The Use of Drones: A Real Challenge to the Protection of Personal Data

How would you feel if a drone[1] fly over your house and record your children while they play in the garden? Something similar happened in Kentucky, when William H. Merideth decided to shoot down his neighbor's drone with his shotgun, arguing that he was spying on his 16-year-old daughter while she sunbathed by the pool. The judge who saw the case released her from responsibility by stating that she had the right to shoot her because they were violating her right to privacy.

The default configuration of any drone includes at least one GPS and a video camera, so through this technology monitoring, surveillance or control functions can be performed, since they produce extremely sharp images. You can add all kinds of data acquisition and processing devices such as thermal imaging cameras, night vision cameras, 3D scanners, WIFI and / or Bluetooth devices, mobile device detection systems, among others. In other words, drones can have highly sensitive sound recording equipment installed and even infrared cameras or mobile communication interception systems. This allows people to be monitored at home, on the street, in their workplaces and even in their places of recreation.

Likewise, drones can be equipped with facial or biometric recognition devices, which allows people to be tracked or followed based on parameters such as height, age, race or sex. Obviously, the owner of a drone can process personal data that affects people's privacy. It should be noted that, unlike a video surveillance camera installed on a facade, drones can fly and move through the skies, which means that they can go unnoticed by citizens while filming them. This leads us to the following question: How can the right to protection of personal data be protected without slowing down the development of this technology[2]?

It should be remembered that the right to data protection is a fundamental right that guarantees the ability of any natural person to decide and have control over their own personal information. The use of drones with devices such as those mentioned in the previous paragraphs may imply or imply an impact on people's right to data protection and, therefore, may imply an infringement of their rights and freedoms.[3]. We are facing a scenario where, potentially, great abuses in terms of personal data protection can occur, since it is factually impossible for people to exercise real control over who records them from a drone.

Who is obliged to comply with the personal data protection regulations? Taking into consideration that personal data is all information about a natural person that identifies or makes it identifiable, drone operators that collect, store, record and / or process images, videos, sounds, biometric data, geolocation data related to an identified or identifiable person, are subject to the application of Law No. 29733 - Personal Data Protection Law. In other words, whether the data collected by drones unequivocally identifies a person or if their identification requires additional information (information crossing) to identify them, the personal data protection regulations are applicable.

From a strictly data protection perspective, drone operations can be classified into:

1) Those in which the purpose of the operation itself implies a processing of personal data. For example, video surveillance of people or monitoring or tracking people through drones.

Regarding the handling of drones for video surveillance purposes, Directive No. 01-2020-DGTAIPD - Directive on the Processing of Personal Data through Video Surveillance Systems - establishes that people who, for private security purposes, by reason of their functions, have In charge of the video surveillance system through drones, they must have specialized training in the handling of this equipment, guaranteeing reserve and confidentiality.

The person in charge of the treatment or the person in charge must implement the necessary measures to prevent the capture of images from third parties unrelated to the purposes of the capture, so as not to affect their rights. Likewise, it must comply with the principle of information contemplated in article 18 of the Personal Data Protection Law. That is why it is recommended to use a poster or brochure that allows informing that the area is video-monitored by drones. The owners of personal data or those in charge of treatment, if they have a web page, must publish information that allows them to know the different types of operations carried out or those that they intend to carry out in the near future with the data collected. It is imperative that those responsible or those in charge of treatment have on their website, the necessary mechanisms that facilitate the exercise of the ARCO rights of the holders.

Additionally, the data controller must choose the most appropriate technology for the purpose pursued with the operation and adopt all appropriate measures of "privacy by design"[4] (privacy by default), avoiding the collection and subsequent processing of unnecessary data. It must also adopt the appropriate technical and organizational measures to guarantee an adequate level of security, minimizing the risks of infringement of the rights and freedoms of people, in particular to prevent any unauthorized treatment during the transmission phase of the captured data.

