Privacy Law Implications of Unmanned Aerial Surveillance
Tags:Blog
There is no denying that the need to safeguard all individuals’ life, rights and interests is at an all-time high, particularly as the ability to cause harm through technical means has only grown as technology advances. That said, Law Enforcement Agencies (“LEAs”) also benefit from technological advancement, and alongside dedicated engineers, developers and other experts within the field, can use technology advancements to enhance the protection of human rights as long as the right balance is struck between safeguarding societal interests and the rights of the individual. This is no easy task to achieve.
One such example which seeks to confront this challenge is the recent developments in Unmanned Aerial Vehicle (“UAV”) technologies. These lightweight devices come with myriad opportunities, both for personal and enforcement purposes. The BorderUAS project (the “Project”) has zoned-in on the advantages which UAV technology can bring about for LEAs and other public authorities, in a bid to provide a holistic UAV surveillance approach integrating aerial and ground components using next generation sensors and technologies and developing a consistent platform used for daily border operations.
To achieve this goal, the Project brings together 17 organisations from 11 European countries, forming a multidisciplinary team to develop novel technologies with the aim of enhancing border and external security. Technological development must be considered in tandem with the broader legal implications, particularly those of privacy and data protection, and much focus is being given to these aspects throughout the lifespan of the Project.
The right to the protection of one’s privacy is a fundamental right. This right is founded upon the basis that every person should have the capacity to determine the use (or its restriction) of one’s personal information. Surveillance through UAV technologies may significantly impact one’s right to protect their personal data which in turn, may constitute a violation of their fundamental rights and freedoms. It is therefore essential that any form of technology – particularly those conducting surveillance operations which are covert in nature – adhere to the data protection laws, including Regulation 2016/679 (the “GDPR”). The GDPR should not however be seen as preventing the use of such technologies, but rather, fostering innovation and pushing creative boundaries to develop novel technology and conduct operations in a manner which both protects public safety and respects individuals’ fundamental rights.
The Project necessarily uses a significant amount of personal data in order to function. In particular, the innovative technologies of the Project will use ground-based infrastructure, innovative data models (to identify irregular crossing patterns and preferred routes) and advanced audio/video analytics and storage (to provide additional detection capabilities). Depending on the level of identification of the individual this data may also become classified as biometric data, which is defined as a special category of personal data which in turn, requires a higher degree of protection at law. This high-risk processing would trigger additional requirements which must be complied with under data protection law.
From a GDPR perspective, biometric data is defined “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images…”.
One such additional requirement which may be triggered when processing biometric data is found in Article 35 GDPR, which states that when processing – particularly through new technologies – is likely to result in a high risk to the rights and freedoms of natural persons (considering the nature, scope, context and purposes of processing), the controller (being the person that determines the means and purposes of processing the personal data) must carry out an data protection impact assessment to determine the likely impact of the envisaged processing operations on the protection of personal data.
The practical approach to mitigating such high risk is through the implementation of appropriate technical and organisational measures which are proportionate to the level of risk entailed. These include robust, state-of-the-art private encryption models which are engaged prior to the transmission of data. Additional measures include physical/virtual access control, authentication & authorisation control, transmission and disclosure control and change management & database security. From the organisational perspective, such measures include the implementation of internal policies such as data protection policies, access procedures, retention policies, and data breach notification procedures. Such internal policies should clearly allocate responsibilities for data transfers, reporting channels and standard operating procedures, particularly for cases of access requests from public authorities.
Further to the above, one must also consider the cross-border implications of how personal data is transferred. The GDPR imposes restrictions on the transfer of personal data outside the European Union or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined once the personal data leaves the EU. With that being said, the GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations.
In conclusion, the delicate balance between individual rights on the one hand, and the very real societal interest which LEAs face on the daily to protect society at large, is a topic which brings with it a lot of debate. The law applies indiscriminately to all persons, which although can prove challenging at times (to implement systems which are GDPR-compliant), gives rise to truly remarkable feats in overcoming these obstacles.
The BorderUAS website https://borderuas.eu/ is owned by the BorderUAS Consortium and managed by the Center for Security Studies (KEMEA), as a Consortium member.
BorderUAS is a research project that has received funding from the European Union’s Horizon 2020 – Research and Innovation Framework Programme, SU-BES02-2018-2019-2020– Technologies to enhance border and external security, under grant agreement no. 883272. The project started on June 2020 and ends in June 2023. The BorderUAS’ consortium consists of 19 partners from academia and industry, as well as public bodies. The present website is part of the dissemination and communication activities undertaken by the BorderUAS consortium within the aim to successfully communicate its research output on a rather innovative topic to a wider public and facilitate the creation of synergies with interested stakeholders.
This Website can provide all (hereafter referred to as ‘users’/‘visitors’) with information, participation, content delivery or content collection services regarding the project BorderUAS, under the terms of use included in this document.
