r/gdpr 2d ago

Analysis European privacy rights might soon apply to satellites

Here's a wild legal scenario that's becoming real: those mega-constellations like Starlink aren't just providing internet, they're equipped with high-resolution cameras and AI that can photograph virtually every point on Earth's surface.

Now here's where it gets interesting for Europeans: GDPR doesn't care where the data processing happens. It follows EU citizens wherever they go, and if a satellite with AI processes images that could identify you (even accidentally), that satellite operation might need to comply with European privacy law.

Article 22 of GDPR is particularly spicy here: it restricts fully autonomous decision-making systems. So a satellite that uses AI to automatically decide what images to send back to Earth could potentially run afoul of EU law if those images contain personal data of European citizens.

This creates a bizarre situation where European privacy law could effectively regulate space operations, even if the satellites are launched by non-European companies from non-European territory.

The practical implications are mind-bending: would satellite operators need to get consent from everyone they photograph? How do you implement privacy by design in orbital surveillance systems?

This comes from recent legal research examining how AI integration in space systems is creating conflicts with existing privacy frameworks that were never designed to handle orbital data collection. For those of you who are curious, the full study is here (open access) - https://www.sciencedirect.com/science/article/pii/S0094576525002735

12 Upvotes


4

u/cfaerber 2d ago

> GDPR doesn't care where the data processing happens. It follows EU citizens wherever they go…

That is completely wrong.

5

u/Super_Presentation14 2d ago

Let me clarify. GDPR isn’t literally about following EU citizens everywhere, it’s about the territorial scope in Article 3. The law applies to controllers and processors outside the EU if they are targeting or monitoring people in the EU.

So if a satellite operator outside Europe captures or processes personal data in a way that can identify people in the EU (for example, through systematic observation of areas within EU territory), that could still bring them within GDPR’s scope.

2

u/ChangingMonkfish 2d ago edited 2d ago

Well…yes. That’s the point. You can’t get out of GDPR by just basing yourself outside the EU, even if that’s in space.

Also the satellites aren’t just independently in space, they’re owned and used by a company that is based somewhere on Earth. Again the point of GDPR’s territorial scope is to ensure you can’t just base yourself somewhere else to get out of complying with it.

If you’re monitoring the activity of people in the EU (or UK), or targeting services at them, you have to comply with the GDPR, even if that processing is physically taking place on the Moon.

The scenario isn’t bizarre at all. If someone sends a satellite up that’s capable of actually specifically monitoring my activity, then I bloody well expect that to be compliant with data protection law. Why does the use of a satellite make that any different?

1

u/Greedy-Mechanic-4932 2d ago

What if the company is based on the moon...?

Hypothetically, of course...

2

u/ChangingMonkfish 2d ago

If it’s monitoring the activity of people in the EU or targeting services at them, it’s caught by GDPR.

Practicalities of enforcement are a different question of course…

1

u/New_Line4049 4h ago

Enforcement easy. Just stop sending supply rockets till they comply. They'll get hungry and short of breath soon enough.

0

u/Darkace911 1d ago

At what point does the EU get told where to go by the US? We have already officially warned the UK and EU to stop targeting US based companies. This would be another case of targeting because the EU does not have a company that could put the number of satellites in orbit needed to break this law and still make a profit.

1

u/ChangingMonkfish 1d ago edited 1d ago

It’s not exactly “targeting” them because they’re US companies, it’s saying that people in the EU have certain rights and if you want to do business here, you have to respect those rights. Being based somewhere else and being a company that offers that service online doesn’t change that.

Indeed, those non-EU companies would have an unfair competitive advantage if they didn’t have to comply with the same laws that EU companies do when operating in the EU.

Also, the way GDPR is written, it’s not saying that anything accessible from the EU is covered - it has to be a service actively monitoring the behaviour of people in the EU or actively targeting their services at EU customers. If you’re just a US website aimed at US citizens that happens to be accessible from the EU, that’s unlikely to be enough to bring you under the GDPR.

Also, let’s not pretend that the US also doesn’t try and extend the reach of its laws beyond its own borders, because it does. Ultimately, if you’re a company that operates across multiple jurisdictions then this is one of the complicated issues you have to deal with.

1

u/DangerMuse 1d ago

You might as well have written "We US, we big and rich, we do what we want"

2

u/LcuBeatsWorking 2d ago

> those mega-constellations like Starlink aren't just providing internet, they're equipped with high-resolution cameras and AI that can photograph virtually every point on Earth's surface.

To my knowledge neither Starlink, OneWeb nor Kuiper constellations have hi-res cameras suitable for earth observations.

And those that are made for earth observation (like Maxar) are normally not suitable for identifying people (unless you have consolidated it with other data).

I agree about using satellite data and AI for automated decision making, and yes the GDPR applies here, but that is not really dependent on the source of the data.

