The significant proliferation of drone use and the fact that their use can have multiple purposes means that the use of drones also needs to be addressed more widely in non-aviation contexts, related to the impact of this still new technology on other areas. One of these is undoubtedly the area of personal data protection, as it is becoming increasingly apparent that drones are sometimes used for purposes whose fulfilment directly requires the processing of personal data, as well as in those where the processing of personal data is only a side aspect of the activity carried out by the operator.
From the perspective of the data protection legislation, the two cases in question are equally relevant, as each of them requires adequate adaptation to the standards set by the data protection legislation, which concerns the measures taken, the procedures implemented, the technical and organisational solutions used.
There is no doubt that with the increasing introduction of drones into the airspace and the emergence of newer and numerous applications of drones, there is a real need to focus on the challenges posed by the large-scale use of drones and sensor technology. This is particularly true for privacy and the human information sphere.
Drones can have applications in logistics and transport services, fleet management, cinematography, press, electronic media and entertainment[1]. Drones support a wide range of public tasks, including those under the remit of local authorities, such as surveying, land management, emergency management, public safety, including urban monitoring, mass events, command systems support, infrastructure inspection – dikes, rivers, critical infrastructure monitoring, construction inspection and support for logistical work in the construction sector, transport management. The use of drones in environmental protection has become widespread, for example for surveying the state of greenery, air quality, ground and surface water levels, supporting the detection of illegal waste dumps, etc. Drones can be used to search for victims of disasters, assist in medical transport, monitor traffic or enable the examination of environments that are dangerous to humans, assist in the detection of abnormal events, the prosecution of crime, the search for people and vehicles. Unmanned aerial vehicles are increasingly used in agriculture to inventory crops, forests or livestock, etc. The citation of such a broad catalogue of applications illustrates well how many areas a determination has to be made as to whether drone activities will in some way affect a person’s privacy and personal data.
It is important to note that the catalogue of personal data is equally broad and, moreover, open, hence the use of drones may affect an individual’s sphere of information in different ways. It is the case that in addition to information that directly identifies a specific person, there is a lot of information that can be linked to this person and that only arises from the context and, depending on the facts or the situation of its use, has a different degree of “identifiability” and different impact on the information sphere of the individual. For example, if a drone equipped with image capturing tools produces a recording of two people moving in a car, then depending on the quality of the recording and the wider context, namely what the purpose of the recording is, who has access to it, how the analysis of the image will take place, how the image will be distributed, what conclusions will be drawn from the recording, whether the data subjects are aware that they were in the area thus monitored, etc., the admissibility of such actions can be assessed.
During the COVID-19 pandemic, many technologies were used for new purposes, modifying their application and testing the effectiveness of the measures taken. This includes the use of drones, which was innovative on the frontline of the fight against the coronavirus, while at the same time demonstrating how useful these aircraft could be used in the relatively non-obvious circumstances of pandemic prevention. Drones have been used, among other things, to control compliance with restrictions put in place, transport blood and organs, deliver medicines and, in some countries, agricultural drones have been adapted to spray disinfectants in public places (streets, bus stops) or spaces where mass events (e.g. concert halls) would take place[2].
According to media reports, in China, drones patrolled the streets, taking measurements of the body temperature of passers-by from the air; in addition, drones provided voice information to residents of Chinese cities, reminding them, among other things, of their obligation to wear protective masks[3]. Without entering here into excessive legal considerations and determinations as to whether, from the perspective of data protection regulations, all the above-mentioned activities are indeed legitimate, it is undeniable that, during this pandemic period, the use of drones could have involved and probably did involve an expansion of the scope of personal data processing through this technology, also in this particular area, which is still the so-called sensitive data, singled out in data protection regulations as those which are particularly protected, requiring higher standards of conduct.
Protection of personal data when using drones – a subject of legislative interest in the European Union
The findings conducted here concern the application of the RODO – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)[4] to the use of unmanned aerial vehicles, to the extent that personal data is processed through them, as well as in an administrative and logistical context. Indeed, this regulation is universal and universal in nature.
Outside the scope of the findings herein will remain the use of drones for military purposes, or for the purposes of crime prevention, investigation, detection and prosecution of criminal offences and enforcement of penalties. The latter is addressed by a separate Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA[5].
The use of drones in the activities of companies or public entities requires adequate preparation and safeguards in the field of personal data protection, both when it comes to the admissibility of the processing of personal data, the rights of data subjects and the numerous conditions related thereto, as well as the security sphere shaped by requirements of a technical and organisational nature. Some of these issues are certainly no different from those that are the subject of activities undertaken by any personal data processor, but some are specific because a drone is used to process personal data.
