October 2014: The Impact of Remotely Piloted Aircraft Systems (Drones) on Privacy and Data Protection


The Impact of Remotely Piloted Aircraft Systems (Drones) on Privacy and Data Protection


Remotely Piloted Aircraft Systems (RPAS) – or drones – are since years widely used for military purposes. Only in recent years RPAS are also used for civilian and commercial purposes. Society has accepted the curtailment of the individual’s privacy rights in order to benefit from technological progress.

The individual live is under constant surveillance. One cannot determine the effects yet that this all new control and control infrastructure will have on personal behaviour.

Governments and law enforcement agencies are advocating that the need to protect society is justifying encroachment of personal lives.

RPAS is a new tool, which is being deployed to collect information for civilian as well as military purposes. These aircraft are capable of flying silently for more than 24 hours at considerable range, loiter over targets and collect a considerable amount of information.

The Privacy Right
The personal sphere of the individual was recognized by the Universal Declaration of Human Rights of December 10th,1948 (Article 12) which states that no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

The European Convention of Human Rights in Europe recognized the existence of the individual’s right to respect for his private and family life, his home and correspondence, prohibiting any undue or unlawful interference by public authorities with the exercise of this fundamental right except such as is in accordance with the law and is necessary in a democratic society in the interest of the national security, public safety of the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The European Court of Human Rights has never provided a conclusive definition of privacy, and in Niemietz vs Germany emphasized the risk of imposing excessively narrow boundaries to this right.

The notions of privacy and data protection, while inextricably linked and liable to overlap in some cases, should however not be confused. While privacy rights apply to a wide range of conducts and practices, data protection legislation mostly concerns itself with the requirement that personal data must be processed fairly and for a specified purpose (or in other words, according to due process) and with the consent of the subjects concerned.

The spatial boundary between private property and public space is particularly relevant in the case of RPAS. There can be no doubt that the (intentional or unintentional) collection of information from satellites or aircraft or RPAS flying over private property would represent a significant threat for privacy rights.

RPAS1Most national and international privacy regimes recognize the need to limit the exercise of privacy rights. The Convention for the protection of individuals with regard to automatic processing of personal data of 28 January 1981, “Recognizing that it is necessary to reconcile the fundamental values of the respect for privacy and the free flow of information between peoples”, under Article 9 allows derogations for: “a) protecting State security, public safety, the monetary interests of the State or the suppression of criminal offenses; b) protecting the data subject or the rights and freedoms of others”.

The same derogations have been reiterated by Directive 95/46/EC and Regulation 2001/45/EC, which allow restrictions to privacy rights in the presence of certain competing public interests.

So far, RPAS have been employed exclusively by States or public entities, and mainly for security purposes. The cost of operation and maintenance of drones is however today easily within reach of corporations and even private citizens. These RPAS can be easily (and cheaply) fitted with cameras, sensors and recording devices that may collect a large number of data.

Privacy and Data Protection within the existing EU legal Framework
Article 6 of the Treaty on European Union committed the European Union to accede to the European Convention of Human Rights and article 7 of the EU Charter of Fundamental Rights (which became binding in December 2009 when the Lisbon Treaty finally came into force) replaced the right of privacy of “correspondence” with the right of privacy of “communications”.

The 1981 Convention was prompted by the need to assert the social responsibility of those who handle sensitive data as a curb to their growing information power and to “streamline the uneven and conflicting data protection laws among the European States”.

Directive 95/46/EC marked an overhaul of data protection legislation in Europe and had a lasting influence on EU law and jurisprudence. The Directive committed Member States to protect the individual’s right to privacy as regards the processing of personal data, defined as “any information relating to an identified or identifiable natural person (‘data subject’).

Directive 95/46/EC also recognizes the data subject’s “right of access”, that is the right to obtain from the controller confirmation as to whether data relating to him is being processed and, in case of violation of the Directive, the right to demand rectification, erasure or blocking of data”.

Directive 95/46/EC had a profound and lasting influence on privacy regimes all over Europe, prompting the rise of “omnibus” privacy laws, that is to say laws that “establish regulatory standards for a broad area” (as opposed to “sectorial” or “sector-specific” laws).

However, a major limitation of the regime set up by Directive 95/46/EC is that it leaves considerable (and perhaps excessive) leeway to national lawmakers in a field that would probably require a unified approach.

