- Security TWENTY
- Women in Security Awards
In a three-part article, 6SGlobal detail the legal background to using drones with regard to privacy, such as making an impact assessment. You can contact: firstname.lastname@example.org.
Drones are also referred to as Remotely Piloted Air System (RPAS) or unmanned aerial systems (UAS) or unmanned aerial vehicles (UAVs) (collectively drones). It is known how useful drones are on operations and some may consider that commercially available drones can be put to use to meet service non-core aviation requirements – photography, multimedia applications, surveys etc. UAS’s are covered by the General Data Protection Regulation (GDPR) and as such they are treated in much the same way as ‘Drone’ systems. This paper is aimed at UAS and UAV technology capabilities and how they interact with privacy laws in comparison to those in the European Union (EU). Europe will be the first region to have a comprehensive set of rules ensuring safe, secure, and sustainable operations of drones both, for commercial and leisure activities. Common rules will help foster investment, innovation, and growth in this promising sector.
Drones are readily available on the high street and internet, and are being sold in their thousands, and it is not hard to see why. Not only are they affordable and capable, they are great fun to fly or operate, and have great utility. Whilst most people use them for personal recreation, they are also extremely popular with photographers and those that use photography in their business, like estate agents or the media. Those who work at height now use them to get information before climbing or instead of climbing, survey companies use them, and large parcel delivery companies have an aspiration to use them for deliveries. Drones are here to stay, but what is the problem? In simple terms, for most drone users, there is not one, but there are those who operate their drones too high or too close to airfields. In 2016 there were over 50 reports from pilots of commercial airliners that their aircraft had almost hit a drone. Military aviation is not immune, there have been near misses with Chinooks at RAF Benson and RAF Odiham, likewise for fixed wing aircraft at RAF Cranwell, and in 2016 a Navy Lynx at 2000ft missed a drone by an estimated 30 to 50 feet.
Most of the time, they are not used as a simple aircraft system, and include devices such as cameras, microphones, sensors, GPS, which may allow the processing of personal data. Whilst privacy also raises concerns as the Information Commissioner’s Office (ICO) recommends that users of drones with cameras should operate them in a responsible way to respect the privacy of others. The General Data Protection Regulation (GDPR) came into force May 2018. At the time of publication, and within the United Kingdom (UK) the two most significant fines levied are British Airways £183m by the ICO, for not protecting customer data, and a £99m fine on Marriott for not protecting guest data. This article will also look at the rights to private and family life and to data protection, as guaranteed in Article 8 of the Council of Europe Convention on Human Rights and Articles 7 and 8 of the Charter of Fundamental Rights of the EU, which apply to this emerging technology. Moreover, since remotely piloted aircraft systems have the same potential to seriously interfere with the rights to private and family life and to data protection as the online technologies considered by the Court of Justice of the European Union in the Digital Rights Ireland and Google Spain v AEPD rulings, they must be considered very carefully.
Most of the time, these technologies enable or imply the processing of personal data and therefore trigger the application of the data protection framework. For instance, many Drones that will be introduced on the market will include a video camera device with specialised software to process the video feed. This camera device with its specialised software may well have capabilities such as high-power zoom, facial recognition, behaviour profiling, movement detection, or number plate recognition. Drones could also be equipped with Wi-Fi sensors, microphones and audio recording systems, biometric sensors processing biometric data, GPS systems processing the location of the person filmed, or systems reading IP addresses of all devices located in a building over which the Drone will fly. Embedded technologies could also include the possibility to track devices carrying chips and persons / vehicles wearing them. The embedded technology will thus offer the possibility to collect, record, organise, store, use, combine data allowing operators to identify persons directly or indirectly. This identification could be done by a human operator, by automatically screening the image taken against the facial recognition programme of an existing database, by scanning to detect a smartphone and use it to identify the person, in passports, etc. As a result, Drones can be used to process personal data, in the meaning of Article 2(a) of Directive 95/46/EC .
Consequently, it is of crucial importance that, as underlined by the Communication, Drones are developed on the EU market in full compliance with the fundamental right to the respect for private and family life guaranteed in Article 8 of the ECHR and Article 7 of the Charter and with the right to the protection of personal data, as guaranteed in Article 8 of the Charter. Data protection law establishes a number of requirements and safeguards, which enable the controller to process personal data, provided that Drones are used transparently and for lawful purposes, and that they raise individuals’ awareness on the actions carried out through Drones when they involve processing of their personal data. Because Drones are remotely piloted, controllers should not only focus attention on the act of piloting but should also point out their possible consequences. The consideration of individuals’ rights to privacy and data protection should raise their awareness on the consequences of their acts.
