The Article 29 Working Party’s most recently adopted Opinion is ‘Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones‘.
The Opinion’s Exectutive Summary reads as follows:
‘In light of the progressive integration of drones into the European civil airspace and the emergence of numerous applications of drones (ranging from leisure, services, photography, logistics, surveillance of infrastructures) there is a real need to focus on the challenges that a large-scale deployment of drone and sensor technology could bring about for individuals’ privacy and civil and political liberties and to assess the measures necessary to ensure the respect for fundamental rights and data protection.
Indeed, several privacy risks may arise in relation to the processing of data (such as images, sound and geolocation relating to an identified or identifiable natural person) carried out by the equipment on-board a drone. Such risks can range from a lack of transparency of the types of processing due to the difficulty of being able to view drones from the ground to, in any event, a difficulty to know which data processing equipment are on-board, for what purposes personal data are being collected and by whom. Furthermore, the dexterity of drones and the possibility to interconnect multiple drones further facilitates their ability to achieve unique vantage points, for example avoiding obstacles or not to be constrained by barriers, walls or fences, so to easily enable the collection of a wide variety of information even without the need for a direct line of sight, for long periods of time and across large area without intermission (with a high risk of bulk data gathering and possible unlawful multipurpose uses).
Even higher risks for the rights and freedoms of individuals arise when the processing of personal data by means of drones is carried out for law enforcement purposes.
In order to properly address those concerns, after having clarified the scope of the Opinion in light of the exemptions provided for in the Directive 95/46/EC (household exemption, processing for journalistic purposes and for law enforcement purposes), the opinion provides guidelines in order to correctly address the data protection rules in the context of drones.
Verifying the need for a specific authorisation from Civil Aviation Authorities (CAAs) when national law allows to operate a drone, finding the most suitable criteria for legitimate processing, complying with the purpose limitation, data minimisation and proportionality principles (by choosing the most proportionate technology and measures to avoid the collection of unnecessary personal data) and fulfiling, in the most appropriate manner for the case in hand, the transparency principle (by informing data subjects of the processing carried out) are obligations that should be met before operating a drone. Similarly, it is necessary to adopt all the suitable security measures and delete or anonymise that personal data which is not strictly necessary.
Besides, the Article 29 Working Party (WP29) recommends adopting the measures of privacy by design and privacy by default and suggests the data protection impact assessment as a suitable tool to assess the impact of the application of drone technology on the right to privacy and data protection. Furthermore, in order to raise awareness among users a specific recommendation is proposed to manufacturers of drones to provide sufficient information within the packaging (for examples within the operating instructions) relating to the potential intrusiveness of these technologies and, where possible, of maps clearly identifying where their use is allowed…
Among others, the opinion also addresses recommendations to European and national policy makers for the strengthening of a framework that guarantees the respect for all fundamental rights at stake, not only data protection, by also introducing specific rules ensuring a responsible use of drones (which must necessarily include respect for private areas). Furthermore, WP29 calls on policy makers for the introduction of data protection aspects among the key features of national provisions regulating the commercial use of drones (in connection with pilot qualification and training, among airworthiness and certification requirements, while issuing/revoking operating licenses and aerial work permits), calling for a strict cooperation between Data Protection Authorities and CAAs.
WP29 also recommends manufacturers and operators to embed privacy friendly design choices and privacy friendly defaults as part of a privacy by design approach and to involve a Data Protection Officer (where available) in the design and implementation of policies related to the use of drones and to promote the adoption of Codes of conduct that can help the various industry stakeholders and operators to prevent infringements and to enhance the social acceptability of drones. Specific recommendations for the use of personal data collected by means of drones for law enforcement purposes are also set out. In particular, law enforcement data processing carried out by means of drones should, as a rule, not allow for constant tracking and technical and sensing equipment used must be in line with the purpose of the processing.’