The new European Union (EU) General Data Protection Regulation (GDPR) came into effect on May 25, 2018. This regulation, which is directly applicable across the EU Member States, applies to the collection, hosting, storage, use and other “processing” of personal data. The GDPR applies directly not just to companies in the EU, but also those outside of the EU to the extent that they offer goods or services (irrespective of whether a payment is required) to individuals in the EU or engage in monitoring the behavior of individuals located in the EU. The penalties for violating the GDPR are quite high, going up to 4% of the total worldwide annual turnover for the enterprise in the prior year or €20 million, whichever is greater. Operators, users, and manufacturers of unmanned aircraft systems (also known as “UAS” or “drones”) should be aware of the new EU requirements if they have operations or customers in the EU.
Drones provide an efficient means to take photographs and collect other information, which can trigger the GDPR—particularly if the information includes personal data on individuals. Industries such as agriculture, media, construction, mapping, and surveillance are using drone-based cameras and sensors to collect a large amount of data when operating, and therefore could be required to comply with the regulation. For example, a picture of an identifiable person is considered personal information under the GDPR, and photographers must handle that data according to the new regulation. Drone mapping and survey services may also collect personal data falling under the GDPR. Any organization taking photographs or collecting data involving EU individuals, should ensure it has taken appropriate steps to address its compliance obligations under GDPR.
While drone operators are the primary stakeholders responsible to comply with GDPR, drone manufacturers should also be aware of the new EU requirements and take appropriate steps to address any compliance obligations under GDPR that apply to them.
For more insights on the GDPR, read Baker McKenzie’s GDPR “Game Changers” report.