​Privacy Risk Assessment Priority for Drone Operation

On 25 May 2018, a new EU General Data Protection Regulation comes into force and will apply across all EU member states. Pending the outcome of Brexit this also includes the UK. There are potentially serious implications for drone filmmakers and in an increasingly litigious society it is probably only a matter of time before an operator is taken to court under the new rules. When infringements can be subject to fines of up to EUR 20 million or in the case of in the case of a business, up to 2% or 4% of the total worldwide annual turnover of the preceding financial year, whichever is the higher – then it’s worth paying attention to what the rules do and do not permit.

There are obvious cases where drones might be deemed to deliberately invade the privacy of citizens – hovering low over houses where permission has not been sought or trying to peek into the window of a high rise.

Filmmakers will be sensitive to this issue and most production companies will be obtaining image rights and all relevant permissions for whatever they plan to shoot as a matter of course.

However, with drones now fitted with a variety of sensors including artificial intelligence in the case of Chinese developer Zero Zero Robotics, the exact ‘mission’ of a drone flying overhead may not be apparent to people on the ground. While a drone may be flying at a legal height and within the parameters of a designated area, anyone who can see the drone or any owner of an adjacent property to its flightpath may find cause for alarm.

The rising traffic of UAVs in the sky is already prompting tighter scrutiny of restrictions around their use. Aviation authorities worldwide are calling for drones to be outlawed in the vicinity of aircraft after several near misses. Specifically, when it comes to data protection there are aspects which can escape the net.

The right which everyone has for respect for their private and family life, and home is enshrined under Article 8 of the European Convention on Human Rights. From a UK perspective, the Convention rights are incorporated into UK law by way of the Human Rights Act 1998.

Data protection rules give people captured in images a right to ask for their photos to be deleted if they have not given consent beforehand.

So being as transparent and clear to potential subjects upfront is a sensible step.

According to Sally Annereau, Senior Data Protection Advisor at law firm Taylor Wessing, this can include taking steps to make the drone as noticeable as possible. This could include using bright colours, flashing lights and alert noises. It can also include labelling or providing registration mark details for the drone, which may be relevant if control of the drone is lost and data needs to be linked back to the operator. The use of registration marks may also provide the future potential for wireless transmission of drone registration details to be cross referenced with an online resource providing details of the controller of the drone and its use.

Annereau also points to websites and applications to give more information about why, how and where drones have and will be used by the controller.

Key data protection requirements relevant to the use of drones also includes proportionate processing. In practice this means making an assessment to ensure that only personal data that is “adequate, relevant and not excessive” are collected and that “any personal data collected is limited to the minimum necessary for the purpose.”

Annereau provides guidance to help meet this requirement and suggests understanding the capabilities of the drone and choosing technology and settings that are appropriate to the specific objective. For example:

  • switching off the recording features where these are not required or only activating these when the drone has reached the specific zone of interest, (rather than leaving these continuously running across the flight).
  • understanding if the drone has features that can be used to restrict its field of vision to a reduced area of focus;
  • considering whether software built into the drone (or capable of being applied to the drone) enables mapping against pre-defined no-fly zones. This can be done to prevent the drone entering these areas and minimising the risk of intrusive personal data collection.
  • understanding the drone’s data storage capabilities and ensuring that any personal data collected is only kept for the minimum time necessary for its purpose and disposed of appropriately when it is no longer required.

Beyond this it is necessary to secure the data. It means taking steps to secure personal data from any unauthorised or accidental access, disclosure, alteration or loss, including remote cyber-attacks on the drone itself and where the personal data is being transmitted from the device. This could, for example, be by using encryption or other appropriate methods to lock down access to the information to only those limited people who are authorised to view or access the recorded images and data.

There is no such thing as casually flying a drone when any image and information gathered by cameras and sensors on board is the personal property of someone. A privacy risk assessment model for drones has become essential.

You might also like...