The WP29 provides for a set of recommendations both to the drone’s pilots (generally acting as data controllers) and to the manufacturers (who have to comply with “privacy by design” and “privacy by default” principles) as well as to the national and EU Authorities (to introduce a specific regulation).

ENAC’s reform: need to comply with the Legislative Decree No. 196/2003 and the necessity principle.

Much more attention on the drones’ issue by both the Article 29 Data Protection Working Party (the “WP29”) and the Italian Civil Aviation Authority (“ENAC”).

With regard to the use of drones and the related impact on the data subjects’ privacy, by means of the Opinion 01/2015, adopted on 16 June 2015, the WP29 issues a set of recommendations towards the following subjects:

  • Pilots – as data controllers, they have to respect the principles of purpose, necessity, proportionality and the principle that the data shall be not excessive; they have to guarantee a privacy notice to the data subjects; they have to implement appropriate security measures to protect the data collected and their subsequent erasure and/or anonymization;
  • Manufacturers – they have to comply with “privacy by design” and “privacy by default” principles as well as  provide sufficient information within the packaging about the potential intrusiveness of these technologies;
  • National and EU Authorities – which have to introduce a specific regulation.

As far as the Italian legislation is concerned, the new ENAC’s regulation, by expressly referring to the Legislative Decree No. 196/2003 (the “Italian Privacy Code”), establishes the need to find mechanisms that allow identification only when it is strictly necessary, pursuant to Art. 3 of the Italian Privacy Code.