House of Lords - Civilian Use of Drones in the EU

Civilian Use of Drones in the EU - European Union Committee Contents

CHAPTER 6: DATA PROTECTION AND PRIVACY

159. The progressive integration of RPAS into the airspace raises particular concerns in respect of data protection and privacy. Indeed, the Communication states: "RPAS operations must not lead to fundamental rights being infringed, including the respect for the right to private and family life, and the protection of personal data".[195] The protection of personal data is regulated by the Data Protection Directive at EU level and in the UK by the Data Protection Act 1998. Privacy, though, is a less well defined concept related to the right to respect for private and family life. It is enshrined in Article 8 of the European Convention on Human Rights. This chapter addresses these two areas in turn.

Data Protection

THE DATA PROTECTION DIRECTIVE AND COMMERCIAL RPAS USE

160. The EU has a well-established competence with regard to data protection by virtue of the EU Data Protection Directive 95/46/EC, the provisions of which have been implemented in the UK by the Data Protection Act 1998 (as amended).[196] The Directive requires that personal data be collected only for specified, explicit and legitimate purpose.[197]

161. The EU Data Protection Directive provides that Members States may restrict the scope of the obligations contained in the Directive for reasons of national or public security, defence, or the investigation of criminal offences. Moreover, the Directive does not apply to the processing of data by individuals in the course of purely personal or household activities. However, the latter exemption no longer applies if data collected in a personal capacity are published and publicly accessible online. As a result, the Directive applies only to commercial RPAS operators and not to hobbyist or leisure users.

162. The Professional Society of Drone Journalists noted the significant implications of data protection legislation for the commercial use of RPAS, since RPAS are "essentially sensor carrying aerial devices … used to collect data"[198]. Accordingly, Trilateral Research and Consultancy Ltd said that RPAS pilots considered their aircraft as "machines through which they can collect massive amounts of data".[199]

163. This does not mean, though, that RPAS present a new or increased threat to data protection, compared with existing technology. The National Centre for Precision Farming told us: "The use of RPAS for aerial work is likely to be far less intrusive than CCTV coverage and the use of mobile phone cameras".[200] Mr Lissone, of EUROCONTROL, said that RPAS brought "the same controversies as Google streetview when they were driving around with a camera on top of a car filming every house."[201]

164. Nonetheless, a number of submissions highlighted the fact that RPAS alter the way in which data is collected. The Centre for Democracy and Technology said that RPAS "have unique vantage points allowing for levels of surveillance that ground based individuals may not expect."[202] David Smith, of the Information Commissioner's Office, said: "There is more scope with these systems (RPAS) for what we could call collateral intrusion", whereby data not relevant to specific purpose of the operation are collected, such as images of people in their gardens collected in the course of an inspection on a chimney.[203]

165. On the other hand, David Goldberg said: "No operator among the operators that I am familiar with has the slightest interest—the slightest interest—in surveillance or in close scrutiny of independent human beings."[204] He said that data protection concerns about RPAS were "not credible in relation to the use of RPAS in the market that we are talking about" where operators carry out aerial surveillance of crops or infrastructure.[205] Mr Lissone said that, in his experience, RPAS pilots who were aware of current legislation handled data protection "with the greatest and utmost care according to the European Standards".[206]

166. Moreover, we were assured that the EU Data Protection Directive, and its implementing legislation in the UK, are flexible enough to accommodate commercial RPAS use, and that such flexibility would be lost if specific RPAS data protection legislation were to be created. The Information Commissioner's Office noted that existing legislation had adapted to other emerging technologies in the past: "Since the [Data Protection Act] came into force, traditional CCTV systems have become an established part of society while other technologies such as automatic number plate recognition have emerged." [207]

167. The advantage of the flexibility inherent in the Directive is that it accommodates the varied cultural perspectives on data protection across the EU, which, as Thales UK noted, are reflected in the varying degree of public concern regarding RPAS.[208] Moreover, flexible data protection legislation is able to respond to the variation in types of RPAS operations. Mr Smith said: "We may need to apply that [law] in slightly novel ways, but I am not saying there should be a change in the law."[209] Mr Lee also said there was no need for "new knee-jerk laws … It is the job of lawyers, regulators and judges to interpret the law as it is in the light of new technologies."[210]