2) Those operations in which the purpose of the operation a priori it would not include the processing of personal data, such as construction inspection, topographic surveys, land inspections and other photography and video services. However, in this case we are faced with two events:

2.1) That, indeed, no personal data is processed. For example, that the treatment is carried out for domestic use or that, due to the circumstances, no personal information is collected. In this case, you should only be careful if you want to share the footage on social networks or on the internet and you should ensure that they do not contain images or data relating to people, vehicles, homes or other objects that could lead to the identification of subjects, and if so, anonymize them using blurring techniques or similar.

2.2) That there is a risk of occurrence of personal data processing in an unintentional or inadvertent way. For example, when filming the construction of a building. In this case, even if it is not the purpose of the recording, there is a risk that personal data may be captured unintentionally or inadvertently. This can happen either because it is inevitable to capture certain images of people in the background, or because other types of information are captured (nearby homes, recreation areas, vehicles, etc.).

In these cases, the drone operator must respect the principle of proportionality and minimize the capture of images to what is absolutely necessary, reducing the chances that people may inadvertently appear in the images, and considering the possibility of not capturing the entire flight, but rather only those moments that are necessary.

Also, you must have a drone that complies with the principle of “privacy by design”Such as, for example, adjusting the resolution of the image to the minimum necessary to execute the purpose of the treatment, reducing the granularity of the geolocation for the same purpose; apply techniques to anonymize images (automatically during capture or procedures to do so immediately afterwards) or mechanisms to start and stop data capture at any time during the operation; implement secure communications protocols that prevent third parties from accessing the transmissions of the captured data or even the control of the device itself, or include mechanisms that allow the encryption of the data captured and stored on the drone itself[5].

By way of reflection, the current personal data protection regulations, as stated, are not enough to protect citizens from improper treatment by drone operators. For this, it is necessary, first of all, that the State train people more about their right to the protection of personal data. Second, higher fines are needed to discourage improper treatment. Finally, incentives are urgently needed for entrepreneurs to decide to invest in technology that complies with the principle of privacy by design. Perhaps a regulation that allows those companies that have a certification regarding the protection of personal data to have some type of tax benefit or that this gives them greater possibilities of being contracted with the State stimulates compliance with the Data Protection Law Personal.

[1]     The term "drone" refers to any unmanned aerial vehicle ("Unmanned Aerial Vehicle", UAS). Under this concept it is possible to understand any “propelled aerial vehicle that does not carry personnel as an operator on board”.

[2]     Currently, drones are used for recording events, such as sports shows, concerts, fashion shows, weddings. Also, in Russia and Israel there are already companies that use it to make shipments. In Dubai, it is planned to use this technology to transport people. It is also useful for emergency situations such as searching for lost people or taking resources to places that have suffered a natural catastrophe because their speed of flight allows them to cover huge areas in a very short time. In Spain, drones are beginning to be used to control maritime revenue. The builders use them to record their works; farmers, to locate pests; firefighters, to fight forest fires; geologists, to take samples from the interior of the volcano or other places that are difficult to access; archaeologists, to study the ruins. Even drones could be the solution to guarantee internet access in rural areas, which could run on solar energy.

[3]     Guide with recommendations on data protection in the use of drones. Spanish Agency for the Protection of Personal Data, p.4.

[4]     The principle of "privacy by design" or "privacy is a principle that is included in the General Data Protection Regulation of the European Union which can be applied to our system, which determines that before launching a product or service the impact of this must be taken into account, with respect to people's privacy. This supposes a preventive reflection in relation to the purpose of what is going to be built and the possible consequences that it could have for the privacy of the user. It is based on proactive measures, that is, it prevents and anticipates privacy problems before they occur. That is, it does not wait for risks to materialize. The key to this principle is that a product or service developed under this concept does not require any action on the part of the user to protect their privacy. Even if the person does not take any action, privacy remains intact, since it is predetermined. Personal data must be automatically protected in any technological system.

[5]     Ibid, p. 7.



- Advertising Notice-
Alejandro Morales
Lawyer graduated from the University of Lima. Master in ICT Law, Social Networks and Intellectual Property at ESADE Business & Law School. Head of the Law and New Technologies Area at Torres y Torres Lara - Abogados. Specialist in Business Law, Protection of Personal Data and New Technologies.


1,954Happy fans


*All fields are required
es Spanish