The data collection capabilities of drones are unprecedented. Cameras and imaging payloads can capture and transmit data and high-resolution images, enabling drone operators to identify and track people and vehicles. Further, drones with radiocommunication payloads can potentially intercept communications or collect data from Wi-Fi access points.
These capabilities raise new and difficult privacy challenges, including:
- Identifying when information captured by drones, alone or in combination with other information, is “personal information” (as defined by the relevant legislation);
- Obtaining meaningful consent from data subjects where necessary;
- Informing individuals about the collection, use and disclosure of their personal information, and ensuring that drone operators remain accountable for their practices; and
- Limiting collection and reducing the potential for indiscriminate over-collection of personal information.
Canada’s privacy laws apply to commercial and recreational drone operators alike, and should be considered before all operations. This article focuses on the central privacy concerns for commercial operators, and discusses: i) the most relevant privacy legislation for drone operators; ii) the most common privacy torts committed by drone operators; and iii) best practices to avoid breaches of privacy.
Relevant law – PIPEDA
In Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA), as well as substantially similar provincial legislation in the provinces of British Columbia, Alberta and Québec, establish rules on how private-sector organizations may collect, use or disclose “personal information” in the course of commercial activities.
What constitutes “personal information”?
One important threshold issue is whether information and data collected by drones is “personal information.” “Personal information” is information about an identified or identifiable individual, either alone or in combination with other information. For example, a grainy image of a vehicle captured by a drone may not constitute “personal information” on its own. However, if the drone captures the same vehicle parked in a driveway of a house overnight and then at an office building during the day, all of the information can be combined to identify the vehicle’s owner and track the owner’s movements, thereby constituting “personal information.”
PIPEDA’s 10 principles
Every organization subject to PIPEDA must comply with 10 principles. The most notable principles for commercial drone operators are:
- Accountability: An organization is accountable for personal information under its control, and must implement a governance structure and privacy policies to demonstrate compliance with privacy law;
- Consent: Consent (express or implied) of an individual is required to collect personal information. Whether consent be express or implied depends on the sensitivity of the information, the reasonable expectations of the individual in the circumstances and the risk of harm. Consent must be informed, free and meaningful;
- Limiting collection: An organization cannot collect information beyond what it needs to provide the goods or services offered;
- Safeguards: Personal information must be protected by security safeguards at a level appropriate to its sensitivity;
- Openness: An organization must proactively make available its policies and procedures on information management in clear and accessible language;
- Individual access: Individuals have the right to obtain access to their personal information upon request; and
- Remedies: Individuals must have recourse to complain about compliance concerns.
In Canada, statutory torts and common law torts are available for breaches of privacy by individuals and organizations. In tort law, an individual can launch an action in court to obtain a civil remedy, such as damages, against the person who committed the act or omission (e.g., an invasion of privacy).
Certain provinces have established a statutory tort for the invasion of privacy, which allows an individual to bring a civil action for improper access to or use of personal information. For example, under the Privacy Act in British Columbia, an individual has a right to sue for invasion of privacy. It is a tort for a person to use the portrait (or image) of another for commercial purposes without consent.
Individuals can also use common law torts to seek redress for breaches of privacy. This includes the tort of “intrusion upon seclusion” and the novel tort for “disclosure of private facts.” These torts and others (such as the tort of trespass) are potentially available to individuals who have their privacy invaded by drones.
The tort of intrusion upon seclusion may occur where:
- The drone operator’s conduct was intentional (including recklessness);
- The drone operator invaded, without lawful justification, the plaintiff’s private affairs or concerns; and
- A reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish.
The tort of disclosure of private facts may occur where:
- The drone operator publicized an aspect of the plaintiff’s private life;
- The plaintiff did not consent to the publication;
- The matter publicized or its publication would be highly offensive to a reasonable person; and
- The publication was not of legitimate concern to the public.
There are no reported court cases in Canada alleging that a drone operator committed any of these privacy torts. When one does occur, the accused drone operator will be well advised to follow certain best practices of operations to avoid committing privacy breaches.
Steps to avoid privacy breaches
The following are actions that drone operators can take to limit the risk of breaching privacy laws or privacy rights of individuals in the course of their operations:
- Restrict the use of drones in privacy-sensitive areas (e.g., residential areas, schoolyards, shelters, hospitals);
- Inform the nearby public of the presence of drones and the types of operations;
- Use blurring technologies for faces and vehicle license plates when collected;
- Implement a mechanism to allow individuals to request that their images be blocked or taken down (e.g., for images that are posted online);
- Limit collection and retention of information that identifies a person (referenced above as “personal information”) to only what is necessary for the operator’s commercial purposes;
- Ensure appropriate security measures for data collected; and
- Institute mandatory privacy training for employee drone operators.