Market forecasts predict that the commercial and civil drone market will boom over the next decade. The use of drones, also called unmanned aerial systems (UAS) or unmanned aerial vehicles (UAVs), is becoming increasingly popular, with their use already being championed by the likes of Amazon, DHL and Shell. Companies such as Royal Mail are considering both drones for air-mail and autonomous delivery vans, and major insurance companies are investing in drone technology in order to monitor crop yields, amongst other things.
The global economic potential for commercial drone use is looking extremely positive, with a recent US study estimating that over the 10-year span from 2015 to 2025, drone integration within national air space will account for $82.1 billion in US job creation and economic growth. These figures aren’t surprising given the advantages drones offer businesses, whether by streamlining delivery, enabling efficient aerial photography or contributing to safe infrastructure maintenance and management.
And so, with the prospect of drones being integrated into businesses on a larger scale, it is absolutely crucial that businesses understand the legal and other risks associated with drone use.
A key area of concern is privacy. As the issue of drones and their impact on privacy has become more prominent, the Information Commissioner’s Office (ICO) has looked to become more involved in this area. The ICO gave evidence to a Parliamentary Committee in autumn last year on the risk to privacy posed by UAS and underlined that their use for commercial purposes must be carried out in accordance with the Data Protection Act (DPA).
Earlier this year the ICO issued guidance on drone use for individuals and organisations. The ICO recommends that drones with cameras should be operated in a responsible way to respect individuals’ privacy rights. If a drone has a camera, its use has the potential to be covered by the DPA. If your business is using a drone for commercial purposes, it is important that you understand your legal obligations as a data controller. Where UAS are used for business purposes, operators will need to comply with data protection obligations, and it will be good practice for users to be aware of the potential privacy intrusion which the use of UAS can cause, to make sure they aren’t in breach of any data protection or privacy provisions.
The ICO has provided guidance as to the potential data protection risks that businesses may be exposed to when using drones:
The use of UAS has a high potential for collateral intrusion by recording images of individuals unnecessarily and can therefore infringe individuals’ privacy rights. For example, there is a high probability of recording individuals inadvertently, because of the height UAS can operate at and the unique vantage point they can obtain. Individuals may not always be directly identifiable from the footage captured by UAS, but can still be identified through the context they are captured in or by using the device’s zoom capability.
As such, it is very important that you can show in your Privacy Impact Assessment (PIA) (discussed later in this article) that there is a strong justification for using the drone to record. You may be able to reduce the risk of privacy infringement by incorporating privacy-restrictive methods in the design of the drone. For example, you may be able to procure a device that has restricted vision so that its focus is only in one place. Privacy by design can be incorporated into your PIA and can form part of your procurement process.
It is important that the recording system on UAS can be switched on and off when appropriate. This is particularly important given the potential for the cameras to capture large numbers of individuals from a significant height. Unless you have a strong justification for doing so, and it is necessary and proportionate, recording should not be continuous. This is something which you should look at as part of your PIA.
One major issue with the use of UAS is that, on many occasions, individuals are unlikely to realise that they are being recorded, or may not know that a UAV has a camera attached. Businesses can, however, introduce innovative ways of providing this information. The ICO recommends measures such as wearing highly visible clothing identifying yourself as the UAS operator, placing signage in the area where you are operating UAS explaining its use, and having a privacy notice on a website that you can direct people to, or some other form of privacy notice, so they can access further information.
Coverage of the ‘whole’ system
The ICO guidelines advise organisations that data protection issues concerning UAS cover the whole system, rather than just the device in the air, so you need to ensure that the whole system is compliant. You should ensure that any data which has been collected is stored securely. This can be achieved by using encryption or another appropriate method of restricting access to the information. It is also important to ensure that data is retained for the minimum time necessary for its purpose and disposed of appropriately when no longer required.
Unencrypted data links found within drones are particularly vulnerable to jamming, interception and manipulation. There are clear cyber security risks that may arise because a drone could be hacked, its data link or live feed intercepted, or the aircraft could be “spoofed”, i.e. its GPS signal manipulated during flight. Businesses should be aware that when operating in an urban environment, due to the heavy use of communications equipment and other sources of electromagnetic spectrum/radio frequency, UAS are at risk of being manipulated or interfered with. Businesses also need to consider mitigation for the consequences of weak or lost GPS signal due to masking by buildings, along with the general radio frequency saturation level.
How to be best prepared
Privacy Impact Assessments
A PIA is a process which helps a business to identify and reduce the privacy risks of a project. PIAs enable an organisation to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved. A PIA will help you decide if using UAS is the most appropriate method to address the need that you have identified.
With regard to the use of drones, a PIA should consider identifying the drone’s potential effects upon privacy and data protection compliance, how detrimental effects of the drone may be overcome and how the use of the drone can comply with data protection principles.
The DPA does not oblige organisations to conduct PIAs, but the ICO has said they are useful tools for organisations to use in order to help them comply with the requirements set out in the DPA.
It is possible that organisations that undertake PIAs can also hope to be treated more leniently by regulators if they experience a data protection breach and are subject to legal action. There is an understanding by the regulator that not all data breaches are preventable. It is possible to show through a PIA that you assessed the risks of processing personal data, took measures to mitigate those risks, or otherwise identified the reasons why you decided to proceed with certain projects despite data protection risks being present.
Please contact Daniel Geller for further information.