Drones have become increasingly popular and prominent over recent years and there is much positive to be said about the significance of their use and potential contribution to the UK economy and the job market.
However, most technological advances collide to a lesser or greater degree with the law. In the case of drones, one of the key areas relates to the processing of personal data. Information held relating to identifiable living individuals is covered by the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). As a result, personal data is to be processed lawfully, fairly and in a transparent manner for specified and legitimate purposes. This should either be based on the consent of the data subject, or a basis laid down in law. Moreover, every effort should be made to ensure that the data is accurate and limited to what is necessary for the purpose.
Drones (also known as Unmanned Aerial Vehicles (UAVs)) are, as the name suggests, unmanned aircraft controlled by either operators or onboard computers. Due to their ability to take photos, videos and scope buildings and other environments, their use has raised privacy concerns for many. Drones can inadvertently collect personal data of individuals who were not the intended focus of the recordings.
If a drone is used by an organisation, the organisation is deemed the controller for any personal data captured and is required to comply with data protection law. However, for an individual operator, this is a little murkier.
Both the UK GDPR and DPA 2018 have a household exemption in relation to processing of data. This applies during a purely personal or household activity and it could be argued that this exemption could apply to individuals using drones for their own purpose (‘hobbyist’ drone owners), although it is clear from current case law that this will depend on the specifics of the case. The ECJ considered that an individual who had installed a camera that recorded the entrance, public footpath and the entrance to the house opposite was not covered by this exemption and therefore his activity was subject to data protection legislation.
Owning a drone – what are my data protection obligations?
Where such use involves the collection of personal data and data protection law is engaged, it is often appropriate to conduct a Data Protection Impact Assessment (DPIA) in order to assess whether using a drone is the most appropriate way to solve a problem that you have identified and that you have suitably evaluated the risks to the rights and freedoms of individuals whose personal data may be collected.
Issues to investigate when conducting the DPIA include the duration of the recording. Unless it is necessary and proportionate, recording should not be continuous. You should also consider the technological ecosystem within which the drone features. For example, to what extent the drone connects with and shares the personal data with other technology and systems. In any event, all data needs to be collected securely in and shared between the different devices and channels. Data should also be retained for the shortest amount of time possible, and it should be disposed of in an appropriate manner when the footage is no longer needed. In this context and with a view to finding the least intrusive way to achieve one’s legitimate purposes, it is important to choose the right type of drone. For example, some drones are designed with restricted fields of vision or only record at certain altitudes.
Of broader general application but with particular relevance to drones, the CAA has some top tips on protecting people’s privacy:
- Respect other people and their privacy
- Make sure you are aware of what the camera can do and what kind of images it can take
- Make sure you can be clearly seen when you are flying the drone
- Where possible, let people know before you start recording or taking pictures (never fly over groups or crowds who are not with you)
- Think before sharing photos and videos on social media
- Keep any photos and videos secure and delete anything you do not need
By way of reminder that this is not purely an academic discussion, bear in mind that the fines for infringement of UK GDPR for infringement of any of the data protection principles or rights of individuals can go up £17.5 million or 4 per cent of annual global turnover – whichever is greater.
If you need any more guidance in relation to your use of drones and privacy considerations or would like to discuss any aspect of this article, please contact Simon Halberstam.
 František Ryneš v Úřad pro ochranu osobních údajů, Case C-212/13,