Drones and the End of Lockdown: How to balance surveillance with the right to privacy?
State surveillance has always been a globally controversial topic – and is more of a focus now than ever before as a result of the pandemic. Each country has their own method, and the framework and extent of monitoring by governments varies greatly depending on the jurisdiction concerned.
But, one recurring theme we have seen is the reconciliation of surveillance for global health purposes, and the right to privacy of individuals. This has perhaps been felt nowhere more than Europe, the privacy epicenter of the world and the birthplace of the GDPR.
Recently, Paris, amongst other French cities, has been the home of new drones introduced to monitor and break-up any mass gatherings in violation of isolation and lockdown measures. However, as France moves to its second phase of relaxing lockdown, this has been abruptly brought to a standstill, as French courts are trying to figure out how to manage this unprecedented situation and avoid the creation of a “Big Brother” state.
The call for surveillance to end “immediately” : a case study from Paris
On Monday 18 May 2020, the Conseil d’État ordered the Préfecture de Police to immediately stop the use of drones in the surveillance of Parisians. The Préfecture de Police had put in place drones in order to monitor the respect (or rather the lack of respect) of the strict confinement measures that have been placed on French citizens.
The Quadrature du Net and the Ligue des Droits de l’Homme, two organisations devoted to the protection of consumer privacy rights, had brought the case to the Tribunal administratif de Paris in order to stop such surveillance, which they argued breached data privacy laws. With this request having been rejected by the Tribunal, the two actors then appealed to the Conseil d’État, France’s highest administrative court.
At this stage, the juge des référés of the Conseil d’État, which allow for the adoption of temporary, yet urgent measures in cases of immediate threats to fundamental rights, ordered the State to immediately stop surveillance by drones. This is in place before a full judgment is given and for “as long as a ministerial order or decree has not been issued on the subject after consulting the CNIL, or for as long as the drones are not equipped with a device likely to make it impossible to identify the persons filmed”.
The data privacy issues at stake
Collection and processing of personal data
The judges highlighted the fact that the use of such drones involves the collection of data that can be used to identify individuals; thus, making it personal data under the definition accorded by Article 4 of the General Data Protection Regulation (Regulation (EU)2016/679) (hereafter the GDPR). As such, this data is subject to the protections accorded by this Regulation, as well as the Loi informatiques et libertés du 6 janvier 1978 (the French law on information technology and rights, as amended from time to time) and any guidance of the Commission nationale de l’informatique et des libertés (the CNIL), France’s supervisory data protection authority.
In the case mentioned above, it was found that these drones were not equipped with any technical device guaranteeing the confidentiality and anonymity of the data collected, but that the Préfecture de Police does indeed have an obligation, as data controller, to process the data collected in such a way as to “ensure appropriate security…by means of appropriate technical or organisational measures” as stated in Article 5(1)(f) of the GDPR.
To this end, it was noted that these drones lacked technical safeguards such as a full encryption of files, transforming them into text files and deleting the original copy, or other such technical measures, as required by Article 32 of the GDPR. In fact, at the time of writing, we have very little information on: (i) how such data is processed and stored; and (ii) the legal guarantees in terms of the purposes for which it is processed.
Furthermore, such personal data could easily fall under one of the special categories of data under Article 9 of the GDPR, namely biometric data, which is accorded a higher level of protection. However, not all facial images are automatically classed as biometric data – facial images only become biometric data if you “carry out specific technical processing, which usually involves using the image data to create an individual digital template or profile, which in turn you use for automated image matching and identification”. Therefore, the lack of knowledge on the details of such processing of data is a concern for data subjects and regulators alike.
However, the Préfecture de Police have indicated that their drones are solely used to identify mass public gatherings in contravention of the measures put in place, and not for tracking and identifying individuals. Furthermore, the Préfecture have stated that these drones are not even capable of capturing images as they do not have a memory card. But the Conseil d’État has stated that this is not satisfactory, as these cameras have an optical zoom function and therefore the capacity to be able to identify individuals.
