive – and potentially more so – than closed circuit television or fixed security cameras.
Even non-surveillance drone activity should be considered through a lens of privacy protection despite the less obvious risks. In many cases, the context of drone use and the type of data collected can create an indirect impact on individuals with a consequent implication under privacy laws. The inadvertent capture of persons (and their activities) recorded by drones used for surveying or research purposes is one example.
Accordingly, the enhanced capabilities and potential of drone-based technologies raises questions as to the obligations to be imposed upon manufacturers and operators of drones to ensure due consideration is afforded to the privacy and data collection implications of drone use.
Privacy & Data Protection Laws: General
Historically, drone regulation has been focused primarily upon safety considerations but increasing attention will need to be paid to privacy and data protection laws. Globally, there are varying levels of maturity in such legislation ranging from comprehensive, principles-based data protection regimes - such as Europe's General Data Protection Regulation (GDPR) or the Australian Privacy Act - to the patchwork of sectoral and state laws in the United States of America. In emerging markets, the situation may be further complicated by the lack of any specific data protection legislation and the potential application of local criminal codes, media and content regulation, copyright or defamation laws.
The GDPR marked a fundamental shift in the European and global approach to data protection regulation by clearly spelling out core principles relating to the collection and/or processing of personal data. In essence, personal data is to be processed lawfully, fairly and in a transparent manner for specified and legitimate purposes. This processing should either be based on the consent of the person concerned or some other basis laid down by law. Moreover, every reasonable step must be taken to ensure that personal data is accurate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’) and processed in a manner that ensures appropriate security of the personal data.
These principles form the basis of data protection legislation in many other jurisdictions outside Europe. The Australian Privacy Principles (or APPs) are referred to by the national data protection regulator as "the cornerstone of the privacy protection framework" in the Australian Privacy Act 1998 (Cth). They set out key pillars of openness and transparency, accuracy and security that align strongly with the GDPR. In Singapore, the Personal Data Protection Act 2012 establishes requirements for lawful data processing and principles of transparency, purpose limitation and storage limitation. Similarly, State or national laws in Canada, South Africa, Bahrain, Qatar and other territories, as well as the Model Code for the Protection of Personal Information published in 1996 by the Canadian Standards Authorisation, are all similarly principles based.
Privacy & Data Protection Laws: Drone Specific
Increasingly, governments and regulators are moving beyond guidance on the application of existing data protection laws to drone operations and towards the inclusion of more specific drone-related provisions into law. For example, California approved an update to its Civil Code in 2016 that made a person liable for physical invasion of privacy when that person:
"…knowingly enters onto the land or into the airspace above the land of another person without permission or otherwise commits a trespass in order to capture any type of visual image, sound recording, or other physical impression of the plaintiff engaging in a private, personal, or familial activity and the invasion occurs in a manner that is offensive to a reasonable person."
Privacy and data protection regulations that identify explicit privacy responsibilities when using drones could provide greater consistency and certainty for drone operators, insurance companies, courts and individuals. Such laws would ideally outline specific privacy principles and requirements tailored to drone usage, and mirror existing gold standards of data protection, such as the GDPR.
Areas of particular concern for drone operators in respect of data protection laws include obligations to provide information to data subjects, requirements to establish data retention procedures and procedural protections for accessing data. Many critics of drones have raised concerns that the collection of aerial imagery and videos will enable pervasive surveillance that allows drone operators (whether a governmental agency or a private individual) to know what individuals are doing at different points in time without the usual provision of information to individual data subjects that would be expected if their data was collected via other means. Such footage may be retained indefinitely and could be used to build a picture around private details of a person's life.
It would be helpful to the industry if legislators adopted more uniform policies and procedures to address the retention of information, focussing on the information that is collected, how it is stored, and how it is accessed. Additionally, legislators should consider implementing transparency and accountability measures specific to drone operators – for example, requiring them to publish "usage logs" which document the activities conducted by the drones and the information collected during such activities (see McNeal, Gregory, ‘Drones and aerial surveillance: Considerations for legislatures’, The Project on Civilian Robotics Series, Brookings (November 2014) ). Privacy laws regulating drones could also allow legislators to clarify what they mean by specific terminology and to specify what places should be entitled to specific privacy protections. At the moment, conflicting laws and frameworks have caused confusion in certain countries as to the types of activities that are prohibited and the areas that are protected.
Commercial and recreational drone operators should be aware of local, state, federal and international laws relating to privacy and data protection that may directly or indirectly impact their drone activities. Drones that violate the privacy of individuals may expose their owners, and their employees, to civil and criminal liabilities, including hefty fines and adverse court awards or high settlements.
Drone operators should consider risk-based and risk-management strategies when setting up and operating their drones. In particular, they should conduct an analysis of potential privacy risks before deploying unmanned aircraft systems: a balance should be struck between the threats to privacy of individuals who may be affected by the drone and the benefits and interests derived by the drone operator. Interference with privacy and data protection rights can be minimised at the outset when planning: (1) the flight path intended; (2) the drone and equipment used; and (3) the management of collected data.