The use of drones is often associated with an invasion of privacy or fear of such an invasion. Indeed, the use of a drone may involve an invasion of privacy and the acquisition of personal data. Personal data in this case is usually considered as part of a broader category such as privacy.
1. Use of drones
The above statement is a certain simplification, as the protection of personal data is now an individual area of law, regulated separately through specialised legislation, with particular reference to the RODO – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)[1]. The provisions of this act aim to protect a person’s information sphere regardless of the nature of the personal data to be processed, i.e. whether it belongs to his/her sphere of privacy or whether it has the nature of information directed outwards, relating to his/her public, professional, social activities.
The right to privacy and the right to the protection of personal data are now two related but nevertheless separate legal categories. Both of these rights in the EU are fundamental rights. The protection of privacy is strictly dependent on the degree of effectiveness of information protection mechanisms. Data protection is a kind of specialised construction that serves to protect values similar to those protected by the right to privacy. In the considerations conducted here, we focus on a certain area common to the right to privacy and the protection of personal data, which is the information sphere of an individual, i.e. the issue of acquiring information about a person using a drone. We narrow the focus in this way because there is no doubt that the use of a drone may also threaten an individual’s privacy in other ways. Indeed, if we refer to such a way of understanding privacy, within which the emphasis is placed on seclusion, lack of external interference, freedom from disturbance of peace and home turf, the very flying of a drone over someone’s property, especially when it is unjustified, repeated or obstructive of the normal use of the property or its facilities, may be treated as violating privacy, although not in the information sphere.
2. Threats to the information sphere from drone use
It should be emphasised that linking the risks of privacy or data protection violations to the use of a drone is a certain simplification, since the basic type of drone, consisting only of components necessary for flight, does not serve to process personal data. Risks only arise when such an unmanned aircraft is equipped with instrumentation that allows for the acquisition or direct transmission of data. This includes, for example, sensors or other suitable equipment allowing sound or image recording, or temperature measurement and recording.
In this respect, it is worth referring to the findings of Opinion 01/2015 of the Article 29 Working Party on privacy and data protection issues related to the use of drones[2]. Although this opinion dates from before the adoption and application of the RODO, it can still be an important point of reference when designing the acquisition of personal data by means of drones or when such acquisition of information is even hypothetically possible.
Following the example of the Article 29 Working Party, it is possible to identify categories of devices whose use may affect the privacy and protection of personal data. These devices can be classified as follows:
- image-recording equipment: intelligent cameras with fixed or variable focal length lenses capable of collecting and transmitting live images, equipped with face-recognition functions on the drone or on the ground, enabling the drone to identify and track specific persons, objects or situations, identify movement patterns, read vehicle number plates, while providing a 360° field of view, capable of detecting thermal energy emitted by the target, enabling flight and recording of images in poor visibility (due to fog, smoke or dust) or at night;
- detection equipment: optical-electronic sensors, infrared scanners, radar transponders to identify objects, vehicles and vessels and obtain information on their position and course, even if separated by a wall, smoke or other obstacles;
- radio-frequency devices: such as antennas locating access points to the local radio network or mobile phone stations, femtocells and IMSI catchers used by law enforcement agencies to control mobile phones and networks or by service providers to relay communications between networks and terminal users;
- special sensors for detecting nuclear traces, biological traces, chemical materials, explosive devices[3].
The processing of images, including images of persons, houses, vehicles, vehicle licence plates, etc., sounds, geographic location data or other electromagnetic signals relating to an identified or identifiable natural person, carried out by data-processing equipment fitted to an unmanned aircraft, may have a real impact on privacy or the protection of personal data. This leads to the need to determine the scope and grounds for the processing of personal data under the RODO, as well as the measures that must be put in place to protect privacy as a personal good that is protected under civil law provisions, led by Articles 23 and 24 of the Civil Code[4] and Article 81 of the Copyright Law[5]. In any case, however, it should be made clear that what is relevant from the point of view of privacy and data protection is not the use of drones per se, but the data processing equipment installed on the drone and the subsequent processing of personal data, which may take place as the purpose of using the drone or as a side effect when the collection of data by this means is not intentional[6].
