UAS capture of images from the prism of recent privacy developments in Europe

01 June 2015

Gabriel Voisin

UAS fitted with cameras are capable of recording or taking images whilst airborne.

EU Data Protection Law and Domestic Exemption Refresher

Under the EU Data Protection Directive[1], the term “personal data” is defined as any information relating to a living individual who can be identified, directly or indirectly, “in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”. Typically, this means that recognisable images of individuals captured by video or photograph systems embedded in UAS qualify as personal data (direct identification). The same would be true for instance if the images would just record vehicle registration marks but would then cross reference the collected information with other databases to identify individuals (indirect identification). In both cases, UAS pilots and clients of UAS operator services become subject to the relevant Member State’s data protection law.

To avoid being caught by Member States’ data protection law, many UAS pilots, especially hobbyists, have for a long time benefitted from a so-called domestic exemption provided in the EU Data Protection Directive. It applies when photographs or videos are captured/processed by a pilot who is acting as an individual (not in his professional capacity) only for the purposes of his personal, family or household affairs. In such circumstances, none of the EU data protection requirements apply and the pilot is free to go.

The above exemption was clearly recognised by many Member State Data Protection Authorities, including the UK Data Protection Authority (ICO) in its CCTV guidelines[2]: “A distinction should be drawn between those individuals who can be considered as ‘hobbyists’ and are therefore generally using their device for domestic purposes, and those individuals or organisations who use the device for professional or commercial purposes. Where UAS are used for non-domestic purposes, operators will need to comply with data protection obligations and it will be good practice for domestic users to be aware of the potential privacy intrusion which the use of UAS can cause to make sure they’re used in a responsible manner.

A Recent Court of Justice of the European Union (“CJEU”) Decision Changes the Domestic Exemption Landscape

However, since December 2014, a CCTV related decision[3] from the CJEU (i.e. the highest court within the EU) seriously narrows this exemption. In this case, a Czech resident had decided to install a camera at his family home. The camera was installed in a fixed position and recorded the entrance to his home, the public footpath and the entrance to the house opposite. A few days after the installation, one of the windows of the property was broken and the camera made it possible to identify two suspects. One of the suspects sought clarification from the Czech Data Protection Authority as to whether or not the use of the camera was lawful under Czech data protection law. The answer from the Czech regulator was negative. The owner of the property appealed to the Supreme Administrative Court of the Czech Republic arguing that his use of the CCTV was exempt under the domestic exemption. The Supreme Administrative Court referred the question to the CJEU.

For the CJEU, the domestic exemption only applies where the processing activities are carried out in the purely personal or household setting of the person who is processing the personal data. As the camera covered (or even partially covered) a public space and was directed outwards from the private setting, the CJEU considered that it could not be regarded as an activity that is a purely personal or household activity. As a result, the domestic exemption cannot apply and the property owner was regarded as subject to the Czech Data Protection Act.

This case is just another recent illustration that European courts and data protection regulators wish to ensure a high level of protection of fundamental rights and freedoms such as privacy. Transposed to the UAS world, it means that those using UAS with cameras to take or record images for their personal and recreational use will no longer benefit from the domestic exemption if they (i) collect personal data outside of their property or (ii) capture personal data in the public space or another private area from their property. In other words, if a UAS hobbyist was to go and operate his device in London Green Park and capture personal data, he will be subject to the UK Data Protection Act. The same would apply if a UAS hobbyist was to operate his device in his property but capture personal data coming from the footpath bordering his property.

Where to Go From There and Key Practical Recommendations to Consider

Starting with hobbyists, if they are able to stay within the scope of the revised domestic exemption outlined above, they will still be not subject to EU data protection requirements and are free to go.

On the other hand, hobbyists falling outside of the scope of the revised domestic exemption will join the list of other UAS pilots and clients of UAS operator services having to comply with EU data protection requirements (for details please see table below). Note that conducting a Privacy Impact Assessment[4] (PIA) and implementing Privacy by Design[5] will help meet these rules.

Data Protection Requirements


Personal data must be processed fairly (usually based on notice to individuals) and lawfully meeting one of the conditions for processing provided in the Member State’s data protection law

  • Develop data protection notices; consider public awareness campaigns ahead of data collection
  • It can be difficult to meet a condition for processing if 'sensitive' personal data is processed. This includes data about health and religious belief: consider strategies to avoid collection of such data

Personal data must only be processed for one or more specified purposes and cannot then be processed for an incompatible purpose

  • Clearly identify all purposes for which personal data will be processed at the outset

Personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed

  • Identify and document why each category of personal data is necessary

Personal data must be accurate and where necessary up to date

  • Consider the implications of inaccuracy and assess if checking or updating is necessary

Personal data must not be kept for longer than necessary for the purpose for which it is being processed

  • Identify potential prescriptive retention periods, otherwise define such periods (it cannot be unlimited)

Data must be processed in accordance with the rights of individuals (to access, correct and delete data) under the Member State’s data protection law

  • Adopt a strategy for responding to requests. Depending on the quality of the images, it can be difficult to verify the identity of the person making a request to access image data.

You must take appropriate technical and organisational measures to keep personal data secure

  • Appropriate security is a key focus for many Member States’ data protection authorities such as in the UK or Spain

Personal data must not be transferred to countries outside of the EEA unless the country has adequate levels of protection in relation to the processing of personal data.

  • Establish data flows. If data is transferred, use an EU approved method to protect the data (e.g. SCCs).

Possible filing requirements

  • Duty to register your processing of personal data with certain Member States’ data protection authorities (e.g. UK, France, Spain, Belgium)

[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 

[2] In the picture: A data protection code of practice for surveillance cameras and personal information

[3] František Ryneš v Úřad pro ochranu osobních údajů C-212/13

[4] Privacy impact assessment is a process which helps an organisation to identify and reduce the privacy risks of a project

[5] Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start