The Data Protection Commission has ruled that Wexford County Council failed to adhere to the law by using drones to monitor public movement during the Covid-19 lockdown.
The ruling sets a noteworthy precedent, given the prevalence of drone use by Irish local authorities, that any such use of unmanned aerial technology is answerable to data protection law and the EU’s General Data Protection Regulation (GDPR).
It emerged in April of this year that the Wexford council had been redeploying its UAV drones from monitoring of illegal dumping to surveillance of caravan parks and holiday homes.
That move was designed to ensure compliance with the Covid-19 travel limits of two kilometres that were in place at the time.
However, when it became clear that no data protection impact assessment (DPIA), a prerequisite for any project likely to have privacy implications under GDPR, had been carried out prior to the project’s start, a complaint was lodged with the DPC against the council by local data protection consultant Daragh O’Brien.
In its investigation the Commission learned that 13 hours of drone footage had been captured by the county council between April 10 and 29, relating to drone observations of beaches, caravan parks, and holiday home estates.
The local authority had told the DPC that it had no case to answer as any people or vehicles filmed were unidentifiable.
“Images captured were distant and of low image quality and thus did not contain any personal identifiable information,” the council said in its submission to the DPC.
“As there was no personal data captured in the drone deployment, it is the Council’s view that no data processing took place.”
The DPC said that it was satisfied however that the use of the drones fell under the law enforcement provisions of the Data Protection Act 2018.
"While the commissioner, having examined the drone footage available, agreed that the captured film by design did not contain any personal or vehicle registration data, it said that a DPIA should still have been carried out.
“The DPC considers that the drones deployed by WCC constituted a system carrying out surveillance which had the potential to collect personal data and therefore a DPIA should have been carried out by WCC prior to the drones being deployed,” Eunice Delaney, assistant commissioner, said in her ruling.
However, she said that, given the county council had moved to amend its drone policy so that a DPIA will be carried out before the future purchase or use of drones, and given that no identifiable footage had been recorded, no further action would be taken.
Wexford County Council could have stood liable for a heavy fine for the GDPR breach.
However, in the two years since GDPR first went live, the DPC has only applied two fines - both to child and family agency Tusla.
:: This article was updated as an earlier version mistakenly displayed an image of a Manna drone. Manna drones do not have surveillance capability and are not used to record data on people.