3. The right to protection of personal data in connection with the use of unmanned aerial vehicles
The development of data protection law was initiated at the very dawn of the information age. In the era of the phenomenon known as the ‘global society’, informational autonomy, a subcategory of privacy to which the safeguards offered by data protection law are naturally closely linked, has taken on particular importance. The danger, which must be prevented by the use of increasingly specialised legal tools, lies in external interference in the private life of the individual. This happens through the extraction of information belonging to his or her sphere of privacy, or the centralisation or monopolisation of collected data. The right to the protection of personal data focuses to a large extent on the protection of this value of informational autonomy, which is to be ensured by guaranteeing the individual the right to “informational self-determination”, i.e. leaving it to the individual’s sole decision who may find out what about him or her, and how[7]. This autonomy implies the possibility for the individual to dispose of certain information concerning him or her, which must be protected from uncontrolled collection and processing. The individual thus has the right to create, with the help of information, such an image of himself as he deems desirable, and can decide what data about himself he intends to disseminate and what he does not. The essence of information autonomy can thus be reduced to the statement that man should have the right to control the content and circulation of information about himself[8]. It thus goes beyond the traditionally understood right to be left alone.
The inability to control information about oneself deprives a person of the sense of freedom to create one’s own image vis-à-vis those around one, thus nullifying the postulate of the possibility of self-determination[9]. It appears that this lack of freedom may be influenced by the possibility of using drones to track an individual, to obtain data about him or her in a manner and to an extent that is acceptable precisely because a drone is used for these purposes.
Currently, drones so small that they are almost invisible to the eye can track humans. In practice, drones the size of a bee are sometimes used, but such a small size of UAV does not affect the quality of the cameras or other sensors used. Drones may also process images, sound, geolocation data or other electromagnetic signals related to an identified or identifiable natural person, by means of the data processing equipment on board such aircraft. This may have an impact on privacy, but also on the protection of personal data, and therefore result in the need for legislation in this area[10].
When a drone is used for business purposes, or for the performance of public tasks, it must therefore be borne in mind that the data protection rules apply to such situations, even if personal data are processed in an unintentional, merely incidental or accessory manner. This also applies to customers of drone services, as it is on their behalf and for their benefit that such processing of personal data may take place. Flying an unmanned aircraft equipped with data acquisition or transmission equipment creates a high probability of unintentional collection or other processing of personal data. Such use of a drone, which entails the collection of personal data, must therefore be lawful. It is therefore reasonable to make a careful assessment of the likelihood of personal data being acquired and to determine whether this is legally permissible[11].
4. The material scope of application of the RODO in the use of drones
According to Article 2(1) of the RODO, it applies to the processing of personal data by wholly or partly automated means and to the processing by non-automated means of personal data which form part of a filing system or are intended to form part of a filing system.
However, for a more precise definition of the scope of application of the RODO, the content of Article 2(3)-(4) and Article 3 of the RODO must be borne in mind, as it is there that the material, personal, but also territorial scope of the act is actually specified. In the practice of using unmanned aerial vehicles to process personal data, issues such as the following may be relevant:
- for what purpose the operator or pilot of the drone is processing personal data – whether they are doing so for professional purposes, business purposes, the performance of public tasks, or purely for private purposes understood as personal, domestic (presumably recreational) purposes;
- where the operator is based, whether it processes personal data using a drone exclusively within the EU or whether its activities extend outside the EU;
- whether the processing of personal data concerns natural persons who are EU citizens or also non-EU citizens;
- whether drone processing activities are carried out in respect of personal data of EU citizens within the EU or whether these data are transferred to a third country or international organisation[12].
The answers to these questions need to be known to the drone operator, but also to the entity for which the operator performs the activities, as they are highly significant from the perspective of the obligations incumbent on these entities and the legal consequences associated with such processing.
According to Article 2(2) of the RODO, this regulation does not apply to the processing of personal data:
- in the context of an activity not covered by Union law;
- by Member States in the performance of activities falling within the scope of Title V, Chapter 2 of the TEU;
- by an individual in an activity of a purely personal or domestic nature;
- by the competent authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of penalties, including the protection against and prevention of threats to public security.
In addition, it follows from Article 2(3) of the RODO that Regulation (EC) No 45/2001 applies to the processing of personal data by Union institutions, bodies, offices and agencies, whereby Regulation (EC) No 45/2001 and other Union acts applicable to such processing of personal data shall be aligned with the principles and provisions of this Regulation in accordance with Article 98. Article 2(4) of the RODO is without prejudice to the application of Directive 2000/31/EC[13], in particular the liability rules of intermediary service providers set out in Articles 12 to 15 of that Directive.
