Drones and Privacy: Belgian Privacy Commission Approves Draft Royal Decree

Until a couple of years ago, drones, or remotely piloted aircraft systems (“RPAS”), were only used for military purposes. Recently, however, the technology has been further developed, as a result of which drones have not only become smaller, more practical and less expensive, they can and are also used for civil or commercial purposes, such as infrastructure monitoring, photography or even transport of goods and people. Real estate agencies already use drones to take pictures of private properties. Amazon is testing a drone delivery system to send packages to its customers and Domino’s did the same for its delivery of pizzas. While no one seems to question the potential social and economic benefits of drones, in particular as regards jobs and growth, their use by private companies and individuals for economic or other purposes does raise a number of important concerns.

In Belgium, the Minister of Transport has presented a draft Royal Decree regulating the private and commercial use of drones. Until now,  drones were subject to air traffic regulations and their use was subject to an authorization being obtained from the Belgian Civil Aviation Authority. In addition, the commercial use of drones was not allowed. The new Royal Decree is aimed at filling this legal void and should finally provide for a legal framework for the use of RPAS. Although this is an important step forward, it remains to be seen how the new regulation will be applied in practice. First, the scope of application of the Royal Decree does not seem to be entirely clear. The Decree provides that it does not apply to aircraft systems that are designed (whether or not exclusively) for use as a game by children of less than 14 years. How will be determined which RPAS meet this condition? The Decree is also not applicable to model aircrafts that are used only for recreational purposes, provided their starting weight is less than one kg and their use meets six cumulative conditions. One of those conditions is that the model airplanes are only used “for private purposes outside public space in urban areas”. Another condition that must be met is that the RPAS may not fly above an altitude of ten meters or over a large group of people in open air. It is not clear how these conditions will be interpreted and enforced.

In this article, however, we want to focus on the privacy issues raised by drones. Most of the time, drones are not merely used as simple aircraft systems. They often include devices such as cameras, microphones, sensors  and GPS, which may allow the processing of personal data, including images, sound recordings and all sorts of information about identifiable persons.

In Belgium, as in most European countries, there are no data protection laws or regulations that relate specifically to the collection and processing of personal data through the use of drones. There is no question, however, that the personal data collected by drones is also protected by the existing data protection legislation in Belgium and the EU. The Belgian Privacy Commission (the Data Protection Authority) confirmed this point of view in its Advice dated 22 July 2015 with respect to the draft Royal Decree. The Royal Decree itself also states that users of drones must ensure compliance with applicable data protection laws

Under the applicable data protection rules, the use of a drone will always require a legitimate ground for processing. This can be, amongst others, the unambiguous consent of the data subject or the necessity of the processing for the execution of a contract or for compliance with a legal obligation. In the context of recreational or commercial use of drones, consent will in most cases be the only legitimate ground available, although it may be impossible or at least very difficult to obtain.

This means, for instance, that if a drone is used to shoot images of an event with the purpose of making a film to promote such event, then the footage may not be used to identify people, since it is not possible to obtain each and everyone’s consent. Hence, persons appearing in the promotional film should be made unrecognizable as much as possible.

Another consequence of the data protection rules is that drone users are to be considered data controllers who are subject to a number of obligations, including informing individuals about the processing of their personal data, providing them access to their data, and notifying the competent data protection authority of the processing of personal data.

The Privacy Commission also points out that the use of cameras on drones for surveillance purposes, is subject to the Act of 21 March 2007 on the use of surveillance cameras. Pursuant to this Act, cameras placed on drones are to be considered mobile cameras, which may only be used by law enforcement authorities for the purpose of crowd control or license plate recognition.

Applying and enforcing the data protection regulations to a potentially highly intrusive new technology is very important, but at the same time it will likely not be easy.  Drones are by nature mobile and discrete, and in particular the smaller and lighter drones flying at relatively high altitudes but equipped with powerful cameras or recorders, will be very difficult to detect. And even if drones are used in a visible and indiscrete way, the question remains how one can enforce the privacy regulations (in particular information and consent) in practice. The Data Protection Authority also pointed this out in its Advice related to the Royal Decree, but it did not offer any solutions.

Therefore, in order to ensure privacy protection to the greatest possible extent, it is recommended to take the necessary measures from the outset, which leads us to privacy by design.  

Drone manufacturers should be invited to analyze at the earliest stages of development how their device might interfere with the privacy of individuals, so that they may then build these devices in a way which reduces such interference to what is strictly necessary and proportionate to the purpose pursued. As such, manufacturers might propose different types of sensors depending on the purchaser’s objective, so that the latter may choose the one that is least intrusive (for example, if the drone is used to build accurate roadmaps, it does not need high resolution cameras able to read license plates). Drones could also be equipped with tools that provide for automatic masking of private areas and automatic detection and pixilation of faces that are (accidentally) gathered in images and videos. Manufacturers could also be encouraged (or forced?) to set up data retention by design, that is to say, the possibility to schedule the automatic and regular deletion of the data processed.

Obviously, even if drones are designed to protect privacy and are equipped with all possible tools to ensure compliance with applicable law, their owners should also be made aware of their obligations. Drones should therefore come with clear information about the applicable privacy rules and the different obligations of the user under national and EU law.

As drone use for commercial or recreational purposes is still in its infancy, it remains to be seen how their use will impact people’s privacy and to which extent the data protection regulations will be enforced in practice. Especially in the first years to come, data protection authorities and courts will need to be vigilant and show that non-compliance cannot be tolerated.