The use of drones is expected to ‘soar’ over the next decade, so Drone Operators need to be aware of Data Privacy risks!
Drone is a term commonly used to describe unmanned flying aircraft. Drones are increasingly used by organisations for commercial purposes as well as by individuals for fun and often involve the use of cameras. The uses of drones are vast and include inspection services, logistics, and security surveillance. The benefits are many; but the prudent drone operator must take steps to ensure that privacy concerns are addressed to ensure data protection compliance and avoid the risk of penalties and privacy breach claims.
It is likely that drones fitted with data collection instruments including cameras, electronic sensors, and infra-red scanners will collect personal data including images of people, geolocation data or even electromagnetic signals from mobile phones. This will often be covert without individuals being aware that they are being monitored. The use of drones is regulated by the Civil Aviation Authority which provides advice for all drone users on respecting people’s privacy here. We have summarised the most significant issues below.
Drone operators must think about privacy and data protection before, during and after take-off. The dexterity of drones offers opportunities to achieve unique vantage points and avoid obstacles. This means that drones can more readily enter private premises without the occupiers knowing and so they can be much more intrusive than static CCTV cameras.
In the UK, the processing of personal data via drones is subject to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and the legal provisions applicable to CCTV systems. Drone operators are encouraged by the Information Commissioner to use drones responsibly, inviting people to think of privacy considerations and to apply a common-sense approach when using personal data captured by a drone, including tips on how to minimise the capture of information that could be considered personal data.
Data protection legislation sets out the conditions under which personal data can be used and, in this context, it also provides certain helpful exemptions, including when personal data can be used for purely domestic purposes and the journalistic exemption.
The use of CCTV and drone imaging on private premises is becoming increasingly contentious and has led to court cases in the EU, UK and Scotland. The interpretation of the domestic exemption is narrow and will not apply if there is any other purpose, even charitable or voluntary, and posting any footage to social media could easily cause the exemption to fly off.
The journalistic exemption refers to operations where personal data is collected through drones with a view to the publication of some journalistic, academic, or artistic material. Organisations and individuals seeking to rely on the journalistic exemption should seek specific advice to ensure an appropriate balance between the fundamental rights to privacy and freedom of expression.
In summary, using drones for commercial operations must take into account the risk that this can be a highly privacy intrusive operation. A data protection impact assessment may be required and the dissemination of information about the intended use of a drone may be required to minimise the risk of regulatory action and privacy breach claims. Our Data Protection Team would be happy to provide input on Data Protection Impact Assessments to mitigate against these risks.
Over recent years guidance has repeatedly set out the privacy risks arising out of the use of drones such as a lack of transparency around the collection of personal data and the purposes for which such data may be used. Adopt a privacy by design and default approach to ensure that data protection principles have been addressed such as proportionality, data quality, data minimisation, security, transparency, and storage limitation principles.
There are also recognised risks that cyber-attacks could allow a drone to be remotely tampered with and for a bad actor to either take complete or partial control or gain access to the sensors or data stored on drones. This could also be a personal data breach which may require to be reported to the Information Commissioner and/or the individuals whose data has fallen into the wrong hands. With compensation claims for data breaches on the increase, this is something to avoid.
Please do get in touch with our Data Protection Team if you require any advice about data protection issues, data breach claims or cyber security matters.