There are several legal aspects related to the use of drones, including a number of data protection issues.
Although no comprehensive legislation has been enacted so far in Hungary, the Hungarian Data Protection Authority (Hungarian DPA) has, similarly to other data protection authorities, summarized the main data protection aspects of the use of drones for various purposes (public, commercial and private) in a recommendation a few years ago, and proposed further legislation. (In the meantime, legislation has been adopted on aviation aspects of the use of drones but the data protection issues were not covered.)
The issue is also discussed on the European level. At the end of November 2018, the so-called Amsterdam Declaration on the direction for a common European drone service market has been approved.
What are the main privacy aspects of the use of drones?
As the Hungarian DPA’s recommendation states:
“In general, it should be emphasized that the use of drones alone is not a data protection issue, but the atypical data processing with drone-mounted accessories has data protection implications. The main difference from the data processing so far is that even the proper use can be very invasive into the privacy of people, as the tool is able to collect data about everything that is in its field of vision, which is, compared to the use of similar technologies, unusually wide and can be changed very quickly.”
Thus, the use of drones with tools (especially cameras) that are capable of recording personal data is in the focus of data protection.
The use of drones can also have a significant impact on the privacy beyond the specific data processing, as the perception of the presence of the drone in itself can create a sense of intrusion into the private sphere (even in the absence of specific data processing), or data processing is also feasible in a manner that data subjects are not aware of it.
What privacy rules are currently applicable to the use of drones?
In the absence of special rules, the general data protection rules, such as the General Data Protection Regulation (GDPR), apply to the data processing activities in connection with the use of drones.
In practice, this means that a legal basis for the data processing shall be granted (e.g. legitimate interest or consent), and special attention should be paid to compliance with the basic principles of data processing (purpose limitation, data minimisation, storage limitation, etc.). The data processing activities with drones shall be designed with a focus on the principles of "privacy by design" and "privacy by default".
The possibility of exercising the data subjects’ rights must also be ensured. This may cause some troubles to data controllers, for example, in many cases, it is difficult to identify the data subjects.
With regard to data processing with drones, transparency and providing prior information are very important elements of the data controllers’ obligations, since this may serve as the basis for exercising any additional right. The way of providing information depends on the scope of data processing and it may vary case by case. For example, it can be provided in the form of on-line information, placement of posters, etc.
In some cases, data controllers shall prepare a legitimate interest test before commencing the data processing activities with drones (if the legal basis is the legitimate interest of the data controller or a third party). According to the "black list" issued by the Hungarian DPA, if the use of drones includes systematic surveillance (i.e. systematic and large scale surveillance of data subjects in public areas or spaces by camera systems, drones or any other new technology), it is also mandatory to carry out a data protection impact assessment (DPIA).
The guidelines for using drones issued by ICO should also be considered. It contains the following tips on responsible use of drones:
- Let people know before you start recording.
- Consider your surroundings. If you are recording images beyond your home, a drone may intrude on the privacy of others where they expect their privacy to be respected (such as in their back garden).
- Get to know your camera first. It is a good idea to get to know the capability of your camera in a controlled situation to understand how it works.
- Plan your flight. By understanding its capabilities, it will be easier to plan how to avoid invading the privacy of other people.
- Keep you and your drone in view. If you are clearly visible then it will be easier for members of the public to know that you are the person responsible for the drone.
- Think before sharing. Think carefully about who’s going to be looking at the images, particularly if you’re thinking about posting them on social media.
- Keep the images safe. The images that are not necessary can be deleted. If you keep them, the images shall be stored in a safe place.
The guidelines of the Data Protection Commission of Ireland (DPC) on video recording indicates that “the DPC does not currently have specific guidance on the use of ‘action cams’ (such as GoPros) or drones capable of recording video, but, as you can imagine, many of the considerations relevant to CCTV and dash cams apply equally to the use of these types of video recording equipment.”
The Israeli Data Protection Authority has also published draft guidelines on the use of drones recently. The draft guidelines do not apply to drones that collect information "for personal use that is not for business purposes".
Outlook - Protecting the privacy against the use of drones in Pennsylvania
In Pennsylvania, privacy regulations for drones ("unmanned aircraft") came into force just a few months ago (on January 10th). According to this new Pennsylvania legislation, the use of drones “to intentionally or knowingly conduct surveillance of another person in a private place or to place another person in reasonable fear of bodily injury a summary offense – i.e., a fine of up to $300.” The law includes exceptions for law enforcement officials, first responders, utility companies and some government employees.