Civilian drones are becoming ever-more widely used, and are raising incredible privacy concerns. In the US, if their use becomes even more prevalent, expect to lose any right to privacy at all. Europe is far more conservative in this regard.
Starting as simple gadgets meant for technology hobbyists, drones have evolved considerably from the beginning of the 21st Century. With miniaturization and exponential improvements in computing power and storage technologies, driven by the military as well as the mobile telephony market, drones have gained massive boosts in utility and precision. This has also meant that, with the ubiquity of drones, the government, private companies and individuals are increasingly collecting and storing information gathered by such drones, including video, audio, locational information, and even biometric information through facial recognition software.
Drones have become ubiquitous in their use in several countries. Technically termed Unmanned Aerial Vehicles (UAVs) – I will use the terms ‘UAV’ and ‘drones’ interchangeably – their history can be traced back to 1849 when the Austrians first used balloons to launch timed bombs on Italy. Since then, the progress of such technology has been tremendous, with cutting edge technology being the Predator Drones developed by the United States of America in their use for targeted strikes in areas outside their jurisdiction. Apart from such combat uses, however, there are also multiple civilian applications that have been predicted to impact the economy in a substantial manner; with an industry foreseen as being in excess of $100 Billion by 2025. To begin with, I will discuss the existing technological and legal variables involved in the use of drones. The post will then move on to an analysis of these variables in the context of civilian privacy in the United States of America and the European Economic Area. These areas have been chosen specifically due to the prevalence of drones in them. The post will then conclude with possible suggestions towards a more responsible usage of drone technology for the protection of the right to privacy.
Drone technology can be distinctly categorized into two subsets: the hardware (involving the drone itself) and the software (progressing from remote controlled operations to autonomous use). The post will discuss each of these separately.
For our purposes, I will be categorizing UAVs into two broad classes: those used for military applications, and those used for civilian ones. Note that each category has multiple subcategories, since this is an exponentially growing area, but I will focus on the civilian use of drones. Civilian drones can be categorized as follows:
- Rotary Drones
These are the most widely used drone types, simply because they provide a stable platform requiring minimal space for take-offs, which can be used to add cameras and sensors. This is balanced by lower payload capacity, short durations, speed and range of flight.
- Fixed Wing Drones
These types are used for their ability to carry heavier payloads and provide higher speeds and range of flight. However, this is offset by their need for larger space for take-offs and landings, as well as having a forward-only motion with a requirement for wind to generate lift.
This differentiation is important because the type of drone determines the level of intrusion into the privacy of civilians. As stated above, rotary drones form excellent stationary or multi-axis platforms for mounting cameras with a 360-degree view around them, while fixed wing drones form excellent terrain mapping platforms where covering a large area is more important. Intrusions into privacy can be further discussed with an understanding of the sensors involved with drone technology that may be relevant:
- Cameras: Most popular conceptions of drones have them carrying cameras with variable quality. Models such as the Parrot AR Drone 2 and the DJI Phantom range can carry extremely high quality video and still frame cameras that capture high quality content. Of course, the cameras need not be limited to the visible range of the spectrum; they may also encompass infrared and other invisible parts of the spectrum. These can detect variables such as heat and vegetation.
- Geolocation: Drones can also be equipped with GPS sensors to track the exact location of the drone – and therefore the data that it has collected.
- Flight Control Sensors: This makes it easier to fly the drone, and can include an accelerometer, gyroscope, barometer, compass, etc.
Data gathered by these sensors can be combined to provide further insight; this is termed as ‘sensor fusion’ and can be used, amongst other things, to detect and track people and vehicles in real time using thermal imagery and Gaussian shape matching. This depends entirely on the software used along with the drone. “Hobbyist” drones with a camera would provide no more than raw video or still footage, while sophisticated commercial drones can have dozens of uses based on the analysis of the data collected.
Another aspect of software used is the autonomy provided to a drone. Drones can be operated remotely by a pilot, or they can be granted a degree of autonomy where the drone can “make decisions without human intervention”.
I will discuss the legal framework regarding drones on the basis of economic regions, as follows:
Within the USA, regulations have been set up by the Federal Aviation Administration (FAA). The FAA requires commercial (non-recreational) users of drones to procure a Certificate of Waiver or Authorization (COA) before operating their drones. This is meant to form a step in the process of integrating “Unmanned Aerial Systems” (UAS) with the American National Airspace System (NAS); this was a requirement of the FAA Modernization and Reform Act of 2012 passed in the USA to ensure applicability of laws to drones.
