Inquiry into Remotely Piloted Aircraft Systems (RPAS), Unmanned Aerial Systems (UAS) and associated systems — submission to the Senate Standing Committees on Rural and Regional Affairs and Transport

1 January 2017

Our reference: D2016/009340

Dr Jane Thomson
Committee Secretary
Senate Standing Committees on Rural and Regional Affairs and Transport
PO Box 6100
Parliament House
Canberra ACT 2600

Via email: rrat.sen@aph.gov.au

Dear Dr Thomson

Submission to the Inquiry into Remotely Piloted Aircraft Systems (RPAS), Unmanned Aerial Systems (UAS) and associated systems

I welcome the opportunity to provide the Senate Rural and Regional Affairs and Transport References Committee (the Committee) with this submission to the Inquiry into Remotely Piloted Aircraft Systems (RPAS), Unmanned Aerial Systems (UAS) and associated systems, which I refer to in this submission as ‘drones’.

The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth statutory agency. The OAIC was established by the Australian Parliament to bring together three functions:

  • privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Privacy Act), and other Acts)
  • freedom of information functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982), and
  • information management functions (as set out in the Information Commissioner Act 2010).

Summary of the OAIC’s comments

The application of sophisticated drone technology raises some potential privacy issues that need to be addressed if the social and economic potential of drone technology is to be realised.

In certain circumstances existing privacy laws can provide protection for individuals from interferences with their privacy involving drone use. To the extent possible, I support regulating drones through principles-based and universally applicable law, as this accommodates changes to technology and provides consistency across industries and technologies. In that respect, the Australian Privacy Principles (APPs) in the Privacy Act provide a principles-based approach that is flexible, technology neutral, and promotes national consistency of regulation by providing a minimum set of standards that are applicable to both federal government agencies and the private sector. The APPs regulate the collection, use, disclosure, security and handling of personal information.

However, there are limitations to the application of the Privacy Act in the context of the regulation of drones. The Privacy Act only regulates a defined group of entities known as ‘APP entities’, which include Australian government agencies and many, but not all, private sector organisations.[1] The Privacy Act does not generally regulate the actions of individuals in their private capacity or certain small business operators. In addition, the Privacy Act is primarily concerned with protecting the appropriate handling of ‘personal information’ contained in a record.[2] There are also differences in the protections afforded across States and Territories.

In February 2014, I appeared before the Standing Committee on Social Policy and Legal Affairs to give evidence at the Committee’s Roundtable on Drones and Privacy. Chapter 4 of that Committee’s subsequent report Eyes in the sky contains information on privacy issues that arise in the context of drones and makes a number of recommendations.[3] The issues considered regarding the extent to which current Federal, State and Territory privacy, surveillance, and criminal laws provide comprehensive protections which meet the risks and benefits of developing drone technologies and applications remain apt.

Since the Eyes in the sky report there has been further consideration of this issue. More broadly, the Australian Law Reform Commission’s report Serious Invasions of Privacy in the Digital Era recommended the creation of a statutory cause of action for serious invasion of privacy to be enacted by the Australian government through an Act.[4] I see merit in the extension of privacy law to cover the actions of individuals where there is a serious invasion of privacy. However, in my submission to the ALRC’s discussion paper, I put the view that addressing serious privacy invasion would be most effectively achieved by amending the existing privacy regulatory framework in the Privacy Act to extend the complaint framework in that Act to cover serious invasions of privacy.[5]

A further development is that in March 2014 the Privacy Act was amended to allow me to register an APP code. Under the Privacy Act, I am able to register APP codes that apply to APP entities that use technology of a specified kind (s 26C (4)(d)).[6] A registered APP code would be a binding legislative instrument that could provide industry already covered by the Privacy Act with additional rules for handling personal information. An option would be to develop such a code in the context of drone use.

There are also other mechanisms which could be considered to improve privacy protections. For example, the aviation industry could look to embed operating practices that focus on privacy in drone training and licensing. The OAIC would be pleased to assist in this by providing guidance about how the APPs can apply as a practical, technologically-neutral model for industry guidance on privacy and drones. My office recently worked with CASA to update information on its website about privacy and drones in the context of complaint handling.[7]

I expand on these comments below against the Inquiry’s terms of reference.

The existing industry and likely future social and economic impact of RPAS technology

The experience of my Office and community research shows[8] that people are displaying an increasing level of awareness and concern about privacy issues. Rapidly changing technology often reinforces these concerns. Unless people feel there is transparency in the collection and use of their personal information and that their privacy rights are being respected, there is a risk that a lack of community acceptance will undermine the application of new technologies.

