The increasing commercial use of drones raises legal aspects of the operation of unmanned aerial vehicles. In this article we focus on one of the most hotly debated legal issues related to drones: the use of drones in light of regulations on protection of personal data.
The topic of personal data in the context of drones has attracted the interest of many bodies at the European level. In November 2014 the European Data Protection Supervisor issued an opinion on the matter. A lengthy report prepared for the European Commission was also released in November 2014. And in June 2015 the Article 29 Data Protection Working Party published an opinion on the protection of privacy and personal data in the context of the utilisation of drones. The last of these documents seems particularly significant, as other opinions issued by Art. 29 WP in the past have exerted a huge practical influence on application of data protection regulations.
To grasp the dilemmas connected with personal data in the context of drones, first we must understand what personal data is, what legally constitutes processing of personal data, and why the topic of personal data is so important in the case of operation of drones.
Why are drones such a huge challenge for data protection?
The huge interest in the issue of personal data in the context of drones arises from the fact that drones may intentionally or unintentionally obtain great amounts of data qualifying as personal data, often unbeknownst to the data subject. The risk of infringing on privacy or unlawful processing of personal data is therefore very high in the case of drones.
Drones in themselves do not create new legal issues not encountered before in the area of data protection. But their properties are such that the use of drones is particularly sensitive from the perspective of personal data. There are several reasons for this:
- Drones are capable of gathering a great amount of data which in many instances is personal data.
- In the great majority of cases drones will collect personal data without prior consent of the data subject, or even over the person’s objection.
- It may be extremely difficult for the person whose data is collected by a drone to identify the entity collecting the data.
- Because of the lack of a relationship between the operator of the drone and the person whose data is collected, it is hard to comply with the statutory informational duties to the data subject.
- When drones are connected to publicly accessible telecommunications networks, there is a risk that the data they gather could be intercepted by unauthorised persons.
So is it unlawful to gather personal data when performing tasks using drones? To answer that question, we have to start from the foundations.
Personal data is more than just a name
Popular belief to the contrary notwithstanding, personal data means much more than just somebody’s first and last name. Personal data means any information that can be used to identify a specific person. Thus apart from someone’s name, it includes any data that might identify the person, even if on the surface this does not seem obvious. The conceptual scope of personal data evolves dynamically along with the development of technology. New technical solutions make it possible to decipher new information that is unique to specific individuals. And so, in time, personal data has come to include such items as IP addresses, geo-positioning data, biometric data, digital voice recordings, and so on. Now such data, alone or in combination with data from other sources, can easily be used to identify a specific person.
Under the legal definition, personal data means any information concerning an identified or identifiable person. Therefore personal data is not just data that obviously identifies a certain person. Data concerning an identifiable person is also personal data. Therefore, even if we are unable at the specific moment to determine the details of the person whose data we have in our possession, that doesn’t mean that it isn’t personal data.
A camera records an image of a certain place for many days. Among other things, it records persons who appear at the location. On the surface these people seem anonymous. But linking the recordings with data from other sources makes it possible to identify specific people. Say the camera records a person emerging every day at the same time from the same distinctive vehicle. It’s enough to do an Internet search on the vehicle to check the personal details of the owner (e.g. through photos tagged on social media).
What are the consequences of this broad definition of personal data? Firstly, uncertainty. The lack of a precisely defined scope of this concept means that we can never be entirely certain whether the data we possess is personal data or not. Whether data enables identification of a specific person will be determined by numerous factors, in many cases factors we have no control over. The law sets one boundary. Namely, information does not constitute personal data if determining the identity of the person on the basis of the data would require excessive cost, time or effort. But then it is not obvious whether this should be evaluated in light of the capabilities of the entity holding the data or under objective criteria.
These doubts lead to the conclusion that the most cautious approach would be to assume that it cannot be ruled out in advance that at least some of the data collected by drones can be classified as personal data. This in turn implies a need to analyse the activity conducted with the use of drones in terms of compliance with data protection regulations.
When does processing of personal data begin?
The definition of processing of personal data set forth in Poland’s Personal Data Protection Act is very broad. Firstly, merely gathering data counts as processing of data. Any owner of a drone equipped with functions of recording data from the surroundings should face the fact that this activity will be regarded as processing of data for purposes of data protection regulations. This in turn entails the need to comply with a number of requirements arising out of the data protection regulations.
What should be done?
It would be worthwhile to conduct a kind of test to determine to what extent activity conducted using a drone may fall under data protection regulations.
First, the drone operator must check whether the drone is equipped with the function of recording data from the surroundings. (We assume this will be true in the great majority of cases.) It must be stressed that this doesn’t apply just to drones recording images. As suggested above, personal data means more than just images. It could be geo-positioning data or other types of data which—particularly when combined with other data—enable identification of individuals (e.g. licence plate numbers or IP addresses).