The use of Drones for civil purposes must comply with fundamental rights to privacy and data protection
The EDPS therefore welcomes the reference in the Communication to the EU data protection legal framework and the insertion of a chapter 3.4 dedicated to fundamental rights. Besides, the fundamental right to data protection, enshrined in Article 8 of the Charter and Article 16 of the Treaty on the Functioning of the EU (hereinafter: “the TFEU”), applies to the processing of personal data. The UK has a positive obligation to ensure that, be it for commercial or professional, law enforcement, intelligence or private purposes, the processing of personal data via Drones respects the essential elements set forth in Article 8 of the Charter as well as the more detailed rules laid down in EU secondary legislation. Under secondary law, Directive 95/46/EC, Council Framework Decision 2008/977/JHA , Regulation (EC) 45/2001 and Directive 2002/58/EC, as interpreted by the Court of Justice of the EU (hereinafter “CJEU”), lay down detailed conditions and safeguards to ensure the lawful processing of personal data. Council of Europe Convention 108 for the protection of individuals regarding automated processing of personal data also provides relevant safeguards including a private life.
As in Von Hannover v. Germany ruling , “the concept of private life extends to aspects relating to personal identity, such as a person’s name, photo, or physical and moral integrity; the guarantee afforded by Article 8 of the Convention is primarily intended to ensure the development, without outside interference, of the personality of each individual in his relations with other human beings. Therefore, there is a zone of interaction of a person with others, even in a public context, which may fall within the scope of private life. Publication of a photo may thus intrude upon a person’s private life even where that person is a public figure”. The Court reiterated that, “in certain circumstances, even where a person is known to the general public, he or she may rely on a “legitimate expectation” of protection of and respect for his or her private life”. In parallel, the processing of personal data triggers the application of the European data protection framework, wherever it is carried out, whether in a public or a private space, as long as the processing takes place in the context of the activities of an establishment of the controller in the UK or with equipment or means located in the EU. Even though technological developments would allow a significant increase in surveillance of individuals in the public space or even in private spaces (such as their house, balconies or garden) and the processing of a larger amount of personal data, these rights would remain and the safeguards they represent would not be lowered.
The right to data protection does not apply in the limited number of exceptions in Directive 2016/679 (the GDPR). Amongst these, the household exception could be relevant to a few limited uses of drones. The right to data protection is thus excluded when the processing of personal data is strictly limited to processing by a natural person during a purely personal or household activity. Recital 12 refers to activities which are exclusively personal or domestic, giving correspondence and the holding of records of addresses as examples of activities excluded from the scope of the Directive. Consequently, the processing of personal data through DRONES carried out by private users would not fall within the household exception in cases where the use of the DRONES is aimed at sharing or even publishing the resulting video/sound captures/images or any data allowing the direct or indirect identification of an individual on the Internet and, consequently, to an indefinite number of people (for instance, via a social network).
Submitting the use of drones by private users / citizens for private activities or as a hobby, and the resulting processing of personal data, to these criteria, one comes to the conclusion that the processing carried out via DRONES might meet several of these criteria and fall out of the scope of the household exception. The scale and frequency might vary a lot depending on Drone hobbyists who could join clubs and associations and sometimes, but not necessarily and systematically act in a collective and organised manner. As a result, DRONES use by individuals for private activities may, quite frequently, be subject to the requirements of the GDPR. In any event, as a pre-condition for the data protection rules, the processing of personal data must be lawful in all respects. This means also complying with other relevant rules in areas such as civil or criminal law, intellectual property, aviation, or environmental law.
The processing of personal data via a drone for commercial or professional purposes must comply with national legislation implementing the GDPR if the controller is established on the EU territory or is making use of equipment situated on the territory of an EU Member State. The territorial scope of application of the directive was recently clarified by the CJEU in its judgment Google Spain v AEPD. In that judgment, the Court took into account a number of elements, such as the presence of an establishment on the territory of an EU Member State and the relationship between the activities of that establishment and the data processing at issue, to decide on the applicability of EU data protection law to a processing carried out online by a company having its principal establishment outside the EU. Article 3 of the proposed General Data Protection Regulation (hereinafter “GDPR”), which is still under negotiation, would extend this scope to the processing of personal data “in the context of the activities of an establishment of a controller or a processor in the Union” and “to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behaviour” .
Nevertheless, as clarified by the CJEU in the Satamedia ruling , “activities […] may be classified as ‘journalistic activities’ if their object is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them”. The mere publication of data on the Internet or in a newspaper, without such an object is not sufficient for it to fall under the journalism exception.
