Privacy and Data Protection Implications of the Civil Use of Drones


by Ottavio MARZOCCHI  (Policy Department  C: Citizens’ Rights and  Constitutional  Affairs European  Parliament )


Drones (also called RPAS, Remotely Piloted Aircraft Systems, or UAV, unmanned aerial vehicles)  are  aircraft   without  a  human  pilot on board,  which are  guided  by a  remote pilot.
Drones have been developed for military use but are now increasingly used for civil purposes. Currently drones are employed for critical infrastructure and civil protection, disaster management and search and rescue, environmental protection, law enforcement and surveillance, journalism, commercial activities and leisure, while it is foreseen that in the future they will also be employed for other missions, such as agriculture, energy, transport  of goods  and  cargo  – and  even  of people.

States plan to increase their use of drones, while industry, small and medium enterprises and private companies have a growing interest in the manufacturing, selling and use of drones to monitor their activities or provide goods and services to clients. Being currently available on the market at affordable prices, their use by private individuals has  increased   exponentially.

The current and prospective development of drones has a series of positive impacts, notably for employment, SMEs and industrial development, and has a potential to generate growth and jobs. Drones can carry out operations in emergency situations, where human intervention is either impossible or difficult (drones could help save lives in operations of humanitarian relief, search and rescue at sea, when nuclear accidents or natural  disasters  occur,  etc).
As with any technology, there are also risks to be taken into serious account by stakeholders, regulators, institutions and citizens in order to prevent, minimize and counter the potential negative impacts of some applications of drone technology. This is especially the case in the absence of proper regulation or/and when drones are used in illegal,  unsafe or irresponsible  ways.

In terms of risks for privacy and data protection, drones normally carry video-cameras to allow pilots to fly them. These images can be easily recorded and stored, and are often uploaded onto the internet. The privacy of private life and property can be interfered with and violated when drones capture images of people in their houses or gardens. A series of other applications and payloads can also be installed on drones, allowing the gathering and processing of personal data and seriously interfering with and potentially violating citizens’ rights to privacy and data  protection1.

In terms of security and safety, drones pose a series of considerable and serious risks. As reported by the media, drones have been spotted over airports or close to them, disrupting or/and threatening civil aviation; have crashed on the ground; have been flown over critical infrastructure, embassies or tourist attractions; have injured people. The prospective increase in the number of drones flying at different heights (including in the space currently reserved for civil aviation), in different directions (drones normally change    direction    multiple    times,    on    the    basis    of    pilots’    orders)    and    areas,    with    different weights and speeds, over people and private properties, poses serious challenges. The technological environment to ensure the secure and safe integration of drones in the civil aviation system does not yet seem ripe, as communications can be easily lost or hijacked, the detect and avoid systems are not by default installed on drones and systems to block their access into no-fly zones (geo-fencing) are not in place. Responsibility and liability for drones’ use is not yet guaranteed, as identification of the owners or pilots is not required in most EU MS, making transparency or law enforcement action almost impossible.

Potentially, the positive applications of drones (e.g. for fire-fighting; or nuclear plan inspection) can be nullified by negative applications (e.g. private drones flying around and impeding quick fire-fighter intervention, as happened in Norway; or private drones flying over the nuclear power plant, or even crashing on it). These elements show that drones pose a series of challenges and concrete risks for safety, security and the fundamental rights of persons, which are to be addressed seriously.

The exponential development and spread of drones challenges policy makers to regulate them and their use by balancing the will to support drones’ positive potential for the economy while preventing, minimizing and countering the negative impacts and the risks illustrated above. A series of initiatives at international, European and national level are currently underway to respond to this challenge.

The European Commission has worked in recent years to promote RPAS integration into the European civil aviation airspace (“non-segregated air traffic management environments”). The next steps in the process will be the development of safety rules by EASA during 2015. Based on this, the Commission will issue a package containing a revision of the basic European Civil Aviation Safety Regulation (currently under impact assessment) possibly in 2015 to allow the integration of drones from 2016 onwards.