168. The Information Commissioner's Office also said that EU data protection legislation was currently being updated, "to take account of any new technological developments in a technologically neutral way".[211] The Council of Ministers and the European Parliament are currently negotiating a proposal for a General Data Protection Regulation. The Minister said that, depending on when it is approved, the Regulation would come into force in Member States at the earliest in 2017.[212]

169. The General Data Protection Regulation, as proposed, also considers how technology could be used to prevent collateral intrusion by commercial RPAS pilots. Professor Paul De Hert and Laura Jaques recommended that commercial pilots make use of "privacy by design", whereby the RPAS collecting photographic imagery or video images, from which individuals could be identified, "consider the use of anonymous video analytics or blurring technology."[213] The Information Commissioner's Office said that, in the updating of EU data protection legislation, "The focus on data controller accountability and privacy by design/privacy by default will be important concepts that RPAS developers and regulators should consider carefully."[214]

170. Despite these forthcoming measures, concerns were raised about the levels of awareness among commercial RPAS pilots regarding their data protection responsibilities. Trilateral Research and Consultancy Ltd said that its EU-wide research found "a significant gap in RPAS industry representatives understanding of their privacy and data protection obligations." It also suggested that specific guidance for RPAS pilots on the impact of data protection legislation would help raise awareness.[215] As well as explaining the law regarding the collection and retention of data, the Centre for Democracy and Technology said these guidelines should clarify where pilots and data subjects could reasonably expect data not to be captured.[216] Mr Lee said that guidance would also help to ensure that "the law can be applied fairly and consistently to the use of RPAS."[217]

171. The Information Commissioner's Office noted that it had revised its CCTV Code of Practice to include specific information on the use of RPAS.[218] Trilateral Research and Consultancy Ltd said that similar guidance was being produced by data protection authorities in France and Belgium.[219]

172. We do not believe that there should be technology-specific data protection legislation for RPAS. The proposed General Data Protection Regulation is the appropriate vehicle to meet the challenges of increased commercial use of RPAS. At the same time, pilots should be made aware of their obligations under existing data protection legislation as well as the draft Regulation. We recommend that the Commission, through Member States' data protection agencies, create and share specific data protection guidance for commercial RPAS pilots.

173. Concerns were also raised about how members of the public would be able to exercise their rights under the data protection legislation. Rights Watch UK said it would be "hard for a normal individual to identify which organisation is flying an RPAS, for what purpose, and whether that RPAS is being used for a purpose that will collect data about that individual."[220] Trilateral Research and Consultancy Ltd suggested that research funding should be allocated to constructing a "recognition system for RPAS" which would rely on "unique identifiers", such as chips, to be "tracked via GPS using a centralised system". It continued: "Such a system would be a robust transparency tool that would enable citizens to immediately identify the RPAS, the operator and the avenue through which they could find out additional information."[221] The Centre for Democracy and Technology made a similar recommendation.[222] Professor De Hert and Ms Jaques said that such a system would also help RPAS operators to "identify themselves and inform individuals about the aim and location of their operations", and thereby improve the transparency of their operations.[223]

174. We have recommended the creation of an online database through which commercial RPAS pilots could share details of their flights with other airspace users. One of the benefits of such a database would be that RPAS pilots could use it to inform members of the public of their data protection policies to make it easier for individuals to rely on their data protection rights.