Application of the Law Enforcement Directive, LED (EU2016/680)
Notably processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, falls under the directive EU 2016/680, therefore any drone footage would be subject to the requirements of the GDPR.
The use of drones also has to respect the fundamental right to privacy so that these activities should be based on a clear and accessible law, serve a legitimate goal and be necessary in a democratic society and proportionate to the purpose pursued. When they result in processing personal data, they are subject to the data protection safeguards. Law enforcement authorities processing personal data via Drones have to respect the fundamental right to privacy as enshrined in Article 8 of the ECHR and the interference with the exercise of this right should be done in accordance with Article 8(2) of the ECHR and the corresponding case law of the European Court of Human Rights. As a result, their activities must take place in accordance with the law, i.e. be based on a law or prescribed by law, this law being publicly accessible so that citizens are able to obtain information on how their rights may be interfered with. This law should also be foreseeable, meaning sufficiently clear and detailed for the citizen to be able to foresee when he or she is likely to be subjected to measures involving Drones.
The methods and types of uses of Drones by law enforcement authorities should not be secret. This use should serve one of the legitimate goals set out in Article 8 paragraph 2 of the ECHR and be necessary in a democratic society, that is respond to a “pressing social need”. The ECHR applied these requirements to the interference of law enforcement authorities with the exercise of the right to privacy in its S. and Marper ruling. Police will benefit from the use of Drones as in 2008/09, the police service was operating 33 aircraft for an annual revenue cost of £45m, and initial calculations were that a national police air service could maintain a fleet of 29 helicopters for an annual revenue cost of £37.5m. In 2016/17, National Police Air Service (NPAS) was operating 19 helicopters (with four fixed-wing aircraft still to come) with a revenue budget of £39.6m, an amount that represented a real-terms reduction in funding of about 28 percent since 2008/09. With each aircraft flying fewer hours on average, however, the cost per flying hour has doubled, therefore the introduction and use of drones will substantially reduce costs.
Drones are not operated by NPAS but are deployed either by the force concerned, by a partner force (e.g. within a regional collaboration) or by a partner agency (e.g. the local fire and rescue service). There is a National Police Chiefs Council (NPCC) Strategic Drones Working Group, and the only forces directly represented are the Metropolitan Police and the Police Service of Northern Ireland (NPAS was also represented). Instead, membership consisted of other organisations operating or concerned with drones, such as the Department for Transport, the Ministry of Defence and the Air Accident Investigation Branch. There is a general lack of knowledge in forces about what was discussed or agreed at these meeting. NPAS recently submitted a bid for funding from the Police Transformation Fund for a one-year project to produce a national baseline of the police use of drones, which was also intended to assess the potential for collaboration with fire and rescue services and other agencies. What has not been discussed is the mechanism for sharing the data obtained from Drones or any other requirements under the GDPR or even the Law Enforcement Directive, this should be immediately addressed and reviewed. Looking at the West Midlands CCTV assessment they do not identify any requirement under the Law Enforcement Directive, additionally the force indicates a ‘Legitimate interest’ in collecting data, something which a public body cannot implement under the GDPR.
What is new
Whenever personal data is collected by drones operated in the EU, the EU legal framework for data protection applies in principle. Together with other requirements (including aviation safety rules, certification/type-approval, health etc), the respect of data protection requirements and the right to private and family life will enhance the development of the market of Drones within the EU in compliance with the fundamental rights of the individuals concerned. In fact, only those Drones that will have integrated data protection and privacy in their design will be well regarded by society at large, that is, not only by data protection. UK drone laws, so what laws are coming next? Europe will be the first region in the world to have a comprehensive set of rules ensuring safe, secure, and sustainable operations of drones both, for commercial and leisure activities. Common rules will help foster investment, innovation, and growth in this promising sector. In July 2020, new European drone regulations are scheduled to start in the UK, despite the UK having left the EU. This will see the UK align with the European Aviation Safety Agency. In a nutshell, the new rules will see drastic changes in the differences between leisure/hobbyist and commercial flights, with a greater emphasis on the type of drone(s) you have and where you intend to fly. This will be on top of the current registration requirements we have already covered.
New drones will be classified under a new system, as well as flights themselves being categorised. The aim is to make things simpler, and indeed safer, than they are now. But like with anything new, only time will tell how effective this new approach will be. So, until then, just make sure the Drone Code is followed and register as a drone flyer, the registration information can be located on the Civil Aviation Authority (CAA) released Version 2 of Civil Aviation Publication (CAP) 722B. The release of the document marks the beginning of the transition of National Legislation to align and harmonise with that of other member states within the European Union (EU). The document follows the release of CAP 1789 earlier in the year which outlined EU regulation package. The implementing regulation will officially come into force on July 1, 2020; although you will notice NQEs preparing for the transition in anticipation of that date.
