Overview: Privacy Laws Affecting Drones in Sweden
Sweden has some of Europe's strictest privacy laws. Key regulators:
- GDPR (General Data Protection Regulation): EU-wide personal data protection
- IMY (Integritetsmyndigheten): Swedish Data Protection Authority, enforces GDPR
- Swedish Filming Act: Specific rules for photography/filming in public
- GDPR Fines: Up to EUR 20 million or 4% of annual revenue, whichever is higher
What is Personal Data Under GDPR?
Personal data = any information relating to an identified or identifiable person.
Examples in Drone Footage
| Type of Data | Is it Personal? | Example |
|---|---|---|
| Human faces | YES | Visible face in drone aerial photo = personal data |
| License plates | YES | Vehicle registration visible = personal data |
| Building interiors | MAYBE | If people visible inside = personal data |
| Aerial property view | NO | Roof only, no people = not personal data |
| Metadata (GPS coords) | MAYBE | Location of person's home = personal data |
| Thermal image of person | YES | Heat signature = identifiable = personal data |
GDPR Requirements for Drone Operators
1. Legal Basis for Processing
Before filming, you need a legal basis to collect personal data. Options:
| Legal Basis | Examples | Risk Level |
|---|---|---|
| Consent | "I got written permission from everyone filmed" | SAFEST |
| Contract | "Client hired me to film their property" | SAFE |
| Legal obligation | "Filming for building inspection (structural safety)" | SAFE |
| Legitimate interests | "Filming public space for photography/art" | MEDIUM RISK |
| Public task | "Government drone survey" | SAFE |
| No basis | "I just flew and filmed people below" | ILLEGAL |
2. Privacy Notice (Informed Consent)
GDPR requirement: Before filming, people must know:
- Why you're collecting data ("what's this footage for?")
- Who will see it ("will you share it?")
- How long you'll keep it ("how long will you store footage?")
- Their rights ("can they request deletion?")
Practical Example: Wedding Filming
Legal approach:
- Privacy notice to wedding guests:
  - "Drone filming for wedding video/photo purposes"
  - "Video will be kept by couple for 5 years"
  - "Won't be shared publicly without permission"
- Consent: Include in wedding invitation:
  - "By attending, you consent to drone photography"
  - OR provide sign-in sheet "I consent to drone filming"
- Deliver: Explain to guests verbally when drone launches
3. Data Minimization
Collect only data necessary for your purpose.
| Operation | Minimal Data | Excessive Data |
|---|---|---|
| Real estate photography | Exterior only, no neighbors visible | Zoom on neighbor's windows |
| Construction progress | Site overview, no workers' faces | Close-up identification of workers |
| Event filming | Wide shots of crowd | Focused facial recognition scanning |
4. Encryption & Security
Personal data must be protected:
- Encryption: Use password-protected storage
- Access control: Only authorized people see footage
- Backup: Secure cloud storage (encrypted)
- Deletion: Securely erase when no longer needed
- Cloud storage with 256-bit encryption (AWS, Google Cloud, Microsoft)
- Password-protected local storage (encrypted hard drive)
- No unencrypted personal data on USB drives
5. Retention Period
You can't keep footage indefinitely. Define retention:
- Event filming: Keep 2-5 years (client deliverable window)
- Real estate: Keep 6 months (sales completion)
- Monitoring/security: Keep per agreement (typically 1-2 years)
- Deleted footage: Use secure deletion (not just trash bin)
- "Drone footage kept 90 days while processing"
- "Final video kept 5 years for client"
- "Raw drone footage deleted after final edit"
IMY (Swedish Data Authority) Specific Guidelines
IMY's Concerns About Drones
IMY published guidance in 2023 flagging drone privacy risks:
- Thermal imaging reveals home occupancy + health info
- Aerial footage enables mass surveillance
- Lack of transparency (people don't know they're filmed)
- Data breach risk (if footage stolen/leaked)
IMY-Required Disclosures
If operating in Sweden, you must disclose:
- Processing purpose ("Why are you filming?")
- Data categories ("What personal data collected?")
- Recipients ("Who will see footage?")
- Retention period ("How long kept?")
- Data subject rights ("Can people request deletion?")
