On June 16, 2015, the Article 29 Working Party (the “Working Party”) adopted an Opinion on Privacy and Data Protection Issues relating to the Utilization of Drones (“Opinion”). In the Opinion, the Working Party provides guidance on the application of data protection rules in the context of Remotely Piloted Aircraft Systems, commonly known as “drones.”
The Working Party deemed it necessary to issue specific guidance on this topic as the large-scale deployment of drones and sensor technology on board drones presents several risks with respect to privacy and data protection. These risks result, in particular, from the lack of transparency with regard to the personal data (such as images, sounds and geolocation data) processed by drones and the ability to use multiple drones to collect a wide variety of information for extended periods of time across large areas.
After identifying the privacy and data protection risks related to the use of drones and examining the applicability of EU Data Protection Directive 95/46/EC to drones, the Working Party provided recommendations for European and national legislators, manufacturers of drones and related equipment, and drone operators. The Working Party also provided specific guidelines for the use of drones by the police and other law enforcement authorities.
According to the Working Party’s recommendations, drone users should:
- Verify the need to obtain prior authorization from the UK Civil Aviation Authorities.
- Identify the most suitable legal ground for the processing of personal data while using drones.
- Comply with the purpose limitation, data minimization and proportionality principles (e.g., by taking measures to avoid the collection of unnecessary personal data).
- Ensure that individuals are properly informed about the processing of their personal data (e.g., by distributing leaflets to the public if drones are used during a public event) before operating a drone.
- Implement measures to ensure that the personal data collected by drones is adequately protected and deleted or anonymized after it is no longer necessary.
In addition, drone manufacturers and operators should (1) take into account the privacy by design and privacy by default principles and (2) perform data protection impact assessments to evaluate the impact of drone applications on individuals’ right to privacy and data protection. In this respect, the Working Party requested the competent policymakers to facilitate these data protection impact assessments by developing and introducing a set of criteria for impact assessments that can easily be used by industry and drone operators.
The Working Party also (1) advised national and European regulators to introduce specific rules for the responsible use of drones and (2) suggested that manufacturers marketing small drones should be required to include sufficient information in the drone packaging about the “potential intrusiveness” of drones and the “need to respect European and national legislation and regulations protecting privacy, personal data and other fundamental rights.”
With respect to the use of drones for law enforcement purposes, the Working Party generally believes that (1) the use of drones for such purposes should be subject to judicial review and (2) law enforcement should not use drones to constantly track individuals.