On 29 March, the Hong Kong Privacy Commissioner for Personal Data (the “Commissioner”) published a guidance note that supplements previous guidance on the use of closed circuit television systems and for the first time addresses the increasing use of unmanned aircraft systems (UAS, or, more popularly, drones). The Commissioner’s guidance is the first significant regulatory engagement on the use of UAS by a Hong Kong regulator.
The guidance is timely, as the potential commercial applications for UAS are now becoming more fully understood and are clearly vast, ranging from infrastructure maintenance, crop management and security through to the more headline catching possibilities of delivery of consumer products to your doorstep.
The Consumer Electronics Association forecasts the global market for consumer UAS will approach US$300 million by 2018 on factory-to-dealer sales of just under a million units, up from an anticipated US$84 million in global revenues on sales of 250,000 units in 2014.
Earlier this year, the e-commerce giant Alibaba announced the launch of commercial UAS delivery testing in China from its warehouses in Beijing, Shanghai and Guangzhou. Less well-publicised, Hong Kong is itself something of an innovator in the UAS space. In 2013, the Civil Engineering and Development Department acquired a number of UAS vehicles for property surveying purposes, citing tremendous efficiency gains from UAS imaging, particularly in difficult terrain.
Hong Kong currently has an estimated 5,000 UAS and that number is predicted to increase as prices fall and people and businesses become more aware of the possibilities for their use. UAS technology is also improving. Manufacturers are experimenting with UAS that can collect thermal images, provide telecommunications services, take environmental measurements and even collect “big data” using a range of different sensors at the same time.
The possibilities raised by UAS raise significant regulatory concerns, but current regulations are very limited in their scope and do not yet address important issues of privacy. The Commissioner’s guidance is a first step in Hong Kong towards a broader debate about UAS.
The Hong Kong Regulatory Regime for UAS
The Civil Aviation Department of Hong Kong (CAD) is responsible for regulating non-recreational UAS weighing over seven kilograms. Flying a UAS weighing 7kg or less for purely recreational purposes is classified as model aircraft flying and no CAD oversight is required.
The expected increase in use of UAS calls the basic regulatory parameters into question. Hong Kong’s urban density and unique geographical features make safety a key concern. For commercial UAS flights in Hong Kong the CAD rules stipulate that no flights are permitted within five kilometres of an aerodrome, over 300 feet above ground and in visibility conditions of less than five kilometres. There is also a requirement that the pilot of the drone must have qualifications to show that he has the required training to fly the device. That being said, the CAD does not issue separate pilots licenses for the operation of UAS. The UAS operator must make an application to the CAD with the relevant information to support the application and to demonstrate their flying experience. Each application is then reviewed by the CAD on a case by case basis. A flight plan must also be submitted to the CAD at least 28 days before take-off although it can take up to 90 days to get flight approval.
The CAD’s rules are clearly directed at pilot qualifications and safety concerns. It is not clear that the department is under any duty to consider privacy concerns when it issues its permits. In a blog entry he made last year concerning UAS, Hong Kong’s Privacy Commissioner for Personal Data expressed his concern that the privacy rights of individuals in Hong Kong need to be better protected as the use of UAS increases. In the Commissioner’s view, UAS present unique privacy challenges and their ability “to collect data with great resolution and granularity at distant vantage points, often for long periods, and on a continuous and covert basis, enables them to conduct effective aerial surveillance of persons of interest in a sustained and surreptitious manner.”
The Commissioner’s new guidance adds further force to these comments, and suggests some specific compliance measures that UAS operators should take, including carrying out privacy impact assessments as part of flight planning, minimising the amount and types of personal data collected by the drone to that which is essential and taking measures to ensure that data is secure should the drone be lost. The Commissioner also suggests means of alerting the public to the presence of UAS collecting personal data, such as incorporating flashing lights into the aircraft to signal that recording is taking place and pre-announcing through social media and other means that a UAS flight is taking place.
The Commissioner has separately appealed to technology providers to commit to building privacy and data protection into their products and services. As a keen advocate of the “privacy by design” concept, the Commissioner considers it vital to maintaining a privacy-assuring ecosystem.
A Bird’s Eye View of Global UAS Regulation
It goes without saying that the issues surrounding the use of UAS are by no means unique to Hong Kong. The approach to regulation of UAS is being evaluated in a number of jurisdictions and by a number of international agencies, but given that the policy remits of the agencies taking the lead relate to aviation, in most cases privacy concerns appear to be hovering at a distance.
European aviation experts and regulators have recently agreed a set of principles for the regulation of UAS, with an overriding objective of seeking to rapidly develop the industry across Europe. The Riga Declaration on Remotely Piloted Aircraft published by the European Commission on 6 March 2015 highlights privacy as a fundamental concern, but defers to national and European Data Protection Authorities on the specific policy-making.
In February 2015 the Federal Aviation Administration (the FAA) issued proposals for new UAS regulation in the United States. These proposals would require UAS to be kept within the operator’s line of sight at all times while airborne and prohibit flights over crowds of people. Significantly though, while the new proposals establish safety procedures, despite extensive lobbying from experts and members of the public, the proposals do not address any privacy concerns, a matter which the FAA understands to be beyond the scope of its rule making powers.
The International Civil Aviation Organisation has embarked on the development of international standards to regulate UAS, particularly in airspace used by manned aircraft. The work covers areas such as certification of UAS, competency requirements of the UAS operator/pilot, and guidance on UAS operations, but privacy concerns do not form part of the review.
Blue Sky Thinking About UAS Regulation
The Commissioner’s guidance on the use of UAS in Hong Kong adds some helpful discussion to what will likely be an important but complex area of regulation in the coming years. The capacity for UAS to impact personal space in high density urbanised regions such as Hong Kong is clear. The means of ensuring that UAS flights in Hong Kong are compliant with the PDPO will be a matter requiring attention.
This entry originally appeared as a Hogan Lovells client alert. To view the client alert, click here.