The Future of Unmanned Flight (Part 3): Data Protection & Privacy     

Introduction & Legal Framework 

This article is part of the “Future of Unmanned Flight” series, which presents the current regulatory framework of drones in the EU and Bulgaria, examines open issues regarding privacy, data protection, liability, insurance, and any other developments in the growing industry of unmanned flight.

Be sure to regularly check the Kambourov & Partners’ website and social media accounts for analyses, news and updates regarding the regulatory world of drones.   


As the industry of commercial drone operation develops, there are two questions that loom larger than all others: Will my privacy be respected? How is my personal data going to be processed? To be operated, most drones are equipped with video cameras, which capture images capable of being used in a wide array of privacy-violating ways, such as “high power zoom, facial recognition, behaviour profiling, movement detection, number plate recognition, thermal sensors, night vision, radar, see-through imaging, Wi-fi sensors, microphones and audio-recording systems, biometric sensors, [...] etc.” (1). It is no secret that the capabilities of drones and the add-on systems available for them benefit from the small size and difficult detectability of the novel aircraft, which, according to the European Parliament, can lead to a state of surveillance greatly surpassing its current form.

The European Data Protection Supervisor (“EDPS”) has published a number of opinions on the privacy issues that commercial civilian unmanned aircraft systems (“UAS”) raise. The EDPS has pointed out that the EU, in contrast to other jurisdictions like the US, acknowledges that the right of privacy must be ensured not only in one’s private sphere but also in public. However, the EDPS has pointed to the lower price, non-detectability, greater access to public and private spaces and automated following of specific people or groups as some of the problem-producing aspects of unmanned aircraft compared to similar tools like satellites, airplanes, helicopters and CCTV (2). The greater mobility of drones in relation to the most popular current tool of surveillance, CCTV, creates the possibility for dynamic information gathering, meaning that a target could be followed for prolonged periods of time while additional data points of interest are recorded in real time, allowing a network of surveillance targets to grow immediately and organically.

Legal Framework

This description of the novel technology’s surveillance capabilities can be a cause for worry for a lot of people. However, it must be pointed out that regulators at both the EU and national level have every incentive to make the use of drones for commercial purposes possible, and the only way in which this can be achieved is through the development of strict rules on their privacy-related capabilities, so as to ensure the acceptance of the public and the continued protection of the social order.

The protection of privacy and data in the current legal framework is based on the General Data Protection Regulation, which was adopted as a way to uniformly protect the privacy and personal data of individuals from abuse by businesses and to control the export of such data outside the EU (3). According to Article 35 of the GDPR, a Data Protection Impact Assessment (“DPIA”) is required when a new technology with large-scale data processing capabilities is developed. This DPIA must include a comprehensive description of the potential processing abilities and an assessment of whether they are proportional and necessary for the purposes of the operation. Furthermore, the risks those capabilities pose to rights and freedoms are also assessed, and appropriate risk-mitigating measures, safeguards and mechanisms must be adopted as part of the DPIA. All of this is to be conducted by the independent supervisory authority of each Member State as established by Article 51 of the GDPR.

Apart from the DPIA, Article 25 of the GDPR created an EU-wide requirement for privacy by design and by default. This has been transposed into Annex IX of the new Basic EASA Regulation (you can read more about the Regulation in the first part of the series) as a requirement for manufacturers. Even though the national data protection supervisory bodies are responsible for certifying privacy by design (Art. 43 GDPR), major differences between Member States are unlikely due to the cross-border nature of both the manufacturing and the usage of UAS, which would require, if not uniformity in measures, at least mutual recognition. In this sense, the EDPS has proposed five standardized principles for privacy by design for UAS:

1) legislation should create different classes of sensors depending on the objectives of the drone operation, which should be connected with the different types of operation categories, and privacy risks should carry the same weight as physical risks;

2) data retention by design, including automatic scheduled deletion of data;

3) data protection functionalities like the possibility to disengage certain types of sensors during flight, automatic masking of private areas and pixelating of faces;

4) those functionalities should be the default settings;

5) clear communication to drone operators of the privacy and data concerns that can arise during operations (4).

(1) Marzocchi, O. (2015). Privacy and Data Protection Implications of the Civil Use of Drones: In-depth Analysis. European Parliament, p. 21.

(2) Bassi, E. (2019). European Drones Regulation: Today’s Legal Challenges. In 2019 International Conference on Unmanned Aircraft Systems (ICUAS) (pp. 443-450). IEEE.

(3) Regulation (EU) 2016/679 – “GDPR”   

(4) European Data Protection Supervisor (2014). A new era for aviation – Opening the aviation market to the civil use of remotely piloted aircraft systems in a safe and sustainable manner.