In the EEA, drones are called “Remotely Piloted Aircraft Systems” (RPAS). Currently, regulations require that any drone over 150kg are regulated in the same way as manned aircraft, with each country within the EEA having the ability to regulate drones below that threshold as they see fit. The European Aviation Safety Agency (EASA) released a request for comments regarding the regulation of RPAS on 31 July, 2015, with a closing date for comments on 15 September, 2015. The new proposal tries to classify drones on the basis of the safety of their usage; from the “Open” Category, entailing low risk, which need to follow certain minimum safety rules; “Specific” Category, entailing medium risk, with authorization by a national aviation authority (NAA); to the “Certified” Category, entailing higher risk, which is equated with manned aviation regarding regulations.
With a discussion regarding the variables in the technology of drones, and the legal basis of their operations, let us now focus on the privacy aspects of regulation of drones. For the purposes of such an analysis, legality will be discussed on the basis of the collection of personal data, and the analysis of such data. To recap, the possible types of data that may be relevant in the context of drones are: raw video and still footage of persons, thermal imagery, geolocation, speed, air pressure, direction, and more.
To delve further into the impact of drones on the right to privacy, let us first look into a brief description of this right itself.
In the USA, while ‘privacy’ has not been explicitly mentioned, the Fourth Amendment to the Constitution has been interpreted, in an established manner, to give such a right to privacy to its citizens. The Fourth Amendment states, specifically:
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
Importantly, this Amendment depends on an ‘expectation of privacy’ in an individual, the breach of which leads to a breach of the right to privacy.
The Council of Europe has signed and ratified the European Convention on Human Rights, Article 8 of which clearly mentions the right to privacy. Article 8(1) mentions that everyone “has the right to respect for his private and family life, his home and his correspondence”. This Article makes certain exceptions with regard to intrusions to this right by a public authority; however, since civil and commercial usage of drones is discussed here, these exceptions fall outside the scope of this post.
From a technological perspective, the right to privacy has been covered under the Data Protection Directive (DPD), which handles such a right by ensuring that adequate safeguards are in place while processing personal data of persons situated within the European Union.
Ostensibly the lesser infraction of the right to privacy when held against data analytics (discussed later), it is nevertheless necessary to delve into the implications of pervasive and, in the context of drones, possibly surreptitious collection of personal data.
Note that I am looking into the regulatory angle only, since an analysis of court judgments would make this post far longer than it already is.
With the Fourth Amendment discussed above, the Supreme Court of the United States has provided certain clear judgments regarding surveillance of private property by other individuals. The right to privacy from unmanned civilian drones has been a subject of State, and not Federal, regulation. Typically, drones would be affected by three kinds of laws: tort claims for trespass onto private property; specialized rules such as wiretapping, anti-voyeurism and anti-paparazzi regulations; and specific laws created to block surveillance by private drones.
It has also been argued that Fourth Amendment jurisprudence could be made applicable on drone operation. The Supreme Court has held that a two criteria test must be followed for the collection of data: “that a person have exhibited an actual (subjective) expectation of privacy” and “that the expectation be one that society is prepared to recognize as ‘reasonable.’” However, this would still be subject to State laws, such as those of Idaho, Texas and Oregon which focus on the private use of drones. These statutes generally restrict usage of drones without written consent (Idaho), provide a blanket ban on list of uses but with a list of exceptions (Texas), or allows private property owners to bring an action against drone operators flying below an altitude of 400 feet (Oregon).
In this manner, while there are no clear case laws yet specifically regarding the collection of data by drones, it can be stated that existing rules, regulations and court precedent could be applied to restrict collection in cases where the ‘reasonable expectation of privacy’ has been breached, or where drone operation goes against federal aviation regulations.
With the existence of Article 8 of the ECHR and the DPD, regulation regarding the collection of personal or private data in general has been clearly established. However, its application to drones has not been well settled. The Article 29 Working Party (WP29), in its opinion on the use of drones, as well as the opinion of the European Data Protection Supervisor (EDPS), have provided some clarity on this issue.