Website is the sole responsibility of the Parties of the Consortium and cannot be considered to reflect the views of the European Commission. The use / visit of this website and / or its services is provided under the unconditional acceptance of the terms of use described herein. Navigating through this website, staying on this website, creating links to it (URL) or to its files / services, archiving / bookmarking it, constitute acceptance of its terms of use.
The use of the Website must be conducted solely under legitimate purposes and in a manner that does not restrict or impede its use by third parties. The user / visitor of this Website is obligated to use it in accordance with the law and the present terms of use. The user / visitor of the Website shall not commit any acts or omissions that may cause damage or malfunction and may adversely affect or endanger the provision of services provided through the Website to citizens.
The content of the Website, including (indicatively and not exhaustively) texts, graphics, images, videos, sounds, services, etc. (hereafter referred to as ‘Content’) is legally protected under Intellectual Property Rights Law and we reserve all rights of use and ownership of the Content, all copies created based on it, as well as all intellectual property rights and all other property rights pertaining to it.
We use all endeavours to ensure that the information and content that appears on the Website is as accurate, true and up to date as possible. It also provides the content (e.g. information, names, photographs, pictures, images, data, etc.) and the services made available through the Website ‘AS IS’. Under no circumstances, can we be held liable for any legal claims, civil or criminal or damages of any kind (direct loss, special damage or indirect loss) to the user / visitor of this website.
The Website may contain links to third party websites for the sole purpose of providing information to the user / visitor. The referral to links belonging to third-party websites does not constitute an endorsement of their views and actions or the acceptance of the content they express, publish or post. Third-parties -owners of the websites/responsible under the law- are solely responsible for the content of their websites or for any damage that may result from their We make all efforts to ensure the proper function of our network but we do not guarantee that our server operations will be uninterrupted or error-free, free from viruses, malicious software or other similar elements.
The terms and conditions of use of this website, as well as any amendment thereof, are governed by and supplemented by national and European law and the applicable international treaties. Any provision of these terms which is found to be against the above legal framework or is rendered invalid ceases to be valid and enforceable and shall be withdrawn from the present terms, without in any way undermining the validity of the remaining terms.
The terms and conditions of use of this Website constitute the overall agreement between the Consortium and the users / visitors of its webpages and services and bind solely them. No modification of the terms of use is taken into account and is part of this agreement, unless it is expressed in writing and is incorporated in the present Terms of Use. Unless otherwise stated on this Website, the above terms of use are immediately applicable in their entirety. We unilaterally reserve the right to modify, add, alter the content or services of the Website and its terms of use, whenever it deems necessary, without prior notice, through this website, always within the legal framework in force.
The website is uploaded on Plesk platform. Plesk is a privately-owned corporation headquartered in Schaffhausen, Switzerland, a country which has an adequacy decision by European Commission for protection of personal data. You can read the privacy policy of Plesk here.
You may access the website https://borderuas.eu/ without having to disclose any data about your person. Nevertheless, the installed browser on your device sends automatically information to the server of the BorderUAS website, including information about your browser type and version, as well as the date and time of access, so as to establish a connection and permit your access to the website.
We use cookies and analytics services to maintain and monitor the performance of the BorderUAS website and to optimize our services, as well as to receive aggregate data that we can use in our dissemination reports for the European Commission.
Cookies are data files that are transferred from a web server to the Website visitor’s computer, in order to keep statistics and to provide the best experience to the visitor -strictly necessary and functional cookies. Cookies are an industry standard used by most websites to facilitate the user’s repeated access to a website and its use through the personalisation of the service provided as they can store the personal choices of the user. Cookies are not harmful to the user’s computer system or its files, and apart from the user himself, only the website from which a particular cookie has been transferred to his or her computer can read, modify it or delete it.
If the user / visitor does not wish his or her information to be collected through cookies, he or she can use the “reject” option on banner. It should be noted, however, that discarding cookies may result in making it more difficult or impossible to use certain parts of the Website, and / or that there is a change in its intended appearance and operation, as a permanent connection will be required. At all events, the user/ visitor can manage the collection of any cookies through the website’s settings.
We may also use reCAPTCHA, a free service provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (Google). This tool, which may have different forms, helps protect websites from spam, malicious behavior and abuse, by checking whether the data entered on the website (for instance, via a contact form) is being entered by a human or by a bot, i.e. an automated program. This determination occurs based on the monitoring and analysis of the behavior of the website visitor. The collected data, which include user and browser information, such as cookies placed by Google, the number of clicks you have made on that screen and installed browser plug-ins, are forwarded to Google and stored in servers in USA. Data processing for the version of reCAPTCHA used by our website (reCAPTCHA v2 – “I am not a robot” sign and ticking box) is based on your consent under Art. 6 (1) (a) GDPR.
