Drone manufacturers can help operators respect privacy rights, says watchdog

Out-Law News | 30 Jun 2015 | 2:57 pm | 2 min. read

Drone manufacturers can help the organisations wishing to operate them respect privacy rights by warning of the "potential intrusiveness" of their use, an EU privacy body has said.

The Article 29 Working Party, a committee made of up representatives from the national data protection authorities (DPAs) throughout the EU, said the manufacturers could also put information on their packaging to tell operators where the use of drones is permitted. The manufacturers can also help account for privacy concerns in the use of drones by designing the devices with data protection in mind, it said.

"Data protection should be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal; such technology should be engineered in such a way as to avoid the processing of unnecessary personal data (for example, in case of strategic or critical infrastructures, engineering firmware of drones in order to inhibit data collection within previously defined no-fly zones could be advisable)," the Working Party's new opinion (21-page / 455KB PDF) said.

New codes of conduct could be drawn up by drone manufacturers and operators to ensure data protection requirements are considered and addressed, it recommended. The codes could help "enhance the social acceptability of drones", it said.

"The promotion of codes of conduct and/or certification schemes for manufacturers and operators could be envisaged in order to improve civil drone operators’ awareness and understanding of data protection issues as well as with a view to help DPAs monitor compliance," the Working Party said. "The important role that codes of conduct might have in this framework is even more conceivable considering that DPAs cannot assess or pursue broader privacy infringements where those fall beyond their legal powers, whilst this is where the accountability of drone operators can come in useful."

The Working Party said that if data gathered by surveillance kit on drones is to be processed by a third party outsourcing provider, the data processing arrangements should be set out under contract. If personal data would be processed through drone use, drone operators need to notify the DPA about the activity, it said.

To meet 'fair processing' obligations, drone operators must "find the most appropriate way to give advance notice to those who can be impacted by the data processing". This could mean using "signposts or information sheets in case of visual operation in a specified area", or advertising the public of their use of drones through social media or other channels, it said. The Working Party said that drone operators should "give clear information always on the relevant website".

The information operators disseminate about their drone use should "contain a clear indication of the [identity of the data] controller and the purposes of the processing and should give data subjects clear and specific indications for exercising the right to access visual and non-visual records concerning them", the watchdog said.

The Working Party said that consent is likely to be "appropriate only in few cases" as a legal basis for going ahead with drone use that will involve the capture of images of people. However, companies will be able to rely on alternative grounds to use drones that gather personal data in certain circumstances, it said.

"Personal data may also be processed if this is necessary for the purposes of the legitimate interests pursued by the controller or by the third party except where such interests are overridden by the data subject’s interests or fundamental rights and freedoms (it is foreseeable that such a criteria could be envisaged, for example, in case of drone operation necessary for pipe or power line inspection or for critical infrastructure surveillance or aerial photogrammetry, atmosphere and meteorological research, wind energy monitoring, hurricane tracking, archaeological site mapping, sea ice monitoring, wildlife research), if appropriate safeguards are implemented in the system," the Working Party said.

It said that, to adhere to data protection law requirements, drone operators should limit the personal data collected and ensure it is secure, both in transit and in storage.