FREE BOOK CHAPTER: Third Party Rights – Data Protection and Privacy (from ‘A Practical Guide to Drone Law’ by Rufus Ballaster, Andrew Firman, Eleanor Clot)


In this chapter, we will focus on the new and potential threats to data protection and privacy created by drones and the European, national and drone regulations that are in place to safeguard these rights.

When do Data Protection and Privacy Rights apply to Drones?

It is important to note that not all drone usage will have data protection and privacy implications. The majority of hobbyist drones have no camera mounted on them. With no camera (or other data collection equipment) no data is being collected and there are therefore no potential data protection or privacy breaches. In these instances, the most likely legal remedies available are for the torts of nuisance and/or trespass.

It is only when a camera (or other data collection equipment) is mounted on a drone, that data protection and privacy come into play. This will apply to most commercial drones in operation. The only commercial drone application not involving a camera is likely to be bird drones, used to scare other birds away from fields and runways.

EU and UK Regulations

The European Aviation Safety Agency (EASA) drone regulations deliberately do not address data protection and privacy, as these security issues are deemed to already be sufficiently dealt with in other EU and national regulations. There is no direct assistance to be had from EU drone-specific regulations, but there is plenty of general data protection and privacy legislation at hand to help.

For privacy rights, there is the European Convention on Human Rights, containing the key safeguard to privacy in the EU: “Article 8 Right to respect for private and family life”1. The Human Rights Act 1998 subsequently incorporated the Convention into UK law with an identical “Article 8 Right to respect for private and family life”2.

For data protection, there is the Data Protection Directive 95/46/EC3 that contains the key elements for data processing, in order to protect an individual’s data. In the UK, The Data Protection Act 19984 was enacted to update UK legislation in line with the Data Protection Directive.

The Data Protection Directive is to be replaced by the General Data Protection Regulation (GDPR), which was adopted in April 2016 and will come into force in the UK in May 2018. The GDPR is designed to increase data protection safeguards and harmonise data protection for individuals in the EU. It will introduce changes in this area so is a space to watch, although it is unlikely the law surrounding surveillance/CCTV applicable drones will change that drastically.

UK Data Protection

The UK has a very high level of video surveillance yet members of the public are divided on the benefits of CCTV. When CCTV is attached to a drone, a more complicated debate ensues. Drones can increase the likelihood of data breaches and privacy, as the camera is mobile and therefore has a greater potential area of operation.

Drones with a camera attached have the potential to fall under the Data Protection Act (DPA), the same as any other camera equipment. The Information Commissioner’s Office (ICO) is the data protection regulator in the UK and has included drones in their latest guidance document “In the picture: A data protection code of practice for surveillance cameras and personal information”.5

Information specific to drones is buried in chapter 7 titled “Surveillance technologies other than CCTV systems”, so it is unlikely that the average drone user will come across this information unless they were specifically looking for it.

Shooting drone footage often occurs in public places and photographs/video taken in a public place can be classed as personal data and so fall under data protection regulations. Ideally consent should be obtained from each individual, however in public places, especially large crowds, this is impractical.

Without direct consent, the key test becomes whether the person in the footage had a reasonable expectation of privacy with regards to the images taken. This is assessed on a case by case basis, depending on the circumstances and different thresholds applied. The threshold is lower for figures in the public eye than for general citizens but higher for children.

Another useful ICO guidance document for some drone users is likely to be “Data protection and journalism: a guide for the media”6, which provides guidance on how the DPA applies to journalism.

How existing Drone Regulations indirectly protect privacy

One of the biggest drone fears which is being whipped up into a frenzy in the media is the “peeping Tom” scenario: drones peering in on us whilst we are sunbathing naked in the garden or spying through our windows and catching us in various states of undress within our homes.

There are however, several of the existing drone regulations that should help to allay these fears.

Under current UK drone regulation, drones must maintain a distance of at least 50m from people and buildings not under the control of the person in charge. So unless you are personally involved with the drone which films, it is not permitted to come within 50m of your property. This distance should prevent the majority of drone footage accidentally capturing something from inside one’s home. The 50m distance probably won’t entirely prevent photos from capturing the naked sun bather, however the distance of the shot should make it hard to identify a specific individual’s features.

In addition to this, commercial drone flights are rarely permitted within congested areas, and drone operators must first obtain a Congested Area Operating Safety Certificate (CAOSC) before flying. The UK CAA have issued very few of these and if you live near a city or town centre you are unlikely to see much, if any, drone activity.

Whilst all these preventative regulations sound good, in practice some drone users do not adhere to the rules. This can be seen in the many drone initiated videos across the internet although fortunately, many of these appear to be filmed outside of the UK.

Tighter drone regulations are not necessarily what is required to safeguard people’s privacy but greater awareness and enforcement of the existing regulation would be a good thing.

Civil multirotor drones are ugly, noisy things that are far from inconspicuous when being operated. They are not the military type spy drone that can take your picture without you even knowing it is there. The majority of drones cannot carry cameras with huge telescopic lenses, the likes of which you see the paparazzi using, due to weight, balance and fuel restrictions. So again, this greatly limits the ability for the drone to spy on you.

Let’s try a quick test. Cast your mind back over the last ten years of your everyday life. Now ask yourself this question: how many times have you seen or heard a drone flying around you? For most readers, the number may still be zero, highlighting in itself the smallness of this perceived issue.

Whilst the technology will improve to make “spying” more feasible, by no means is it an imminent threat that we must yet panic about. Whilst drones certainly do provide new ways in which data protection and privacy breaches can occur, they are by no means so unique that the existing legislative framework cannot cope with the potential issues.

Not so special after all

Therefore, the most important aspect to work on in this area is the education of drone users, as currently drone training courses barely touch upon this subject. It is only by understanding and appreciating legal obligations regarding data protection and privacy, that drone users can attempt to fulfil them. This is key to a harmonious future with drones.

More Information / Purchase the Book

5Version 1.1 21/05/2015