This is a guest post provided by Bristows LLP.
The uses to which drones can be put – from surveillance and photo-journalism to a range of leisure pursuits – is increasing exponentially. So too is the potential for drones to collect mass amounts of data about individuals and operators. This trend raises a number of data privacy and security concerns. If a drone operator collects, uses or stores personal data (i.e. information from which an individual can be indentified), it must comply with data privacy and security laws. A separate but related issue is that the types of communications data collected by drones might make operators and manufacturers subject to disclosure requirements under current and future investigatory powers laws. We touch on these key privacy and security aspects of the use of drones further in this post.
Data privacy compliance – key points to be aware of
The UK Data Protection Act 1998 (“DPA”) applies to the processing (collecting, using, storing and disclosing) of personal information. Such processing must be ‘fair and lawful’, which means, among other things, that individuals whose data is being processed must be notified of the processing, the nature and purpose of the data being collected, and the identity of the data controller (i.e. the entity or person that decides how and why the personal data is processed, usually the drone operator).
Notifying people that you are going to collect and process their personal information via a drone may sometimes be difficult, particularly at large public events. However there are steps drone operators can take to try to achieve legal compliance. Making drones highly visible (e.g. with flashing lights or bright colours) would help alert the public to the presence of a drone. Individuals could also be notified through signposting or information leaflets in specified areas, or through social media. Notices should explain how individuals can exercise their rights in respect of any information collected about them. In certain circumstances, data controllers may require an individual’s consent before using a drone to collect their personal information.
Drone operators should be careful to only process the minimum types and amounts of personal information required for their intended purpose, and to retain such data no longer than necessary. Additionally, the DPA requires data controllers to have security measures in place to protect against unauthorised or unlawful processing and accidental loss or damage to personal information. Further, UK-based drone operators should be mindful that they must comply with the DPA even where they operate a drone outside of the UK.
In June 2015 the Article 29 Working Party (“WP29”) – the EU’s data privacy advisory board – issued its opinion on the use of drones. The opinion contains some helpful recommendations for drone operators and manufacturers seeking to ensure legal compliance, such as drones should be designed with privacy in mind to ensure legal compliance from day one (so-called “privacy by design”), and assessments should be carried out in the early development stages to evaluate the data privacy impact of the drone. The WP29 also suggests that drone operators adopt policies which explain how they will operate drones lawfully and responsibly. Drone operators who follow the WP29 guidance can generally expect to be compliant with data privacy laws as they apply to the use of drones.
In the near future we will see changes in data privacy law that drone operators processing personal information will need to be aware of. During 2018, the DPA will be replaced by the recently-published EU General Data Protection Regulation (“GDPR”). The GDPR aims to catch data privacy law up with current and emerging technologies including drones, and to give individuals greater control over the use of their personal information. In particular, drone operators should be mindful that the GDPR imposes significantly increased fines for data breaches and non-compliance.
Investigatory powers and information disclosure – key points to be aware of
Under the Regulation of Investigatory Powers Act 2000 (“RIPA”), law enforcement bodies (including the police and intelligence services) have rights to require a telecommunications operator to disclose certain communications data. The purposes for requiring disclosure are wide-ranging and include national security grounds, prevention/detection of crime, and public health and safety.
Depending on the circumstances, it may be that a drone operator constitutes a telecommunications operator for the purposes of RIPA. If so, it can be compelled to disclose information it has collected about individuals and their use of drones – such as telemetry information, geolocation, and time and date metadata – to a law enforcement body.
In November 2015, the government published the draft Investigatory Powers Bill (the so-called “snoopers charter”) which aims to update and replace existing laws governing the investigatory powers of the state, police and intelligence and security agencies. Once passed into law, drone operators are likely to have wider obligations with respect to storing information collected through drones and assisting the police and security services to combat threats to national security.
As indicated above, regulators of various types are making attempts to catch up with the pace of technological change. As drones come to feature more prominently in the public consciousness, it is likely that data privacy concerns will figure highly on the radar of regulators who may seek to enforce new data privacy laws strongly against drone operators who are not compliant. Similarly, as the types and breadth of data collected by drones increases, it is likely that security agencies will be keen to use new and existing powers to require operators to hand over data they may believe will help in tackling crime and terrorism.
Drone operators are advised to ‘watch this space’ as the law develops in this area, and the impact of their activities from a privacy and security perspective become better understood.