In contrast, Article 3 of the RODO indicates the territorial scope of the act.
Personal data, processing and actions necessary before operating a drone to make the processing lawful.
5. Areas of application of the RODO when using a drone
An analysis of the RODO provisions shows that they generally affect the following areas of drone use:
- area one – concerns the processing of personal data obtained by means of a drone, including image and sound recordings or photographs taken, as well as many other personal data for which the acquisition, analysis or other operations are carried out by means of a drone and its supporting instrumentation;
- area two – deals with organisational issues related to the use of drones, i.e. the operation of such a device by a person with the appropriate qualifications and skills, as well as the conclusion of contracts between the operator and the drone pilot and between the operator and customers who have placed an order for such services;
- the registration to which UAV operators are subject if they operate an unmanned aircraft which, on impact, can impart kinetic energy of more than 80 joules to a human being or whose operation involves risks to privacy, the protection of personal data, security or the environment, as provided for in Regulation (EU) 2019/947.
For each of the areas so defined under the RODO, a documentation layer is important. The processing of personal data requires proper documentation of the relationship between the drone operator and the pilot, and between the operator and the client commissioning the service for which the unmanned aircraft is used. This relationship between the parties must itself be documented in a way that is compliant with the RODO and that demonstrates that the processing is lawful.
The operator processes personal data when documenting compliance with legal requirements or pilot qualifications. In accordance with Article 32(4) of the RODO, the controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or processor who has access to personal data does not process the personal data other than on instructions from the controller, unless required to do so by EU or Member State law. The processing of personal data at the controller’s direction and under the controller’s authority is a related issue. Such processing must be carried out in accordance with the RODO.
The drone operator has an obligation to ensure compliance with the security requirements for the processing of personal data, mainly described in Articles 24, 25 and 32 of the RODO, which are based on an analysis of the risks to the rights or freedoms of the individual with respect to the specific circumstances, thus taking into account the nature, scope, context and purposes of the processing.
Compliance with the obligations correlated with data subjects’ rights set out in Chapter III of the RODO remains a separate issue. Neither drone operators nor the entities that use their services are exempt from complying with these obligations, although the realisation of data subjects’ rights is, in many cases, severely hampered or even illusory.
dr hab. Marlena Sakowska-Baryła, prof. UŁ
Department of European Constitutional Law, Faculty of Law and Administration, University of Łódź
attorney at law, partner at Sakowska-Baryła, Czaplinka Kancelaria Radców Prawnych Sp.p.
ORCID: https://orcid.org/0000-0002-3982-976X
[1] OJ. EU. L. 2016. No. 119, p. 1 as amended.
[2] Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones, Adopted on 16 June 2015, (WP 231), https://ec.europa.eu/newsroom/article29/items/640602, accessed 06.11.2023.
[3] Opinion 01/2015, Article 29 Working Party, p. 7.
[4] Act of 23 April 1964 Civil Code (i.e. Journal of Laws 2023, item 1610, as amended).
[5] Act of 4 February 1994 on copyright and related rights (Journal of Laws 2022, item 2509 as amended).
[6] Opinion 01/2015, Article 29 Working Party, p. 7.
[7] K. Wygoda, Protection of personal data and the right to information of a personal nature, [in:] Civil rights and freedoms in the Constitution of the Republic of Poland, ed. by B. Banaszak and A. Preisner, Warsaw 2002, p. 401.
[8] A. Mednis, Legal protection of personal data and threats to privacy – Polish solutions, [in:] Personal data protection, ed. by M. Wyrzykowski, Warsaw 1999, p. 167.
[9] See J. Barta, R. Markiewicz, Data protection …, p. 45.
[10] A. Konert, Unmanned Aerial Vehicles. New Era in Aviation Law. Civil Law Issues, Warsaw 2021, p. 150.
[11] https://dronerules.eu/en/professional/obligations/summary-of-privacy-rules-in-eu, accessed 06.11.2023.
[12] M. Ostrihansky, M. Sakowska-Baryła, M. Szmigiero, The Law of drones, Warsaw 2021, p. 238.
[13] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce), OJ EU.L.2000.178.1.