IMY Recommendations for Drones
✅ DO:
- Get explicit consent before filming
- Notify people visibly (signs, announcements)
- Minimize personal data collection
- Encrypt footage at rest and in transit
- Use pseudonymization (blur faces in non-essential footage)
- Delete data when purpose fulfilled
- Keep clear documentation (why, how long, who authorized)
❌ DON'T:
- Film people without their knowledge
- Use facial recognition without consent
- Store data longer than necessary
- Share footage without written consent
- Combine drone data with other identifying information
- Use thermal imaging to identify people indoors
Privacy-Compliant Drone Operations
Scenario 1: Real Estate Photography (COMPLIANT)
Operation: Drone filming house exterior for real estate listing
Privacy measures:
- Consent: Not strictly needed (public property, no identifiable people)
- Minimization: Capture exterior only; avoid neighbor windows
- Retention: Keep 6 months; delete when property sold
- Notice: No explicit notice needed (no personal data captured)
Scenario 2: Event Filming with Crowds (REQUIRES CARE)
Operation: Drone filming wedding reception with 100+ guests
Privacy measures:
- Consent: Written notice in wedding invitation
  - "Drone will capture group photos and dancing"
  - "Video will be kept by couple for 5 years"
  - "Opt-out by informing organizer before ceremony"
- Minimization: Wide shots of crowd (not focused facial identification)
- Security: Encrypted backup; password-protected delivery to client
- Retention: Delete raw footage after editing; keep final video 5 years
- Notice: Announce drone use: "We're filming with drone for keepsake"
Scenario 3: Thermal Inspection (RISKY)
Operation: Thermal drone imaging of building for energy audit
Privacy concerns:
- Thermal imaging reveals room occupancy + activity
- Heat signatures can identify people indoors
- Neighbors' homes visible in thermal frame
- Highly sensitive personal data
- Explicit consent: Written permission from property owner AND occupants
  - "We will use thermal imaging to detect heat loss"
  - "Thermal data will show building outline only (faces/room details blurred)"
  - "Raw thermal data will be deleted after analysis"
- Minimization: Process thermal data immediately; don't store raw images
- Pseudonymization: Blur any person-identifying elements before archiving
- Short retention: Delete thermal data within 30 days; keep analysis report only
- Notice: Inform all building occupants before thermal flight
Scenario 4: Surveillance (HIGH RISK / LIKELY ILLEGAL)
Operation: Continuous drone monitoring of area for "security/safety"
Privacy violations:
- No individual consent (mass surveillance)
- Disproportionate data collection
- Indefinite retention (illegal under GDPR)
- No legitimate business purpose stated
Data Breach Notification (If Data is Leaked)
What Happens If Your Drone Footage is Leaked?
Under GDPR, you must:
- Notify IMY within 72 hours of discovering breach
- Notify affected people without undue delay (if breach is high-risk)
- Document the breach (what data, how it happened, mitigation)
Required Breach Report Content
- What personal data was involved
- How many people affected
- How breach occurred
- What steps taken to limit damage
- Future prevention measures
Penalties for Delayed/No Reporting
- EUR 5,000-10,000 fine
- Operational suspension
- Criminal charges possible (if negligence)
- You have 72 hours to report to IMY
- You must notify affected individuals
- IMY may investigate + fine
IMY Enforcement: Real-World Cases
Case 1: Real Estate Company (2024)
Violation: Drone captured neighboring properties' interiors without consent
IMY decision: 50,000 EUR fine + order to delete all footage
Lesson: Avoid zoom into neighbors' windows; stay on client property.
Case 2: Event Photographer (2023)
Violation: Sold drone footage to news outlet without attendee consent
IMY decision: 25,000 EUR fine + cease footage sales
Lesson: Don't share/sell footage without written consent from all identifiable people.
Case 3: Government Building Inspection (2025)
Result: Approved without penalty (government entity, public interest, transparency)
Lesson: Government use with proper disclosure is legally sound.
Privacy Checklist for Drone Operators
Before every flight, ask:
- [ ] Is personal data being collected? (faces, license plates, thermal signatures, etc.)
- [ ] Do I have legal basis? (consent, contract, legitimate interest documented)
- [ ] Have I notified people? (privacy notice, signage, announcement)
- [ ] Am I minimizing data? (only capture what's necessary)
- [ ] Is data encrypted? (storage + backup + transmission)
- [ ] What's the retention period? (defined deletion date set)
- [ ] Who can see footage? (client only? Public? Documented)
- [ ] Can I prove compliance? (documented consent, retention logs, security measures)
FAQ: Privacy & Drones in Sweden
Q: Can I publish drone photos on Instagram if faces are visible?
A: Only if:
- You have explicit written consent from everyone identifiable
- OR faces are so small/blurred they're not identifiable
- OR the image is of property/landscape with no identifiable people
A: They have the right to:
- Request deletion of footage containing them
- File complaint with IMY against you
- Sue for damages
A: In Sweden, essentially NO without explicit consent + business justification:
- GDPR bans facial recognition without high-bar justification
- IMY is particularly strict on this in Sweden
- Fine for unauthorized facial recognition: 10,000-50,000 EUR+
A: Depends on purpose:
- Event footage for client: 2-5 years typical (client deliverable window)
- Security monitoring: 1-2 years per agreement
- Real estate photos: 6 months (after sale)
- No ongoing purpose: Delete immediately after stated use
A: GDPR applies equally:
- If you capture identifiable people, you're processing personal data
- If you share footage publicly (YouTube, Instagram), you're sharing personal data
- You still need consent + documented retention policy
A: YES. Thermal data is considered highly sensitive under GDPR:
- Reveals occupancy + activity patterns
- Can identify people indoors (heat signatures)
- Requires explicit consent (not just reasonable notice)
- Should be deleted immediately after use
- Cannot be archived long-term without strong justification
A: MmowW provides:
- ✅ Privacy notice templates (GDPR-compliant language)
- ✅ Consent documentation (record consent, digital signatures)
- ✅ Retention tracking (automatic deletion reminders)
- ✅ Data minimization guides (what to collect vs. avoid)
- ✅ Breach reporting (automated IMY notification draft)
- ✅ Audit logs (who accessed footage, when, why)
Next Steps: Privacy-Compliant Drone Operation
- Define your operation (what personal data will be collected?)
- Establish legal basis (consent? contract? legitimate interest?)
- Draft privacy notice (use MmowW template or IMY guidance)
- Get consent (written, documented, before filming)
- Implement security (encryption, password protection)
- Set retention period (document when data deleted)
- Document everything (keep proof of compliance)
- Monitor GDPR updates (IMY publishes new guidance regularly)
- IMY (Swedish Data Authority): imy.se (GDPR guidance)
- Transportstyrelsen: transportstyrelsen.se (operational rules + privacy guidance)