MHC Tech Law: Regulating drones for safety, security and privacy

19 Dec 2016

Image: concept w/Shutterstock

The use of drones has become much more prevalent, but how does this affect our privacy? The team at Mason Hayes & Curran investigate their regulation at EU level.

Drones are becoming increasingly more commonplace in Ireland and across the globe. From aerial photography to assisting search and rescue operations, drones can be put to a variety of beneficial uses. However, the use of drones also carries concerns relating to both safety and privacy.

We examine how drones are regulated in Ireland and review the upcoming proposals at EU level. We also consider the privacy issues surrounding the use of drones and the steps that should be followed if a drone is being used for commercial purposes.

The Irish regulations

The Irish rules that govern drones are the Irish Aviation Authority Small Unmanned (Drones) and Rockets Order and the Irish Aviation Authority (Nationality and Registration of Aircraft Order).

These regulations provide that all drones weighing over 1kg must be registered with the Irish Aviation Authority (IAA). Also, a drone should not be operated if it will be a hazard to another aircraft in flight or operated in a negligent or reckless manner so as to endanger life or property of others. The regulations include a variety of other restrictions and prohibitions, including that drones should not be flown:

  • closer than 5km to an aerodrome
  • more than 120m above ground level
  • further than 300m from the operator of the drone

To fly drones outside these limits, permission of the IAA must be obtained.

Potential measures in the EU

On 1 December, the Council of the EU agreed a draft regulation that represents proposed EU-wide rules for civil drones. Currently, the EU is responsible for regulating unmanned aircraft above 150kg, with lighter drones being subject to national rules.

This draft will apply to all varieties of drone, from small toy drones to large unmanned aircraft. The rules seek to set down basic principles to ensure safety, security and privacy. The main rule affecting drones is that national aviation authorities will have to certify certain drones. The certification process will be proportionate and risk-based. The larger the drone, and the higher the risk it poses, the more likely the drone will be required to be certified. Privacy will also be taken into consideration during the certification process.

It’s worth highlighting that the legislative process is ongoing and that the draft currently provides the European Aviation Safety Agency with the power to develop more detailed rules on drones.

Privacy and data protection

Both the Article 29 Working Party and the Data Protection Commissioner (DPC) have expressed concerns about the use of drones in such a way that could affect individuals’ privacy. These concerns are particularly focused on instances where sensors such as smart cameras and radio frequency equipment are added to drones.

1. Proportionality

The DPC suggests that the data collected by drones, which are equipped with additional sensors, should be limited to what is strictly necessary in order to achieve a specific purpose or purposes. For example, a drone used for taking aerial photographs of landscapes should not be used to record people’s faces.

2. Transparency

Transparency is another key privacy-related issue for drones. The DPC recommends that drones should be visible and easily identifiable in appearance. In addition, the DPC suggests that efforts should be made to highlight the fact that recording of data is taking place. This might entail making clear to the general public in the area in which a drone will operate by using signage or advertisements in local newspapers.

3. Security

The DPC states that robust security and access controls should be put in place. This ensures that any personal data collected by the drones can only be accessed by authorised people.

4. Retention and anonymisation

Personal data must only be retained for as long is necessary for the purpose or purposes for which it was collected. A drone owner, who is also a controller of personal data, may look at installing software that automatically deletes personal data when a task is completed.

As an alternative to this, it may be appropriate to install technology that automatically blurs or obscures faces of people that were inadvertently collected.

Privacy and commercial drone use

According to the DPC, if a drone is being used for a commercial purpose, a privacy impact assessment should be undertaken before the drone is used. This assessment should take into account the purpose the drone is being used for, the potential risks to data protection, and the necessity to implement safeguards to address any concerns.

It would also be prudent to put a drone usage policy in place which would outline the uses of any personal data and the security and retention policies that surround the collected data.

Before take off

Drones, and their use, are becoming subject to increased regulation, both from an aviation safety and a data protection standpoint. Given the likely implementation of EU-wide measures on the regulation of drones, it is important to keep up to date on applicable rules and obligations. In particular, both consumer and commercial operators of drones should ensure to familiarise themselves and comply with rules on safety, security and privacy.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Contact a member of the MHC Technology team or visit for more information.

Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.