K
Kathleen Martin
Guest
Background
Drones have long been considered as "eyes in the sky" with all but the most basic consumer models routinely equipped with some form of camera for still or video image capture. More advanced surveillance technologies can combine a sophisticated camera drone's high-quality audiovisual recording and storage capabilities with data analytics tools such as facial recognition software, gait analysis and other biometric assessment techniques to identify individuals for targeted observation. The size and manoeuvrability of drones enables them to monitor individuals at a distance and to follow and track targets, potentially without the knowledge of the person that is subject to surveillance.
As technologies develop and drones become "smarter", the possibilities for data collection are almost limitless. Global positioning system (GPS) is a technology that is often a built-in feature of drones and allows for its location (and that of any surveillance target) to be tracked and recorded. Drones can be equipped with thermal imaging cameras that detect human presence through body heat. It is also possible to use a wifi antenna affixed to a drone to locate individuals via their mobile telephones.
The above examples create obvious tension with legal obligations of privacy and non-intrusion into the personal lives of individuals (as distinct from the personal injury and property damage risks). Many legal systems consider the right to privacy as a fundamental human right and surveillance programmes are often the target of public outrage, political ire and regulatory clampdowns. Direct surveillance by way of drone technology is no less invasive – and potentially more so – than closed circuit television or fixed security cameras.
Even non-surveillance drone activity should be considered through a lens of privacy protection despite the less obvious risks. In many cases, the context of drone use and the type of data collected can create an indirect impact on individuals with a consequent implication under privacy laws. The inadvertent capture of persons (and their activities) recorded by drones used for surveying or research purposes is one example.
Accordingly, the enhanced capabilities and potential of drone-based technologies raises questions as to the obligations to be imposed upon manufacturers and operators of drones to ensure due consideration is afforded to the privacy and data collection implications of drone use.
Privacy & Data Protection Laws: General
Historically, drone regulation has been focused primarily upon safety considerations but increasing attention will need to be paid to privacy and data protection laws. Globally, there are varying levels of maturity in such legislation ranging from comprehensive, principles-based data protection regimes - such as Europe's General Data Protection Regulation (GDPR) or the Australian Privacy Act - to the patchwork of sectoral and state laws in the United States of America. In emerging markets, the situation may be further complicated by the lack of any specific data protection legislation and the potential application of local criminal codes, media and content regulation, copyright or defamation laws.
The GDPR marked a fundamental shift in the European and global approach to data protection regulation by clearly spelling out core principles relating to the collection and/or processing of personal data. In essence, personal data is to be processed lawfully, fairly and in a transparent manner for specified and legitimate purposes. This processing should either be based on the consent of the person concerned or some other basis laid down by law. Moreover, every reasonable step must be taken to ensure that personal data is accurate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’) and processed in a manner that ensures appropriate security of the personal data.
These principles form the basis of data protection legislation in many other jurisdictions outside Europe. The Australian Privacy Principles (or APPs) are referred to by the national data protection regulator as "the cornerstone of the privacy protection framework" in the Australian Privacy Act 1998 (Cth). They set out key pillars of openness and transparency, accuracy and security that align strongly with the GDPR. In Singapore, the Personal Data Protection Act 2012 establishes requirements for lawful data processing and principles of transparency, purpose limitation and storage limitation. Similarly, State or national laws in Canada, South Africa, Bahrain, Qatar and other territories, as well as the Model Code for the Protection of Personal Information published in 1996 by the Canadian Standards Authorisation, are all similarly principles based.
Privacy & Data Protection Laws: Drone Specific
Increasingly, governments and regulators are moving beyond guidance on the application of existing data protection laws to drone operations and towards the inclusion of more specific drone-related provisions into law. For example, California approved an update to its Civil Code in 2016 that made a person liable for physical invasion of privacy when that person:
"…knowingly enters onto the land or into the airspace above the land of another person without permission or otherwise commits a trespass in order to capture any type of visual image, sound recording, or other physical impression of the plaintiff engaging in a private, personal, or familial activity and the invasion occurs in a manner that is offensive to a reasonable person."