The Commission has identified priority areas where the EU could play a leading or coordinating role, notably by developing a regulatory framework to guarantee safety; fostering enabling technologies; security; protecting citizens’ fundamental rights (privacy and data protection); guaranteeing third party liability and insurance; supporting market development and emergence and promoting the European RPAS industry and its competitiveness. EASA and the Council, as well as MS regulations, seem to go broadly in the same direction.

This research finds that:

  • In order to ensure that the EU can regulate drones regardless of their weight, it is necessary to modify EC Regulation 216/2008 and notably its Annex 2, which currently limits the scope of EU action to RPAS weighting more than 150 kg. Once this has been done, the current regulations and laws adopted at national level will have to be modified on the basis of the future EU regulatory regime, which might be based on a new “proportionate to the risk” approach;

. Notwithstanding the fact that interferences to privacy and data protection can be particularly serious when drones are used to collect personal data for law enforcement purposes and surveillance activities, EU data protection law does not currently cover this area (except when such data is exchanged amongst Member States). Activities by private individuals are excluded from the application of the DP Directive due to the “household” exception, but it seems likely that the capturing and processing of personal data carried out by drones in public spaces could be subject to EU data protection law, following the ECJ jurisprudence on CCTV. In these areas, it is primarily for Member States to ensure that privacy and data protection guarantees apply; looking forward, the approval of the Data Protection Regulation and Directive will bring a positive contribution in terms of impact assessments, privacy by design and privacy  by default,  as  these  will  become mandatory;

Citizens’ right to security and safety of citizens does not seem to be fully guaranteed across the EU and by all MS in relation to drones and their use, while enabling technologies are still in development; law enforcement action is virtually impossible as rules on identification of drones and of their operations, responsibility and liability are not  yet  in  place everywhere;

The whole “drones’ chain” should be more closely examined in terms of current and future EU and/or MS regulation needed to minimize or counter risks for citizens and to their rights, from manufacturing and trade (production, selling, buying, internal and international trade, notice for buyers on risks and hazards and applicable rules or legislation for flying drones), to safety (airworthiness, pilot licences, operation authorisation, identification and monitoring of drones and of their flights, establishment of no-fly zones such as critical infrastructures, airports, cities and villages, gatherings, rules that should be followed when operating a drone, for instance visual line of sight, private properties, etc), privacy and data protection rules, as well as laws related to criminal behaviour, intellectual property, aviation, environmental law that are to be respected by drones, security (regulations and measures to ensure that law enforcement action against illegal and unsafe use of drones is possible, responsibility and liability for damage to persons or property as a result of an incident caused by an RPA).

The debate on the future regulatory regime for drones, which has been mainly carried out up to now between industry, stakeholders, technical regulators and working groups (be it at the national, European and international level), should involve more closely both citizens and legislators. Consultations on future options should be carried out, so to take into account citizens’ views and concerns, while legislators should be the ones to take decisions on regulation, given the risks posed by drones. This is the only way to ensure that “public acceptance” of, or “societal concerns” in relation to, drones are addressed and resolved, though the open and democratic debate and  scrutiny.

In order to achieve these objectives at the EU level and ensure a more transparent and democratic debate on the future policy on drones, the EP could ask the Commission report in detail and in straightforward terms, for instance in its upcoming impact assessment, about which actions it plans to undertake in the “drones’ chain” to ensure that the objectives of safety, security, respect of fundamental rights, namely privacy and data protection, environment, responsibility and liability, law enforcement action, insurance, identification and transparency, technological development, can be achieved, with recommendations for MS and/or EU action, and possible options. A description of the regulatory approaches in MS should also be provided, so to allow a comparison and to identify best practices. It should also report about the past, present and future use of EU funds for drones development, and on how funds for civilian uses and military/defence uses of drones interact. A yearly reporting mechanism would also be useful, and could also address the causes and possible remedies to deal with drones’ incidents.

1 For instance: high power zoom, facial recognition, behaviour profiling, movement detection, number plate recognition, thermal sensors, night vision, radar, see-through imaging, Wi-fi sensors, microphones and audio-recording systems, biometric sensors to process biometric data, GPS systems processing the location of the persons filmed, systems to read IP addresses and track RFID devices, systems to intercept electronic communications.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: