This article is co-authored by Eduardo Linares and Aaron Lopez de Castilla.
Regarding the recent ruling issued by the Constitutional Court (hereinafter, "TC") in favor of Ms. Máxima Acuña Atalaya (hereinafter, "Ms. Acuña") against Minera Yanacocha SRL for having proven the violation regarding the right to privacy through the use of the video surveillance camera and the drone device.
On February 5, 2016, Ms. Acuña filed a habeas corpus claim against Minera Yanacocha requesting the cessation of acts of hostility against her and her family, while, as indicated, Minera Yanacocha would have ordered the overflight of a "drone" on your property, with the aim of monitoring and monitoring your person. For its part, Minera Yanacocha maintained that the flight of the aforementioned “drone” was carried out within the framework of the tests carried out by the company that sold said device, and that this even occurred on a single occasion.
In this way, the TC developed its analysis on the possible violations of people's privacy with the use of new technologies.
Thus, picking up the main concepts developed by the TC, the “Dron” is defined as any unmanned aerial vehicle (“Unmanned Aerial Vehicle”), a term that comes from the military field to refer precisely to remotely piloted aircraft (also known as “RAD” by its initials from the English “Remotely Piloted Aircraft”), however, for the TC its legitimate use would be limited to the following considerations:
- Regulated and limited use: The use of Drones can violate the privacy rights of people, so it is imperative that their use should be regulated and limited. However, exceptions would be made for cases in which drones are used by public entities for the sake of citizen security or the public interest that does not involve a serious and irreparable violation of people's privacy.
- Preventive measures: Without the need for the drone to physically enter the private space, through its technology, intimate details of people's personal or family life could be captured, so the manipulation of these must be carried out taking into account all the necessary precautions to avoid violating people's rights.
- Restricted spaces: Avoid accessing places that pose a risk to the privacy of people, such as windows, gardens, terraces or any other space on private property whose access is not previously authorized.
- Intrusion justification: In case the drones access a restricted space, it must be reasonable and proportional to the benefit to be obtained. The aforementioned aspect is supported by the provisions of Law 297333, Law on Protection of Personal Data and its Regulations, approved through Supreme Decree No. 003-2013-JUS by which the principle of proportionality is developed, which specifies that everything Processing of personal data must be adequate, relevant and not excessive to the purpose for which they were collected.
- Prior authorization: It is forbidden to fly over private or state properties without prior authorization from the owner or the pertinent authority; except in situations of public interest and humanitarian nature, such as emergency or sinister situations.
- Collection of personal data: The collection of personal data through the use of drones will be lawful as long as it is carried out within a property for own use (for example: in a private property, rented, or acquired through public concession, etc.), or when it is acted within of its perimeter, without invading the space for public use or third parties.
- Overflight restriction in public spaces: Despite being in public spaces, people maintain their right to privacy and image, which is why overflights in public spaces with crowds of people are restricted.
The criteria established by the TC are interesting insofar as they signify an advance regarding the regulation of the use of operating systems such as drones, however, this still deserves greater precision and scope that we hope the General Directorate of Protection of Personal Data can be developed in order to protect personal data that could inevitably be violated due to the disproportionate use of Drones; air vehicles that over time become more relevant in our country, both for security uses (we see that several municipalities have acquired such devices for better control of citizen security), as well as for private and professional uses (we see related activities to photography that they make use of drones to find the best possible shot and shot), but in both cases it means an increase in their use.
However, in Peru it is not the first time that drones have been discussed, since through Directorial Resolution No. 02-2020-JUS / DGTAIPD that approved Directive No. 01-2020-JUS / DGTAIPD, Directive of Personal Data Processing through Video Surveillance Systems (hereinafter, the "Directive"), important but not sufficient scope was given to the processing of data through the use of Drones, specifying certain specific aspects regarding the purposes of video surveillance , where it was established that people who, for private security purposes, by reason of their functions, are in charge of the video surveillance system through drones, must have specialized training in the handling of this equipment, guaranteeing reserve and confidentiality.
Thus, it was also stipulated that it is the responsibility of the owner and / or person in charge of the processing of personal data, the duty to inform the people who will be controlled or registered through the use of video surveillance of drones, for which the implementation of posters is required. or information brochures in the areas of video surveillance by drones.
Due to the above, we see an important and complementary advance to the use of drones, however, we consider it prudent that the establishment of regulations related to drones in the field of personal data protection be treated through a special directive that addresses the scope of its use.
In addition to the above, there have been queries from our clients who use this type of technology in the development of their business activities and not for the processing of personal data, as in the case of the use of Drones for the evaluation and supervision of crops of their property, aimed at collecting data from this activity through technology implemented in its Drones, such as heat cameras, infrared cameras, among others, in which, we reiterate, the purpose is adjusted to their business activities and not with the objective of record or capture the image of third parties outside their activity.
In these cases, we have recommended that the company: i) adjust the technology of its software in such a way that when a person is involuntarily registered, they are anonymized and cannot be identified, thus restricting the registration only to the recording of the operation but not of additional persons or elements; and, ii) establish layered security measures, that is, implement different codes and configurations of the control and access software to the drone, to prevent external programs from allowing their control or hack.
Unlike Peru, in Spain we have specific regulations for the use of drones by citizens. The exponential growth in the civil sphere in the use of drones is an indisputable fact, so a legal framework is necessary to regulate it.
The State Agency for Air Safety (AESA) is the body in charge of regulating the civil use of remotely piloted aircraft, the current regulation being Royal Decree 1036/2017, of December 15, 2017.
The regulations identify the use of drones in 3 ways: professionally, for recreational use and for the use of drones weighing less than 250 grams.
To fly drones professionally, it is mandatory to have a drone license and also to be registered as a drone operator with the AESA.
In the case of recreational drone flights, it is only necessary to have the knowledge to pilot the aircraft safely, through a rating in an ATO (Approved Training Organization) approved by AESA. The maximum weight for the consideration of a recreational drone is a maximum of 2 kg.
Now, it can be thought that the use of drones weighing less than 250 grams is exempt from complying with any type of regulation, however, there are a series of guidelines that must be met to fly legally and safely.
Although the legislation on drones weighing less than 250 grams is permissive, the main guidelines are the following:
- We can fly over crowds of people in urban areas or buildings, as long as it does not exceed 20 meters in height from the ground.
- We cannot fly over National Parks, wildlife conservation areas, Biosphere Reserves, and other protected natural spaces.
- We must not fly within an 8 km radius of any airport, airfield, or other controlled airspace.
- If the drone has a camera, we must not violate the Data Protection Law and the right to honor and privacy of people.
Regarding responsibility for use, Royal Decree 1036/2017 establishes that the remote pilot will be responsible at all times for detecting and avoiding possible collisions and other dangers. With this, the regulations transfer responsibility for any type of damage to the remote pilot.
Privacy and Drones
As I could anticipate, Royal Decree 1036/2017 in article 26 establishes as general obligations that if a drone has a camera, we must adopt the necessary measures to guarantee compliance with the provisions on the protection of personal data and protection of privacy.
The use of drones is a challenge in the management of personal data. Affecting people's right to their image and privacy requires clear guidelines on people's rights to protect their personal data.
This is why the Spanish Data Protection Agency (AEPD) made the guide "Drones and Data Protection" come into force, which establishes a series of specific guidelines and recommendations for the use of these devices.
In the first place, defining the personal data, according to Spanish regulation, is ¨all information about an identifiable or identifiable natural person¨. Therefore, it comes into direct collision with the use of drones, since they can record and / or process personal data such as images, sounds, geolocation data, etc., related to an identified or identifiable person.
Therefore, you must take into consideration the application of the General Data Protection Regulation (RGPD), Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (LOPDGDD) and aeronautical regulations. commented.
From the point of view of the RGPD and LOPDGDD, drone operations are classified into two categories according to their purpose:
- The purpose of the operation itself implies the processing of personal data, such as video surveillance.
The installation of video cameras in public places for security purposes is the exclusive competence of the Security Forces and Bodies. The AEPD's recommendations for this type of operation are:
- In the event that a treatment is carried out on behalf of a third party, the third party will be responsible for the treatment and the drone operator will act as the person in charge, and their relationship must be governed by a treatment manager contract;
- Delete or anonymize any unnecessary data;
- Privacy-friendly default features;
- Make drones as visible and identifiable as possible.
- The purpose of the operation, initially, would not imply a processing of personal data, as is the case of field inspections or agricultural treatments, but that could have an impact on the right to protection of personal data.
Within this point, we find two variants:
A) Operations that do not include the processing of personal data: they are infrequent and in them operations with drones with very basic configurations can be circumscribed, lacking or, not making use of devices to capture images or any other type of data or information of a personal nature. In the event that these drones have cameras, their use must be restricted to domestic use or that said images do not allow the person to be identified.
The recommendation of the AEPD is that, before sharing the videos or images captured with a drone on the internet, it is necessary to verify that they do not contain personal data related to people, vehicles, homes or any other object that may facilitate the identification of subjects. If they contain this type of information, it will be necessary to anonymize them using, for example, blurring techniques.
B) Operations with the risk of processing personal data in a collateral or inadvertent way: in this case we can include operations such as treatments in agriculture or field inspections that, although their objective is not to capture personal data, there is a risk of their occurrence. The AEPD's recommendations for this type of operation are:
- Minimize the presence of people and objects that allow their identification, making flights at times with little public influx, for example;
- Minimize the capture of images to what is strictly necessary;
- Apply privacy measures by design, such as adjusting the resolution of the camera to the minimum necessary.
In this sense, the appearance of this type of technology in our society puts on the table different obligations and responsibilities regarding the treatment of our personal data and personal privacy.
In fact, Spain, by having a specific regulatory framework, makes the rules of the game clearer.
Let's go step by step, Peru just has a first sentence regarding privacy and the use of drones. What is coming now is a specific regulation or, in any case, a statement from the National Authority for the Protection of Personal Data.
*The opinions expressed in this article are those of the co-authors and do not necessarily reflect the views of the administrators of The Crypto Legal blog or the Lawgic Tec association.