Helping the drone industry adapt to a changing regulatory landscape: the DroneRules PRO case study


Dr Rachel Finn | Director, Data Protection & Cyber-risk Services / Head of Irish Operations

Date: 11 May 2018

As the GDPR enters into force, drone pilots and operators will have to rethink the way they operate or face the risk of non-compliance.

The future of drone use is changing

Drones are undoubtedly a technology which will be with us in the future and will unlock new opportunities and efficiencies for industry, trade and entertainment. However, with the entry into force of the new General Data Protection Regulation (GDPR), some industry practices may prove to be at odds with the new regulatory landscape. It’s not all bad news though. With some self-education around privacy and data protection and planning of operations, drone operators and pilots can make minimal adjustments to the way they operate drones to comply with the law. Trilateral is instrumental in producing content designed to help you do just that as a key member of the DroneRules PRO consortium. In the meantime, here are a few examples of the risks that drone businesses could face:

Imagine yourself as a drone operator:

You have a drone fleet and trained pilots at your disposal and you offer your services around Europe. You are hired across the continent to carry out infrastructure and building inspections, filming activities for promotional purposes, wildlife and environmental studies and traffic monitoring in busy urban environments. All these tasks benefit from the flexibility and accessibility offered by your drones. For years, you are highly sought after because you make sure to capture as much information as possible when in flight and you carry out your mission within short time frames, irrespective of distractions, such as people on the ground. To ensure the information is always available, you keep copies of the original footage in your archives for an indefinite period of time.

All of a sudden you receive a notification from your national Data Protection Authority. You are being fined for breaching the General Data Protection Regulation. Due to your extensive filming during flight in densely populated areas and your prolonged storage of footage with images of people in it, you have failed to comply with the data protection principles of data minimisation and storage limitation. You are exposed to this because the GDPR imposes fines of up to 4% of worldwide revenue for non-compliance.


Imagine yourself as a drone manufacturer:

You are a leading drone manufacturer who builds a variety of drones. They come in diverse sizes and each is equipped with powerful cameras and an Internet connection, allowing direct streaming of the images captured by the drones. Some of your drones are perfectly suited for professional activities due to their long battery life and strong optics. But one day, your business stops receiving orders from clients.

You’ve overlooked new laws, in particular the GDPR and the forthcoming EASA UAV Regulation. Professional drone users cannot commit to using your drones when other manufacturers have incorporated functions that support compliance with new requirements. These functions represent the data protection by design and by default concept by supporting data integrity and security, as well as protection and transparency through means such as encryption of the Internet streaming feed, and cybersecurity controls for access to the drone’s data or electronic identification transmissions. You have not yet included these features and your drones are less relevant in the current market.

The above-imagined cases could become a reality for some drone users and manufacturers. The European Union has taken steps to protect personal data (e.g. footage including images of individuals and their property) through the adoption of the GDPR. The European Aviation Safety Agency (EASA) also regulates the operation of unmanned aircraft vehicles (UAVs). Ultimately, this regulatory shift will have positive impacts, such as alleviating public concerns about the respectful and safe use of drones and ensuring widespread acceptance of the new technology. However, new regulations also mean that drone manufacturers, operators and pilots will soon have to consider and comply with additional rules in their professional activities.

There are two main legal developments which will impact the drone industry in this regard:

  • The new General Data Protection Regulation (GDPR) will enter into force in May 2018 and will reinforce existing data protection laws by unifying them across the European Union and giving them “teeth”. There will be administrative fines for breaches which could amount to up to 20 000 000 EUR or 4% of worldwide revenue, whichever is higher.
  • The EASA UAV Regulation, which is still being discussed by European legislators and will likely enter into force in 2019, seeks to establish a basic safeguard level for UAV pilots, operators and manufacturers with regard to drone safety, security, and respect for privacy, among others. It is envisioned that fines can also be imposed nationally for failure to comply with these rules.

How can DroneRules PRO help?

To help the drone industry adapt to the upcoming changes, the ongoing project DroneRules PRO will develop new resources and add materials to the information platform. These resources will help professionals learn about the changes relevant to them and will guide them in applying them. Trilateral will lead the development of a few key instruments which will support drone professionals:

  • E-learning course – an e-learning course will introduce drone professionals to privacy and data protection laws, obligations, requirements, risks and safeguards, as they apply to their specific professional area. Drone pilots and operators will be taught how to identify privacy and data protection risks and how to minimise them or eliminate them completely, while drone manufacturers will be educated on how to ensure their drones enable data protection and respect for privacy and comply with the technical requirements of EASA’s UAV Regulation.
  • Privacy Code of Conduct – to ensure a general safeguard level across the European drone industry, the project will develop a Privacy Code of Conduct which will guide drone professionals in their activities by offering specific do’s and don’ts, alongside specific steps for responsible and accountable drone operation and data management.
  • Privacy Impact Assessment (PIA) template – To help drone professionals assess the impact of their missions and operations on the privacy of people on the ground, a PIA template will be made available to them, which will incorporate not only risk identification but also safeguards and strategies to mitigate negative impacts. The PIA is similar to the data protection impact assessment, required by the GDPR for high-risk data processing (Article 35). However, it will be tailored to drone activities and will focus on privacy, a broader and more all-encompassing concept than data protection.
  • Pre-flight Checklist – Complementing the extensive teaching and knowledge resources provided above, a pre-flight checklist will also be developed – an easy-to-consult resource to help drone operators and pilots carry out brief last-minute checks before their missions. It will ensure that they remember the main do’s and don’ts when it comes to privacy and data protection throughout their operations.
  • Privacy-by-design Guide – Specifically targeted at drone manufacturers, a privacy-by-design guide will be created as a single reference document covering (1) how privacy and data protection of people on the ground can be enhanced through appropriate drone design, capabilities and development, as well as (2) what technical and operational measures drones should comply with in order to be legally marketed and commercially flown within the EU.

Together with drone professionals we will create a privacy and data protection culture within the European drone industry and will facilitate compliance with the new legislation.

How can Trilateral help?

Trilateral is a trusted partner when it comes to privacy and data protection regulations and drone use in Europe. Trilateral’s experience with drones and privacy makes us well suited to build the DroneRules PRO resources and understand the particular needs of drone professionals.

The DroneRules PRO Privacy Impact Assessment (PIA) template is based on Trilateral’s respected PIA methodology which has been applied across a number of technology innovation projects as a way of effectively operationalising Privacy-by-Design. Within DroneRules PRO, the PIA template will help drone operators and pilots plan their flights from the ground up with careful consideration of privacy and data protection safeguards at every step.

We look forward to working together with our project partners (SpaceTec Partners, University of Udine’s Human-Computer Interaction Lab and BHO Legal) to deliver the full range of DroneRules PRO resources, including the PIA template.

For more information on this research area please contact our team.
