The GDPR is said to be ‘technology neutral‘[1]: the GDPR should be flexible enough to allow technology to evolve and at the same time provide a certain guarantee of protection of personal data.
The GDPR introduces a system whereby the entities responsible for the processing of personal data, ie the controllers[2] and the processors,[3] need to continuously assess risks for privacy and act upon the assessments, whereby they are ‘accountable‘, and need to be able to demonstrate that their processing is compliant with the GDPR.
This also applies to the operation of RPAS combined with other technology that allows identifying individuals, such as cameras, sensors, GPS equipment[4]. RPAS may for example be used for facial recognition, behaviour profiling and number plate scanning. Sensors on RPAS may capture thermic and UV images and infrared rays allowing identification and processing. Embedded technologies may allow them to read IP addresses of devices or track devices carrying RFID chips. RPAS may collect information on widespread areas and during a long period of time. When RPAS are equipped with technology that involves processing of personal data, the processing is generally considered as a ‘high risk‘ for the protection of personal data, requiring specific technical and organizational measures.[5]
Where the operator of RPAS is a ‘controller‘, it will be his general obligation to have ‘appropriate‘ technical and organizational measures in place for GDPR compliance, taking into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of individuals (GDPR, Art 24). The measures – which also increasingly manufacturers will have to take into consideration[6] – must allow integration of data protection principles both at the moment of ‘the determination of the means‘ for the processing and at the time of the processing itself (Art 25), they need, for example,eg to ensure that no personal data are being processed that are irrelevant in relation to the purpose of the processing (‘data minimization principle‘), to avoid processing for other purposes than the originally intended purpose (‘purpose limitation‘ principle), to allow erasure of personal data that are no longer necessary in relation to the purpose of the processing (‘storage limitation‘ or ‘retention limitation‘ principle), to allow the individuals to exercise their rights also where the RPAS is hard to see or the operator hard to trace (‘lawfulness, fairness and transparency principle‘).[7] Measures to make individuals aware of the presence of RPAS (eg bright colors or logos) may be necessary, it may be recommended to activate cameras or sensors only at the moment of arrival at a destination by using GPS coordinates or by automatically using a blurring technique if premises or individuals are captured which are not the subject of the processing; for personal data stored on the equipment of the RPAS it should be possible to remove the storage equipment as soon as possible and have it retained securely.[8] Measures should indeed also provide for the required security of the data, including where they are transmitted by radiofrequency, which could involve eg encryption tools, pseudonymisation or anonymisation techniques, assignment of access rights strictly on a need to know basis and logging methods.[9]
The measures, which can take account of the state of the art and the cost of implementation (Art 25(1)), must be considered at an early stage in manufacturing or design of the RPAS. From the moment that an operator intends to add technology that allows identifying individuals, that operator – as a controller[10] – should ensure that such technology allows personal data to be protected: ‘data protection by design and by default‘. The GDPR underlines the importance of data protection by design and by default by encouraging the public authorities to take these principles into consideration in the context of public tenders (Recital 78).
For many RPAS uses, a genuine ‘data protection impact assessment‘ will be required: these are required, in particular, when using new technology, eg where ‘a systematic and extensive evaluation of personal aspects relating to natural persons‘ is carried out ‘based on automated processing, including profiling‘, or where ‘processing on a large scale of special categories of data‘ is carried out, or where ‘a systematic monitoring of a publicly accessible area‘ is carried out on a large scale.[11] They must contain at least: a systematic description of the envisaged processing operations and the purposes, an assessment of the necessity and the proportionality of the processing operations, an assessment of the risks to the rights of data subjects and the measures envisaged to address the risks. A single assessment may address a set of similar processing operations that present a similar high risk (Art 35(7)).
Building in data protection features from the beginning of the design is preferable over the attempt to adapt a product at a later stage, where adaptation becomes costly and technically difficult.[12] For existing uses where data protection has not been technically provided for in the design and manufacturing, the controller will need to consult with the supervisory authority on what measures to take. Cooperation of RPAS manufacturers and operators with supervisory authorities will be necessary to clearly set specific design requirements that allow effective compliance. It may also be advisable to seek the views of data subjects or their representative associations.
Appropriate policies and procedures must be put into place and be documented. Standardization bodies are playing an increasingly important role. They can issue standard policy language with descriptions of data processing and safeguards, eg involving privacy icons.[13] Policies could be included in the package of the RPAS.
