Providing Internet or other wireless services

You are a private company that wants to use drones to disperse some kind of wireless signal to, for example, remote areas. You are providing access to different kinds of communication services that run through your drone. By doing this, you may inadvertently also collect personal data such as the IP addresses of computers or devices connected to your network, as well as the traffic passing through them.

Below you will see some of the main privacy and data protection issues that could arise in this situation and tips/ safeguards for how to avoid them. Keep in mind the detailed information provided in the Handbook.

Privacy and Data Protection

PRIVACY

Transparency, visibility and accountability: Drones that disperse communication signals tend to be large enough to be noticeable. Even if people are aware of the presence of the drone, however, they may still not be aware what kind of personal information the drone may collect, nor who exactly operates it. Generally, people should be aware of who and why is operating the drone.

Privacy of personal communication: Individuals have the right to privacy of their communication. The interception, recording or access to their private communication is forbidden. If you are offering Internet or other wireless communication services through your drone, this aspect of the right to privacy may be jeopardized if the transfer of their communication through your platform is not secure and private.

Chilling effect: People may not be aware of exactly what the drone is doing or whether or not it can collect visual data. If they feel like they are being surveilled, they may change their behaviour. This could apply also with regard to their online behaviour, if they believe their use of the network could be monitored.

DATA PROTECTION

Remember there are special requirements that apply if you collect personal data. The personal data you are most likely to collect in this scenario includes the personal communication of the people on the ground that passes through the drone, as well as their IP addresses. IP addresses may also allow the identification of individuals and, therefore, are considered personal data in the EU.
Lawfulness, fairness, transparency: Your collection and processing of personal data must be lawful, based on one of the options laid down by EU law. It must be fair, meaning that it must not cause any harm to the individuals. It must also be transparent – people have to know which of their personal data has been collected, by whom and what it will be used for.

Purpose limitation: People have the right to know exactly for what purpose their data is collected and, once you inform them of the reason (wireless communication), you cannot use their data for a different incompatible purpose (e.g. advertising) without informing them again and ensuring your actions are lawful (see above).

Data minimisation: You should collect the minimum amount of personal data possible for your legitimate purpose.

Accuracy: You should ensure that the personal data that passes through your platform is accurate and up-to-date. If there are inaccuracies, they should be deleted or fixed without delay. Storage limitation: You should not keep any personal data in a manner that would allow a person’s identification for longer than necessary. IP addresses can lead to the identification of people too.

Integrity and confidentiality: You should make sure that any data on the drone platform is secured and protected both from unauthorised access and from possible file corruption. The data should be protected both by third parties and your own employees. Accountability: Remember that if you collect personal data and can choose what to do with it, you will be accountable if you don’t follow any of these principles.

SAFEGUARDS

TIPS - Consider informing the people living in the area of the various channels or functions of the drone, what it can and cannot do, the information it collects and what it uses it for. Give your own contact information to answer any questions the people may have.

TIPS – Ensure that people are informed of the way their data will be processed when they use the wireless network from the drone, e.g. by showing them a message when they connect to the wireless services. Also, inform them of their rights, including their right to receive access to all their data and to request that it be deleted.

TIPS - Implement strong encryption systems in your drone to ensure the security of communication that passes through it and to protect the files from being corrupted. Store any data in a secure manner and ensure that it is not stored for excessive lengths of time. TIPS – Only collect and store data that is relevant or necessary for the purposes for which it is being collected, for the task you are carrying out, e.g. communication facilitation. Collect the minimum amount of data possible.

TIPS – Consider taking anonymising steps as soon as possible, e.g. giving users pseudonyms, scrambling and encrypting data end-to-end, etc. to minimise the amount of personal data collected. Note that pseudonyms may also be considered personal data if they may be linked to identifiable persons.

TIPS - Do not share data on identifiable persons with third parties without the persons’ consent.

TIPS – Be aware who the data controller and processor is in this case, especially if you are carrying out this activity together with another company. Remember that data controllers and data processors are subject to various legal obligations in the EU.

Disclaimer

The purpose of this site is to provide a centralised information platform for entities, including private and professional users, interested in the various existing rules of European Union (EU) Member States related to activities with drones.

Information posted on this site does not alter, fulfil, or replace States’ reporting and notification requirements, or other similar obligations, as provided by the Chicago Convention on International Civil Aviation, its Annexes, or any other applicable instruments of law.

This site is purely informational in nature and its contents are made available without warranties of any kind, either express or implied.

The content of this website, including all materials uploaded in the online library, shall not be considered as the official position of the Executive Agency for Small and Medium Enterprises (EASME) or the EU Commission nor any person acting on behalf of EASME or of the EU Commission is responsible for the use which might be made of this content.

The Commission is in the process of updating some of the content on this website in light of the withdrawal of the United Kingdom from the European Union. If the site contains content that does not yet reflect the withdrawal of the United Kingdom, it is unintentional and will be addressed.

The information on this site is compiled and provided by the DroneRules Consortium, applying great diligence and care. However, the DroneRules Consortium does not warrant that the contents are accurate, valid, reliable, complete, comprehensive, correct or up-to-date, that this website will be available at any particular time or location, that any defects or errors will be corrected, or that the content is free of viruses or other harmful components. Any opinions posted on this site, explicit or implied, reflect the opinion of the indicated author’s alone or, in case no individual indication is provided, the opinion of the DroneRules Consortium.

DroneRules Consortium shall not be liable for any direct, indirect, punitive, incidental, special or consequential damages (including, but not limited to, damages for loss of business profits, business interruption, or loss of programs or information) that result from the use or inability to use such site, or from the use or non-use of the information provided herein, in particular for, but not limited to, errors or omissions in the contents of the website, consequences of its use or non-use, or inaccurate transmission or misdirection.