Hungarian Data Protection Authority urges the legislator to tackle the privacy and security risks of RPAS

17 December 2014

On 14 November 2014, the Hungarian National Authority for Data Protection and Freedom of Information (the NAIH) published its recommendations on the civil use of Remotely Piloted Aircraft Systems (RPAS) to provide the Ministry of National Development, which has been working on draft legislation on RPAS, with information on the privacy and security risks of this technology. The NAIH outlines certain issues triggered by the use of RPAS and urges the legislator to adopt specific provisions to address the security risks resulting from inappropriate and bad faith RPAS. The NAIH intends to establish the basic principles of a longer legislative process for a framework of RPAS operations so these recommendations are a call for legislation rather than practical guidelines for the users addressing each and every aspect of RPAS operation. Yet the NAIH also sets some basic principles for users although the legal background is either missing or controversial.

On 7 November 2014, a Report on Privacy, Data Protection and Ethical Risks in Civil RPAS Operations (the Report) was published on the website of the European Commission. This study has been carried out for the European Commission by consultants so the Report does not necessarily express the opinion of the European Commission. A brief comparison of the approaches of this European report and the Hungarian data protection regulator follows below.

Hungarian approach

The NAIH believes that the current regulatory environment governing specific data processing technologies does not fully address the use of RPAS. For the NAIH, the use of RPAS is centred on an entirely new technology of data processing to which the existing legal framework on aviation and data protection hardly fits, either directly or by analogy. In its recommendations, the NAIH describes in detail the RPAS features which trigger novel risks concerning individuals' privacy and security.

The NAIH feels that apart from the current general personal data provisions, including the Hungarian Data Protection Act (Act 112 of 2011 on Informational Self-determination and Freedom of Information), a specific instrument addressing RPAS is required. Conversely, the European Report concludes that the existing and future legal framework – the Data Protection Directive transposed by Member States and the coming General Data Protection Regulation – supplemented by soft law measures, such as Privacy Impact Assessments and Privacy-by-Design measures, are adequate. The European Report ­states that the main focus should be on informing the RPAS industry about its obligations, such as creating dialogue between the authorities and industry representatives.

The NAIH views civil use of RPAS in three categories: (i) governmental, (ii) commercial and (iii) private (i.e. leisure/recreational). While the NAIH has made some pioneering recommendations (e.g. to extend the scope of legislation to data processing for private purposes), in general it promotes enhancement of the existing data protection framework in relation to RPAS by extending the existing data protection provisions applicable to the special features of RPAS.  It is worth noting that the NAIH addresses neither the use of RPAS for journalistic use nor the issue of governmental use falling outside the scope of the Data Protection Directive, contrary to what the European Report says.

NAIH recommendations

Scope of the new legislation

The territorial scope should cover all data produced, collected or transferred by RPAS used in Hungarian airspace, such as data concerning natural or legal persons and other organizations located in Hungarian territory.

Extending the scope of existing data protection provisions to private use

One of the NAIH's most novel recommendations is that, in relation to RPAS use, the scope of the current Data Protection Act should be extended to data processing for private purposes. This would mean a new era for data protection legislation as it does not currently cover processing for private purposes alone. While data collected by natural persons in the course of purely personal or household activities falls outside the scope of the Directive, the above approach is not surprising in light of the recent ruling in Ryneš (C‑212/13) of the Court of Justice of the European Union (CJEU) and also the opinion of the Article 29 Working Party 29 on the Internet of Things (IoT). In the previous ruling the CJEU has found that domestic CCTV which films a public area cannot be exempt from the obligations contained in the EU Data Protection Directive by virtue of the household exemption. In latter opinion the WP29 stressed that the household exemption is of limited application in the context of the IoT, particularly because the business model of IoT implies that user’s data is systematically transferred to device manufacturers, application developers and other third parties.

The approach of the NAIH on the household exemption and its practical implications is quite vague. It seems that currently the NAIH does not wish to decide what is private use and what falls outside the household exemption. However, the document makes it clear that sharing and making available footage recorded by an RPAS operations to an indefinite number of individuals cannot be exempt from the obligations contained in data protection legislation by virtue of the household exemption.

The need for prior authorisation

The NAIH believes that it is vital to keep the current authorization system for commercial and private use of RPAS. According to the NAIH, authorization licenses should be issued on a case-by-case basis by a competent authority such as the Aviation Authority. The paper also stresses that the NAIH is open to collaboration in the course of approving such applications. The applicant will be required to indicate the purpose, legal basis, date, place and duration of the data processing. Such requirements would be similar to the approach being taken in Italy where RPAS operators must provide details about data protection compliance in the applications submitted to the attention of the Italian Civil Aviation Authority. This opinion is in line with the Report as the NAIH also believes that the Civil Aviation Authorities should have the power to issue 'aerial work permits' and ensure that the appropriate risk assessment measures have been taken.

Key data protection principles – the need for a valid purpose and proportionality

The NAIH stresses that key data protection principles must be observed by the operators of RPAS. This means that personal data should be collected and processed – for both private and public purposes – for a specific purpose, during a specified period of time, covering a well-located geographical area and a well-specified group of individuals. Collection of personal data of an unidentified group of individuals, such as collection of data for warehousing, should be expressly prohibited.

Furthermore, the NAIH also recommends applying the principles of privacy-by-design and privacy-by-default, which means that the data controller should implement appropriate technical and organisational measures and procedures both at the time of determining the means for processing and at the time of the actual processing. Furthermore, it should implement data processing techniques from the outset in a way that they should not exceed the principle of proportionality. These measures would be in line with the principles of the coming General Data Protection Regulation.

According to the NAIH, all data processing equipment installed on the RPAS must be authorized and then adjusted in such a way that they will not be able to collect a disproportionate amount of data or data different from the original purpose.

Rights and remedies of individuals

The NAIH also urges the need of identification of RPAS as the absence of this would mean that data subjects will not be able to exercise their rights. Therefore, the new legislation should oblige RPAS operators to establish an identification method by which data subjects can easily identify operators and exercise their rights provided under the law. In that regard, data subjects should be able to obtain information at the beginning of the processing of their personal data, and be able to object to the processing of their personal data. The paper also mentions that identification can be a difficult question as RPAS are significantly smaller than a civil aircraft. Even if RPAS were to carry identification signs, these could not be read from the ground.

The NAIH further recommends that it would be useful to establish websites for such purposes, appoint a contact person to whom requests can be addressed, set up a system which would contain real time and subsequent flight itinerary details, and also maintain an official register containing the names of persons operating RPAS for commercial purposes. However, it remains to be seen how these provisions can be put into practice. This would echo similar calls from the UK and French Data Protection Authorities.

Data security

The NAIH's recommendations also address data security. For example, commonly used Wi-Fi systems are not secure and other technical data transfer solutions must be developed. The Report also points out that Wi-Fi systems are subject to the potential threat of hacking.

Restricted areas

The NAIH recommends that authorization for the use of RPAS solely for personal purposes should be restricted to specified areas for aviation safety, as well as for certain other purposes.

Governmental use

As for governmental use of RPAS, the NAIH mentions that similar to the existing framework on secret surveillance and interception of messages, this should be carried out on a case-by-case basis, under criminal or national security proceedings based on prior approval by a judge.

Summary

The report of the NAIH urges the Hungarian legislation to address the privacy and security risks of RPAS, even in the case of private use, and to extend the scope of existing data protection legislation to private use. Even though the report of the NAIH also contains recommendations for data controllers under the current legislative framework, these are to be considered as recommendations rather than strict legal requirements.

Authors