PRIVACY IMPACT ASSESSMENTS

175. The proposed General Data Protection Regulation, mentioned earlier, would require any commercial operation involving the collection and processing of personal data to undertake a Privacy Impact Assessment (PIA). PIAs assess the risk of a project interfering with an individual's informational or physical privacy. PIAs are intended to help to identify risks in the early stages of a project and provide an opportunity to develop mitigating strategies.[224]

176. A number of witnesses recommended that commercial RPAS pilots should carry out PIAs even in advance of adoption of the Regulation, although there was uncertainty regarding when they should be carried out. Mr Lee, of Taylor Vinters LLP, and the Centre for Democracy and Technology both said that PIAs should be required as part of any submission requesting permission to operate an RPAS to national aviation authorities.[225] Mr Lee also recommended that PIAs be mandatory for any operation in congested areas, owing to the higher likelihood of collateral intrusion.[226] Trilateral Research and Consultancy Ltd recommended that a PIA should be carried out "before conducting each type of operation". This would allow companies to take data protection issues into account at an early stage rather than "applying costly retrofixes".[227] It continued: "The strength of such impact assessments is that they enable the regulatory framework to take account of the heterogeneity of RPAS technologies and missions."[228]

177. Requirements for commercial RPAS pilots to complete PIAs would demonstrate that public concern regarding privacy was being addressed. The Information Commissioner's Office said that PIAs were "often the most effective way to demonstrate to the [Information Commissioner's Office] how personal data processing complies with the Data Protection Act".[229] Thales UK said: "A basis for wider acceptance will be for users to demonstrate a rigorous approach to personal data security, recognising the duties and responsibilities of Data Controllers."[230]

178. A requirement to complete PIAs would have resource implications for RPAS businesses as well as for data protection agencies. Mr Goldberg said he feared regulation requiring PIAs would become box ticking exercises,[231] while Mr Smith suggested that PIAs, by preventing intrusions, could reduce the resources devoted by the Information Commissioner's Office to dealing with breaches of the law.[232]

179. While we agree with the principle of encouraging RPAS pilots to carry out Privacy Impact Assessments, care must be taken not to overburden regulators and emerging RPAS businesses. Once the EU General Data Protection Regulation is agreed, we recommend that the Government explain the extent to which it specifically addresses the use of RPAS.

Privacy

PERSONAL RPAS USE AND PRIVACY

180. The Royal Aeronautical Society suggested that much of the public's concern regarding privacy and the use of RPAS was directed towards private rather than commercial users.[233] While commercial users are required to comply with the EU Data Protection Directive, hobbyist and leisure users are exempt. Mr Smith, of the Information Commissioner's Office, said that while "there is a gap [in the law] in relation to the hobbyist-the private user", this problem also existed with other forms of technology.[234] The latter point was borne out by the Royal Aeronautical Society: "UA [unmanned aircraft] should be included within the overall discussions relating to the impact of technology on privacy but not be singled out for special attention".[235]

181. Mr Smith added that the role of the Information Commissioner's Office was to deal with data protection as opposed to privacy: "I am not sure that the legislation and the powers we have are particularly well suited to this one individual invading another individual's privacy."[236]

182. While the EU Data Protection Directive does not cover the "purely personal" use of RPAS, all relevant criminal offences, such as stalking and harassment, apply equally to commercial, hobbyist and leisure RPAS pilots. The criminal law of course falls within national competence. Dr Kevin MacNish, a former GCHQ employee, said the best way to address these concerns was by "ensuring that existing laws regarding stalking, peeping Toms and telephone interception extend to cover cases involving RPAS and do not allow for loopholes."[237] The British Model Flying Association drew attention to existing provisions, under the Air Navigation Order 2009, limiting the use of RPAS in circumstances which would entail invasion of another individual's privacy. For instance, Article 167 prohibits an RPAS used for surveillance being flown less than 50 metres from any person or vessel not under the control of the pilot, and 150 metres from any congested area or open air assembly.[238]

183. Concerns regarding the enforcement of existing laws in relation to the misuse of RPAS are discussed in Chapter 8 on leisure users and public consultation.