The OAIC’s experience in responding to privacy inquiries and complaints demonstrates that individuals consistently expect a measure of privacy protection regarding the application of new and developing technologies.

However, the OAIC also recognises that drones are increasingly relevant to business, government and individuals both directly and indirectly. Goldman Sachs recently forecast that drone technology and its applications will represent a global US$100 billion market opportunity between 2016 and 2020; and that Australia’s drone spending will be an estimated US$3.1 billion between 2017 and 2021.[9]

Drones also play an increasingly important role in community safety in areas such as monitoring surfing beaches and as a tool in search and rescue operations.

Along with the benefits of drone technology, drones also present a risk to Australians’ privacy given their capacity to easily intrude on a person’s privacy. Privacy risks presented by drone use range from inadvertent privacy breaches through the collection of personal information such as photographs of individuals and their activities, to potential conduct that meets criminal offence thresholds such as stalking.

The international regulatory/governance environment for RPAS technology and its comparison to Australian regulation

Overseas regulators face similar challenges to Australian regulators regarding privacy protection and drone use. In general, the approach of many other jurisdictions is for civil aviation regulators to regulate commercial operators through legislative mechanisms and to issue best practice guidance for recreational users.[10] In Australia, I understand CASA is responsible for the regulation of commercial drone operators similar to other jurisdictions, and it has some rules for recreational aircraft but those rules do not cover privacy issues.

The European Aviation Safety Agency (EASA) is currently reviewing the European regulatory environment for drone operations.[11] I understand that EASA proposes developing a regulatory framework for all drones that includes minimum requirements for all drone operators to comply with ‘applicable regulations, in particular those related to security, privacy and data protection...’[12]

In the United States, the National Telecommunications and Information Administration (NTIA) recently released voluntary guidelines for drone use.[13] The guidelines encourage operators to use the technology ‘in a responsible, ethical and respectful way’, that includes ‘a commitment to transparency, privacy and accountability’.[14]

Key best practices from the NTIA guidelines that apply to drone operators include:

  • Where practicable make a reasonable effort to provide prior notice that personal data may be collected, including the general timeframe for collection.
  • Have a publicly available privacy policy where personal data is collected.
  • Avoid data collection in the absence of consent or unless there is a compelling need where the operator knows the data subject has a reasonable expectation of privacy, and avoid the persistent and continuous collection of data about individuals.
  • Limit the use and sharing of personal data.
  • Protect the security of data collected, appropriate to the size and complexity of the operator, the nature and scope of its activities, and the sensitivity of the data.

The NTIA best practice principles are similar to a number of the APPs.

The relationship between aviation safety and other regulation of RPAS for example, regulation by state and local government agencies on public safety, security and privacy grounds

The Privacy Act and other State and Territory privacy laws provide protections for personal information about individuals. In relation to drone technology, the Privacy Act, and its State and Territory equivalents where they exist, are applicable to the handling of personal information that may be collected by drones (in respect of the activities these laws regulate).

The primary challenge for protecting privacy regarding drone use lies in the confined scope of existing Federal and State privacy laws. The Privacy Act regulates acts and practices of Australian government agencies and private sector organisations; however, some small business operators and individuals are generally exempt from the Privacy Act.[15] State-based information privacy laws generally regulate State government agencies only.[16]

To address the gaps in privacy protections in Australia, the ALRC recommended the creation of a statutory cause of action for serious invasion of privacy to be enacted by the Australian government through an Act.[17] The ALRC recommended that the tort address both types of invasions of privacy: intrusion of seclusion and misuse of personal information.[18]

The ALRC report Serious Invasions of Privacy in the Digital Era outlines that there is a patchwork of privacy legislation in Australia, including jurisdictional inconsistencies and limitations, and the legal distinction between physical invasions of privacy and the misuse of personal information.[19] The fractured nature of privacy protections in relation to drone use in Australia is well canvassed in the House of Representatives Standing Committee on Social Policy and Legal Affairs Committee’s final report, Eyes in the sky: Inquiry into drones and the regulation of air safety and privacy.[20]

The regulation of physical invasions of privacy includes surveillance, trespass, and nuisance laws. The Surveillance Devices Act 2004 (Cth) and some State-based surveillance laws regulate the use of surveillance devices by law enforcement agencies and others, although these laws may be limited in their application to drone technology.[21] Some State and Federal criminal laws extend to some egregious practices that meet criminal offence thresholds.

Current and future options for improving regulatory compliance, public safety and national security through education, professional standards, training, insurance and enforcement

The OAIC supports a practical, priority-based approach to protecting the privacy of individuals in relation to drone use. While the OAIC supports efforts to ensure that appropriate civil and criminal remedies are available to individuals who are subject to privacy-invasive drone use (as outlined above), my office also encourages improvements through training requirements and licensing, supported by best practice principles.

