Ide kerülhet az előadás címe
Data protection implications of the use of RPAS
Ide kerülhet az előadás címe
and recommendations –
Budapest, 5th February 2015
Data protection implications of the use of drones
• Benefits are numerous for
• Industry
• Agriculture
• Commerce
• Governmental use
• Private use
• BUT Privacy at stake !!!
 NAIH issued an opinion on 14th November 2014
(http://www.naih.hu/files/ajanlas_dronok_vegleges_www1.pdf; NOW available in
English)
• Main reasons:
• by using drones personal data are processed most of the time
• atypical data processing activity
• no analogy can be used for such a data processing
• Why atypical?
• not because of the mere use of drones but because of the variety of accessories it
can be mounted on a drone and the fact that they are designed to process personal
data
• data processing is done from the air (unusual) by small device often undetectable
which is capable of moving very fast
• possibility of gathering data without purpose limitation (more difficult to comply
with the purpose limitation principle than not to comply with)
• unprecedentedly large breadth of view
• capable of following persons, objects
• fully automated data processing, no possibility of changing the processing
environment when in the air
• large amount of data collected (ideal for bulk data gathering, database building,
multipurpose use)
• data processing is done where and from it was not done before
• undetectable, even if detected no information on data processor
• ideal for spying, bullying
• Why no analogy can be used?
• Drone vs. Modelling, sport aircraft, hot air balloons, imaging from the
air:
• size, functionality, noise, perceptibility etc. are not the same
• Drone vs. CCTV:
• CCTV is fix while the drone is moving (very fast)
• Drone vs. Google Street View:
• Goggle Street View is not repetitive, done from cars, low altitude
(don’t see above fences), not capable of moving fast, no possibility
of streaming, online processing
• Main conclusions:
•
•
•
•
•
•
•
the fear of being observed may alter the behaviour of
people;
the use of drones makes the violation of people’s dignity
easier and simpler than ever before;
for the time being, the technology is complicated;
there is an extremely high risk of non-compliant data
processing;
a high degree of vulnerability in human dignity;
a high degree of vulnerability in the privacy of the home
and private property;
the significance of negative impacts on the right to
freedom and safety, on the freedom of association and
assembly, on religious freedom, on the freedom of
expression and on the principle of non-discrimination
Opinion on the use of drones
• Recommendations for the
• Legislator
• Governmental users
• Commercial users
• Advices for private users
•
Main aim of the recommendations:
• for the government users
•
data processing by drones should be conducted for the purposes laid down
in the relevant legislation and should not be used for
• secret surveillance,
• bulk data gathering
• data pooling
• unlawful profiling
• for the commercial users
•
•
•
•
enforcement of data protection and privacy legislation
mandatory administrative permit procedure
fundamental rights affected by the technology should remain under
adequate protection
for private users:
•
•
the scope of Privacy Act to be extended to the private use when it is in
public spaces
registration, identification of users
•
Recommendations for the legislator
•
Administrative permit procedure for authorising the drone to
operate which includes a data protection impact assessment
•
done by a national authority (DPA can assist in difficult case or can
issue guidelines for specific sectors)
•
5 main questions:
•
Is the purpose of the data processing is legal?
•
Is the legal base of the data processing is appropriate?
•
Is the data processing necessary, proportionate in order to
achieve the aim of the data processing?
•
Is the data processing is within the purpose?
•
Has the data controller complied with its obligation of
information?
• during the procedure the authority has to check the legality and compliance
of the followings:
• name, address and contact person of the data controller and /or data
processor
• purpose, location, time and timeframe of the data processing
• details of how the data subject(s) has(ve) been informed
• details of the data storing system and the main characteristics of the
data security measures
• details of the technology used for unmasking, blurring, anonymisation
the unnecessary personal data
• details of data erasure
• details on how access rights can be exercised
•
Mechanism for informing data subjects
•
depending on the nature of operation
•
the authority has to decide on case-by-case basis
•
BUT, minimum requirements:
•
•
use of a identifying technology (can be universal or customised)
possibility of checking the flying itinerary of the RPAS
•
•
•
•
•
in advance (for a reasonable time)
in real time
afterwards (for a reasonable time)
when sufficient online
offline
•
Mechanism for guaranteeing the exercise of access rights
• mandatory registration  information on data controller
• mandatory operating permission + mandatory information to data
subjects  information on data processing
• data subject has to have all the necessary information in order to decide
on his/her rights to privacy and to data protection, i.e. access rights
before, during and after the data processing operation
• data subject can turn to the contact person of the data controller
• they can agree on the details how he/she wants to exercise the rights of
access, BUT minimum requirement: at the official premises of the data
controller with the data subject present (other way can also be envisaged
if consented by both parties, ex: sending the video by email, uploading to
a restricted area, etc…)
• data subject shall
• request information on personal data processed on him/her
• request the rectification, correction of his/her personal data
• request deletion of his/her personal data
• when not possible request that the data is made unidentifiable
• request the blocking of his/her personal data
•
Advices for private users
•
•
•
•
•
•
•
•
•
Inappropriate use of drones may easily constitute a crime or infringement (Section
219 of the Criminal Code, Section 166 of the Act on Infringement, Section 222 of the
Criminal Code)
For data processing by drones the provisions of the Privacy Act shall apply when it is
used in public spaces.
Subjects of data processing by drones shall be informed in a way it enables them to
act efficiently in the protection of their personal rights and personal data.
Drones may record large amounts of data of third persons and may largely infringe
upon the privacy of third persons. These data and privacy shall be protected in line
with the stipulations of the Privacy Act and this recommendation.
Drones may not be used to observe and track others (unless a prior written consent
has been obtained from the data subject)
Recordings that violate other people’s dignity may not be taken by drones, not even
for private use.
Special attention shall be paid to the protection of the personal data of minors and
vulnerable people even when using drones.
Drones may not be used for activities that are of the authorities’ competency (e.g.
public safety, law enforcement, catastrophe relief, etc.).
When using drones for private purposes, the data controller shall fully comply with
the obligation of registration and identification
Thank you!
Dr. Attila Péterfalvi, president
H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.
H-1530 Budapest, Pf. 5.
Tel.: +36 391-1400
Fax: +36 391-1410
peterfalvi.attila@naih.hu
ugyfelszolgalat@naih.hu
www.naih.hu