Pilots call to arms, REMOTE ID, GDPR

@SimonDale , FYI I am proposing that we all write to the information commissioner regarding the proposals from the CAA to require remote ID by 2018. I have done some research regarding possible conflict with data privacy legislation (2018) and how this is in conflict with the proposals by the CAA. Time is short as the CAA will look for approval on it’s suggestions. I have prepared a letter which I will be sending to the information commissioner as follows:

I am asking that we start a writing campaign to the commissioner otherwise expect endless Karen interactions while you enjoy your hobby. The CAA and DT need to be challenged on this proposal. DM me is you would like to help me campaign on this item. Below is my letter to the commissioner.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

[Your Address]
[City, Postcode]
[Email Address]
[Telephone Number]
[Date]

Subject: Concerns Regarding Privacy Implications of CAA’s Remote ID Proposals for UAS Operations

Dear Information Commissioner,

I am writing to formally express my concerns regarding the Civil Aviation Authority’s (CAA) recent proposal outlined in CAP 3105, specifically the proposed mandate for Remote ID broadcasting for Unmanned Aircraft Systems (UAS), commonly known as drones.

The proposed regulations, as detailed in CAP 3105 (Chapter 5), aim to require drones to transmit real-time identification and location information, explicitly including the precise location of the pilot. This proposal raises significant data protection and privacy concerns, notably under obligations established by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

In particular, I would like to draw your attention to several specific areas of concern:

1. Transparency and Fairness (Article 5(1)(a) UK GDPR):
   The requirement to broadcast pilot location data without clear transparency measures and robust consent mechanisms may result in the unfair processing of personal data. Pilots must have explicit clarity regarding who can access their personal location data and how it will be used.

2. Purpose Limitation (Article 5(1)(b) UK GDPR):
   While the stated aim of Remote ID is to enhance security and safety, unrestricted or inadequately controlled public access could lead to uses beyond these legitimate purposes, thus violating the principle of purpose limitation.

3. Data Minimisation (Article 5(1)(c) UK GDPR):
   The transmission of precise pilot location data in real-time appears excessive relative to the stated aims of safety and security. Less intrusive measures should be thoroughly considered before implementing a measure of this scope.

4. Integrity and Confidentiality (Security) (Article 5(1)(f) UK GDPR):
   The proposal risks the potential misuse of pilot location data, exposing pilots to unnecessary risks including theft, harassment, or unauthorised surveillance, significantly compromising the principle of data security.

5. Accountability (Article 5(2) UK GDPR):
   The CAA must demonstrate robust compliance with data protection requirements through comprehensive Data Protection Impact Assessments (DPIAs). Currently, the proposal lacks detailed evidence of such assessments and considerations of privacy impacts.

Given these substantial concerns, I respectfully request that the Information Commissioner’s Office engages proactively with the CAA to:

• Clearly articulate the necessary limitations and controls regarding access to pilot location data.
• Ensure that robust DPIAs are completed and published transparently to evaluate necessity, proportionality, and security measures associated with Remote ID.
• Mandate comprehensive transparency and fairness measures, ensuring explicit consent and clear communication with drone pilots about how their data will be used, stored, and accessed.

I firmly believe it is crucial for the Information Commissioner’s Office to uphold and reinforce the rights of UAS pilots to privacy and data protection. I trust that your intervention will help ensure that any forthcoming legislation from the CAA fully respects and aligns with data protection laws established to safeguard the rights of UK citizens.

Thank you for your attention to this critical issue. I look forward to your response.

Yours sincerely,

[Your Name]

Hi @Gusisin

That is a good idea. There are a few issues you should be aware of though.

1. Remote ID is the law. It has been the law for 4 or 5 years. The implementation date is 2026.

It is not that the law has to be passed or approved/ratified. It is already the law.

(Your post and letter makes several references to ‘proposal/proposed’, ‘any forthcoming legislation’, etc.

That is not accurate. Remote ID is already the law - with the implementation date of 2026).

2. The recently released document isn’t a proposal. It is the response to a ‘Call for input’, which closed a long time ago. (To which we, and our members who responded, objected to Remote ID).

Here is my thread about that Call For Input. CAA Call For Input

3. Remote ID has been (successfully?) rolled out in the USA and Europe. (You could argue it was demonstrably useless in the New Jersey mass-hysteria event where people convinced themselves they were seeing drones en masse, which were in fact airliners. The fact that no remote ID was present didn’t help convince them).

All of that said, letters to the ICO seems like a good approach, that could feasibly be effective.

Bulk letters that are all the same, with a different name at the bottom, are no good. They will be treated as one letter.

I wonder if we could make an AI letter generator tool, which takes the person’s name and address, and writes a letter to the ICO, making the same broad points, but in a slightly different way, hundreds or thousands of times?

The letters need to all be different, but making the similiar general points.

All the best

Simon

@SimonDale Not meaning at all to challenge you, just curious … what legislation brought RemoteID into law? For example, even the CAA’s own website seems to imply at least that such a regulation remains a future activity.

Just catching up on stuff following a long time away from the hobby!

Implementing Regulation (EU) 2019/947, and delegated regulation (2019/945), which came into force in 2019.

The rules on drone operation in the UK, laid out in 2019/947 (Retained EU Law), require that from 2026, all drones over 250g used in either the ‘Open’ or ‘Specific’ categories must be equipped with Direct Remote ID.

This is one of several technical requirements that will apply to drones placed on the UK market from 2026, in line with the associated delegated regulation (2019/945).

Originally, this legislation specified that Remote ID compliance would be required from 1 January 2024. However, as part of the UK’s post-EU transition and the review of retained EU law, the implementation date was deferred to 1 January 2026. This decision was made in 2022 and represented the latest point at which the requirement could legally be delayed.

Direct Remote ID has been compulsory across the EU since 2024.