Wexford County Council has had to start filing a flight plan for data if they want to put drone mounted cameras in the air. The Data Protection Commission has determined that, not withstanding the fact that the recorded images were not distinct enough to allow the identification of any individual, the deployment of drone mounted cameras as part of Wexford County Council’s Easter Week response to Covid-19 travel restrictions constituted the deployment of a mass surveillance technology in a publicly accessible area. Therefore, it is a category of data processing for which a DPIA is mandatory.

The Irish Examiner has the story today. However I’m not surprised by this decision, for a number of reasons.

  1. Since 2014 I’ve been asked multiple times, in the Law Society’s Certificate in Data Protection, on the data protection implications of deploying a drone-mounted camera in a public place.
  2. My DPIA practical review lecture in the Law Society’s Data Protection Certificate Course regularly features a  scenario called “Weddings On Wings” which (you’ve guessed it) features the use of drone-mounted cameras by a wedding photographer
  3. I live in Wexford and sent an FOI to Wexford County Council in May looking for a copy of the DPIA that they should have done
  4. I filed the complaint with the DPC on this issue and received communication of a decision in the issue last week.

What was my complaint

My complaint was not about the legality or necessity or proportionality of the deployment of a mass surveillance technology during a pandemic. I can see a possible public interest basis and, under the 1947 Health Act, an Officer of Public Health can request the collection of any data that is deemed necessary to monitor or manage the spread of an infectious disease.

My complaint was very specific. The FOI response I received when seeking a copy of any DPIA or similar assessment confirmed that no DPIA had been done. Therefore, my complaint was that, in respect of a category of processing falling within the scope of processing which the EDPB and DPC Guidance on DPIAs says requires a DPIA to be done, a DPIA had not been done. This was, in my assessment, a breach of Article 35(1), Article 35(3)(c) and Article 35(7) of GDPR (because that was the answer to the exam questions, I’ve been setting for almost a decade).

In effect, my complaint was that, while there were flight plans and site safety plans filed for the use of drones, there was no “flight plan” filed for the processing of personal data, or the safeguards that would be in place to avoid/minimise processing of personal data when using a mass surveillance technology.

Embedded below is the cover letter from the FOI Decision from Wexford County Council back in June in respect of my FOI request filed in May 2020. Note where they say the record doesn’t exist or couldn’t be found.

The total FOI pack I received from Wexford County Council in May ran to over 130 pages. If anyone wants to read it it’s linked to here and contains some good insight into the nature of the processing activities. There appears to have been a lot of retrospective DPIA-like activity undertaken that might better have been done BEFORE launching.

My complaint was filed in a personal capacity.

The Outcome

The DPC agreed with me. They determined that the use of drone mounted cameras constituted the deployment of a mass surveillance technology and therefore a DPIA should have been done. In mitigation they pointed to the fact that Wexford County Council had introduced new policies in June 2020 requiring DPIAs to be undertaken before drones were purchased or deployed. They also pointed to the fact that the footage recorded was not of sufficient quality to allow any individual or vehicle to be identified. However, the DPC’s position is clear.

Although WCC stated in its detailed written response to the clarifications sought by this office that it categorically did not collect personal data, the DPC considers that the drones deployed by WCC constituted a system carrying out surveillance which had the potential to collect personal data and therefore a DPIA should have been carried out by WCC prior to the drones being deployed.

The emphasis in the quote above is mine. The full DPC response is embedded at the bottom of this blog post for reference.

The Upshot and Lessons Learned

The key lessons to learn from this is that

  1. The DPC takes DPIAs seriously and will look for them (remember the Facebook Valentines Day Massacre?)
  2. Even if in practice there is no processing of identifiable personal data or there are practical mitigations put in place, if that isn’t written down and formalised it still constitutes a contravention of obligations under the GDPR and under Part 5 of the Data Protection Act 2018. In this way, it is a bit like the flight plan or the site safety survey that Wexford County Council included in their FOI response. In practice the flight plan might be within IAA restrictions and the take-off and landing locations and flight safety risks might be well managed, but if they are not written down various regulatory issues arise.

I won’t get into the minutiae of why a complaint under GDPR was investigated as a compliant under Part 5 of the Data Protection Act 2018. I am not entirely convinced that there actually was a law enforcement purpose at the time (in the early days of movement restrictions it was largely ‘mandatory but not compulsory’). I’ll just note that in Document 4 of the FOI bundle released to me, the Council didn’t seem to think it was a Competent Authority within the scope of the Law Enforcement Directive for this purpose.

Regardless of the route, the decision on my specific complaint is correct and should clarify the position for any public body or company that is deploying drones with cameras mounted on them.

  • They are a mass surveillance technology
  • If flown over public spaces or spaces accessible by the public a DPIA is required
  • The DPIA should address what aspects of the equipment, flight plan, or other controls will avoid the processing of personal data or ensure compliance with data protection law when recording.

Not all Drones are created equal

It’s also worth noting that the drone image used by the Irish Examiner in their tweets about this story is not a surveillance drone with a camera. It is a delivery drone from Manna that has cameras for very specific navigation and landing purposes not for recording people or places. This highlights the importance of a clear statement of what the business objective is and how it is going to be met as part of a DPIA so that the different types of technology are used correctly and appropriately.

It also means that responsible drone operators should invest in documenting their DPIAs and ensuring that there are appropriate controls in place to prevent misuse or abuse or novel secondary use of recorded imagery in a way that would impact on the rights and freedoms of individuals.

Some Relevant Posts

We have written on the importance of DPIAs in the past as a planning and governance tool.

Castlebridge is also running a training course on Data Protection Impact Assessments starting on the 15th of this month.

 


The DPC’s Decision Letter

Daragh O Brien

Daragh O Brien

Daragh is the founder and Managing Director of Castlebridge. He brings over twenty years of experience in data strategy and regulatory operations to the table for clients. He lectures in the School of Law in UCD and in the Law Society of Ireland on Data Protection and Data Governance. He is a Fellow of the Irish Computer Society and holds CIPP/E and CIPM certifications from the IAPP and other data management qualifications.