There is no denying that the need to safeguard all individuals’ life, rights and interests is at an all-time high, particularly as the ability to cause harm through technical means has only grown as technology advances. That said, Law Enforcement Agencies (“LEAs”) also benefit from technological advancement, and alongside dedicated engineers, developers and other experts within the field, can use technology advancements to enhance the protection of human rights as long as the right balance is struck between safeguarding societal interests and the rights of the individual. This is no easy task to achieve.
One such example which seeks to confront this challenge is the recent developments in Unmanned Aerial Vehicle (“UAV”) technologies. These lightweight devices come with myriad opportunities, both for personal and enforcement purposes. The BorderUAS project (the “Project”) has zoned-in on the advantages which UAV technology can bring about for LEAs and other public authorities, in a bid to provide a holistic UAV surveillance approach integrating aerial and ground components using next generation sensors and technologies and developing a consistent platform used for daily border operations.
To achieve this goal, the Project brings together 17 organisations from 11 European countries, forming a multidisciplinary team to develop novel technologies with the aim of enhancing border and external security. Technological development must be considered in tandem with the broader legal implications, particularly those of privacy and data protection, and much focus is being given to these aspects throughout the lifespan of the Project.
The right to the protection of one’s privacy is a fundamental right. This right is founded upon the basis that every person should have the capacity to determine the use (or its restriction) of one’s personal information. Surveillance through UAV technologies may significantly impact one’s right to protect their personal data which in turn, may constitute a violation of their fundamental rights and freedoms. It is therefore essential that any form of technology – particularly those conducting surveillance operations which are covert in nature – adhere to the data protection laws, including Regulation 2016/679 (the “GDPR”). The GDPR should not however be seen as preventing the use of such technologies, but rather, fostering innovation and pushing creative boundaries to develop novel technology and conduct operations in a manner which both protects public safety and respects individuals’ fundamental rights.
The Project necessarily uses a significant amount of personal data in order to function. In particular, the innovative technologies of the Project will use ground-based infrastructure, innovative data models (to identify irregular crossing patterns and preferred routes) and advanced audio/video analytics and storage (to provide additional detection capabilities). Depending on the level of identification of the individual this data may also become classified as biometric data, which is defined as a special category of personal data which in turn, requires a higher degree of protection at law. This high-risk processing would trigger additional requirements which must be complied with under data protection law.
From a GDPR perspective, biometric data is defined “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images…”.
One such additional requirement which may be triggered when processing biometric data is found in Article 35 GDPR, which states that when processing – particularly through new technologies – is likely to result in a high risk to the rights and freedoms of natural persons (considering the nature, scope, context and purposes of processing), the controller (being the person that determines the means and purposes of processing the personal data) must carry out an data protection impact assessment to determine the likely impact of the envisaged processing operations on the protection of personal data.
The practical approach to mitigating such high risk is through the implementation of appropriate technical and organisational measures which are proportionate to the level of risk entailed. These include robust, state-of-the-art private encryption models which are engaged prior to the transmission of data. Additional measures include physical/virtual access control, authentication & authorisation control, transmission and disclosure control and change management & database security. From the organisational perspective, such measures include the implementation of internal policies such as data protection policies, access procedures, retention policies, and data breach notification procedures. Such internal policies should clearly allocate responsibilities for data transfers, reporting channels and standard operating procedures, particularly for cases of access requests from public authorities.
Further to the above, one must also consider the cross-border implications of how personal data is transferred. The GDPR imposes restrictions on the transfer of personal data outside the European Union or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined once the personal data leaves the EU. With that being said, the GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations.
In conclusion, the delicate balance between individual rights on the one hand, and the very real societal interest which LEAs face on the daily to protect society at large, is a topic which brings with it a lot of debate. The law applies indiscriminately to all persons, which although can prove challenging at times (to implement systems which are GDPR-compliant), gives rise to truly remarkable feats in overcoming these obstacles.