Drones and data protection: the Spanish Data Protection Agency publishes a new guide to inform users about these operations

Written on 21 Jun 2019

The Spanish Data Protection Agency (AEPD), taking into account the growing use of unmanned aircraft vehicles (drones) among the civilian population, has issued a guide that addresses the data protection impact of this type of aircraft.

Unmanned aircraft vehicles (drones) constitute a growing technological sector with enormous potential. There are calculations that predict the creation of up to 100,000 jobs in Europe directly in the next fifteen years as a result of the development of this technology. The magnitude of its economic impact is still difficult to determine.

Due to this technological reality, the European Union decided to address its regulation in order to ensure greater legal certainty to the Member States. Thus, the European Commission adopted Commission Delegated Regulation (EU) 2019/945 and Commission Implementing Regulation (EU) 2019/947, which will replace the existing national standards on this matter.

The foreseeable universalization of the use of drones is well known and the debate on the data protection implications of this technology is more vibrant than ever. For this reason, the Spanish Data Protection Agency decided to join the challenge undertaken by the European Union and published the guide “Drones and Data Protection”, which offers a series of data protection recommendations to drone operators.

The Spanish Data Protection Agency issued this guide in accordance with the provisions of Royal Decree 1036/2017, of 15 December, which regulates the civilian use of piloted aircraft by remote control, establishing, in its article 26, the obligation of the drone operators to “adopt the necessary measures to ensure compliance with the provisions of personal data protection and privacy protection”. Therefore, to address this aspect, the guide provides various scenarios in which it sets out how this aspect, in each case, should be taken into consideration to ensure the correct processing of personal data, given the technology applied to certain devices (GPS, video cameras, even 3D scanners and mobile device detection systems), in order to avoid any violation of the rights and freedoms of citizens. Thus, the different types of operations are identified as follows:

  • Operations that do not include processing personal data: although operations can be carried out with drones that, given their basic configuration, do not capture images, sounds or any other type of personal information, it must be ensured that no individual can be identified or that their anonymization is set before sharing this captured image or video on the internet. Otherwise the provisions of the General Data Protection Regulation (“GDPR“) and the Organic Law of Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD“) would be fully applicable. Operations carried out in the recreational or domestic field usually include these purposes.
  • Operations with the possibility of processing personal data: this case includes those circumstances in which, although it is not the main objective, capturing personal data may occur unintentionally (for example, when inspecting infrastructures and treatments in agriculture). The Spanish Data Protection Agency offers several recommendations to minimize the impact that these operations may have on individuals, such as carrying out flights at times when there is not a large public influx, capturing images in such a way that the people that appear in them cannot be identified (adjusting the image to the minimum resolution possible) or reducing the granularity of the geolocation.
  • Operations whose purpose is the processing of personal data: this section covers those operations that, due to their nature, involve the processing of personal data, such as video surveillance and recording events. In these cases, in which the provisions of the GDPR and the LOPDGDD will be fully applicable, as well as what is established in the guide on the use of security cameras (more information can be found in our post), it is important to define, among other aspects, in what capacity the drone operator acts (whether as data controller or data processor with regard to the personal data obtained), and to protect the right to information of the individuals that may be affected.

The guide also offers a series of recommendations to take into account before operating the drone, such as carrying out a data protection risk analysis and, where appropriate, carrying out a data protection impact assessment when the processing involves a high risk for the rights and freedoms of citizens. The Spanish Data Protection Agency also presents a section containing a follow-up of common processing personal data issues that may arise from using the drone.

In short, the publication of this guide is the result of the increasing use of piloted aircraft by remote control, not only for the professional field but also for private individuals. With this, the Spanish Data Protection Agency decided to throw light where technological advances involve unfamiliar scenarios and case studies for processing personal data in order to ensure greater legal security for the operations carried out with drones within the European Union.