Background
Drones have long been regarded as "eyes in the sky," but the most basic consumer models are regularly equipped with some sort of camera for still or video image capture. More advanced surveillance technologies can combine the high-quality audio-visual recording and storage capabilities of a sophisticated camera drone with data analytics tools such as facial recognition software, gait analysis and other biometric assessment techniques to identify individuals for targeted observation. can be identified. The size and maneuverability of drones enable them to monitor individuals at a distance and potentially follow and track targets without the knowledge of the person under surveillance.
As technologies develop and drones become "smarter", the possibilities for data collection are virtually limitless. Global Positioning System (GPS) is a technology that is often a built-in feature of drones and allows its location (and that of any surveillance target) to be tracked and recorded. Drones can be equipped with thermal imaging cameras that detect human presence through body heat. It is also possible to use a WiFi antenna attached to the drone to locate individuals via their mobile telephone.
The above examples create a clear tension with the legal obligations of privacy and not intruding into the personal lives of individuals (as distinct from the risks of personal injury and property damage). Many legal systems consider the right to privacy a fundamental human right, and surveillance programs are often the target of public outcry, political outrage, and regulatory clout. Direct surveillance through drone technology is no less invasive - and potentially more - than closed circuit television or fixed security cameras.
Even non-surveillance drone activity should be considered through the lens of privacy protection, albeit with less obvious risks. In many cases, the context of drone use and the type of data collected can create an indirect impact on individuals with consequent implications under privacy laws. An example is the inadvertent capture of recorded individuals (and their activities) by drones used for survey or research purposes.
Accordingly, the increased capability and capability of drone-based technologies raises questions as to the obligations to be placed on drone manufacturers and operators to ensure that the privacy and data collection implications of drone use are given due consideration. .
Privacy and Data Protection Laws: General
Historically, drone regulation has focused primarily on security considerations, but privacy and data protection laws will require more attention. Globally, such laws have various levels of maturity ranging from broad, principles-based data protection regimes – such as Europe's General Data Protection Regulation (GDPR) or the Australian Privacy Act – to patchworks of regional and state laws in the United States. As far as. Of America. In emerging markets, the situation may be further complicated by the lack of a specific data protection law and the potential application of local criminal codes, media and content regulation, copyright or defamation laws.
The GDPR marked a fundamental shift in the European and global approach to data protection regulation by clearly clarifying the basic principles relating to the collection and/or processing of personal data. In short, personal data is to be processed in a legal, fair and transparent manner for specified and lawful purposes. This processing must be based either on the consent of the person concerned or on any other ground prescribed by law. In addition, every reasonable step must be taken to ensure that personal data is accurate, relevant and limited in relation to the purposes for which it is processed ('data minimization') and is processed in a way that Ensures proper protection of personal data.
These principles form the basis of data protection legislation in many other jurisdictions outside Europe. The Australian Privacy Principle (or APP) is referred to by the national data protection regulator in the Australian Privacy Act 1998 (CTH) as a "cornerstone of the privacy protection framework". They set the key pillars of openness and transparency, accuracy and security that align strongly with the GDPR. In Singapore, the Personal Data Protection Act 2012 establishes requirements for lawful data processing and the principles of transparency, objective limits and storage limits. Similarly, state or national laws in Canada, South Africa, Bahrain, Qatar and other territories, as well as the Model Code for the Protection of Personal Information published in 1996 by the Canadian Standards Authority, are all based on similar principles.
Privacy and Data Protection Laws: Drone Specific
Increasingly, governments and regulators are moving from guidance to the application of existing data protection laws to drone operations and the inclusion of more specific drone-related provisions in the law. For example, California approved an update to its Civil Code in 2016 that made a person liable for physical invasion of privacy when that person:
"... knowingly enters another person's overhead or airspace without permission or otherwise engages in any kind of visual image, sound recording, or other physical impression of plaintiff engaged in private, personal trespass , or family activity and aggression in a manner that is disrespectful to a reasonable person."
Privacy and data protection regulations that identify clear privacy responsibilities when using drones can provide greater stability and certainty for drone operators, insurance companies, courts and individuals. Such laws would ideally outline specific privacy principles and requirements tailored to the use of drones, and would reflect current gold standards for data protection such as the GDPR.
Areas of particular concern to drone operators regarding data protection laws include obligations to provide information to data subjects, requirements to establish data retention procedures, and procedural protections for accessing data. Many critics of drones have raised concerns that the collection of aerial imagery and video would enable widespread surveillance that allows drone operators (whether a government agency or a private individual) to know where individuals are at different points in time without the usual provision. But what are you doing? For personal data subjects, as would be expected if their data was collected by other means. Such footage can be kept indefinitely and used to build a picture around the private details of a person's life.
It would be helpful to the industry if legislators adopt more uniform policies and procedures to address retention of information, focusing on the information collected, how it is stored and how it is accessed. Additionally, legislators should consider implementing specific transparency and accountability measures for drone operators – for example, requiring them to publish "usage logs" of activities operated by drones and those collected during such activities. document the information (see McNeil, Gregory, 'Drones and aerial surveillance: Ideas for legislatures', Project on Citizen Robotics series, Brookings (November 2014). Privacy laws governing drones should allow legislators to clarify this what they mean by specific terminology and to specify which locations should be entitled to specific privacy protections. At the moment, conflicting laws and frameworks have led to confusion about the types of activities prohibited and protected areas in some countries. have been born.
Drone operator
Commercial and recreational drone operators should be aware of local, state, federal and international laws relating to privacy and data protection that may directly or indirectly affect their drone activities. Drones that violate the privacy of individuals can expose their owners and their employees to civil and criminal liabilities, including hefty fines and adverse court awards or higher settlements.
Drone operators should consider risk-based and risk-management strategies when setting up and operating their drones. In particular, they must analyze potential privacy risks before deploying unmanned aircraft systems: a balance must be struck between the threats to the privacy of persons likely to be affected by drones, and the benefits and interests derived by the drone operator. Interference with privacy and data protection rights can be initially minimized when planning: (1) the intended flight path; (2) Drones and used equipment; and (3) the management of the collected data.
Clyde & Company as a firm is committed to engaging with and understanding the risks associated with the use of drones, along with a growing network of cross-sector experts and associates, to help our clients cope with the rapidly evolving risk landscape. be able to help. If you would like to understand how we can help you with this, please contact Dino Wilkinson, Maurice Thompson, Dr. Tony Tarr and Julie-Anne Tarr.