Two years later, Directive 97/66/EC on privacy and electronic communications was adopted, to regulate specific areas, which had not been addressed by Directive 95/46/EC. This Directive was amended in 2002 by Directive 2002/58/EC on privacy and electronic communications, also called the “ePrivacy Directive”. Like Directive 95/46, also the ePrivacy Directive recognizes the right of Member States to adopt measures, which curtail privacy rights for law enforcement reasons and other public interests.

Directive 2002/58/EC was in turn amended in 2009 by Directive 2009/136/EC, which is part of the so-called “Telecoms Package”: a legislative framework designed to regulate the electronic communications sector, amending the existing rules. The “Telecoms Package” includes also a general framework Directive, and Regulation 1211/2009, which established a Body of European Regulators for Electronic Communications (BEREC).

In January 2012, the Commission published two draft instruments to radically reform the existing regulatory framework: the transformation of Directive 95/46/EC into a “General Data Protection Regulation” (which will apply to data collection and processing by private or commercial RPAS operators) and a Directive regulating sensitive data processing by law enforcement authorities.

Following the EU-US conference on privacy and data protection in March 2012, the Civil Liberties, Justice and Home Affaires (LIBE) committee of the European parliament has started debating the proposals tabled by the Commission. The rapporteurs, Mr Jan Philipp Albrecht MEP and Mr Dimitrios Droutsas MEP emphasized the need to replace Directive 95/46/EC, which has “failed to achieve a proper harmonisation due to the different implementation of provisions in the Member States”, with a directly applicable Regulation.

RPAS3Do RPAS require a dedicated regulatory framework on privacy and data protection?
Existing manned aircraft or satellites may already be fitted with cameras and sensors to collect data, images and any other kind of information, and it would appear therefore that RPAS do not add anything new to the existing data-gathering tools and technologies.

However, RPAS represent a far cheaper and more versatile tool (especially if compared to satellite systems), which could be employed by a much higher number of operators. Apparently, a few million of small RPAS (up to 20 kg) already operate – sometimes illegally – in the world marketplace. Moreover, the increasing use of RPAS by public entities for security or law enforcement purposes has raised serious concerns among scholars and the general public, who have expressed serious reservation about some kind of “Orwellian technology” which could be used to subject individuals to continuous surveillance even without their knowledge.

A very effective way of protecting privacy rights might also be to “embed” privacy and data protection rules in the technology that now threatens it. Privacy by design might prove an extremely useful tool to ensure effective enforcement of EU and national legislation, especially where mini RPAS are concerned. This tool has been made much more effective by tremendous strides in the field of artificial intelligence, and its importance had already been acknowledged by the EU lawmakers in Directive 95/46/EC. However a dedicated set of rules may now have become indispensable.

A more stringent discipline might be accompanied and complemented by codes of ethics, to help law enforcement agencies navigate this “grey area” and to promote best practices. Actually, Directive 95/46/EC had already acknowledge the importance of a code of conduct that would contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors.

With regard to the use that police and law enforcement agencies might make of RPAS, the debate seems to be skewed by a misunderstanding on the notion of “privacy” which has riddled public debate in the last decades and by an rather uncritical assumption of the actual effectiveness of surveillance measures.

These advocates of more pervasive surveillance measures have often tended to reduce privacy to a mere form of “concealment or secrecy”, in an attempt to justify the sacrifice of the “moral autonomy” of the citizen for the pursuit of security concerns.

This brief overview of the development of privacy rights tried to provide some perspective in this regard. It should however be borne in mind that any measure which might infringe upon or curtail privacy rights should be grounded on a reasoned and careful assessment of the security gains which could actually be achieved.

The introduction of RPAS in the European airspace has sparked much controversy and aroused (not always rational) fears. There is a strong concern for the possible reactions to the introduction of RPAS into the civilian airspace that could lead to “dramatize the need to rethink the very nature of privacy law.

The only way to assuage mounting fears and to guarantee the continued protection of the “moral autonomy” of citizens against any undue or unlawful intrusion, seems to be a decisive action on the part of the EU lawmakers: the General Data Protection Regulation currently under discussion might be a great opportunity to this end.

For further information and comment, please contact Arthur Flieger (, +32 3 238 77 66)

© 2014 A. Flieger – This publication is defined to provide accurate and authoritative information in regard to the subject matter covered. It is transmitted with the understanding that the publisher is not engaged in rendering legal, or any other professional services. If legal advice or other expert assistance is required, professional services should be sought. You can always contact A. Flieger at