Let people know before you start recording, in some scenarios this is going to be quite easy because you will know everyone within close view (for example, if you are taking a group photo at a family barbecue). In other scenarios, for example at the beach or the park, this is going to be much more difficult, so you’ll need to apply some common sense before you start. The GDPR and the Data Protection Act 2018 applies to the collection of personally identifiable information and other sensitive information. Personally, identifiable information (PII) is information which can identify a specific person. Sensitive information includes health, financial, racial, sexual, and other information which may or may not also be personally identifiable information.
Where personal and sensitive information is collected for commercial purposes, privacy legislation requires that the subject of that information understand the purposes for which the information is collected and may be used, and consent to its collection and use. Data collected that includes personally identifiable information or sensitive information where the donor has not consented to its collection, can, in some cases, be made anonymous through deletion of the personally identifiable information (an example would be pixelization or blurring of identifying features, such as faces, house numbers, registration plates etc). Collection and commercial use of information that is not personally identifiable information and other sensitive information is not subject to privacy regulation. When operating drones operators must consider ‘consent’ which is defined in Article 4(11) of the GDPR as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR. When initiating activities that involve processing of personal data, a controller must always take time to consider what would be the appropriate lawful ground for the envisaged processing.
Drones are now being introduced within many enforcement agencies such as police, Defra etc. and their use changes the way professionals from the private and public sector interact in private or public places for the purpose of enhancing security, obtaining audience analysis, etc. Drone surveillance has become high performing through the growing implementation of intelligent video analysis. These techniques can be more intrusive (e.g. complex biometric technologies) or less intrusive (e.g. simple counting algorithms). Remaining anonymous and preserving one’s privacy is in general increasingly difficult. The data protection issues raised in each situation may differ, so will the legal analysis when using one or the other of these technologies. The amount of data generated by the video, combined with analysing tools and techniques increase the risks of secondary use (whether related or not to the purpose originally assigned to the system) or even the risks of misuse. The general principles in GDPR (Article 5), should always be carefully considered when dealing with video surveillance.
Seeing the bigger picture and filling in the gaps
At first glance, Data by Design and Default (Art.25, of the GDPR is deceptively simple. Although it is relatively short in length compared with other parts of the EU Regulation, its impact is extremely far reaching in terms of compliance. It’s notable that the GDPR isn’t prescriptive. A ‘Drone’ Data Controller needs to demonstrate how it meets these new requirements. This is not a tick-box exercise but brings to life a risk-based approach to data protection that’s outcome-focused. In this new compliance landscape, personal data protection must be front of mind rather than an after-thought.
Principle of Least Privilege (POLP)
A useful first step in complying with the Data Protection by Design and Default is the application of the Principle of Least Privilege (POLP). In the context of employees and contractors working for the ‘Drone’ Data Controller, the POLP only grants workers with the lowest level of access to personal data that is sufficient for them to do their jobs. The POLP also applies to things other than people, including software programmes and processes. For example, an employee may be permitted to view ‘Drone’ footage but not print it, download it or modify it. Granular permissions can be granted by the ‘Drone’ Data Controller where certain employees and contractors can have access to all ‘Drone’ data, whilst others have access to specific ‘Drone’ activities. This can be from within the ‘Drone’ Controller or at other points of the value chain such as ‘Drone’ Data Processor(s) and sub-Data Processors. The POLP isn’t referenced in the GDPR but adherence to it will assist the ‘Drone’ Data Controller to comply with the principles of data protection including purpose limitation, data minimisation and ensuring the security of personal data. A ‘Drone’ Data Controller can ensure consistency across the entire value chain by automating privileges and permissions through technical measures.
Data Privacy Impact Assessment
Under Art.35, GDPR, the Data Protection Impact Assessment (DPIA) is a tool that can help the ‘Drone’ Data Controller and the Data Processor identify the most effective way to comply with data protection obligations and meet the expectations of Data Subjects under the GDPR. The DPIA is required to be performed where processing of personal data and when using new technologies is likely to result in a high risk to the rights and freedoms of individuals. It will be required in cases of an evaluation of personal aspects based on automated data processing including profiling, processing on a large scale of special categories of personal data or systematic monitoring of a publicly accessible area. Under the GDPR, the DPIA is a mandatory ‘hygiene factor’ for a ‘Drone’ Data Controller prior to the commencement of certain personal data processing activities as specified under Art. 35(3), GDPR. The DPIA entails describing all personal data classes processed along with associated data protection risks; whether personal data processing is lawful; an assessment of the impact of data processing on the rights and freedoms of Data Subjects and managing the risks to processing personal data by using appropriate safeguards.
