DRONES4SEC files simultaneous complaints with the Dutch Data Protection Authority and the Bavarian Data Protection Authority against DJI for lack of GDPR compliance

DRONES4SEC is the first European Federation of Security Drones, bringing together drone manufacturers, suppliers of components or strategic expertise, and software solution providers who orchestrate drone deployment or exploit data from drones. DRONES4SEC aims in particular to define the criteria of trust, cybersecurity and personal data protection that the use of drones requires for new uses, and to make decision-makers aware of the importance of choosing trusted drones.

DJI is a Chinese technology company founded in 2006 and based in Shenzhen.

Its main activity is the design and manufacture of drones. The company is the world leader in the drone market for photography and videography, and also provides drones for first responders, police and militaries, along with enterprise use for mapping and inspection of various critical infrastructures and agriculture.

Based on its strong expertise in drone technologies and the drone ecosystem, and on the investigation made so far, DRONES4SEC has serious reasons to believe that DJI breaches the General Data Protection Regulation (GDPR) and national data protection laws and that, for instance, users’ data can be transferred to China without appropriate safeguards or even users’ knowledge.

As a result, on April 12th, 2023, DRONES4SEC lodged a complaint with:

  • The Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

B.V (Netherlands) and its parent company SZ DJI Technology Co. (China), and

  • The Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht) against DJI GmbH (Germany) and its parent company SZ DJI Technology Co. (China).

The Dutch and Bavarian Data Protection Authorities both supervise processing of personal data in order to ensure compliance with the laws governing the use of personal data. Through this complaint, DRONES4SEC expects that data privacy laws can be fully applied to the global drone ecosystem. The collection of data captured by tens of thousands of consumers, as well as governments (such as police surveillance), especially in light of the important data sets available through drone imaging, must be done in a way that ensures privacy and cybersecurity.

Through a comprehensive report based on existing cybersecurity research, an analysis of DJI’s privacy policies and of its cookie tracking, DRONES4SEC asked the Data Protection Authorities to investigate the following claims:

(1) DJI transfers personal data to third countries (at least China) in breach of the rules laid down in Chapter V of GDPR. The European Data Protection Board (EDPB) report “Government access to data in third countries” concludes that “It is held that the PRC is not a democratic, liberal state, nor does it have a rule of law. Therefore, it cannot be considered as having the ability to provide people with the protection of personal data equivalent to the EU. […] It can be concluded that government access to personal data is not constrained”. As China does not benefit from an adequacy decision under Article 45 GDPR and does not offer equivalent protection to the EU, supplementary measures would need to be implemented by DJI. However, there is no proof of the implementation of such measures by DJI.

(2) DJI’s apps contain hidden dangerous features that do not comply with the data protection principles of the GDPR, in particular the principle of fairness and transparency and the principle of data protection by design and by default. As an example, several mobile apps from DJI have for months been sending private data from tens to hundreds of thousands of users to a Chinese intelligence data platform, MobTech (mob.com), whose goal is to collect as much personal data as possible. This feature was hidden from end users, and DJI used obfuscation techniques to prevent cybersecurity researchers from identifying such collection of personal data.

(3) DJI’s privacy policies are not compliant with the principles of transparency and fairness as set out in GDPR.

(4) DJI collects personal data and tracks its users by using cookies in violation of the obligation to obtain consent and the obligation to provide information to users. This provides an additional example of DJI tracking its users.

This action by DRONES4SEC is focused on privacy. Apart from privacy issues, the observations made raise important questions of sovereignty, especially for non-trusted drones used by enterprises for mapping or inspecting critical infrastructures, such as nuclear power plants, electricity grids, oil and gas, drinking water, transport, etc.

For additional information on DRONES4SEC please visit: https://www.drones4sec.eu/
Contact: president@drones4sec.eu
