Drone Privacy Concerns Exist in Europe But Debate Not as Heated as in U.S.

Emerging risks of drones, including privacy concerns, are subject of updated aviation safety rules making their way through the EU institutions. As the European Commission, European Parliament and Council prepare to begin talks on the rules, a drone industry representative and data protection attorney told us privacy is an important issue in operation of unmanned aircraft, but it hasn't attracted as much attention as it has in the U.S. That could be because of Europe's good data protection laws or that drone use isn't as extensive as in the U.S., they said.

The EC set out its position on the civil use of remotely piloted aircraft systems in a safe and sustainable manner in an April 2014 statement. It said RPAs "are an emerging market to create jobs and growth" and said Europe's strategy is to establish a single RPA market to "reap the societal benefits of this innovative technology" and deal with citizens' concerns "through public debate and protective action wherever needed." The EC said drone operations "must not lead to fundamental rights being infringed, including the respect for the right to private and family life, and the protection of personal data.”

Among the wide range of potential drone applications are some that may involve collection of personal data and raise ethical, privacy or data protection concerns, particularly in the area of surveillance, monitoring, mapping or video recording, the EC said. Drone operators would have to comply with applicable data protection rules, especially those set out in national laws adopted pursuant to the EU data protection directive and the framework for handling personal data processed in the course of police and judicial cooperation in criminal matters. The most commonly identified privacy risks involve use of surveillance equipment installed on drones, the EC said. Opening the aviation market to RPAs must involve an assessment of measures needed to ensure privacy and data protection, it said. The European Aviation Safety Agency will develop more detailed drone rules and earlier this year published a "prototype" regulation.

In light of such potential risks to personal privacy and civil and political liberties, the Article 29 Data Protection Working Party laid out a series of recommendations to private and government stakeholders, in a 2015 opinion (Opinion 01/2015, available here). WP29 urged policy makers to set specific rules for responsible drone use, such as virtual perimeters or no-fly zones to keep the drones out of back yards. It urged policymakers, in close consultation with industry, to develop data protection impact assessment criteria for industry and operators. WP29 urged drone makers to embed privacy friendly design choices and defaults into their equipment and adopt codes of conduct to help industry and different categories of operators prevent privacy infringements.

The issue is, "What do you do with the data?" said Drone Alliance Europe Executive Director Andrew Charlton. The alliance, with members including Amazon Prime Air and Google, is pushing for integration of commercial drones into European airspace. Drones aren't outside data protection law, he said.

Issues vary depending on what type of user is flying them, said Charlton. Those who want to use the equipment commercially are awaiting EU legislation now under discussion among the EU bodies, which satisfactorily addresses privacy, he said. One question is how to treat and distribute the data a drone collects, raising questions such as whether people must be given notice akin to that required for closed-circuit TV, he said. Providing privacy by design and default, as recommended by WP29, will be a challenge, said Charlton. Drone operators should ask whether they need a camera at all, he said.

The other type of use is noncommercial, and this is where privacy issues really come into play, Charlton told us. People must be educated about privacy rules, but it would be "bonkers" to enact special requirements for private drone users, he said. The alliance will hold a roundtable in Europe with the Center for Democracy and Technology to make sure everyone stays calm about the issues, he said. Privacy is a real issue for drones, and industry agrees it must address people's quite appropriate concerns, Charlton added.

Drones with cameras that might record the comings and goings of individuals will be subject to EU data privacy laws, the same as safety cameras on the street, said Hogan Lovells (London) data protection lawyer Eduardo Ustaran. Worries about drones are heightened because they aren't always visible, so data collection can be intrusive and surreptitious, he emailed. Because drone use may not be as extensive in Europe as in the U.S., "they have not attracted a lot of attention from a privacy perspective," Ustaran said.

In terms of compliance with EU data privacy laws, unless the owner of a drone can claim that any data collection is a purely personal or household activity, the main requirements will be the need to give notice and to justify collection, said Ustaran. There's clearly no opportunity for people to consent to their information being collected by being filmed, so drone users will have to rely on the "legitimate interests" justification, but that means any data collected must be used in a way that doesn't harm people's privacy rights, he said.

Providing notice of possible data collection via drones is equally difficult, "but it is likely that regulators will demand at least some kind of blinking light or something like that, to show that a drone is capturing images," Ustaran said. It's quite likely that drone manufacturers will also be expected to give users some guidance on how to collect data without breaching other people's privacy, he added.

While commercial drone operations will be similar in Europe and the U.S., one key difference is that Europe has had comprehensive data protection and privacy legislation in force for many years, said CDT European Affairs Director Jens-Henrik Jeppesen. No new legislation is needed, so "businesses that deploy drones for various purposes are covered by the rules, and will have to ensure they comply with them as a matter of course," he emailed. There will no doubt be more detailed codes of conduct, possibly with the approval of data protection regulators, said Jeppesen. CDT contributed to some preparatory work in 2014, he added.