An operator of a drone used for monitoring transmission lines does not operate the drone with the intention of gathering personal data, but for checking on the condition of infrastructure. Most of the flights are conducted over uninhabited terrain. Sometimes, however, the drone does fly over developed land, and people may incidentally fall within range of the drone’s cameras. In that case, it cannot be ruled out that the operator of the drone may come into possession of personal data.
After determining that the drone operator may obtain access to personal data, it should be determined whether the drone is equipped with a function recording the data it gathers (i.e. whether any personal data that is gathered by the drone can be stored), or if the data (such as images) is immediately deleted. In the latter case, application of data protection regulations can be excluded as a practical matter, because the data can hardly even be said to be collected.
Data protection regulations will most likely apply, however, if the data (e.g. image, sound, IP address) obtained by the drone then undergoes recording and storage. In that case we are clearly dealing with collection of data, which under the Personal Data Protection Act itself constitutes processing of the data.
If the software used by the drone enables automatic masking and anonymising of personal data (e.g. images of people), it may be assumed that the drone operator is not processing personal data. If there is a guarantee that such data is permanently anonymised, that data will not constitute personal data.
If however the data gathered is not anonymised, we will most likely be dealing with processing of personal data in light of the regulations. Here we reach two fundamental challenges connected with applying data protection regulations to drones.
First, it should be determined who acts as the controller of the data gathered by the drone. This is key, because it is the data controller who bears basic obligations (and potential liability for failure to comply with them) under the data protection regulations. And the data controller is not always the entity that actually gathers the data.
A big manufacturing company hires a firm specialising in conducting measurements using drones. The firm conducts regular checks on the client’s infrastructure. During the measurements, it regularly records data concerning owners of properties where the infrastructure is installed (such as image of the owners, and the licence numbers of vehicles parked on their property). The data is forwarded to the client and processed by the client for its own purposes. In this case it is the client, not the drone operator, that is the data controller.
Then, after identifying the data controller, it is essential to determine whether the controller has any legal grounds to collect the personal data. This issue needs to be analysed on a case-by-case basis. It should be pointed out, however, that in commerce a very common legal basis for processing personal data is the consent of the data subject. In the case of drones, obtaining such consent will be greatly hindered. This difficulty is even greater considering that in many instances drones will gather data that could be classified as sensitive data. In that case, the consent must be given in writing.
But the consent of the data subject is not the only legal basis for processing data. In practice, it may be assumed that operators of drones will rely on other grounds when gathering data, particularly the claim that gathering the data is necessary for pursuing legally justified purposes by the data controller (Art. 23(1)(5) of the Personal Data Protection Act). In that case, the consent of the data subject is not required to gather the data. However, this basis cannot be relied on if processing of the data infringes the fundamental rights and freedoms of the data subject. Because of this restriction, a thorough analysis should be conducted before relying on this legal basis.
The Personal Data Protection Act imposes certain obligations on data controllers even at the stage of collecting the data. Under Art. 24 and 25, the controller must provide certain information to the person whose data is being collected, such as the controller’s address and the purpose for collecting the data. And here we encounter one of the most difficult practical hurdles in applying data protection regulations to the use of drones. This obligation may be practically impossible to perform.
Indeed this raises a paradox. Even though the data gathered by a drone may potentially constitute personal data under the act, in most cases the controller of the data will not be in a position to identify the persons whose data it is processing and thus fulfil its informational obligations to those people. The opinion issued by the Art. 29 Working Party makes an interesting point in this context. According to the authors, drone operators should try to perform this informational obligation using any available means. When drones are used to monitor infrastructure, they recommend posting appropriate notices at the infrastructure stating that it may be monitored by drones gathering data, and indicating who is the data controller. In the case of major events (such as sports events) recorded using drones, it is recommended for example that the relevant information be included in the programme distributed to persons attending the event.
What does the future hold in store?
Based on the report prepared for the European Commission and on the opinion of the Art. 29 Working Party, it appears highly likely that future regulations applicable to drones will be aimed at:
- Ensuring easy identification of controllers of personal data (e.g. by mandatory labelling of drones)
- Creation of more organised systems of information about operators of drones in a given territory (indeed, the Art. 29 Working Party suggests creating special information platforms that will be easily accessible to data subjects)
- Imposing on producers of drones the requirement to apply “privacy by design” and “privacy by default” rules, which in practice means factory installation of software masking or anonymising personal data collected by the drone.
Krzysztof Wojdyło, New Technologies Practice, Wardyński & Partners
This article was originally published in Polish in the September 2015 issue of Automatyka.