Lawful bases
Aside from possible security breaches and/or failures to ensure adequate protection, the Préfecture de Police could nevertheless justify the use of such drones on the basis of the provisions of Article 6 of the GDPR concerning the lawfulness of the processing. Indeed, Article 6(1)(d) of the GDPR would authorise processing by the Prefecture where the processing is necessary for the protection of the vital interests of the data subject or of another natural person; whereas Article 6(1)(e) of the GDPR emphasises that such processing would be legitimate where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Clearly, in the context of the current pandemic, the Préfecture de Police has applicable legal bases to justify the processing operation. Likewise, in matters of sensitive data, and in particular the processing of biometric data, the Prefecture de Police could rely on the provisions of Article 9(2)(i) of the GDPR, in the sense that the processing carried out by the latter would be necessary for reasons of public interest in the field of public health.
Prior implementation of measures
Despite the urgency of the current situation, in order to secure the processing of personal data carried out by the use of drones, any data controller (including the Préfecture de Police) should ensure the conformity of its proposed processing, prior to any processing taking place. In addition to implementing appropriate security and confidentiality measures, it is necessary to ensure that relations with possible processors (e.g. the providers of drones, surveillance technology, tracking technology and any storage provider such as a cloud or integrated server) are well secured contractually in order to formalise the obligations and responsibilities of each party, in accordance with the provisions of Article 28 of the GDPR.
Similarly, when a processing operation involves the use of new technologies, or the processing of personal data will be carried out on a large scale on sensitive categories of data, or when it involves the systematic large-scale surveillance of an area accessible to the public, it is recommended that an impact assessment be carried out in order to better understand the issues at stake and the level of risk for the rights and freedoms of the natural persons concerned by the anticipated processing (Article 35 of the GDPR).
Where the controller finds that its anticipated processing would present a residual risk, Article 36 of the GDPR provides that it may consult its national supervisory authority, which in France is the CNIL and in the UK is the ICO, in order to seek advice on the compliance of the proposed processing operation.
The state of surveillance on a global scale
According to Technopolice, the French state now owns over 1,000 such drones after a tender was made in April for the order of 650 more, of which 565 were called “everyday drones”. The use of such drones has also been seen across the Channel in the UK, as well as a long-term use in China. Such mass tracking, and related data privacy concerns, have also arisen from new contact tracing apps, that are being developed and endorsed by the governments of each country.
Notably for the French version of the app, StopCovid, there was some controversy over the CNIL’s green light for the app to go ahead, when certain data privacy issues are still not clear. The protocol and source code used, called “ROBERT”, is available for inspection on Inria’s Gitlab, in order to allow for collaboration and transparency.
There are also debates about whether such apps should be centralised or decentralised – who should be in charge of the data, the functions, the processes? Google and the rest of the tech giants? Or the states themselves?
France and the UK are two countries who want to retain such control. Cedric Villani, a prominent French politician and mathematician who has been charged with transforming France’s tech regime by Macron, spoke at the Ordre des Avocats de Paris about how strong the debate surrounding privacy rights and surveillance has been in French policy.
He highlighted that whilst countries like South Korea have handled this pandemic with astonishing success, mostly down to their fast response, heightened surveillance and contact tracing, the truth is that such a model cannot simply be copy and pasted over to France due to legal and cultural differences.
To this end, can such surveillance techniques ever be reconciled with the right to privacy?
A huge part of this relates to the proportionality of the action (in this case the use of drones) to the purpose (to dissemble large groups of people not respecting instructions under the current state of emergency). The French government has to ensure that these measures are and will only be used for this purpose and only for the period necessary, i.e. until such social distancing measures need to be in place.
On top of this, they also need to implement technical and organisational measures in order to ensure that the processing of data through these drones is secure and in line with the provisions of the GDPR. This includes only processing data under one of the six lawful bases given in Article 6 of the GDPR (in this case public and vital interests), minimising the risk of data breaches, only retaining data where necessary, anonymising and pseudonymising data where possible, and ensuring that the number of people who can access the data is limited to those necessary to meet the purpose.
Like all processing of personal data, data subjects need to be informed of the processing and there need to be procedures in place so that data subjects can exercise their rights under the GDPR.
Nonetheless, the balance between surveillance that is required in order for us to beat this virus and the protection of our fundamental right to privacy is a difficult one to achieve. States will have to proceed with transparency and European values at the forefront of any future plans.
If you have specific questions regarding your personal data processing operations, or specifically biometric or facial recognition data, please do not hesitate to contact us.
Article by Komal Shemar @ Gerrish Legal, June 2020