New norms to regulate drones to guarantee safety and privacy in the European Union

Drones, small remote-controlled aircraft, can be used to take photographs from the air, film a football match from the air, spread herbicides and pesticides over crops and monitor forest fires. Despite their usefulness, they are also a risk to air safety and privacy.

The Transport Commission of the European Union gave its support to these new norms put forward by the European Commission to guarantee safety and privacy in the EU.

At present, drones weighing less than 150 kilos are regulated nationally. In the EU, the regulatory framework is fragmented: different certificates and technical and safety standards, which cause a real headache for operators and transnational manufacturers. Members of the European Parliament want basic prerequisites which drones weighing less than 150 kilos have to comply with to be included in EU legislation to ensure coherence and clarity. Furthermore, they ask for an obligatory record of drones weighing more than 250 grams and demand that operators have the necessary skills to pilot a crewless plane in a public domain.

This way, most toy drones, which are currently the most commonplace, will not be affected by this prerequisite.

The present characteristics of the various national regulations concerning drones are the following:

  • Civil drones: different countries, different regulations. A drone is a crewless aircraft which is permitted as long as it is remote controlled, but it is still not authorised to operate if it is completely automated.
  • In most countries, crewless planes weighing over 20-25 kilos need special authorisation (record, flight permit, pilot’s licence and technical assessment).
  • Drones are regulated nationally if they weigh from 0 to 150 kilos, whereas if they are more than 150 kilos they are regulated by the European Union.
  • Small civil drones weighing less than 25 kilos are the most popular. In the European Union, during 2015 1.7 million were sold, 98% of which weighed less than 2 kilos.
  • At present there are over 3 million drones in use, according to estimates made in several EU countries, excluding “toys” and model aircraft.
  • The maximum flying capacity also differs depending on the country. The most restrictive is Belgium, with 90 metres. Spain is mid-table with a permitted height of 125 metres, and other countries like France and Italy permit a maximum of 150 metres.
  • The distance deemed to be safe from buildings, persons or vehicles is at least 50 metres.


A step forward in the integration of local police forces in police statistics

On 18 July the decree to shape the Centre for the Elaboration of Police Data in the Basque Country, formally created by Law 15/2012, of 28 June, for the organisation of the public security system in the Basque Country. The centre is defined as an administrative organ with competence for dealing with (gathering, storing, elaboration, classification and communication) data which is necessary for police agencies. The definition is very significant for a range of reasons.

First of all, it aims to create a single data base for both the Ertzaintza and Euskadi’s local police forces. The municipalities affected sign specific agreements with the Department of the Interior to give structure to the participation of local police forces, covering the areas in which information is to be shared, their characteristics and the technical requirements necessary for the use of common data bases.

The Basque Country thereby joins the process initiated in Catalonia in 2002, which has meant that the immense majority of Catalonia’s local police forces (208 of 214) share the same data base with the Mossos d’Esquadra, with information of police interest. This process has also required signing ad hoc* agreements with each and every municipality to ensure the incorporation of its local police service.

Taking into account the development and dimensions that local police forces have had over recent decades, the inclusion of data relative to their activities is very relevant in a common instrument which facilitates an environment which is more in tune with the context of security. Police data shows one black spot because of the low level of complaints in reference to criminal activities for several reasons. If, furthermore, the data corresponding to police forces with the biggest presence within a territory are not added to police statistics, an important part of the information about police activity which may be of interest, for example, to resolve cases or generate intelligence, is lost.

Secondly, the Basque centre offers an interesting new concept: the organism is defined within the framework of the Department of the Interior (more specifically of the Deputy Council of Security), but beyond the structure of the police, which may create a small distance from the day-to-day organisation of the main police force (the Ertzaintza) and offers a more global idea as a data base for the whole police service in the Basque Country. The incorporation of a representative of the Ertzaintza, and another from local police forces, with a computer expert and another expert in fundamental rights, means that the Centre of Data Elaboration is a technical organ with plenty of autonomy in relation to the organisations which will provide it with data.

If this initiative is consolidated —we must think so—, other actors will have to take measures in the same direction, as, otherwise, comparing police statistics will become impossible, as in the rest of the country police data does not include local police records. This is the current situation when the Ministry of the Interior compares data with the Department of the Interior of the Generalitat, which respond to different realities and therefore create confusion. The Ministry only includes data from the Policia Nacional and the Guardia Civil, whereas the Department of the Interior, as well as the Mossos d’Esquadra’s data, also includes data from Catalonia’s local police forces, and obviously records higher crime rates.

* Refer to this example agreement.



More security on the network and information systems in the European Union

Last 19 July, the Official Journal of the European Union (OJ) published Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July, concerning measures for a high common level of security of network and information systems across the European Union.

The text includes 75 legal foundations, 27 articles and 3 annexes. Article 25 establishes that the member states must adopt and publish, by 9 May 2018 at the latest, the legal, regulatory and administrative provisions to complement the directive’s requirements and apply the planned measures from 10 May of the same year.

According to article 1, measures to be applied to meet the objective of improving the workings of the internal market, within the framework of achieving a common high level on networks and information systems within the European Union, are the following:

  • Oblige all member states to adopt a national security strategy for the network and information systems.
  • Create a cooperation group to provide support and facilitate strategic cooperation and information exchange between the member states and develop trust and security among them.
  • Create a network of teams to respond to situations involving computer security (the CSIRT network – Computer Security Incident Response Teams) to contribute to the development of trust and safety among member states and promote operational cooperation which is fast and efficient.
  • Set requirements concerning security and information for essential service operators (note 1) and digital providers.
  • Set out obligations so that member states can appoint competent national authorities, single points of contact and CSIRTs with functions related to network security and information systems.