The importance of these issues in the European Union has been recognised for some time. The EU Commission considered whether to include the processing of personal data by drones in the general data protection rules or to develop a separate regulation for them[6]. However, as it did not consider the processing of personal data by drones to be specific enough to devote a separate regulation to it, the general rules in this area, which are currently shaped by the RODO, apply to this area.
In the context of data protection in the use of drones, Opinion 01/2015 of the Article 29 Working Party on privacy and data protection issues related to the use of drones[7] is still relevant. In this opinion, the Article 29 Working Party accurately points out that a number of privacy risks may indeed arise in connection with the processing of data (such as images and sounds relating to an identified or identifiable natural person and data identifying the geographic location of that person) by devices installed on a drone. It also emphasises the variety of risk factors associated with this processing. These can range from issues such as the lack of transparency of the types of processing due to difficulties related to the possibility of observing drones from the ground, to the difficulty, in each case, in obtaining knowledge of the type of personal data processing equipment installed on drones, the purpose of its collection and the person who carries it out. In addition, the agility of drones and the possibility of using multiple such craft equipped with different devices to collect and analyse data, including personal data, enhances their ability to reach unique vantage points, crossing physical boundaries, barriers, obstacles (e.g. walls or fences) to easily enable information collection without the need for a direct line of sight. This can be done accurately, continuously over a long period of time, over a large area[8].
In the cited opinion, the Article 29 Working Party rightly argues that when personal data processing using drones is carried out for law enforcement purposes, it must be assumed that a greater risk to the rights and freedoms of individuals arises[9]. This is all the more relevant for the public sector because in all cases of processing of personal data by public entities, where the data processor has public authority and the data collected or analysed can be used by the data processor to exert a sovereign influence over individuals, it is reasonable to expect these situations to be as transparent and explainable as possible to data subjects. At the same time, these actions should constitute a necessary means to achieve a predetermined public purpose. Indeed, it should be borne in mind that drones are always only a tool, the use of which entails certain challenges and needs of a legal or technical nature, including those related to the information sphere of the individual. In this context, it is not really the drones that pose a threat to this sphere, but their reckless or unlawful use. The said Opinion 01/2015 of the Article 29 Working Party, in its objectives, was intended to contribute to a better protection of personal data in the use of drones and arguably, despite its non-binding nature, has served this purpose.
The Commission, within the framework of the Competitiveness of Enterprises and Small and Medium-sized Enterprises 2014-2020 (COSME) Framework Programme[10], decided to fund an ‘awareness campaign’ to facilitate the understanding of the legal environment and constraints related to the use of drones in Europe. The Programme launched the DroneRules PRO project, which aimed to contribute to the development of a culture of privacy and data protection among drone operators, manufacturers and pilots by providing them with high-quality online information and relevant educational resources[11], as part of which, among other things, the most relevant privacy and data protection principles[12] were made available in individual languages.
It is therefore a question of applying the universal principles of personal data protection in those cases where the processing of personal data occurs by means of a drone, as well as when it occurs in the area of the logistics of this project, since the collection of personal data, their analysis, storage and other activities that are carried out with their use also occur in connection with the acquisition of authorisations, permits, at registration. The legal, technical and organisational conditions set out in the provisions on common rules in the field of civil aviation, production and operation of unmanned aircraft and the provisions of the RODO must therefore be met. The provisions of this regulation are in fact a set of procedures ‘superimposed’ on the aviation industry procedures arising from the legislation governing the use of unmanned aircraft. Their application requires appropriate correlation, attempts to make the conceptual grid coherent and attempts to clearly define the scope of subject and object and the system of legal safeguards.
EU Regulation 2019/945 and EU Regulation 2019/947 set out a comprehensive system of harmonised regulations for unmanned aircraft of three categories, distinguished by a risk analysis of drone operations for each type, mass and application. The aim of introducing the new regulations is, among other things, to protect privacy and personal data while allowing free access to airspace for drones.
The European Union has proposed the adoption of geofencing systems (geo-fencing systems) as part of the mandatory requirements for drone operations. Such systems use GPS and other satellite systems to automatically prevent drones from flying near prohibited areas, such as airports, prisons and nuclear power plants. However, the most momentous seems to be the introduction of the mandatory registration from 1 January 2021 of all UAVs weighing more than 250g in the ‘open’ category, which necessarily involves the processing of personal data. The registration obligation itself is introduced, among other things, for the sake of privacy and data protection risks[13]. The processing of personal data related to this registration refers to the performance of duties of an administrative nature, including the collection and storage of personal data, which are necessary for this registration. As specified in recital 19 of the preamble of EU Regulation 2019/947 – “national registration systems should comply with applicable EU and national rules on privacy and the processing of personal data and the information stored in these registration systems should be easily accessible”.