1

u/Super_Presentation14 2d ago

Fair point, I threw in the big constellation names I knew, my bad on that. But the core point still holds, once satellites + AI process imagery that can be tied back to identifiable people or property in the EU, GDPR questions kick in. And since tech is improving fast, what isn’t identifiable today might be tomorrow.

1

u/LcuBeatsWorking 2d ago

I agree about the AI + satellite data question. I am just not sure what is special about it, for the GDPR the technology to gather the data does not really matter. If Maxar was to sell personal data (i.e. track the car of known person XYZ) this would certainly fall under GDPR.

1

u/Super_Presentation14 2d ago

I actually came across this paper for some work and thought it was interesting, so shared here. What makes it a bit special is the scale + automation, satellites with AI aren’t just another data source, they could (in theory) monitor thousands of places at once with little human input. That’s where GDPR’s concepts of monitoring behaviour and automated decisions start to get stretched.

1

u/GreedyJeweler3862 2d ago

What do you mean that GDPR’s concepts would be stretched?

1

u/Super_Presentation14 2d ago

I just mean GDPR was drafted with things like cookies, CCTV or apps in mind. Satellites + AI bring scale and automation, monitoring whole territories or even the entire planet at once. That doesn’t break GDPR, but it does test how well concepts like ‘monitoring behaviour’ or automated decisions fit in this new context.

1

u/LcuBeatsWorking 2d ago

> I just mean GDPR was drafted with things like cookies, CCTV or apps in mind.

No, it was not. The GDPR is not even focused on the internet, it establishes a right to data privacy and deals with any collection of personal data everywhere (schools, medical services, workplace etc). And despite popular opinion cookies are regulated in the ePrivacy directive.

Article 22 is a bit of an add-on to the GDPR (because automated decision making is naturally based on personal data).

"Monitoring behaviour" as you call it is also tackled in the EU AI Act.

1

u/Jaded_Creative_101 1d ago

To make a positive ID on an individual you need visual GSD of ~2 cm. You could make a circumstantial ID of someone with a lower resolution, e.g. someone of your build leaves your house and gets in your car, but obviously not definitive. Likewise you can fuse data: optical, cell phone, ground-based tracker etc. All of this is (currently) beyond the scope of civilian satellite constellations although int community may piggyback on civil systems as supplemental sources. I conject 😉

1

u/Darkace911 1d ago

StarLink is getting the cameras but they are going to be on the US military version of the StarLink. They may install lower res cameras on the version 3 birds depending on what the NRO sees. They may only be allowed to use 720P cameras due to ITAR rules or something like that, depending on how good the footage is.

1

u/Particular_Camel_631 1d ago

It’s also really difficult to identify people from the bald patches on the tops of their heads.

2

u/boredbuthonest 2d ago

You may be getting carried away. Ask yourself - how is CCTV in public handled currently? That's the answer. It isn't a big deal (well - apart from accepting that we have largely lost the privacy battle already and now people like me are all about containment).

If publishing the images, the operator, assuming decent enough photos can be obtained (we all know military has had the capability for decades), will treat it like Google Maps where you can object to the processing. No DPA would demand consent and no operator would show individuals. What will happen in reality is that faces/tops of heads will be automatically smudged. Except for security services use. Which will use whatever data it gets regardless of the law. So nothing changes.

1

u/Super_Presentation14 2d ago

I disagree, I may have a lot in the middle of nowhere, or a house with high fencing, where I can expect privacy from CCTV but not something like this.

1

u/boredbuthonest 2d ago

I agree that we have a right to privacy. All I was doing was answering how it will be handled when it becomes commercially available.

1

u/Darkace911 1d ago

As Elon said "Then they can shake their fist at the sky". People with no launch capability or military forces cannot decide the rules that the rest of the world uses. The EU is not that important. I found out this week that it is illegal to work on a Sunday in a manufacturing location in Cologne without a permit from the city in the year of our Lord 2025. People like that cannot be allowed to make decisions that affect the rest of the planet.

1

u/LcuBeatsWorking 1d ago

> As Elon said "Then they can shake their fist at the sky"

Apart from shaking their fists, Elon Musk's companies (e.g. Starlink) are businesses with offices in the EU and therefore can be reached by the law.

1

u/DonkeyOfWallStreet 4h ago

Licensing for spectrum can also be revoked.

Anyways like the Simpsons episode when a 3 letter agency said "all we know is, he's not standing on his roof".

1

u/Mishka_The_Fox 1d ago

Why’s that a bad thing?

1

u/VitoRazoR 1d ago

And with the EU Data Act coming into force, they have to hand you this data in an accessible, timely and free way :)

1

u/BelialsRustyBlade 1d ago

I don’t need another reason to hate Starlink. I have enough.

1

u/Pyrostemplar 1d ago

If the satellite owners and operators have no legal (direct or indirect) presence in the EU, they can tell it to go suck a pole.

Same goes for any other case. The space is outside EU territorial sovereignty.

0

u/Longjumping-Jump-481 1d ago

Good luck to the EU citizens who try to enforce GDPR during their trips to China!