Ide kerülhet az előadás címe Data protection implications of the use of RPAS and recommendations – Budapest, 5th February 2015

Data protection implications of the use of drones Benefits are numerous for Industry Agriculture Commerce Governmental use Private use BUT Privacy at stake !!!  NAIH issued an opinion on 14th November 2014 ( NOW available in English)

Main reasons: by using drones personal data are processed most of the time atypical data processing activity no analogy can be used for such a data processing Why atypical? not because of the mere use of drones but because of the variety of accessories it can be mounted on a drone and the fact that they are designed to process personal data data processing is done from the air (unusual) by small device often undetectable which is capable of moving very fast possibility of gathering data without purpose limitation (more difficult to comply with the purpose limitation principle than not to comply with) unprecedentedly large breadth of view capable of following persons, objects fully automated data processing, no possibility of changing the processing environment when in the air large amount of data collected (ideal for bulk data gathering, database building, multipurpose use) data processing is done where and from it was not done before undetectable, even if detected no information on data processor ideal for spying, bullying

Why no analogy can be used? Drone vs. Modelling, sport aircraft, hot air balloons, imaging from the air: size, functionality, noise, perceptibility etc. are not the same Drone vs. CCTV: CCTV is fix while the drone is moving (very fast) Drone vs. Google Street View: Goggle Street View is not repetitive, done from cars, low altitude (don’t see above fences), not capable of moving fast, no possibility of streaming, online processing

Main conclusions: the fear of being observed may alter the behaviour of people; the use of drones makes the violation of people’s dignity easier and simpler than ever before; for the time being, the technology is complicated; there is an extremely high risk of non-compliant data processing; a high degree of vulnerability in human dignity; a high degree of vulnerability in the privacy of the home and private property; the significance of negative impacts on the right to freedom and safety, on the freedom of association and assembly, on religious freedom, on the freedom of expression and on the principle of non-discrimination

Opinion on the use of drones Recommendations for the Legislator Governmental users Commercial users Advices for private users

Main aim of the recommendations: for the government users data processing by drones should be conducted for the purposes laid down in the relevant legislation and should not be used for secret surveillance, bulk data gathering data pooling unlawful profiling for the commercial users enforcement of data protection and privacy legislation mandatory administrative permit procedure fundamental rights affected by the technology should remain under adequate protection for private users: the scope of Privacy Act to be extended to the private use when it is in public spaces registration, identification of users

Recommendations for the legislator A dministrative permit procedure for authorising the drone to operate which includes a data protection impact assessment done by a national authority (DPA can assist in difficult case or can issue guidelines for specific sectors) 5 main questions: Is the purpose of the data processing is legal? Is the legal base of the data processing is appropriate? Is the data processing necessary, proportionate in order to achieve the aim of the data processing? Is the data processing is within the purpose? Has the data controller complied with its obligation of information?

during the procedure the authority has to check the legality and compliance of the followings: name, address and contact person of the data controller and /or data processor purpose, location, time and timeframe of the data processing details of how the data subject(s) has(ve) been informed details of the data storing system and the main characteristics of the data security measures details of the technology used for unmasking, blurring, anonymisation the unnecessary personal data details of data erasure details on how access rights can be exercised

Mechanism for informing data subjects depending on the nature of operation the authority has to decide on case-by-case basis BUT, minimum requirements: use of a identifying technology (can be universal or customised) possibility of checking the flying itinerary of the RPAS in advance (for a reasonable time) in real time afterwards (for a reasonable time) when sufficient online offline

Mechanism for guaranteeing the exercise of access rights mandatory registration  information on data controller mandatory operating permission + mandatory information to data subjects  information on data processing data subject has to have all the necessary information in order to decide on his/her rights to privacy and to data protection, i.e. access rights before, during and after the data processing operation data subject can turn to the contact person of the data controller they can agree on the details how he/she wants to exercise the rights of access, BUT minimum requirement: at the official premises of the data controller with the data subject present (other way can also be envisaged if consented by both parties, ex: sending the video by , uploading to a restricted area, etc…)

data subject shall request information on personal data processed on him/her request the rectification, correction of his/her personal data request deletion of his/her personal data when not possible request that the data is made unidentifiable request the blocking of his/her personal data

Advices for private users Inappropriate use of drones may easily constitute a crime or infringement (Section 219 of the Criminal Code, Section 166 of the Act on Infringement, Section 222 of the Criminal Code) For data processing by drones the provisions of the Privacy Act shall apply when it is used in public spaces. Subjects of data processing by drones shall be informed in a way it enables them to act efficiently in the protection of their personal rights and personal data. Drones may record large amounts of data of third persons and may largely infringe upon the privacy of third persons. These data and privacy shall be protected in line with the stipulations of the Privacy Act and this recommendation. Drones may not be used to observe and track others (unless a prior written consent has been obtained from the data subject) Recordings that violate other people’s dignity may not be taken by drones, not even for private use. Special attention shall be paid to the protection of the personal data of minors and vulnerable people even when using drones. Drones may not be used for activities that are of the authorities’ competency (e.g. public safety, law enforcement, catastrophe relief, etc.). When using drones for private purposes, the data controller shall fully comply with the obligation of registration and identification

Thank you! Dr. Attila Péterfalvi, president H-1125 Budapest, Szilágyi Erzsébet fasor 22/c. H-1530 Budapest, Pf. 5. Tel.: Fax: