On October 15, 2014, the UK Information Commissioner’s Office (ICO) published an updated code of practice for surveillance cameras. Among other topics, the ICO uses the Code to begin to address privacy practices for drones.
Drones are not new, but two factors are now making questions about drones and privacy practices more pressing. First, many drones now include high quality cameras, sourced originally from smart phone technologies, which increases their potential impact on individual privacy. Second, the price of drones has fallen dramatically in recent years — making them increasingly ubiquitous and available for both businesses and consumers. Policymakers in the United Kingdom and in the European Union are currently gathering information and conducting impact assessments to determine whether new legislative rules are needed to deal with the privacy challenges posed by drones, or whether existing data protection rules are sufficient.
The ICO guidance note makes clear that standard data protection rules (and rules governing the use of CCTV cameras) will, in the meantime, apply to the use of drones. It explains that — as with organizations and individuals handling data more generally — drone users should be separated out into professional and commercial users, on the one hand, and hobbyists, on the other. Hobbyists, using drones for purely domestic purposes, are unlikely to be covered by data protection rules — but use of drones for non-domestic purposes will be governed by data protection requirements.
The ICO then goes on to explain that it believes drones have a “high potential for collateral intrusion by recording images of individuals unnecessarily,” and then makes several recommendations in relation to commercial and professional drone use:
- Drone use should be “limited” to avoid “recording…when flying over other areas that may capture images of individuals;”
- Organizations using drones in such circumstances should provide a “strong justification” for their use;
- Organizations should carry out privacy impact assessments prior to using drones to develop such a justification and to develop measures to mitigate privacy impact;
- Recording of individuals from a significant height “should not be continuous;”
- Organizations must seek to provide notice of drone recording to affected individuals, for example using “innovative ways of providing [notice]” such as requiring drone operators to wear brightly colored clothing, distributing signs to affected areas, and maintaining a privacy notice on a website to govern information collected by the drones.
The system that receives the data from the drone is also regulated and should be protected by adequate data security measures, for example, encryption.