Mason Hayes & Curran: Attack of the Drones — drones and data protection in Ireland
Mason Hayes & Curran LLP partner Oisín Tobin and associate Conor Califf explore the data protection issues surrounding the use of drones.
Most drones possess the ability to collect personal data. This often occurs, for instance, by the recording of their surroundings during flight through their onboard cameras. As a result, it is important to consider what obligations the General Data Protection Regulation (GDPR), may impose on your use of these new(ish) age flying gadgets.
What are drones?
Drones, also known as Unmanned Aerial Systems or Unmanned Aerial Vehicles to give them their full technical titles, are becoming increasingly prevalent in our everyday lives, both in commercial and recreational contexts. Indeed, in an age of increased online commerce, some businesses in Ireland are planning long term to add the use of drones to the ways they deliver goods to customers.
While originally developed for military missions, with recent improvements in technology and the lowering of costs, drones have now been widely rolled out in the civil sphere for uses such as search and rescue operations, sports analytics and the delivery of goods. There is also now a thriving market in the sale of drones for personal use, with individuals using smaller drones for activity like aerial photography and exploration.
With the vast majority of drones having often very advanced camera systems however, a drone can effectively be used as a mobile surveillance system. Consequently, in the course of using one, it is highly possible that you will capture the personal data of others in a manner which could trigger the application of the GDPR.
We consider some of the potential data protection issues posed by drones and the Data Protection Commission’s recent Guidance on the use of Drones.
Will you be considered a data controller by using your drone?
Under the GDPR, you are considered to be a data controller if you determine “the purposes and means” of a particular data processing activity. In the context of drones, if your drone has an operational camera which can take recordings that allow you to identify someone in the recording, you are likely to be considered to be processing personal data, i.e. you are determining why and how the recordings of individuals take place. If you do qualify as a data controller, you will be obligated to comply with the suite of obligations imposed by the GDPR.
What lawful basis can you rely on?
You must have a lawful basis under in order to process personal data under GDPR, and data processing related to the recording of identifiable images by drones is no different. As the DPC notes in its Guidance, different lawful bases will be appropriate in different circumstances. In more private settings where you know the data subjects that you are recording, asking for the data subject’s consent may be appropriate. The DPC uses the example of using drones to record practice sessions of team sports.
However, if your drones are used to carry out recordings in a more public setting, it is unlikely that you will be able to obtain consent for all individuals that you will record. Similarly, it is unlikely that you are in a contractual relationship with the recorded individuals. Therefore, legitimate interests is likely to be the more appropriate legal basis on which to rely.
What Transparency must you provide?
When you process data under GDPR, you must provide data subjects with adequate transparency about your processing in line with Articles 12-14 GDPR, as applicable. Noting how difficult this may be in practice, the DPC advises in their Guidance that controllers take a layered approach as appropriate to the situation. Some measures which the DPC highlight and which you may wish to consider implementing include:
- Having appropriate signage outside any venues or areas which you record (similar to CCTV warnings)
- Signalling that the drone is recording by ensuring there are flashing lights/sounds in place on the drone
- Identifying yourself as a drone operator by wearing highly visible clothing
What other Data Protection principles should be considered?
Some of the other core data protection principles you should consider when recording via drones include:
- Data Minimisation: Only collect the minimum amount of data necessary for the processing purpose in question. One privacy protective measure which can be considered for this principle is the use of facial blurring technology, if available to you.
- Storage Limitation: Recordings collected by the drone should only be retained for as long as is necessary to carry out the applicable purpose. Information about how long drone footage or images will be retained for should be added to your data retention policies.
- Accountability: Consider if you have complied with all of your accountability obligations in relation to drone related processing. For example, you should consider if a Data Protection Impact Assessment is needed (for example, could you be recording vulnerable data subjects) and you should consider if your records of processing activities need to be updated to account for drone related processing.
Do any exemptions apply to the application of the GDPR?
The GDPR has an exemption known as the “household exemption” which excludes the application of the GDPR to purely personal or household activities which have no connection to a professional or commercial activity. It is important to note that this exemption is generally applies restrictively.
In the drones context, the DPC’s Guidance advises that “recreational activity” like photography in a public place may qualify as a household or personal activity as long as your recordings are not made available to an “unrestricted audience”. However, the Guidance further counsels that if you use your drone for the purposes of surveillance over a vast area of land which can record surrounding private properties/public spaces, this processing may not qualify as a purely household activity and would be more akin to CCTV recording.
Even if your use of the drone does qualify under the above exemption, it is important that you still consider and comply with all applicable aviation law (such as the Commission Implementing Regulation (EU) 2019/947 of 24 May 2019 on the rules and procedures for the operation of unmanned aircraft) as well as applicable criminal laws (like harassment laws) and tort laws (such as trespass).
The DPC’s Guidance is helpful for controllers to identify and comply with some of the GDPR’s most relevant obligations concerning drones. It signals that Ireland’s data protection regulator will be taking a greater interest in the use of this technology by controllers in the coming time period. As outlined in the Guidance, the DPC has already taken enforcement.
As a result, organisations and individuals will need to ensure that any processing of personal data carried out via drones takes place in full compliance of the GDPR.