ThinkstockPhotos-488982577-webOn June 16, 2015, the body of European data protection regulators known as the Article 29 Working Party (WP29) issued an opinion1 that clarifies EU data protection rules in the context of civil drones. The opinion explains how the principles of EU data protection law apply to drones, and provides a list of recommendations for drone manufacturers and operators, regulators and policymakers, and other stakeholders. This article highlights the key takeaways of the WP29 opinion.

Background

The main piece of data protection legislation in the European Union is EU Data Protection Directive 95/46/EC. The directive includes specific rules on how companies can process personal data, extends specific rights to individuals (e.g., the right to be informed of the data processing), provides for data security measures, and sets significant restrictions for the transfer of personal data.

In the context of drones, the WP29 opinion clarifies that images, sound, geolocation data, or other data collected by drones that relates to an identified or identifiable natural person should be considered personal data, and will be protected by Directive 95/46/EC. However, compliance with the directive may be particularly challenging in the context of drones. For instance, WP29 sees a specific risk of a lack of transparency, since it is difficult for individuals to know how their personal data is being processed via a drone, for what purposes, and by whom. WP29 also warns against the excessive collection of personal data via drones, and multipurpose uses of the bulk data collected.

Recommendations

The WP29 opinion provides a list of recommendations for drone operators, and for drone manufacturers to help the operators comply with EU data protection law. It also provides recommendations to policymakers and stakeholders to take measures to make the drone market compliant with EU data protection law. The key takeaways from the opinion are:

  • Security Measures. Under Directive 95/46/EC, personal data must be protected from data breaches by appropriate security measures. WP29 encourages drone manufacturers to work with security experts to address any security vulnerabilities of their drones. WP29 sees a particular vulnerability in the transmission phase, when personal data is transferred from the drone to the base station. Drone manufacturers should also design drones in such a way that operators can delete or anonymize unnecessary personal data as soon as possible after the data has been collected, and set a storage period after which the collected data is automatically deleted.
  • Information to Drone Operators in Packaging. WP29 advises drone manufacturers to provide information within the packaging of the drone (e.g., within the operating instructions) relating to the potential intrusiveness of the drone and recalling the need to respect privacy and data protection laws when using the drone. Where local laws prohibit the use of drones in certain areas, manufacturers could provide a link to official maps that indicate the areas where drones are permitted.
  • Notice to Individuals. Directive 95/46/EC requires that individuals receive notice that their personal data will be processed. WP29 considers that, for the processing of personal data via drones, notice should be provided via a combination of channels (e.g., signposts, symbols, website). Drones should also be made visible and identifiable from as far as possible (e.g., using flashing lights, bright colors). When in line of sight, the drone operator should be clearly visible and identifiable with signage, so that it is obvious who is responsible for the drone. Drone manufacturers are advised to take these notice requirements into account in the design of their drones.
  • Privacy by Design and Privacy by Default, Data Protection Impact Assessments. EU regulators require companies to build their products and services in a way that allows compliance with EU data protection law (known as the principles of “Privacy by Design” and “Privacy by Default”). For drone manufacturers this means, for instance, that the drone should be built in such a way that the collection and/or further processing of unnecessary personal data can be avoided (e.g., by automatically blurring faces when images of identifiable persons are not necessary). WP29 also suggests conducting data protection impact assessments to assess the impact of drones on the right to privacy and data protection.
  • Policymakers and Stakeholders to Develop Framework for Drone Use. WP29 calls upon policymakers at the EU and national levels to consult with industry representatives to prepare a framework for drone use which includes data protection requirements. For instance, policymakers and stakeholders should develop criteria for data protection impact assessments to be conducted by drone manufacturers and operators. WP29 also recommends that Civil Aviation Authorities work closely with Data Protection Authorities to include data protection requirements into certifications and licenses for drone operators. WP29 also sees a role for codes of conduct, data protection certifications, and privacy seal schemes to increase industry compliance. Finally, WP29 recommends that the European Commission support research and investment for new technologies intended to increase transparency concerning drones, including smart license plates for drones, for example.

Conclusion

In the EU, drones are perceived as particularly privacy-intrusive devices. Some EU member states have already adopted or prepared drone legislation2 and there is EU policy in the making which aims to address privacy and security concerns relating to civil drone use.3 The WP29 opinion articulates the concerns around drones and cautions drone operators to use drones in a way that takes into account EU privacy concerns. For drone manufacturers this means that they should make privacy- friendly design choices that allow drone operators to comply with EU data protection law.

Although opinions from WP29 are not legally binding, they are taken into consideration by privacy regulators in the EU when applying data protection law. The opinion therefore provides a good indication of how regulators will evaluate compliance of drone manufacturers and operators with data protection and privacy laws in the EU. Moreover, WP29’s recommendations (e.g., making privacy-enhancing design choices) are in line with the principles included in the proposed new EU data protection legal framework, i.e., the General Data Protection Regulation.4

1 See the WP29 Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilization of Drones (WP231), June 16, 2015, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2015/wp231_en.pdf.

2 For instance, the Belgian government is preparing drone legislation which recently received the green light from the Belgian Privacy Commission. The Privacy Commission’s opinion on this draft legislation is available at http://www.privacycommission.be/sites/privacycommission/files/documents/advies_32_2015.pdf (in Dutch) and http://www.privacycommission.be/sites/privacycommission/files/documents/avis_32_2015.pdf (in French).

3 The European Aviation Safety Agency is currently seeking input from drone stakeholders to propose a regulatory framework for drone operations. The expiration date for comments is September 25, 2015. More information is available at https://www.easa.europa.eu/newsroom-and-events/news/short-summary-easa%E2%80%99s-proposals-new-rules-drones.

4 The proposed General Data Protection Regulation is a new piece of EU data protection legislation that is now in the final stages of the EU legislative process. It is expected to be adopted sometime between the end of 2015 through the beginning of 2016. The General Data Protection Regulation would become effective two years after adoption. For an update on the latest developments concerning the regulation, please see the July 2015 issue of the WSGR Data Advisor at: https://www.wsgr.com/publications/PDFSearch/the-data-advisor/Jul2015/index.html#4.