The DPD clearly defines “personal data” to mean “any information relating to an identified or identifiable natural person”, such a person being a “data subject”. Information collected by drones could be used to directly or indirectly identify a data subject, through video and still footage of persons, as well as through the analysis of geolocation data and its correlation with home addresses. Further, personal data that could reveal racial or ethnic origin has been termed as a special category of data. As discussed regarding the sensor technologies present in drones, video and still imagery could certainly be categorized as sensitive data since it would reveal a person’s racial or ethnic origin.
The EDPS has clarified that drones (or RPAS in the EU) must be classified distinctly from manned flights and CCT due to their “mobility and discretion”, as well as their ability to collect data from various sensors. The EDPS has also clarified that personal and commercial use of drones must fall under the ambit of the DPD and its national implementations. The WP29 opinion has stressed on the importance of identifying the “controller” as defined under the DPD – being the entity that determines the purposes and means of processing personal data.
Specifically in relation to the collection of personal data, let us look into the concept of “data quality” identified by the DPD in order to make the processing of personal data legitimate. Apart from the requirement for data to be processed fairly and lawfully, it must also be collected for “specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes”. This is difficult to determine with regard to drones for the simple fact that they may collect personal data inadvertently while being used for purposes that do not require them to collect personal data. For example, it is estimated that 80% of the use of drones by 2025 will be for farming purposes; this purpose does not require any personal data to be collected, but with video monitoring being conducted anyway, the presence of persons may be captured without them being given notice of such collection.
Articles 10 and 11 of the DPD specifically require that a data subject be given notice of personal data being collected. The WP29 Opinion recommends that such a scenario could be covered by ensuring that drones are always highly visible, with notices posted to inform potential data subjects that their data will be captured. The Opinion also recommends that drone operators post information on the internet to provide constant updates regarding the usage of drones. The WP29 also suggests the creation of national or international information resources where larger areas are covered by drones and informing the data subjects may prove conventionally impossible.
A much larger concern arises when the aggregation of multiple types of data is considered. Combination of multiple sensors can lead to vastly improved data analyses, which could allow individual and commercial drone operators the ability to track persons and vehicles with ease, given the right software capability. Their basis in regulations is discussed below.
The USA has developed the “probabilistic model” when dealing with the right to privacy. This essentially means that “a reasonable expectation of privacy depends on the chance that a sensible person would predict that he would maintain his privacy based on prevailing social norms”. On applying this model to drones, this would imply that an increase in ubiquity of drone operations could actually work against the right to privacy, since such prevalent use would suggest that a ‘sensible person’ could actually reasonably expect that he or she would be monitored. The Supreme Court of the United States, while dealing with this aspect, stated that “the defendant had no reasonable expectation of privacy because anyone could fly over his property at the same altitude flown at by the police such that sensible people would not expect to maintain their privacy from overflights in legally navigable airspace.”
This essentially means that the right to privacy, as it stands now, is not very well protected in relation to the analysis of data collected by drones. An individual’s privacy is protected at this stage simply because drone technology is not commonplace.
The processing of personal data in the EU is subject to certain ‘processing grounds’ that make such processing legitimate. Since I have restricted myself to civilian and commercial use, the specific processing grounds that may apply to the use of drones include unambiguous consent, necessity for the performance of a contract and necessity for the purposes of legitimate interests pursued by the controller or the third party to whom data is disclosed.
Unambiguous consent could be a processing ground, in accordance with WP29’s Opinion, if for example a sports team’s training is being recorded with no spectators present. With regard to performance of a contract, the person purchasing a drone, or drone services (such as professional filmography) would necessarily legitimize processing of personal data through the contract between the drone manufacturer (or service provider) and such person. However, as noted by the WP29, this would not cover the processing of personal data of third parties incidentally affected through the use of such drones. With regard to legitimate interests of a controller, this could include drone operations necessary “for pipe or power line inspection or for critical infrastructure surveillance or aerial photogrammetry, atmosphere and meteorological research, wind energy monitoring, hurricane tracking, archaeological site mapping, sea ice monitoring, [and] wildlife research”. However, per the European Court of Justice’s ruling, simple economic interest may not be able to justify the use of such drones.