We shall contain such data in hardcopy and electronic files and / or databases in full compliance with data protection legislation, including security and confidentiality requirements based on the principles of good practice, proportionality and transparency regarding processing.
The BorderUAS website may use Google Analytics. Google Analytics is a free web analytics service offered by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (Google). Its purpose is to monitor, keep record of website traffic and report website usage statistics. You can read in detail how Google processes your data when you use sites or apps, which employ Google Analytics tools here.
The BorderUAS website may use Google Analytics exclusively with the extension “_anonymizeIp()”, which ensures an anonymization of the IP address by shortening it. The IP address sent from your browser is not merged with other data by Google.
Please, note that you will be asked to consent on the use and storage of these cookies .
The present data protection policy clarifies in a layered manner the processing of personal information of visitors of the BorderUAS’ website. The data processing on the BorderUAS website is pursuant to Regulation (EU) 2016/679 (General Data Protection Regulation), Greek Law 4624/2019 on the protection of personal data and any other applicable law.
The Data Controller is the Center for Security Studies (KEMEA) with offices in Athens, at P. Kanellopoulou str., 4, 10177 Greece. The Data Controller can be contacted by writing to the address above or by sending an e-mail message to kemea@kemea.gr , or by calling at Telephone: +30 2107710805 or sending a Fax at Fax number: +30 211 100 4499.
KEMEA’s Data Protection Officer may be reached at dpo@kemea-research.gryou have any question about the processing of your data when using the BorderUAS website or you wish to exercise any of your rights as data subject.
3.1. When visiting the BorderUAS website
The IT systems and applications designated for the operation of this Website detect, during the course of their ordinary operation, certain data – the transmission of which is implicit in the use of Internet communication protocols – not associated with directly identifiable users.
The data collected may include cookies, IP addresses of computers used by Users connecting to the site, the URI – Uniform Resource Identifier – addresses of the resources requested, the time of the request, the method used to send the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response from the server (completed successfully, error, etc.) and other parameters relating to the operating system and the user’s IT environment.
3.2. When filing a question/request via our contact form
Other personal data collected are those provided by the user/visitor when corresponding with the e-mail addresses indicated on our Site or when filling our online contact form or registering on the Site (providing e.g. Name, Surname, Username, password, e-mail address, Institution/Body etc.).
The sending of personal, non-mandatory data also by email on an optional, explicit and voluntary basis to the addresses indicated on this website means that the address of the sender is then acquired, this being necessary in order to respond to the request, together with any other personal data included in the message.
The personal data of the user/ visitor are processed for the following purposes:
The data processing takes place according to article 6(1)(a) GDPR, your informed consent. You may withdraw your consent at any time with future effect, by sending an informal email to dpo@kemea-research,gr. We may also process personal data based on art. 6(1)(c), when the processing is necessary for our compliance with a legal obligation.
Data recipients for:
The Consortium shall not disclose, assign, exchange, grant or otherwise dispose, without the consent of the user / visitor, to third parties, natural or legal persons, personal data other than the cases mentioned above within the scope of national laws provisions.
No transfer to non- EU countries/ international organizations is foreseen.
You have the following rights:
If you wish to exercise any of your rights, you may contact us via e-mail at dpo@kemea-research.gr.
Your personal data is retained only for as long as it is necessary to fulfil the purposes described above, and they will not be retained more than 5 years after the end of the project, unless a longer retention period is required by legal obligations or regulations.
Your personal data are processed by electronic means in compliance with the provisions of art. 32 of GDPR 2016/679, national law and in compliance with the principles of data’s confidentiality, integrity, and availability. Your personal data are transferred in an encoded manner using the widely used and secure TLS (Transport Layer Security) encryption standard. You will recognise a secure TLS connection by the additional “s” after “http” (i.e., https://..) in the address bar of your browser or from the lock icon. Moreover, we use suitable technical and organizational measures, which are being continuously enhanced, to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties.
This data protection policy is effective as of September 2020.
We keep our Data Protection Policy under regular review to make sure it is up to date and precise. Thus, it may become necessary to change it due to the potential addition of new features to the BorderUAS website or due to further legal requirements. You can have access to the latest data protection information on the BorderUAS website at “permanent link of data protection policy”.
Strictly Necessary - Essential Cookie should be enabled at all times so that we can save your preferences for cookie settings.
Name | Purpose | Expiration |
moove_gdpr_popup | This Cookie is used to save your Cookies Setting Preferences. | 1 year |
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
Advertising services are not used by BorderUAS website. This website uses Matomo Analytics to gain in-depth knowledge of the audience by collecting anonymous information such as the number of visitors to the site or to the most popular pages, the number of downloads for specific material, etc.
Please enable Strictly Necessary Cookies first so that we can save your preferences!