Drones vs privacy: Little Brother is watching you

There are an estimated 90,000 drone owners in the UK (according to the Civil Aviation Authority) and 700 companies/entities which are active in the unmanned aerial systems industry (according to NESTA).

Overview of UK legal framework

There is currently no data protection-type legislation in the UK or at an EU level specifically designed to apply to the use of drones.

The General Data Protection Regulation (“GDPR”) forms the main basis of the applicable legal framework for data protection in the EU. The GDPR currently applies in the UK alongside the Data Protection Act 2018 (“DPA”).

Drone operators, particularly those engaging in commercial operations, are well advised to familiarise themselves with the scope and impact of the data protection legislation to avoid steep penalties.

The ICO and CCTV Code

The Information Commissioner’s Office (“ICO”) is the main independent regulatory body that deals with data protection breaches at a domestic level.  The ICO treats drone recordings as equivalent to CCTV footage, and it directs commercial drone users to the CCTV Code of Practice (“CCTV Code”).  The CCTV Code is a helpful source of best practice guidelines.

The CCTV Code recognises the potential increased severity of a breach of privacy with drone footage. Drones can potentially record footage in places that one would ordinarily have a reasonable expectation of privacy, for example a home or garden.

The quality of imagery from a drone can allow for the collection of facial recognition and biometric information, along with data such as GPS tags; this type of data is considered by the ICO to be  especially sensitive.

The CCTV Code requires that drone operators must act in a responsible manner and ensure that any personal data collected using a drone is processed lawfully.

Lawfulness of data processing

The GDPR imposes a data protection obligation on both the ‘data controller’ and the ‘data processor’.

The data controller is the commissioner of the drone recording (e.g. a news publication outlet). The drone operator themselves (e.g. an independent contractor of the news outlet) is the data processor.

It is therefore vital from the perspective of the data controller that the contractual arrangement between the two parties clearly defines exactly what is to be recorded and how that data is to be processed.

Article 5 of the GDPR requires that personal data must be processed lawfully, fairly and transparently. The controller must either obtain the data subject’s consent to be recorded (which is problematic for some commercial drone uses such as paparazzi photography), or it must be in the legitimate interests of the controller or some other party.

The scope of ‘legitimate interest’ is broad and allows for the processing of data where it confers a benefit to the controller or a third party, where the privacy impact is limited and does not go beyond what is necessary in achieving a stated goal.

For example, if a tourism company commissioned an aerial photograph of a beach to be taken with a drone, it is arguable that even if there are people on the beach who have not been consulted, the overall impact on their privacy is limited such that no breach will occur.

However, context is key. If that image had a sufficient resolution such that it was possible to zoom into the image, the drone operator is in effect taking close-up photographs of beachgoers covertly. In this case, the ‘legitimate interest’ is far less obvious.

Privacy by design

Drones themselves do not breach data privacy, but the attached cameras/sensors have the potential to do so. The GDPR requires commercial drone operators to keep privacy in mind at every step of their operations.

For example, a drone operator might seek to implement an AI-based drone solution in order to map the movements of people at a busy sports stadium (so as to develop improved crowd control measures).

The drone operator could put up clear signage informing attendees of the recording. This can be done by putting up posters at the entrances and throughout the stadium and ensuring that the drone pilots and the drone itself are easily visible.

The operator could also programme the drone (and its flight path) in order to ensure that it will only record what is necessary and nothing more. Suitable IT processes to test and ensure the confidentiality of imagery, storage and encryption of the data must also be contemplated.

Husna Grimes, Senior Consultant at Humphreys Law made the following comment as regards privacy by design:

“Drones themselves do not usually collect personal information, but various bits of kit that you can strap to them do.  Just because a camera or sensors of other kinds have been attached to a drone does not mean that data protection rules won’t apply.  Any operators of drones should be careful because this can be a way of collecting much larger amounts of personal data than would be the case at ground level. A DPIA is always a good place to start if using drones for commercial purposes so that the controller can think about the potential privacy risks from the outset and build in controls and measures to address these risks.”

Data Protection Impact Assessment (“DPIA”)

Along with ensuring privacy by design, commercial users of drones will generally need to carry out a DPIA to ensure that their activities will not breach the privacy of those being recorded.

The GDPR specifies that this is particularly relevant in cases that involve the monitoring of a publicly accessible area, or where the sensitivity of information is particularly high.

It is therefore advisable that commercial drone operators conduct a DPIA if there are any potential risks to the data protection rights of individuals. 

Exemption for ‘household’ users 

The GDPR provides for a (partial) exemption of the data protection legislation in situations that involve personal/household activities, such as amateur drone hobbyists, but only so long as the data is exclusively used in a personal or household capacity.

This does not mean that a hobbyist can collect data under that exemption and then go on to sell or more widely distribute the footage.

Exemption for journalists

The scope of the GDPR is also limited where personal data is processed in the course of a journalistic activity.  The European Court of Justice (“ECJ”) has to date taken a broad interpretation of the term ‘journalism’.

On this basis, those who use drones for commercial activities that are in the pursuit of journalism are also granted a (partial) exemption.

This has potential relevance to photographers who work for news outlets. A balancing exercise must take place when determining the scope of the journalistic exemption, this can become contentious.

Counter drone technology

Unsurprisingly, various businesses are now building software and hardware to defend against drone attacks or to prevent drones from entering specific areas.

Richard Gill, CEO of Drone Defence commented to HLaw:

“Drones are a truly amazing technology and have a multitude of uses for good. However whilst their positive uses are plentiful, they can also unfortunately create privacy and security issues – either accidentally or intentionally.

At Drone Defence, we recognise that in order to enable the huge potential drones have in our future world, we need to provide solutions to any immediate issues with drones that our customers may have. By doing so, we ensure that any use of drones for malicious purposes is kept to a minimum whilst establishing public confidence in this exciting, emerging industry.”

Final thoughts

Drones are here to stay and with them the privacy issues that stem from using drones to collect personal data.

Drone operators should sensibly familiarise themselves with the data protection provisions of the DPA (and the GDPR) and the CCTV Code.  Breach of those provisions could see claims brought for breaches of data privacy of up to €20 million (about £18 million) or 4% of annual global turnover (whichever is greater).

Drones are just another gadget, but they are a gadget that can facilitate the collection of large amounts of personal data and those working in the industry need to be aware of the resulting legislative restrictions on what can then be done with that data.

This piece was researched and prepared by Amir Kursun, with input from Kieron Glover who was with the HLaw team as an intern during the late summer of 2020.

All the thoughts and commentary that HLaw publishes on this website, including those set out above, are subject to the terms and conditions of use of this website.  None of the above constitutes legal advice.  Much of the above will no doubt fall out of date and conflict with future law and practice one day.  None of the above should be relied upon.  Always seek your own independent professional advice.

Humphreys Law