Wexford County Council has used drones to monitor lockdown compliance in private dwellings, holiday homes, and 68 caravan parks without carrying out a privacy assessment — which has 'stunned' a local data protection consultant.
The local authority had been carrying out the surveillance since at least early April, according to documents released under freedom of information legislation, with any allegedly pertinent information to be passed onto gardaí.
However, no Data Protection Impact Assessment (DPIA — a prerequisite under the EU’s General Data Protection Regulation for any project involving potential privacy implications) was carried out, while the county council appeared to be at a loss as to what legal basis it had for carrying out the surveillance.
The issue is the latest example of drone technology being used by Ireland’s local authorities with seemingly dubious legal pretexts, while an official complaint has now been made to the Data Protection Commission over the lack of a DPIA for the Wexford project.
In late April it emerged that Wexford County Council had redeployed its fleet of six UAV drones to monitor compliance with the movement restrictions put in place by the Taoiseach on March 27.
However, internal emails suggest that council officials were non-specific at best as to how their patrols had been GDPR compliant, with discussions as to how to conduct a DPIA carried out long after surveillance began.
Local authorities serve no law enforcement function here. Wexford County Council said it would not be in a position to answer queries regarding the surveillance until next week as “a number of staff who have been dealing with this issue are currently on leave”.
On April 27, after reports of the surveillance programme emerged in national media, a county council official wrote to his colleague to discuss what legal basis could be given for the project, saying “as a council the only basis that I believe we could possibly rely on for using drones in this manner would be the following...”.
He then cited a section of the 2018 Data Protection Act which details restrictions on the rights of data subjects for “important objectives of general public interest”.
However that section, numbered 60 (7) (a), has been dismissed by data protection experts as “not a lawful basis for processing data”.
Meanwhile, a communication from a senior scientist to the authority on the same date said he was “anticipating some public disquiet on what we are doing with the drones”.
“I have been aware of GDPR etc from the very beginning and this has been run strictly in accordance with its requirements,” he added, without adding specifics.
Privacy solicitor, Rossa McMahon, said: “It is surprising and disappointing that local authorities are continuing to experiment with highly invasive surveillance technology which, in reality, they have no need or legal basis for using, even when the Data Protection Commission is still investigating the use of CCTV and surveillance by county councils in Ireland.
It goes without saying that county councils are not policing authorities and have no role in enforcing the Covid-19 regulations.
Meanwhile, data protection consultant — and Wexford resident — Daragh O’Brien has filed a complaint to the DPC specifically “in respect of the failure of the county council to conduct a DPIA”.
“I am stunned that a local authority has not done a DPIA for the deployment of what amounts to a mass surveillance technology. It is not sufficient for their staff to ‘be aware of GDPR’ as one of the officials states in the correspondence released to me, they have to put it into practice,” he said.
At a council meeting on Apr 15, an official referred to his perceived public approval of the drone surveillance after he had “noted 1,700 likes on Twitter”.