In addition, the issue of data protection is addressed in the practical and implementation aspects of EU Regulation 2019/947 – among the obligations of the unmanned aircraft system operator (UAS.SPEC.050), set out in Part B entitled “Operations with unmanned aircraft systems in the <<specific>> category”, point (iv) to procedures to ensure that all operations are carried out in accordance with the provisions of the RODO, with an explicit reference to the operator conducting a data protection impact assessment if required by the national data protection authority in application of Article 35 of the RODO. In addition, when setting out the requirements for the operations manual for the standard scenario, it is also indicated that the operations manual for the STS set out in Appendix 1 must, as a minimum, contain the procedures for the protection of personal data referred to in section UAS.SPEC.050(1)(a)(iv), thus emphasising the vital importance of respecting the right to the protection of personal data and the associated requirements of a procedural nature when data processing is carried out using unmanned aircraft.
EU Regulation 2019/947 clarifies in recital 18 that, in accordance with Article 56(8) of the underlying Regulation (EU) 2018/1139, this Regulation is without prejudice to the possibility for Member States to establish national rules to subject the operation of unmanned aircraft to certain conditions for reasons outside the scope of Regulation (EU) 2018/1139, including reasons of public security or the protection of privacy and personal data in accordance with Union law. This issue must therefore be borne in mind, although we do not refer to any national legislation in this area in the findings conducted here. It is only worth mentioning that Article 56 of Regulation (EU) 2018/1139, cited here, characterises the compliance of UAVs, indicating in paragraph 8 that the principles introduced by the provisions of this act are without prejudice to the possibility for Member States to establish national rules to subject the operation of UAVs to certain conditions for reasons outside the scope of this Regulation, including public safety or the protection of privacy and personal data in accordance with Union law.
In summary, therefore, the RODO applies both to the processing of personal data carried out using drones and to the processing of personal data that takes place in the organisation of these activities. Indeed, the regulation not only sets out standards for the processing of personal data, but also shapes a number of procedures and obligations on entities that carry out activities that require the processing of personal data to any extent.
Concluding remarks
The impact of the RODO legal regime on drone use and the aviation sector is significant. The relevance of the protection of personal data is explicitly mentioned in the EU regulations on the use of drones. Operators using drones are required to adapt their operations to the principles set out in the RODO – both when it comes to the basis for processing personal data and the technical and organisational aspect. This involves the implementation of appropriate procedures and safeguards, the production of relevant documents directly required by the RODO provisions and those that will allow them to demonstrate that a particular entity is acting in accordance with the RODO provisions when using drones.
dr hab. Marlena Sakowska-Baryła, prof. UŁ
Department of European Constitutional Law, Faculty of Law and Administration, University of Łódź
attorney at law, partner at Sakowska-Baryła, Czaplinka Kancelaria Radców Prawnych Sp.p.
ORCID: https://orcid.org/0000-0002-3982-976X
[1] See more extensively A. Konert, M. Sakowska-Baryła, Legal regulation of the use of unmanned aerial vehicles by the media, International Journal of Legal Studies 2020, No. 8, pp. 47-74.
[2] https://mamstartup.pl/drony-beda-dezynfekowac-wnetrza-sal-koncertowych-czy-centrow-handlowych-mozliwe-ze-w-przyszlosci-takze-ulice-i-przystanki, accessed 06.11.2023.
[3] https://mamstartup.pl/roboty-pomagaja-nam-w-walce-z-koronawirusem-oto-kilka-ciekawych-przykladow, accessed: : 06.11.2023 r.
[4] OJ. EU. L. 2016. No. 119, p. 1 as amended.
[5] OJ EU.L.2016.119.89.
[6] Ottavio Marzocchi, Privacy and Data Protection Implications of the Civil Use of Drones, https://www.europarl.europa.eu/cmsdata/85184/Drones-%20formatted.pdf; accessed 06.11.2023.
[7] Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones, Adopted on 16 June 2015, (WP 231), https://ec.europa.eu/newsroom/article29/items/640602, accessed 06.11.2023.
[8] Ibid, p. 3.
[9] Ibid.
[10] COSME. Europe’s programme for small and medium-sized enterprises., https://ec.europa.eu/growth/smes/cosme_en, accessed:06.11.2023.
[11] Drone Rules, https://dronerules.eu/en/, accessed 06.11.2023.
[12] https://dronerules.eu/en/professional/obligations/summary-of-privacy-rules-in-eu, accessed 06.11.2023.[13] Recital 14, recital 16 of EU Regulation 2019/947.
