Privacy and UAS: Different approaches in the US and the EU lead to similar results

The US National Telecommunications and Information Administration published recently Voluntary Best Practices for UAS Privacy, Transparency, and Accountability. Under EU law, extensive studies on privacy aspects of UAS have been conducted. Although the legal framework is different in the US and the EU regarding both centralized regulation and material content of the applicable legislation, the general compliance requirements for operators share some common points.

In the US, the federal rules on protection of privacy and personal data by private entities are mainly sector specific and seem to allow considerable flexibility, resulting sometimes in regulatory gaps or overlaps with state laws. Federal laws focus on the conduct of governmental entities. 

In the EU, there is a tendency to increase harmonization of rules on data protection, which apply to both public and private entities. Currently, applicable is Directive 95/46/EC and the national laws transposing it into the national legislation of the Member States. As of 25 May 2018, the new General Data Protection Regulation will apply directly to all EU Member States, achieving full harmonization. EU rules on data protection would appear rather strict to the eyes of a US lawyer.

Against this background, it is interesting to note that the recent US recommendations correspond to a large extent to the recommendations under EU law issued by WP29, an advisory body on data protection in the EU, and the European Data Protection Supervisor. In both cases, it has been recognized that the general rules on privacy and data protection apply, and some common elements can be observed, like:

- raising awareness among UAS operators,

- informing third parties and the public on possible personal data gathering,

- proportionate personal data collection in relation to the objective of the collection,

- responsibility of UAS operators for personal data security,

- accountability and possible legal liability of UAS operators for violations of the applicable provisions.

Nevertheless, there is a main difference between the US and the EU: In the US, these elements correspond mainly to general best practices, at least at the federal level, whereas in the EU they reflect general legal obligations. 

Hence, despite the lack of special rules on personal data and privacy regarding UAS operations, by no means do UAS operate in a legal gap as to privacy and data protection. General rules apply, which, especially in the EU, can entail unpleasant surprises for ignorant UAS operators.