In general, however, a reading of the legal framework above suggests that the protection of an individual’s right to privacy has been given due importance with regard to drones. Some Member States have also issues guidelines for responsible usage of drones, such the United Kingdom’s Information Commissioner’s Office (ICO). The ICO suggests that organizations using drones provide a “strong justification for their use”, and come up with “innovative ways” to inform the public that their personal data may be collected.
Drone technology is increasing at a rapid pace. The variables of drone technology, such as software (sensor quality, including video and still footage), as well as hardware (range, altitude, payload capacity and stamina of drones), even for civilian and commercial purposes, have progressed tremendously in the past decade. With many companies contemplating the use of drones for the provision of services, such as Amazon with its pilot programme for the delivery of packages, Dominos delivery pizzas, and others, professional filming for movies, etc. it is becoming increasingly important for drone-specific legislation to be enacted by countries.
A topical analysis of the legislation discussed in the post shows that, relatively, Europe has shown far more willingness to protect the right to privacy of individuals vis-à-vis the United States of America. In Europe, ubiquity of drones is calling for further rules and regulations to be drawn up for the protection of privacy, while in the United States, such commonplace usage may actually work against the right to privacy, considering that the Supreme Court of the United States may hold that privacy may no longer be a reasonable expectation by a sensible individual.
Drone regulation is further complicated by the fact that, with an increase in their range, such drones may cross State or national boundaries, which is currently not provided for, as each State and nation is required to enforce their own privacy rules with regard to drones.
Another complication lies with respect to the categorization of drones. While rotary drones can be used as stationary monitoring platforms, fixed wing drones have larger ranges and can conduct fly-by operations. A question to be answered here is whether a fly-by would still be considered as an intrusion of the privacy of an individual, considering that probabilistically, such an operation would generally not be aimed at breaching that individual’s privacy, but at terrain mapping. Should different regulations apply to different types of drones? On the balance, would such a regulation no longer be considered technology-neutral, and thus in danger of obsolescence?
The coming decade is possibly going to be the most crucial for answering such questions, considering the rapid growth in quality and prevalence of the technology. A right to privacy would necessarily have to be balanced with the economic considerations, since no country would want to obstruct a market with a potential valuation in the tens, or even hundreds, of billions in USD. It is possible that, along with military applications of drones, countries may opt to sign international treaties for the regulation of such technology and the protection of people. At any rate, updates in this field, be it from a technological or regulatory dimension, are very much in the spotlight.
 “Remote Piloted Aerial Vehicles”; http://www.ctie.monash.edu/hargrave/rpav_home.html; last accessed 24/11/2015
 Army-Technology.com; “UAV evolution – how natural selection directed the drone revolution”. http://www.army-technology.com/features/featureuav-evolution-natural-selection-drone-revolution; last accessed 24/11/2015
 AgWired; “Drones to Increase Profitability”. http://agwired.com/2014/01/13/drones-to-increase-profitability/; last accessed: 24/11/2015
 Wired; “What you need to know about commercial drones”. http://www.engadget.com/2014/06/13/commercial-drone-explainer/; last accessed: 24/11/2015
 QuestUAV; “Fixed Wing Versus Rotary Wing For UAV Mapping Applications”. http://www.questuav.com/news/fixed-wing-versus-rotary-wing-for-uav-mapping-applications; last accessed: 24/11/2015
 Ibid at 6
 Brookstone; “Parrot AR.Drone Quadricopter Power Edition”. http://www.brookstone.com/parrot-ar-drone-power-edition-quadricopter/856004p.html; last accessed: 24/11/2015
 RobotShop; “How to Make a Drone / UAV – Lesson 1: Terminology”. http://www.robotshop.com/blog/en/make-uav-lesson-1-platform-rtf-arf-kit-custom-13989; last accessed: 24/11/2015
 Gaszczak, A., Breckon, T.P., Han, J. (2011). “Real-time People and Vehicle Detection from UAV Imagery”. http://proceedings.spiedigitallibrary.org/proceeding.aspx?articleid=731695; last accessed: 24/11/2015
 Shim, D. H, Kim, H. J., Sastry, S.; Hierarchical Control System Synthesis for Rotorcraft-based Unmanned Aerial Vehicles. American Institute of Aeronautics and Astronautics; http://robotics.eecs.berkeley.edu/~sastry/pubs/PDFs%20of%20Pubs2000-2005/Publications%20of%20Postdocs/ShimDavid/ShimHierarchicalControl2000.pdf; last accessed: 24/11/2015
 Federal Aviation Administration, “Certificates of Waiver or Authorization”; http://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/systemops/aaim/organizations/uas/coa/; last accessed: 24/11/2015
 Department of Transportation; “Clarification of the Applicability of Aircraft Registration Requirements for Unmanned Aircraft Systems (UAS) and Request for Information Regarding Electronic Registration for UAS”. http://www.gpo.gov/fdsys/pkg/FR-2015-10-22/html/2015-26874.htm; last accessed: 25/11/2015
 Regulation (EC) No. 216/2008 Of The European Parliament And Of The Council
 EASA, “Civil Drones”; https://easa.europa.eu/easa-and-you/civil-drones-rpas; last accessed: 25/11/2015
 EASA, “Proposal to create common rules for operating drones in Europe”; http://www.easa.europa.eu/system/files/dfu/205933-01-EASA_Summary%20of%20the%20ANPA.pdf; last accessed: 25/11/2015
 Ibid at 20.
