A recent investigation by The Independent revealed a dramatic increase in incidents involving drones being reported to the police this year.
Disturbingly, the incidents reportedly include over-flying children’s playgrounds by paedophiles, peeping toms peering through bedroom windows, spying on ATM users to steal PIN codes, and watching for empty homes to enable burglary.
The report, published on 8 August, commented on the apparent lack of legislation governing the use of drones and cited calls for regulation.
However, despite the perception that they are unregulated, operators should be aware that where drones are used to capture information about individuals, they are likely to be subject to existing data protection law.
In the UK, data protection law is currently under reform, and likely to be superseded by legislation that includes significant penalties for those who breach its provisions.
Accordingly, drone operators must ensure they do not infringe individuals’ privacy or risk heavy fines.
What are drones?
Drones, or ‘unmanned aerial vehicles’ (UAVs), have existed for decades in a military context, however in recent years have increasingly been used for a wide range of civilian purposes.
Drones may be remote controlled, fully automated or a combination of the two, and they frequently incorporate a very high-resolution camera. They may also be designed to deliver a payload, and used for applications such as parcel delivery.
>See also: How to solve the danger of the drone
Over the last few years, technological advances have reduced costs, making drones more accessible to individuals and businesses. Widely available, a drone incorporating a 4K high-resolution camera may be purchased for only a few hundred pounds.
Increased accessibility has enabled a wider range of users – from individuals and small businesses to the largest organisations – to use drones for a broad range of applications that may previously have been prohibitively costly.
The ability to capture aerial footage cost effectively holds appeal for a broad range of organisations, enabling the use of drones in a variety of settings such as film and TV production, surveying, agriculture, policing, security and surveillance.
Drones are already used in a civil context for applications such as conducting highly accurate land surveys, aerial photography for residential or commercial property sales, searching agricultural land for invasive species, monitoring for law-enforcement purposes, and security to prevent unauthorised or illegal access to the Channel Tunnel.
Less obvious civil uses include inspecting inaccessible parts of a refinery by a major oil company, detection and prevention of poaching in a wildlife reserve, and inspecting airliners for routine maintenance.
As costs decrease and functionality is enhanced, operators in the private, public and third sectors will find an ever-increasing number of applications for drones.
The potential to cause physical damage to air traffic and individuals is readily apparent and well-publicised. More subtle is the potential privacy risk arising by virtue of drones’ ability to capture footage from private locations, potentially undetected by virtue of their compact size and low noise output.
Drone operators, whether individuals or corporations, have the ability to collect images and footage of individuals in private and hitherto inaccessible locations, potentially undetected by the individual.
While responsible operators are unlikely to deliberately engage in overtly intrusive activities such as voyeurism or criminal ‘snooping’ (notwithstanding rogue employees or contractors), they may inadvertently breach data protection rules by inappropriate collection or subsequent use and storage of personal information.
Organisations and individuals in the UK that collect information about living individuals must generally comply with the Data Protection Act 1998 (DPA). The DPA regulates the use of personal information, by imposing a number of obligations upon those who collect it, in particular that such collection and use must be ‘fair and lawful’.
Failure to comply with the DPA may result in fines of up to £500,000. However, the DPA is under reform and likely, notwithstanding Brexit, to be replaced with the European General Data Protection Regulation (GDPR).
The GDPR grants data protection authorities a range of powers including the ability to issue fines of up to 4% worldwide annual turnover or €20,000,000. Further, the English courts recently recognised the tort or civil wrong of misuse of private information, albeit untested to date.
This could potentially enable individuals to claim for compensation where they suffer pure distress (i.e. no financial loss) as a result of misuse of their personal information.
A drone operator that breaches individuals’ privacy risks regulatory action from the data protection authority as well as civil litigation from the affected data subject, not forgetting the potential reputational damage.
The increasing recognition of privacy as a fundamental human right and ever-stricter data protection legislation mean that the legal and regulatory risk are become greater.
Accordingly, anyone considering using drones for a civil purpose should make sure their use, and any use of the information collected by them, strictly complies with the DPA and the GDPR when it comes into force.
It is not true to say that the use of drones is unregulated – and when it comes to data protection law, ignorance is no defence.
Sourced from, James Castro-Edwards, partner and head of data protection law, Wedlake Bell