
Data privacy and drones: part two

by Mark Rowe

Here’s the second article of a three-parter from security, cyber and data protection advisers 6SGlobal on the law behind privacy and use of drones. You can contact: [email protected].

Under Art.36(1), GDPR, the ‘Drone’ Data Controller must consult the relevant Supervisory Authority before processing personal data where the Data Protection Impact Assessment (DPIA) indicates that the processing would result in a high risk in the absence of measures taken by the ‘Drone’ Data Controller to mitigate that risk and reduce it to a residual risk that does not cause harm or damage to Data Subjects. In accordance with guidance published by the Article 29 Data Protection Working Party, an unacceptably high residual risk includes cases where the Data Subjects may encounter significant or even irreversible consequences that they may not overcome, and/or where it seems obvious that the risk will materialise.

In addition, the company or organisation must also comply with individual Member State laws under which prior consultation with the Supervisory Authority is required in order to obtain prior authorisation for processing carried out in the public interest, including processing in relation to social protection and public health.

Publishing the DPIA on the ‘Drone’ Data Controller’s website

Although publishing the DPIA is not a legal requirement under the GDPR, the ‘Drone’ Data Controller should seek to publish it, or a version of it, on its website, taking guidance and advice from the DPO on what can be disclosed.

Conducting a Legitimate Interest Assessment (Recital 50)

In the absence of a DPIA, the ‘Drone’ Data Controller may want to conduct a Legitimate Interest Assessment (LIA). In practice this doubles as a gap analysis: what the controller is doing that complies with the GDPR, what it is doing that does not, and what it needs to start doing in order to comply. Generally, private ‘Drone’ operators may rely on legitimate interests as an appropriate legal basis for processing personal data (public authorities cannot rely on it for processing carried out in the performance of their tasks, as noted below); it entails organisational accountability and enables the responsible use of personal data while protecting data subjects’ privacy rights. Recital 50 states: “Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller.” Note: when ‘Drone’ footage is disclosed to the police (or another competent authority as defined in Schedule 7 of the DPA 2018), the recipient processes it for law enforcement purposes under Part 3 of the DPA 2018, not under the GDPR. How the police (or other competent authority) process it is no longer your concern; the act of disclosing it, however, remains your own processing and needs its own lawful basis. In both cases, you must weigh your lawful basis against the data subjects’ privacy rights.

Drones and Implementing Data Protection by Design and by Default

The following considerations apply when implementing the data protection principles of the GDPR.

Lawfulness, fairness, and transparency (Art.5(1)(a), GDPR)

The interaction between the ‘Drone’ Data Controller and the Data Subject needs to be reviewed to ensure Data Subjects grasp what is being done with their personal data. These communications include the website, pre-recorded telephone messages and customer service calls. Any activity of the ‘Drone’ Data Controller that attempts to obtain consent covertly, that buries the Data Privacy Notice in terms and conditions, or that uses legal jargon rather than clear language will fail the test of lawfulness, fairness and transparency and will be an infringement of Art.5(1)(a), GDPR. If front-line staff cannot direct a person to the right place, or if the Data Subject needs to scrutinise the fine print of a ‘Drone’ Data Controller’s terms and conditions to find out how to exercise Data Subject rights, the ‘Drone’ Data Controller will not only fail to meet transparency and fairness requirements, it may also open itself to greater scrutiny by the Supervisory Authority in the face of complaints from frustrated Data Subjects.

Household exemption

The household exemption, in the context of Drone surveillance, must be narrowly construed. As the European Court of Justice held in Lindqvist (C-101/01), the so-called “household exemption” must “be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”. A hobbyist who posts drone footage of identifiable neighbours online therefore cannot rely on it.

Lawfulness of Processing

Before use, the purposes of processing must be specified in detail. Drone surveillance can serve many purposes, e.g. protection of property and other assets, or collecting evidence for civil claims. These monitoring purposes should be documented in writing and specified for every surveillance camera in use. Drones used for the same purpose by a single controller can be documented together, provided every camera in use has a documented purpose. Furthermore, data subjects must be informed of the purpose(s) of the processing in accordance with Article 13. Drone surveillance based on the mere purpose of “safety” or “for your safety” is not sufficiently specific, and is also contrary to the principle that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Existence of legitimate interests

Drone video surveillance is lawful if it is necessary in order to meet the purpose of a legitimate interest pursued by a controller or a third party, unless such interests are overridden by the data subject’s interests or fundamental rights and freedoms. Legitimate interests pursued by a controller or a third party can be legal, economic, or non-material interests. However, the controller should bear in mind that if a data subject objects to the surveillance in accordance with Article 21, the controller can only continue Drone surveillance of that data subject on the basis of a compelling legitimate interest which overrides the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. The legitimate interest must really exist and must be a present issue (i.e. it must not be fictional or speculative). A real-life situation of distress needs to be at hand, such as damage or serious incidents in the past, before starting the surveillance. Considering the principle of accountability, controllers would be well advised to document relevant incidents (date, manner, financial loss) and any related criminal charges. Such documented incidents can be strong evidence for the existence of a legitimate interest. The GDPR also clearly states that public authorities cannot rely on legitimate interests as a basis for processing carried out in the performance of their tasks.

Necessity of processing

Personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). Before deploying a Drone surveillance system, the controller should always critically examine whether this measure is, firstly, suitable to attain the desired goal and, secondly, adequate and necessary for its purposes. Drone video surveillance should only be chosen if the purpose of the processing could not reasonably be fulfilled by other means that are less intrusive to the fundamental rights and freedoms of the data subject.

Before operating a Drone camera system, the controller is obliged to assess where and when Drone surveillance measures are strictly necessary; in many cases a drone surveillance system will only need to operate during normal daylight working hours. Questions of necessity also arise regarding the way evidence is preserved. In some cases it might be necessary to use “black box” solutions, where the footage is automatically deleted after a set storage period and only accessed in case of an incident. In other situations it might not be necessary to record the video material at all, and more appropriate to use real-time monitoring instead. The choice between black box solutions and real-time monitoring should also be driven by the purpose pursued: if, for example, the purpose of ‘Drone’ surveillance is the preservation of evidence, real-time methods are usually not suitable, while in other cases real-time monitoring may be more intrusive than storing material and automatically deleting it after a limited timeframe. The data minimisation principle must be regarded in this context. It should also be kept in mind that the controller might be able to use security personnel, who can react and intervene immediately, instead of video surveillance.

Balancing of interest

Presuming that the ‘Drone’ surveillance is necessary to protect the legitimate interests of a controller (or rests on another legal basis), a ‘Drone’ surveillance system may only be put into operation if the legitimate interests of the controller or those of a third party (e.g. protection of property or physical integrity) are not overridden by the interests or fundamental rights and freedoms of the data subject. The controller needs to consider:

1) to what extent the monitoring affects the legitimate interests, fundamental rights and freedoms of individuals, and
2) whether this results in violations of, or negative consequences for, the data subject’s rights.

Balancing the interests is mandatory: fundamental rights and freedoms on the one hand and the controller’s legitimate interests on the other must be evaluated and balanced carefully.

Making case-by-case decisions

As the balancing of interests is mandatory under the regulation, the decision has to be made on a case-by-case basis. Referencing abstract situations or comparing similar cases to one another is insufficient. The controller must evaluate the risk of intrusion into the data subject’s rights; here the decisive criterion is the intensity of the interference with the rights and freedoms of the individual. Intensity can be defined, inter alia, by the type of information gathered (information content), the scope (information density, spatial and geographical extent), the number of data subjects concerned (as a specific number or as a proportion of the relevant population), the situation in question, the actual interests of the group of data subjects, the alternative means available, and the nature and scope of the data assessment. Important balancing factors can be the size of the area under surveillance and the number of data subjects under surveillance. The use of drone video surveillance in a remote area (e.g. to watch wildlife or to protect critical infrastructure such as a privately owned radio antenna) has to be assessed differently from ‘Drone’ video surveillance in a pedestrian zone or at a sports event.

Data subjects’ reasonable expectations

The existence of a legitimate interest needs careful assessment, and the reasonable expectations of the data subject at the time and in the context of the processing of their personal data must be taken into account. Concerning systematic monitoring, the relationship between data subject and controller may vary significantly and may affect what reasonable expectations the data subject might have. Data subjects can also expect to be free of monitoring within public areas, especially those typically used for recovery, regeneration and leisure activities, as well as in places where individuals stay and/or communicate, such as sitting areas, tables in restaurants, parks, cinemas and fitness facilities. Here the interests or rights and freedoms of the data subject will often override the controller’s legitimate interests.

Necessity to perform a task carried out in the public interest or in the exercise of official authority vested in the controller

Personal data could be processed through video surveillance under Article 6(1)(e) if it is necessary to perform a task carried out in the public interest or in the exercise of official authority. It may be that the exercise of official authority does not allow for such processing, but other legislative bases such as “health and safety” obligations for the protection of employees and visitors may provide limited scope for processing, while still having regard to GDPR obligations and data subject rights.

Purpose limitation (Art.5(1)(b), GDPR)

A ‘Drone’ Data Controller must ensure it knows what is actually happening with the personal data it processes and whether this goes beyond the purposes stated in the Data Privacy Notice and the Record of Processing Activities. Rogue or well-meaning employees who re-purpose personal data, or third parties who surreptitiously collect personal data, for example by ‘scraping’ data from a website or by profiling, will put a ‘Drone’ Data Controller in breach of Art.5(1)(b), GDPR.

Data minimization (Art.5(1)(c), GDPR)

A ‘Drone’ Data Controller may only process personal data that is necessary for a specific processing activity. For example, if the occupation of a gym member is irrelevant for registration purposes, it should not be recorded, and it would be better to remove this field from the registration process altogether to eliminate unnecessary collection of personal data. To do this, a ‘Drone’ Data Controller should confirm which processes exist in practice:

• are there unknown, informal practices that have not been captured in the Record of Processing Activities?
• has the business owner or database administrator walked through the process to explain what is happening at a technical and organisational level?
• have automated scanning tools been used?
• has the ‘Drone’ Data Controller spoken with front-line staff who access and use the ‘Drone’ databases to see what is happening in the ordinary course of business? Do they understand the broad definition of personal data under the GDPR well enough to answer questions accurately?

Data Minimisation by Architecture

The ‘Drone’ Data Controller should apply the principle of least privilege (POLP) when designing the information system, so that individuals who process personal data only receive what they need for their role; for example, an operator who only needs to confirm that a flight took place should not have access to the footage itself.

Accuracy (Art.5(1)(d), GDPR)

A ‘Drone’ Data Controller must take every reasonable step to ensure inaccurate data is rectified or erased “without delay”. This is technically challenging where personal data has not been obtained directly from the Data Subject, for example through a merger or acquisition or from a data broker.

Storage Limitation (Art.5(1)(e), GDPR)

The ‘Drone’ Data Controller may only store personal data for as long as can be justified by the processing activity, subject to any other legal or regulatory obligation(s). In that case, it is important to confirm which data elements must be retained, as it may not be necessary to retain a complete profile. The GDPR codifies a data lifecycle management best practice, and the ‘Drone’ Data Controller should have processes in place either to automatically destroy or aggregate personal data once the storage time limit has expired, or to trigger a review process. For example, ‘Drone’ footage recorded for security purposes should only be retained long enough to resolve a security incident. If no security incident requires a review of the footage, it should be automatically overwritten by scheduling an automatic overwrite of ‘Drone’ recordings every X days, where X reflects the amount of time usually needed to discover that there is an incident requiring longer retention of the specific footage concerned. Footage that is placed on hold for an incident is kept only until that incident is resolved; the remainder is overwritten in the regular cycle.
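The retention cycle described above is straightforward to automate, and automating it is what turns the policy into something the controller can demonstrate under the accountability principle. The following is an added example (it is not code from the original article or from 6SGlobal) of a retention decision routine: every clip older than the X-day window is marked for overwriting unless it is linked to an incident that is still open, and every decision is written to an audit trail. The 30-day window, the `Clip` record, the incident identifiers and the sample clips are all constructed for illustration and are not values from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, List, Optional

# "X" from the text: how long it usually takes to discover an incident.
# 30 days is an assumed value for the example, not a figure from the article.
RETENTION_DAYS = 30


@dataclass(frozen=True)
class Clip:
    """One recorded drone clip (hypothetical record shape for this example)."""
    clip_id: str
    recorded_at: datetime
    incident_ref: Optional[str] = None  # set when the clip is put on hold for an incident


@dataclass
class RetentionDecision:
    overwrite: List[str] = field(default_factory=list)  # clips to overwrite this cycle
    retain: List[str] = field(default_factory=list)     # clips kept for now
    audit: List[str] = field(default_factory=list)      # one line per decision, for accountability


def apply_retention(
    clips: Iterable[Clip],
    now: datetime,
    retention_days: int = RETENTION_DAYS,
    open_incidents: FrozenSet[str] = frozenset(),
) -> RetentionDecision:
    """Decide which clips are overwritten in the regular cycle and which are held.

    Rules, following the storage limitation principle:
      - a clip linked to an incident that is still open is held, however old it is;
      - any other clip older than retention_days is overwritten;
      - clips inside the window are kept for now and reviewed again next cycle.
    A clip whose incident has since been closed falls back into the normal cycle,
    so a hold never silently becomes indefinite retention.
    """
    decision = RetentionDecision()
    cutoff = now - timedelta(days=retention_days)
    for clip in sorted(clips, key=lambda c: c.recorded_at):
        if clip.incident_ref is not None and clip.incident_ref in open_incidents:
            decision.retain.append(clip.clip_id)
            decision.audit.append(f"{clip.clip_id}: held for open incident {clip.incident_ref}")
        elif clip.recorded_at < cutoff:
            decision.overwrite.append(clip.clip_id)
            decision.audit.append(
                f"{clip.clip_id}: overwritten (recorded {clip.recorded_at.date()}, "
                f"older than {retention_days} days)"
            )
        else:
            decision.retain.append(clip.clip_id)
            decision.audit.append(f"{clip.clip_id}: within retention window")
    return decision


# Constructed sample data: four clips at different ages, one open incident.
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_CLIPS = [
    Clip("clip-001", NOW - timedelta(days=45)),                        # stale, no hold
    Clip("clip-002", NOW - timedelta(days=40), incident_ref="INC-7"),  # stale, incident still open
    Clip("clip-003", NOW - timedelta(days=35), incident_ref="INC-3"),  # stale, incident already closed
    Clip("clip-004", NOW - timedelta(days=10)),                        # inside the window
]
OPEN_INCIDENTS = frozenset({"INC-7"})


def demo() -> RetentionDecision:
    """Run the cycle over the constructed sample and return the decision."""
    return apply_retention(SAMPLE_CLIPS, NOW, open_incidents=OPEN_INCIDENTS)


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

In the sample run, clip-001 and clip-003 are overwritten (clip-003 because incident INC-3 is no longer open), clip-002 survives only because INC-7 is still open, and clip-004 is reviewed again next cycle. The audit lines are what you would hand to a Supervisory Authority to show that the X-day rule is actually enforced rather than merely written in a policy.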

Integrity and Confidentiality (Art.5(1)(f), GDPR)

Technology helps protect the integrity and confidentiality of personal data, but people are the ‘weakest link’ in the value chain. The ‘Drone’ Data Controller should have a process for regularly testing, assessing and evaluating the effectiveness of its technical and organisational measures, including testing policy compliance, gathering metrics and closing the gaps found.

Accountability (Art.5(2), GDPR)

A ‘Drone’ Data Controller must be able to demonstrate compliance with the data protection principles and the GDPR’s processing requirements. The Record of Processing Activities, the DPIA/LIA, certification and codes of conduct can collectively be used to demonstrate compliance. The controller must also ensure that all staff and suppliers are correctly trained and hold only the level of administration rights they need. At the same time, it is important to build in the safeguards the GDPR requires, such as those regarding security and international data transfers; such measures include encryption and pseudonymisation, as well as the other technical and organisational safeguards appropriate to international transfers.

The article concludes in part three.


© 2024 Professional Security Magazine. All rights reserved.