 Article 8(2) of the European Convention on Human Rights
 Data Protection Directive 95/46/EC
 John Villasenor, Observations From Above: Unmanned Aircraft Systems and Privacy, 36 Harv. J. L. & Pub. Pol’y 458, 498-508 (2013)
 Brookings, “Civilian Drones, Privacy and the Federal-State Balance”; http://www.brookings.edu/research/reports2/2014/09/civilian-drones-and-privacy; last accessed: 25/11/2015
 Ibid at 19
 Matiteyahu, Taly G., Drone Regulations and Fourth Amendment Rights: The Interaction of State Drone Statutes and the Reasonable Expectation of Privacy (2014). Available at SSRN: http://ssrn.com/abstract=2425776; last accessed: 25/11/2015
 Katz v. United States, 389 U.S. 347, 351, 353 (1967)
 Katz, 389 U.S. at 360 (Harlan, J., concurring)
 Idaho Code Ann. § 21-213 (West 2013)
 Tex. Gov’t Code Ann. § 423.002(a) (West 2013)
 Or. Rev. Stat. Ann. § 837.380 (West 2013)
 Ibid at 27
 WP29, Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones; accessible at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2015/wp231_en.pdf; last accessed: 25/11/2015
 EDPS, Drones, accessible at: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2014/14-11-26_Opinion_RPAS_EN.pdf; last accessed: 25/11/2015
 Article 2(a) of the DPD, ibid at 23
 Article 8 of the DPD, ibid at 23
 Article 6 of the DPD, ibid at 23
 Article 6(1)(b) of the DPD, ibid at 23
 Ibid at 3
 Ibid at 34 at p. 16
 Ibid at 12
 Ibid at 27
 Orin S. Kerr, Four Models of Fourth Amendment Protection, 60 STAN. L. REV. 503, 505–06 (2007)
 California v. Ciraolo, 476 U.S. 207, 213–14 (1986); see supra Part II.B.2.
 Article 7 of the DPD, ibid at 23
 Article 7(a), id
 Article 7(b), id
 Article 7(f), id
 Ibid at 34 at p. 12
 European Court of Justice, Judgment in Case C-
131/12, Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos and Mario Costeja González, 13 May 2014
 Information Commissioner’s Office, “In the picture: A data protection code of practice for surveillance cameras and personal information”. Accessible at: https://ico.org.uk/media/for-organisations/documents/1542/cctv-code-of-practice.pdf; last accessed: 25/11/2015
 Engadget, “Yes, Amazon’s delivery drones are real (maybe)”. http://www.engadget.com/2014/04/10/amazon-delivery-drones/; last accessed: 25/11/2015
 Time, “Delivering Domino’s Pizza by Unmanned Helicopter: What Could Possibly Go Wrong?”. http://techland.time.com/2013/06/03/delivering-dominos-pizza-by-unmanned-helicopter-what-could-possibly-go-wrong/; last accessed: 25/11/2015
 TheWrap, “Hollywood to the FAA: Let Us Use Drones! (Exclusive)”. http://www.thewrap.com/movies/column-post/hollywood-faa-let-us-use-drones-76011/; last accessed: 25/11/2015