Droning on about Privacy and Data Protection (United Kingdom Law)

Drones have become more popular and prominent over recent years in a number of industries, and have the ability to dramatically change the way many types of work, particularly relating to properties and land, and their review and repair are affected. Drones have been increasingly used for aerial surveys and a variety of other functions not only in relation to the property and construction sector but also in many other industries such as energy, utilities, resources, insurance, agriculture, and agribusiness.

Where in the past, surveyors might have taken hours or even days to assess and measure a property, drones are now often able to do this in minutes. The positive operational and economical ramifications will have an increasing impact on how developers, those managing properties and others engage with technology and particularly drones.

Practical applications for which drones are being used in the property sector include aerial photography, structural information collection, geographic mapping, safety inspections, crop monitoring, law enforcement and border control surveillance, and weather tracking. Appropriate deployment in the private sector can enable companies to get ahead of the competition.

However, the usage of drones illustrates how most technological advances collide, to a lesser or greater degree, with the law. In the case of drones, one of the key areas relates to the processing of personal data. Information held relating to identifiable living individuals is covered by the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). As a result, personal data is to be processed lawfully, fairly and in a transparent manner for specified and legitimate purposes. This should either be based on the consent of the data subject, or a basis laid down in law. Moreover, every effort should be made to ensure that the data is accurate and limited to what is necessary for the purpose.

Drones (also known as Unmanned Aerial Vehicles (UAVs)) are, as the name suggests, unmanned aircraft controlled by either operators or onboard computers. Due to their ability to take photos, videos, and scope buildings and other environments, their use has raised privacy concerns for many. Drones can inadvertently collect the personal data of individuals who were not the intended focus of the recordings.

If a drone is used by an organisation, the organisation is deemed the controller of any personal data captured and is required to comply with data protection law. However, for an individual operator, this is a little murkier.

Both the UK GDPR and DPA 2018 have household exemptions concerning the processing of data. This applies during a purely personal or household activity and it could be argued that this exemption could apply to individuals using drones for their own purpose (‘hobbyist’ drone owners), although it is clear from current case law that this will depend on the specifics of the case. The ECJ considered that an individual who had installed a camera that recorded the entrance, public footpath and the entrance to the house opposite was not covered by this exemption and therefore his activity was subject to data protection legislation.

Owning a drone – what are my data protection obligations?

The ICO (the UK data protection regulator) has provided tips for the responsible use of drones. For any person collecting personal data, you should provide privacy information (who you are, what information you are collecting, what you are doing with the information and how people can exercise their rights if needed) to those whose data you are collecting. Registering the drone with the Civil Aviation Authority (CAA), placing signage around the area where you operate the drone explaining your use, or creating a website with an appropriate privacy policy notice that you can direct people to, will facilitate compliance with this obligation.

Where such use involves the collection of personal data and data protection law is engaged, it is often appropriate to conduct a Data Protection Impact Assessment (DPIA) to assess whether using a drone is the most appropriate way to solve a problem that you have identified and that you have suitably evaluated the risks to the rights and freedoms of individuals whose personal data may be collected.

Issues to investigate when conducting the DPIA include the duration of the recording. Unless it is necessary and proportionate, recording should not be continuous. You should also consider the technological ecosystem within which the drone features. For example, the extent to which the drone connects with and shares personal data with other technology and systems. In any event, all data needs to be collected securely and shared between the different devices and channels. Data should also be retained for the shortest amount of time possible, and it should be disposed of appropriately when the footage is no longer needed. In this context, and with a view to finding the least intrusive way to achieve one’s legitimate purposes, it is important to choose the right type of drone. For example, some drones are designed with restricted fields of vision or only record at certain altitudes.

Of broader general application but with particular relevance to drones, the CAA has some top tips on protecting people’s privacy:

  • Respect other people and their privacy
  • Make sure you are aware of what the camera can do and what kind of images it can take
  • Make sure you can be clearly seen when you are flying the drone
  • Where possible, let people know before you start recording or taking pictures (never fly over groups or crowds who are not with you)
  • Think before sharing photos and videos on social media
  • Keep any photos and videos secure and delete anything you do not need

By way of reminder, this is not purely an academic discussion.

While drones can be cost-saving for industry, they can also be costly if not used in compliance with current laws. Bear in mind that the fines for infringement of UK GDPR for infringement of any of the data protection principles or rights of individuals can go up £17.5 million or 4 per cent of annual global turnover – whichever is greater.

Simon Halberstam & Grace Checkland
+44 20 32 06 27 81
simons muirhead burton

Simon Halberstam & Grace Checkland

SMB (Simons Muirhead Burton)

+44 20 3206 2700