State and journalistic use of RPAS

184. The evidence submitted to us highlighted the potential for Member State authorities to use RPAS to collect data for surveillance or in the course of investigating crimes. Mr Cremin said: "The police have experimented and are experimenting with RPAS, it is fair to say, and I am sure that as we go further forward in time that will be increasingly likely."[239] The Minister said that police could replace helicopters with RPAS or that the coastguard might consider using RPAS in search and rescue situations.[240]

185. The Royal Aeronautical Society said that state surveillance which made use of thermal imaging cameras and facial recognition technology should require additional oversight mechanisms, such as search warrants.[241] Dr McNish agreed that "acceptable use of RPAS by the state should be stipulated in law to prevent function creep leading to the arming of RPAS in extreme situations with non-lethal weapons."[242]

186. Member States may, on the other hand, restrict the scope of the EU Data Protection Directive to exclude certain operations on the grounds of national or public security, defence, or the investigation of criminal offences. The Government was "not persuaded that any extension of EU competency into the regulation of surveillance for public safety, the prevention or detection of crime or for national security purposes is necessary."[243]

187. In the UK, the Information Commissioner's Office said its strategy was to provide guidance to government agencies considering using RPAS.[244] Mr Lee welcomed the provision of guidance, but said that it was important for the "state to justify its use of such exemptions (in the Data Protection Act) regardless".[245] He said that guidance should be developed which described how current regulations, such as the Regulation of Investigatory Powers Act 2000 (RIPA), applied to the use of RPAS.[246]

188. We also raised concerns about how private security firms might make use of RPAS and how that use would be regulated. The Minister told us that if RPAS were to be used by private security companies, "it is important that we make sure that proper controls are in place so that any information gathered … could not be used for reasons other than the correct pursuit of better security and safety."[247]

189. It is beyond the scope of this inquiry, which focuses on commercial operations, to draw conclusions regarding state use of RPAS for surveillance but the acceptability of state use of RPAS should be subject to urgent public debate.

190. The inquiry also drew attention to the use of RPAS by the media in order to capture images and videos. Mr Smith told us that Section 32 of the current Data Protection Act contained an exemption for responsible journalism, so that "If RPAS are being used to investigate matters of serious public concern and to comply with the data protection law would stand in the way of that, there is an exemption."[248]

191. Mr Smith added, though, that RPAS gave less responsible journalists "another, more powerful tool" to invade an individual's privacy: "it is not just about the law and data protection regulation; it is also about media regulation and the new media regulators taking a firm view as well on what is and is not acceptable for publication when it has been obtained through privacy intrusion."[249]

192. Mr Lee, Taylor Vinters LLP, said: "authorities should consider recommending a data protection and airspace permission exemption for rapid response RPAS journalism … If this particular developing area of rapid response journalism by RPAS is ignored then irresponsible, amateur cameramen will, in all likelihood, attempt to take footage anyway."[250]

193. The Minister accepted that journalists should be able to reveal a wrongdoing, but added that "journalists often push barriers and go further than that". There was a risk that 'paparazzi' could use RPAS to intrude on individual's privacy. A consultation with the public should therefore include a discussion about how to get the "balance right between the need to reveal wrongdoing while at the same time ensuring that people have the right to privacy in their own gardens or houses."[251]

194. While journalists can use RPAS to enhance the reporting of important events, they can also be used to invade people's privacy. UK media regulators should initiate a public consultation on the appropriate use of RPAS by the media, with a view to providing clear guidance.

195 Communication from the Commission to the European Parliament and the Council: A new era for aviation: Opening the aviation market for the civil use of remotely piloted aircraft systems in a safe and sustainable manner, COM(2014) 607, p 7 Back

196 Q151 Back

197 Rachel Finn, David Wright, Laura Jacques and Paul De Hert, Privacy, Data Protection and ethical risks in civil RPAS operations, D3.3 Final Report for the European Commission (7.November.2014) pp 67-68. Data Protection Directive, Article 6(b): http://ec.europa.eu/DocsRoom/documents/8550 [accessed on 26 February 2015] Back

198 Written evidence from the Professional Society of Drone Journalists (RPA0032) Back

199 Written evidence from Trilateral Research and Consultancy Ltd (RPA0035) Back

200 Written evidence from the National Centre for Precision Farming UAS Special Interest Group (RPA0016) Back

201 Q64 Back

202 Written evidence from the Center for Democracy and Technology (RPA0034) Back

203 Q150 Back

204 Ibid. Back

205 Ibid. Back

206 Q64 Back