Under Art 42, the controller must be able to demonstrate that the use made of the RPAS is GDPR-compliant: an approved certification mechanism may be used which, however, does not reduce the responsibility of the controller or the processor for compliance and is without prejudice to the tasks and powers of the supervisory authority. A certification will be issued by certification bodies or by the supervisory authority on the basis of criteria approved by the supervisory authority. The controller, or processor, which submits its processing to the certification mechanism, will provide the certification body or the supervisory authority with information and access to processing activities. A certification can be issued for a maximum period of three years and may be renewed as long as the relevant requirements continue to be met; it can always be withdrawn by the certification body or the supervisory authority if the requirements are no longer met.
RPAS users or their trade associations could define and implement standards or best practice guides; the GDPR encourages sectors to draw up codes of conduct (Art 40): these could take into account the specific needs of smaller companies using RPAS and specific features of their RPAS use. It may be advisable to have codes per sector (eg a code of conduct for RPAS for environmental purposes including photography, a code of conduct for the use of RPAS for cartography, a code of conduct for the use of RPAS for private security services, etc). Where associations prepare the codes they should consult with the supervisory authorities and the codes should be submitted to the supervisory authorities for approval. Codes can be registered with the European Data Protection Board and thus be publicly available, and can be declared valid for the whole EU by the European Commission. An independent body – accredited by the competent supervisory authority – should be appointed, with expertise in the concerned area, to monitor compliance with the code of conduct.
Given the multiple uses of RPAS, the data processing that is involved may be considered as only one of the multiple processing means for a given sector, the RPAS only as one of multiple tools: eg location data for cartography or use in GPS are collected and further processed via different tools and RPAS is only one of the possible applications; security activities involve processing via different channels although RPAS can be one of them, etc. The use of RPAS for data processing will thus probably not in itself be subject to supervision, but will rather have to comply with more general sector related data protection codes of conduct – where the use of RPAS may be a separate chapter. It will be important for manufacturers and RPAS operators to be represented in discussions with supervisory authorities, as well at local level of the individual Member States as at the level of the European Data Protection Board and the European Commission.
Operators of RPAS should be aware that where they process via the RPAS personal data in different Member States or where their processing concerns data subjects in different Member States, the filing of a complaint by an individual or a representative association may have an EU wide impact: where a lead supervisory authority accepts the case and renders a decision, such decision will be sent to the European Data Protection Board with a summary of the facts and grounds (Art 60 (7). It will be necessary to follow up on guidelines and recommendations or best practices that the European Data Protection Board may issue.
Not only safety compliance but also data protection compliance thus becomes a key element in the further development of RPAS use in the EU. A lack of appropriate measures, or a wrong assessment, can lead to sanctions, including severe administrative fines or a ban on processing. Continuous cooperation between industry, users and the authorities will be necessary for clarity and legal certainty, taking into account the fast evolution of technology. The GDPR, with its aim of being ‘technology neutral‘, creates the basis for such further cooperation.
Catherine Erkelens is a partner at Bird&Bird’s Brussels office. She is co-head of the firm’s International Aviation & Defence Group. She deals with aviation work as well as technology work, including data protection.
Thomas Van Gremberghe is an associate in Bird&Bird’s Brussels office, working on data protection matters.
[1] Cf. a.o. Communication from the Commission to the European Parliament, 11 April 2016, COM (2016) 214 final, 2012/0011 (COD), p. 3.
[2] The ‘controller‘ means ‘the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data‘ : Art 4(7) GDPR.
[3] The ‘processor‘ means ‘a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller‘: Article 4(8).
[4] There is ‘a household exception‘: the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity: processing limited to a community of friends, family members or acquaintances of which the scale and frequency does not suggest professional or full-time activity: Art 2(c). Use of an RPAS with camera in one’s own garden could thus be exempt.
[5] The GDPR does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Art 2(d)). Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision (2008/977/JHA, O.J. L 119/89, 4 May 2016) will apply.
[6] Cf Opinion of the EDPS on ‘A new era for aviation’, 26 November 2014, p 13.
[7] Cf Opinion 01/2015 of the Article 29 Working Party on Privacy and Data Protection Issues relating to the Utilisation of Drones, p 3.
[8] Opinion 01/2015,, p 14.
[9] Opinion of the EDPS on Promoting Trust in the Information Society by Fostering Data Protection and Privacy, 18 March 2010 and Art 32(1) GDPR.
[10] Where the operator, alone or jointly with others, determines the means and purposes of the processing, he will be a ‘controller’.
[11] Article 35(1) and (2); ‘ special categories of data‘ refers to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health or sex life and sexual orientation, or data relating to criminal convictions and offences.
[12] Opinion of the EDPS on Promoting Trust in the Information Society by Fostering Data Protection and Privacy, 18 March 2010, p 7.
[13] Recitals 60 and 166, and Article 12(7) and (8) GDPR.