1) Article 4.4 of the directive defines them as a public or private entity of energy subsectors (electricity, crude oil and gas); transport (air, rail, sea and river, and by road); banking; the infrastructure of financial markets; the healthcare sector; provision and distribution of drinking water, and digital infrastructure.



Measures to control the increase in crime and threats to air space using drones

When in 2013 a drone landed on the stage during a talk by the German chancellor, Angela Merkel, the incident ended up being little more than an anecdote. But since then the number of such cases and crimes recorded using such devices has increased, many of which have received media attention: in 2014, a drone flew over seven French nuclear power plants; in April 2015, a drone landed in the office of the Japanese Prime Minister; in October 2015, a drone exploded near the Washington Monument, and last July, a Lufthansa plane with 108 passengers on board had to modify its route to avoid hitting a drone.

2015 was the year when statistics revealed a notable increase in the use of drones in many European countries and especially the United States, where 28 of a total of 241 reports were made related to drones which involved pilots having to make manoeuvres to avoid a crash.

The case of the UK illustrates this increase. The Thames Valley Police recorded an increase of 21 incidents in 2014 and of 80 in 2015; London’s Metropolitan Police, one more case in 2014 and 21 in 2015, and the Greater Manchester Police, the first 58 incidents in 2015. According to Scotland Yard, some of the drone-related crimes in the country include sexual crimes and transporting drugs to a prison.

This has led several countries, such as Spain, France, Germany and the UK itself, to tighten laws regulating the use of drones, controlling distances for safety purposes and controlling the permitted weight and altitude.

Other measures, in the case of the United States, have included an agreement signed in September 2015 by the Federal Aviation Administration (FAA) and the company California Analysis Center, Inc. (CACI) to develop technology which facilitates the monitoring of the connection between a drone and the person operating it. The FAA itself says that it receives approximately 100 complaints monthly from pilots who see devices flying near airports and in air space where the presence of drones is prohibited.

In an effort to foresee risks and combat possible incidents, the Netherlands police force has published a video with the collaboration of the company Guard From Above, in which birds of prey intercept drones, a procedure regarded as one of the possible mechanisms to control threats.

• For further information about the FAA agreement with CACI you can consult the official statement.

• You can consult the 2005 Report of London’s Metropolitan Police related to drones.

• If you would like further information about the company which offers a training service for birds to be able to catch drones, Guard From Above, you can visit its webpage.



Critical infrastructures: basic guidelines, safety plans and specific protection plans


The normal working of essential services for the general population is based on a series of infrastructures administered both publicly and privately, the functioning of which does not allow for alternative solutions: the so-called critical infrastructures. For this reason, a homogeneous and global policy needs to be designed within organisations, specifically aimed at critical infrastructures, defining subsystems of security which will be introduced to protect them. The objective is to prevent their destruction, interruption and disruption, thereby avoiding any subsequent damage to the provision of essential services to the population.

Law 8/2011, 28 April, in accordance with which measures are established for the protection of critical infrastructure, aims to establish appropriate organisational strategies and structures which allow for the management and coordination of the workings of a range of organs of public administration in relation to the protection of critical infrastructure, once they are identified and confirmed. The collaboration and involvement of the organisms and companies (critical operators) of these infrastructures are also encouraged in order to optimise the level of protection in the face of these intentional attacks which may affect the provision of essential services. Royal decree 704/2011, 20 May, which approves the regulations corresponding to the protection of critical infrastructure, sets out this law.

Article 13 of the same Law 8/2011 specifies commitments for public and private critical operators, stressing the need to elaborate an operator security plan (PSO) and specific protection plans to be determined (PPE).

There are further details available in Resolution 8 September 2015 of the State Department of Security, in accordance with which new minimum components of the security plans of the operator and of plans of specific protection are passed.



The Spanish Agency for Data Protection informs of the progress made in relation to Google privacy policies


The Spanish Agency for Data Protection (AEPD) has recently taken part in a plenary meeting of European authorities for the protection of data (GT29). The group analyses, among other issues, the progress made in national procedures undertaken as part of the Google privacy policy of 2012. In December 2013, the AEPD declared the existence of three serious offences against data protection and fined the company involved 900,000 euros, and also demanded that it adopted the necessary measures to adapt its privacy policy to Spanish regulations.

The AEPD was able to confirm that the company had introduced important modifications involving providing users with information, consent and how to exercise their rights. Some of the measures applied to the company by the Spanish agency are the following:

  • A “Personal information and privacy” centre has been set up via the link “My account” for users of a Google account, which offers additional information and options for administering information gathered by Google.
  • A campaign has been launched to remind users online, when they intend to use Google services, that they must access privacy-related information and establish configuration parameters.
  • The user is able to selectively disconnect services which were previously activated necessarily and which contained data corresponding to the user’s activity, and there will be the possibility of eliminating such an account completely.
  • Limiting the use of several accounts by the same user is no longer applicable. The user can now have a number of these and avoid any leakage of data to the others.
  • The company has included a form for the application of “the right to forget”, a link available to contact the company and access the tools to be able to consult previous activities.

Google has committed itself to adopting a series of additional improvements specifically requested by the AEPD, such as increasing the list of services with privacy policies and expanding the privacy-reminder campaign so that it applies to other Google services and Android users.

Spanish Agency for Data Protection: Press release

