Privacy, data protection and drone operations: the new EASA Guidance
Trilateral’s DroneRules PRO materials on privacy and data protection have been included in official European Aviation Safety Agency Guidance to assist the drone industry to comply with the new EU wide drone Regulations and the General Data Protection Regulation (GDPR).
In 2018 the European Aviation Safety Agency (EASA) took over regulatory responsibility for the use of drones in Europe via Regulation 2018/1139. Previously the regulation of small aircraft resided with Member States. Afterwards, in June 2019, the EC published the first harmonized European rules on drones, the Commission Delegated Regulation (EU) 2019/945 and the Commission Implementing Regulation (EU) 2019/947. These new Regulations have specific rules for Pilots, Operators and Manufacturers and harmonise the playing field across Europe to govern and support the drone industry. The Commission Implementing Regulation (EU) 2019/947 also requires drone professionals to comply with European legislation around privacy and data protection, and names the GDPR explicitly.
As part of the preparation for this change, the Directorate General for Internal Market, Industry, Entrepreneurship and SMEs (DG GROW) funded the DroneRules PRO project to develop materials to assist the drone industry in meeting their privacy and data protection obligations. The project seeks to educate drone professionals about their privacy and data protection obligations and has built an interactive, e-learning course to provide relevant training. Examples of areas treated by the course include:
- Function creep
- Definitions of personal data
- Data minimisation practices
- Purpose limitation practices
- Anonymisation techniques
- Data security requirements
The course includes a user-friendly, scenario-based approach and has been tested and positively evaluated by approximately 100 drone professionals across Europe.
“The course offers clarity on what many operators in this area consider to be a minefield” Drone Operator, Ireland, June 2019
The project also developed a Data Protection Impact Assessment (DPIA) Template for the drone industry to assist organisations who may need to conduct a DPIA as per the requirements of Art 35 GDPR. Other materials produced by the project include:
- A privacy-by-design guide (Art 25 GDPR)
- A pre-flight checklist for drone pilots
- A privacy code of conduct for drone operators and pilots
Combined, these resources will assist drone professionals to protect their business by ensuring they meet their legal obligations and preventing them from falling foul of Data Protection Authorities in their Member States. This is particularly important as GDPR fines can be up to up to €20 million or 4% of global turnover.
EASA has recognised the value of these DroneRules PRO materials and included them in their official guidance to assist the drone industry to meet their obligations under this new Regulation. Reference to the materials is included within the EASA-published Acceptable Means of Compliance (AMC) and Guidance Material (GM) to the Commission Implementing Regulation 2019/947. This publication combines guidance on the aviation-related requirements of the Regulation and guidance on privacy and data protection requirements.
DroneRules PRO is delighted with this take-up of taxpayer-funded materials produced within the project and we look forward to continuing to collaborate with the drone industry to support data protection compliance across all their activities.
For more information on our commitment to Privacy and Data Protection please visit our Data Protection and Cyber-Risk Service page and do not hesitate to contact our team for more information on this research area:
Rachel Finn, Senior Practice Manager & Head of Irish Operations
Panagiotis Loukinas, Research Analyst at Trilateral Research