Article written by Haim Ravia, Dotan Hammer and Adi Shoval
The French Council of State, the nation’s Supreme Court for administrative affairs, ruled that French police’s use of drones to enforce compliance with the Ministry of Health’s instructions on social distancing and prohibiting gatherings of over 100 people violates the GDPR.
The court dismissed the police’s claim that the drones are merely used to allow them to locate significant violations and allocate police force more efficiently, rather than to enforce compliance on specific individuals.
In its decision, the Court held that such use of drones qualifies as processing personal information under the GDPR. The court found that the drones at issue are technically able to zoom-in and process information on identifiable individuals. According to the court, the mere possibility of such processing constitutes the processing of personal data under the GDPR, even if the function is not used de facto.
The Court reiterated that under the GDPR, processing of personal data is permissible only in accordance with a recognized legal basis. Processing personal data by the police absent an explicit order by the legislature violates the legal basis requirement. Finally, the court also mentioned that this form of processing lacks transparency to the data subjects and violated the GDPR’s notice requirements since the public was not notified and given sufficient information before the processing.
CLICK HERE to read the French Supreme Court’s decision (in French).