*4.1. Specific Legislation on Remote Sensing Technologies*

Satellite remote sensing is subject to international space law. The Outer Space Treaty and the four follow-on treaties consist the most important documents for international space law. They have not been recently modified. There is to observe a lack of relevant and precise guidance in the Outer Space Treaty on issues of privacy related to VHR satellite data. Further, in the four follow-on treaties on space no specific provision is included, as no consideration has been given to privacy aspects and the respective protection. This is due to the fact that at the time these major space treaties were drafted no consideration was given to privacy protection (Dunk 2013). Only the Convention on International Liability for Damage Caused by Space Objects rules in Article II that "A launching State shall be absolutely liable to pay compensation for damage caused by its space object on the surface of the earth or to aircraft in flight10". Taking into account that the term "damage" in Article I (a) is defined as the "loss of life, personal injury or other impairment of health", it can be claimed that a violation of an individual's privacy right can be potentially construed as an impairment of health under this Convention. Such an interpretation is based on the World Health Organization's definition of health11, according to which health is "a state of complete physical, mental and social well-being and not merely the absence of disease or infirmity" (Santos and Rapp 2019). In this sense, targeted surveillance or even the fear of constant surveillance by satellite remote sensing may disturb people's mental and social well-being and cause "damage" under the Convention on International Liability for Damage Caused by Space Object. Finally, neither the Resolution 41/65 on the Principles of Remote Sensing of the Earth from Outer Space focuses at all on privacy matters.

International law regarding unmanned aircraft systems clearly states a need for harmonization comparable to that of manned operations, even though drones are subject to national civil aviation law of the member States12. However, in such international contexts there is again no clear reference to privacy and personal data matters.

Nevertheless, especially for drones, there is to mention a recent trend for detailed regulation in European level. Regulation (EU) 2018/1139 clearly recognizes the threats for privacy and personal data protection by the use of drones: "The rules regarding unmanned aircraft should contribute to achieving compliance with relevant rights guaranteed under

<sup>9</sup> According to the Collingridge dilemma 'Regulators having to regulate emerging technologies face a double- bind problem: the effects of new technology cannot be easily predicted until the technology is extensively deployed. Yet once deployed they become entrenched and are then difficult to change' (Collingridge 1980).

<sup>10</sup> Convention on International Liability for Damage Caused by Space Objects (1972), Available online: https://www.unoosa.org/pdf/gares/ARES\_26 \_2777E.pdf (accessed on 5 May 2021).

<sup>11</sup> Preamble to the Constitution of the World Health Organization, reprinted in Final Acts of the International Health Conference, U.N. Doc. E/155, at 11 (1946).

<sup>12</sup> See: ICAO Cir 328, Unmanned Aircraft Systems (UAS), Available online: https://www.icao.int/meetings/uas/documents/circular%20328\_en.pdf (accessed on 5 April 2021).

Union Law, and in particular the right to respect for private and family life, set out in Article 7 of the Charter of Fundamental Rights of the European Union, and with the right to protection of personal data, set out in Article 8 of that Charter and in Article 16 TFEU, and regulated by Regulation (EU) 2016/679 of the European Parliament and of the Council13". Generally, the Regulation (EU) 2018/1139 serves for the protection of privacy in such use by setting what should be achieved. Recent Commission Delegated Regulation (EU) 2019/945<sup>14</sup> which applies since 1 July 2020 has divided drones into classes in terms of their technical characteristics (open, specific and certified category) and lays down the requirements for the remote identification of drones, which is very important in helping to determine the operator of the drone, serving thus for more effective privacy protection in the use of drones (Puraite and Silinske 2020). However, for classes C0 and C4, which are technically simpler and therefore more accessible to the majority of people, no requirement of a direct remote identification equipment is included. In addition, Commission Implementing Regulation (EU) 2019/947 of 24 May 2019<sup>15</sup> on the rules and procedures for the operation of unmanned aircraft, being in effect and applying since 1 July 2020, includes requirements for the implementation of three foundations of the U-space system, namely registration, geo-awareness and remote identification, which will need to be further completed. According to the Preamble of this Regulation par. 14 and 16: "Operators of unmanned aircraft should be registered where they operate an unmanned aircraft which, in case of impact, can transfer, to a human, a kinetic energy above 80 Joules or the operation of which presents risks to privacy, protection of personal data, security or the environment" . . . "Considering the risks to privacy and protection of personal data, operators of unmanned aircraft should be registered if they operate an unmanned aircraft which is equipped with a sensor able to capture personal data". This is a clear safeguard clause but it is still questionable how alone the registration of operators would be effective for privacy issues if for classes C0 and C4, there is no requirement of a direct remote identification equipment. In addition, Article 11 of the Regulation 2019/947 states the rules for conducting an operational risk assessment while Article 18 (h) and (i) of the Regulation imposes the development of a risk based oversight system and an audit planning for certain drone operators, but it seems difficult to perceive how Article 35 GDPR<sup>16</sup> vis a vis Article 11 and 18 of the Regulation 2019/947 could complement each other (Pagallo and Bassi 2020). To sum up, the new legislation at EU level, namely Regulations 2019/945 and 2019/947, establish registration and remote identification requirements in the use of drones, making thus a huge contribution to the effectiveness of privacy and personal data protection, but with exceptions that could possibly undermine this goal, while there are still some unclear points of the risk assessment mechanism set.