Importance of the DPIA
Companies and organisations can use the DPIA to systematically assess and identify the privacy and data protection impacts of any products and services they offer and provide. It enables the ‘Drone’ Data Controller to identify the impact and take the appropriate actions to prevent or mitigate the risk of those impacts on Data Subjects. From an internal perspective, consistently using DPIAs helps to raise awareness of compliance with the GDPR and helps to identify problems with processing of personal data early on. This could avoid costly mistakes being made and may trigger a fresh assessment of the actual personal data that needs to be processed in order to fulfil the purposes for processing in the first place and observance of the Principle of Data Minimisation (Art.5(1)(c), GDPR). Staff working for the ‘Drone’ Data Controller will need to be provided with appropriate training and support to assist in conducting DPIAs, overseen by the Data Protection Officer (DPO). Under Art.35(3), GDPR, the DPIA is a mandatory ‘data cleanse’ prior to the commencement of certain personal data processing activities and unlike a Privacy Impact Assessment (PIA) that’s been standard practice for many years and tended to be carried out on a project-by-project basis, the DPIA applies across the whole organisation. The DPIA entails describing all personal data types processed along with associated data protection risks:
• Whether personal data processing is lawful
• An assessment of the impact of data processing on the rights and freedoms of Data Subjects
• Managing the risks of processing personal data by using appropriate safeguards.
When is it appropriate to conduct a DPIA?
The DPIA should be carried out “prior to the processing” of personal data (Art.35(1) and 35(10), GDPR) and this is consistent with the principle of Data Protection by Design and by Default (Art. 25, GDPR). In some cases, the DPIA will be an on-going process, for example where a processing operation is dynamic and subject to on-going change. Carrying out a DPIA is a continual process, not a one-off exercise. Where the ‘Drone’ Data Controller identifies very high-risk processing that it can’t mitigate with existing organisational and technical measures, then under Art.36(1), GDPR it’s under a duty to consultant with the relevant Supervisory Authority (Figure 6.2). According to the GDPR, there are circumstances under which it may be reasonable and economical for the issue of the DPIA to be broader than a single project, e.g. where the ‘Drone’ Data Controller may intend to establish a common ‘Drone’ application or processing platform.
This may mean where similar technology is used to collect the same sort of personal data for the same purposes, e.g. the ‘Drone’ Data Controller could conduct a DPIA to cover all video surveillance across all locations with one DPIA. Under the GDPR, the appropriate time for an organisation to carry out the DPIA would be prior to any of the following circumstances:
• When introducing new technology and/or new applications
• When processing special personal data
• When processing new data classes to which the level of risk is unknown
• When carrying out automated personal data processing and/or profiling where the result of such personal data processing creates legal effects on the Data Subjects or significantly affects the rights of the Data Subject
• When systematically monitoring of a public area on a large scale (e.g. ‘Drone’ cameras)
• When making significant changes to the existing data processing operations
• And highly recommended when using cloud-based services for processing personal data.
Art.35, GDPR sets out a broad requirement that the DPIA must be carried out when personal data processing is ‘likely to result in a high risk for freedoms of individuals. The DPIA must consider the entire lifecycle of personal data processing from the point of collection to the point of deletion. At all stages, the rights and freedoms of Data Subjects must be protected. The ‘Drone’ Data Controller will need to periodically check that the “residual risk” remains acceptable and if it increases with no ability to mitigate this increase in risk, then it will need to consider prior consultation with the Supervisory Authority in accordance with Art.36, GDPR. In accordance with best practice, the ‘Drone’ Data Controller, Joint ‘Drone’ Data Controller and ‘Drone Data Processor will need to review all personal data processing operations, no later than May 2021 to ensure that such personal data processing risk have been mitigated and reduced to a residual risk that doesn’t cause harm or damage to the rights and freedoms of Data Subjects.
Who should carry out the DPIA?
The ‘Drone’ Data Controller and the Data Processor is responsible for ensuring the DPIA is carried out. Carrying out the DPIA may be done by someone else, inside or outside the company and organisation but the ‘Drone’ Data Controller and the Data Processor remain ultimately accountable for that task under the GDPR. The ‘drone’ company must seek the guidance and advice of a DPO and this advice, and the decisions taken, should be documented within the DPIA. Additionally, within the DPIA flight plans as well as flight altitudes must be identified.
Article continues here.