Educating drone manufacturers and users about best practice privacy principles and responsible drone use is an important step towards regulatory compliance as the legislative framework develops. I encourage the aviation industry to include a focus on privacy in drone training and licensing requirements. The OAIC would be pleased to support industry to develop best practice guidance and drone operation requirements.

The Eyes in the sky report recommended that CASA support industry by providing information about Australia’s privacy laws.[22] The OAIC has recently worked with CASA to update its website, including clarifying CASA and the OAIC’s roles in relation to privacy and drones.[23]

To the extent that the use of drones requires more specific regulation, one option could be to develop an APP code under the Privacy Act. Under the Privacy Act, I am able to register APP codes that apply to APP entities that use technology of a specified kind (s 26C (4)(d)).[24] A registered APP code would be a binding legislative instrument that could provide industry with additional rules for handling personal information in the context of drone use.

Such a code could, for example, include factors such as those covered in the NTIA best practice principles discussed earlier. It is also important to point out that any entity covered by such a code would be subject to all the regulatory powers available to me in the Privacy Act in the event of any non-compliance with the code.

While compliance with an APP code would only be an obligation for APP entities, it could provide best privacy practice guidance applicable to all drone users, including recreational drone users, support existing training and licensing requirements, and mitigate against existing limited privacy protections.

If you would like to discuss any of the comments above or have any questions, please contact Jacob Suidgeest on [contact details removed].

Yours sincerely

Timothy Pilgrim
Australian Information Commissioner
Australian Privacy Commissioner

January 2017

Footnotes

[1] See How do I know if my small business is covered by the Privacy Act? for more information about coverage and small business.

[2] See section 6 of the Privacy Act 1988 (Collects, Personal Information, and Record)

[3] See House of Representatives Standing Committee on Social Policy and Legal Affairs, Eyes in the Sky: Final Report (14 July 2014)

[4] Recommendations 4, ALRC, Serious Invasions of Privacy in the Digital Era: Final Report, ALRC Report 123 (June 2014)

[5] See OAIC, Submission to the ALRC on Discussion Paper 80: Serious invasions of privacy in the digital era

[6] See Division 2 of the Privacy Act 1988 (Registered APP codes) for more information on APP Codes and the registration process.

[7] See ‘Report unsafe operation of drones and remotely piloted aircraft’ and ‘Flying drones/remotely piloted aircraft in Australia’.

[8] Community Attitudes to Privacy survey, a longitudinal survey into community attitudes to privacy run by the OAIC, with the most recent survey conducted in 2013.

[9] Goldman Sachs, Technology Driving Innovation: Drones (infographic).

[10] The US, Europe, NZ, Canada, and the UK appear to be adopting models similar to this approach.

[11] See the EASA website for the current status of the European review

[12] EASA Commission Regulation on Unmanned Aircraft Operations (Prototype) and Explanatory Note (released August 2016), page 6.

[13] NTIA, Voluntary Best Practices for UAS Privacy, Transparency and Accountability (consultation draft).

[14] NTIA, Voluntary Best Practices for UAS Privacy, Transparency and Accountability, page 2.

[15] See section 6D of the Privacy Act 1988 (Small business and small business operators).

[16] See Chapter 4, House of Representatives Standing Committee on Social Policy and Legal Affairs, Report: Eyes in the Sky.

[17] Recommendations 4, ALRC, Serious Invasions of Privacy in the Digital Era: Final Report.

[18] Recommendations 5, ALRC, Serious Invasions of Privacy in the Digital Era: Final Report.

[19] ALRC, Serious Invasions of Privacy in the Digital Era: Final Report.

[20] See Chapter 4, House of Representatives Standing Committee on Social Policy and Legal Affairs, Eyes in the sky: Final Report.

[21] For detail on Australia’s various State and Federal surveillance laws refer to Catherine Smith, Assistant Secretary, Telecommunications and Surveillance Law Branch, Attorney-General’s Department response to Questions taken on notice at the 20 March 2014 House of Representatives Standing Committee on Social Policy and Legal Affairs Roundtable on Drones and Privacy [PDF].

[22] See Recommendation 2, House of Representatives Standing Committee on Social Policy and Legal Affairs, Eyes in the Sky: Final Report.

[23] See ‘Report unsafe operation of drones and remotely piloted aircraft’.

[24] See Division 2 of the Privacy Act 1988 (Registered APP codes) for more information on APP Codes and the registration process.