Continue reading: https://www.clydeco.com/en/insights/2022/2/data-protection-privacy-and-drones
Drones have long been considered as "eyes in the sky" with all but the most basic consumer models routinely equipped with some form of camera for still or video image capture. More advanced surveillance technologies can combine a sophisticated camera drone's high-quality audiovisual recording and storage capabilities with data analytics tools such as facial recognition software, gait analysis and other biometric assessment techniques to identify individuals for targeted observation. The size and manoeuvrability of drones enables them to monitor individuals at a distance and to follow and track targets, potentially without the knowledge of the person that is subject to surveillance.
As technologies develop and drones become "smarter", the possibilities for data collection are almost limitless. Global positioning system (GPS) is a technology that is often a built-in feature of drones and allows for its location (and that of any surveillance target) to be tracked and recorded. Drones can be equipped with thermal imaging cameras that detect human presence through body heat. It is also possible to use a wifi antenna affixed to a drone to locate individuals via their mobile telephones.
The above examples create obvious tension with legal obligations of privacy and non-intrusion into the personal lives of individuals (as distinct from the personal injury and property damage risks). Many legal systems consider the right to privacy as a fundamental human right and surveillance programmes are often the target of public outrage, political ire and regulatory clampdowns. Direct surveillance by way of drone technology is no less invasive – and potentially more so – than closed circuit television or fixed security cameras.
Even non-surveillance drone activity should be considered through a lens of privacy protection despite the less obvious risks. In many cases, the context of drone use and the type of data collected can create an indirect impact on individuals with a consequent implication under privacy laws. The inadvertent capture of persons (and their activities) recorded by drones used for surveying or research purposes is one example.
Accordingly, the enhanced capabilities and potential of drone-based technologies raises questions as to the obligations to be imposed upon manufacturers and operators of drones to ensure due consideration is afforded to the privacy and data collection implications of drone use.
Privacy & Data Protection Laws: General
Historically, drone regulation has been focused primarily upon safety considerations but increasing attention will need to be paid to privacy and data protection laws. Globally, there are varying levels of maturity in such legislation ranging from comprehensive, principles-based data protection regimes - such as Europe's General Data Protection Regulation (GDPR) or the Australian Privacy Act - to the patchwork of sectoral and state laws in the United States of America. In emerging markets, the situation may be further complicated by the lack of any specific data protection legislation and the potential application of local criminal codes, media and content regulation, copyright or defamation laws.
The GDPR marked a fundamental shift in the European and global approach to data protection regulation by clearly spelling out core principles relating to the collection and/or processing of personal data. In essence, personal data is to be processed lawfully, fairly and in a transparent manner for specified and legitimate purposes. This processing should either be based on the consent of the person concerned or some other basis laid down by law. Moreover, every reasonable step must be taken to ensure that personal data is accurate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’) and processed in a manner that ensures appropriate security of the personal data.
These principles form the basis of data protection legislation in many other jurisdictions outside Europe. The Australian Privacy Principles (or APPs) are referred to by the national data protection regulator as "the cornerstone of the privacy protection framework" in the Australian Privacy Act 1998 (Cth). They set out key pillars of openness and transparency, accuracy and security that align strongly with the GDPR. In Singapore, the Personal Data Protection Act 2012 establishes requirements for lawful data processing and principles of transparency, purpose limitation and storage limitation. Similarly, State or national laws in Canada, South Africa, Bahrain, Qatar and other territories, as well as the Model Code for the Protection of Personal Information published in 1996 by the Canadian Standards Authorisation, are all similarly principles based.
Privacy & Data Protection Laws: Drone Specific
Increasingly, governments and regulators are moving beyond guidance on the application of existing data protection laws to drone operations and towards the inclusion of more specific drone-related provisions into law. For example, California approved an update to its Civil Code in 2016 that made a person liable for physical invasion of privacy when that person:
"…knowingly enters onto the land or into the airspace above the land of another person without permission or otherwise commits a trespass in order to capture any type of visual image, sound recording, or other physical impression of the plaintiff engaging in a private, personal, or familial activity and the invasion occurs in a manner that is offensive to a reasonable person."
Continue reading: https://www.clydeco.com/en/insights/2022/2/data-protection-privacy-and-drones