Skip to the content

Key Data Privacy & Security Issues in the use of Drones

This is a guest post provided by Bristows LLP.

The uses to which drones can be put – from surveillance and photo-journalism to a range of leisure pursuits – is increasing exponentially. So too is the potential for drones to collect mass amounts of data about individuals and operators. This trend raises a number of data privacy and security concerns. If a drone operator collects, uses or stores personal data (i.e. information from which an individual can be indentified), it must comply with data privacy and security laws. A separate but related issue is that the types of communications data collected by drones might make operators and manufacturers subject to disclosure requirements under current and future investigatory powers laws. We touch on these key privacy and security aspects of the use of drones further in this post.


The UK Data Protection Act 1998 (“DPA”) applies to the processing (collecting, using, storing and disclosing) of personal information. Such processing must be ‘fair and lawful’, which means, among other things, that individuals whose data is being processed must be notified of the processing, the nature and purpose of the data being collected, and the identity of the data controller (i.e. the entity or person that decides how and why the personal data is processed, usually the drone operator).

Notifying people that you are going to collect and process their personal information via a drone may sometimes be difficult, particularly at large public events. However there are steps drone operators can take to try to achieve legal compliance. Making drones highly visible (e.g. with flashing lights or bright colours) would help alert the public to the presence of a drone. Individuals could also be notified through signposting or information leaflets in specified areas, or through social media. Notices should explain how individuals can exercise their rights in respect of any information collected about them. In certain circumstances, data controllers may require an individual’s consent before using a drone to collect their personal information.

Drone operators should be careful to only process the minimum types and amounts of personal information required for their intended purpose, and to retain such data no longer than necessary. Additionally, the DPA requires data controllers to have security measures in place to protect against unauthorised or unlawful processing and accidental loss or damage to personal information. Further, UK-based drone operators should be mindful that they must comply with the DPA even where they operate a drone outside of the UK.

In June 2015 the Article 29 Working Party (“WP29”) – the EU’s data privacy advisory board – issued its opinion on the use of drones. The opinion contains some helpful recommendations for drone operators and manufacturers seeking to ensure legal compliance, such as drones should be designed with privacy in mind to ensure legal compliance from day one (so-called “privacy by design”), and assessments should be carried out in the early development stages to evaluate the data privacy impact of the drone. The WP29 also suggests that drone operators adopt policies which explain how they will operate drones lawfully and responsibly. Drone operators who follow the WP29 guidance can generally expect to be compliant with data privacy laws as they apply to the use of drones.

In the near future we will see changes in data privacy law that drone operators processing personal information will need to be aware of. During 2018, the DPA will be replaced by the recently-published EU General Data Protection Regulation (“GDPR”). The GDPR aims to catch data privacy law up with current and emerging technologies including drones, and to give individuals greater control over the use of their personal information. In particular, drone operators should be mindful that the GDPR imposes significantly increased fines for data breaches and non-compliance.


Under the Regulation of Investigatory Powers Act 2000 (“RIPA”), law enforcement bodies (including the police and intelligence services) have rights to require a telecommunications operator to disclose certain communications data. The purposes for requiring disclosure are wide-ranging and include national security grounds, prevention/detection of crime, and public health and safety.

Depending on the circumstances, it may be that a drone operator constitutes a telecommunications operator for the purposes of RIPA. If so, it can be compelled to disclose information it has collected about individuals and their use of drones – such as telemetry information, geolocation, and time and date metadata – to a law enforcement body.

In November 2015, the government published the draft Investigatory Powers Bill (the so-called “snoopers charter”) which aims to update and replace existing laws governing the investigatory powers of the state, police and intelligence and security agencies. Once passed into law, drone operators are likely to have wider obligations with respect to storing information collected through drones and assisting the police and security services to combat threats to national security.


As indicated above, regulators of various types are making attempts to catch up with the pace of technological change. As drones come to feature more prominently in the public consciousness, it is likely that data privacy concerns will figure highly on the radar of regulators who may seek to enforce new data privacy laws strongly against drone operators who are not compliant. Similarly, as the types and breadth of data collected by drones increases, it is likely that security agencies will be keen to use new and existing powers to require operators to hand over data they may believe will help in tackling crime and terrorism.

Drone operators are advised to ‘watch this space’ as the law develops in this area, and the impact of their activities from a privacy and security perspective become better understood.

Altitude Angel

Altitude Angel

Altitude Angel is an award-winning provider of UTM (Unified Traffic Management) software, enabling those planning to operate, or develop UTM/U-Space solutions, to quickly integrate robust data and services with minimum effort.

From a consistent, well-documented and standards-based platform, drone manufacturers such as DJI and cutting-edge software developers around the world use our Developer Platform to obtain rich, relevant and local geofencing data, exchange and share flight plans, de-conflict their own flights in real-time and interface with national flight authorisation systems. A growing portfolio of enhanced capabilities help our customers to comply with current and future regulations and interface with changing national systems with only minimal effort.

Altitude Angel’s first party solutions also power some of the world’s leading ANSPs, aviation authorities and Enterprises, including LVNL (Netherlands) and Avinor (Norway), empowering them with new capabilities to safely manage and integrate drone traffic into national operations.

Today, Altitude Angel’s market-defining technology is providing a critical, enabling service on which the future of UTM, especially in controlled airspace, will be built across the globe.

By unlocking the potential of drones and helping national aviation authorities, ANSPs, developers and enterprise organisations, Altitude Angel is establishing new services to support the growth in the drone industry.

In 2021 Altitude Angel won a prestigious Air Traffic Management (ATM) Magazine Award in the ‘UTM Service Suppliers’ category, which recognises pioneering technologies and procedures developed by UTM service suppliers to advance safety and complex operations, for its Pop-Up UTM platform.  Read more about the awards here.

Altitude Angel was founded by Richard Parker in 2014 and is headquartered in Reading, UK.

Altitude Angel’s developer platform is open and available to all at


For further information please contact:

Stephen Farmer, Altitude Angel, Head of Corporate Communications & PR

+44 (0)118 391 3503

[email protected]