The Rise of Drone “Auditors” – Data Protection Considerations

There has been a recent rise in the number of online content creators turning up outside industrial sites in the UK and recording video footage using both body camera footage and flying drones above the premises. The leading “auditors”, as they are known, draw in thousands of views on each video they produce on social media platforms such as YouTube and TikTok.

The purpose of the video content is unclear but is typically justified under the guise of checking health and safety compliance or that the property is being filmed as it is allegedly a point of interest. In reality, the purpose of the content appears to be aimed at frustrating security staff to elicit heightened reactions – giving the auditor confrontational footage to share with their online followers. This type of content is likely to increase clicks on social media platforms which in turn increases the opportunity to obtain advertisement revenue out of the video content. The aim is to make the content go viral. There are currently several individuals producing this type of content online and many examples of employees reacting verbally or physically.

An “auditor” will typically attempt to film from outside the industrial premises, usually from a public road. This can conflate the lawful basis behind recording video footage. Generally speaking, consent to film is not required where an individual is filming on public land. However, if the “auditor” steps foot onto private property and films without first obtaining permission, this may amount to a civil trespass.

The position is further nuanced where video footage of private property is taken from the air using a drone. In certain circumstances, using a drone to fly over private property and take video footage can amount to trespass.

Case law dictates that a property owner only owns the airspace above the land to such height as is necessary for the ordinary use and enjoyment of their land. The threshold for an aerial trespass will therefore vary depending on the use of the land. For example, a wind farm could reasonably expect greater aerial clearance than a commercial office building. In determining whether there is a trespass it is necessary to consider all of the circumstances, including the height of the land in question and at what proximity to any structures the drone is being flown at. Guidance from the Civil Aviation Authority states that “drones and remotely piloted aircraft should be flown at a height over the property of another person which is ‘reasonable’ in all circumstances”. Accordingly, there is no precise lower limit at which airspace ceases to be owned by a landowner and begins being available for public use.

Importantly, trespass is a civil matter and the police are often able to do little to help.

Some “auditor” footage contains video of individuals, some of who are employees of the businesses that occupy the industrial site in question. Often these individuals do not have their faces blurred and are clearly identifiable.

The UK General Data Protection Regulation (UK GDPR) requires that personal data is obtained, held and processed fairly and lawfully. Personal data is “any information relating to an identified or identifiable living individual” (the data subject). If the video footage taken by an “auditor” identifies a specific individual (i.e. is not blurred), then the video potentially falls within the scope of personal data.

Under UK GDPR a person who uploads video content online which includes personal data may be considered a data controller. Where a person is determined to be a data controller, they are responsible for complying with UK GDPR and must be able to demonstrate compliance with data protection principles. In short, the processing of personal data will only be lawful where it is collected for a specific and legitimate purpose. Examples include where one of the following conditions are met:

• The individual (data subject) has consented to the processing of their personal data;
• Processing is necessary to perform a contract with the individual;
• Processing is necessary to comply with a legal obligation;
• Processing is necessary to protect the vital interests of the individual data subject;
• Processing is necessary for the performance of a task carried out in the public interest or;
• Processing is necessary for the purposes of the legitimate interests pursued by the controller.

Where individuals are identifiable in video footage uploaded to social media, the “auditor” may have fallen foul of UK GDPR unless any of the above conditions have been met.

Unlawful processing of an individual’s personal data provides the individual with a right to pursue compensation from the data controller or make a complaint to the Information Commissioners Office (ICO). This right is however limited to the data subject and does not extend to employers or companies.

In addition to the above, if the auditor is deemed a data controller, they will also be required to comply with the statutory obligations placed on a controller. This could include, registering as a data controller with the ICO, paying the applicable fee to register, producing a privacy policy detailing how personal data is used and carrying out a Data Protection Impact Assessment.

It will not always be clear whether an “auditor” is on the correct side of the law. The specific factual circumstances will be very relevant. Overall, individuals or employees should tread carefully when dealing with an “auditor” as it is possible that they are complying with current legislation. For guidance on how to deal with an “auditor” please see our related blog here.