Legal and Ethical Recommendations

European countries have fragmented regulations about the manufacture and operation of civil drones; therefore, European institutions are trying to combine all these regulations into a common one by 2019. Until this common framework arrives, not only law but also ethics can give guidelines to the industry to satisfy national standards as well as users’ concerns. The European Aviation Safety Agency promotes the highest common standards of safety and develops common safety rules at the European level. This agency and its national equivalents monitor the activity of producers and operators, but, depending on the size of the drone, this activity could cover regulation measures or ethical recommendations. In this sense the aim of our analysis is to categorize the types of hard–soft regulations that we find in the European Union. Our study is based on a content analysis from four sources of information: scientific papers, policies and regulation proposals from the European Union, the regulation and co-regulation of some European countries, and the self-regulation of some drone companies’ associations. In general, few countries have chosen self-regulation as a solution to the problems, although in other economic sectors there are positive experiences. With our results we would like to give advice to the European industry as well as providing academia and policy makers with new insights.


Introduction
Different regions and countries in the European Union have diverse ways of regulating their commercial and professional activities. In some regions legal regulation is prominent, and there are different normative tools to regulate every economic activity in a detailed manner (the French model, regulation-centred countries).

Drones' European Legal and Ethical Framework
As Clarke (2014a: 291) highlights in relation to the drone surveillance sector, "the aviation industry has operated for the last seven decades within the framework provided by an international convention, resulting in considerable similarities across almost the entire world", but "no such cohesive influence exists in the field of …" other regulations, such as for civil drones. Furthermore, he is quite critical of soft forms of regulation, as he underlines that the impact of organizational and industry self-regulation is very limited.
Moreover, "despite its theoretical promise, co-regulation too appears unlikely to satisfy the need. Formal regulation therefore appears to be essential" (Clarke 2014a: 291). He gives examples of other successful sectors, and in Clarke (2016: 153) he shows some co-regulation initiatives that could provide more commitment to the drone sector in the short-medium term, due to the fact that in "co-regulation … industry or user organisations perform regulatory functions within a framework set by a government agency". That is because interaction among stakeholders may produce a consensus on a public policy approach in an area in which there is considerable uncertainty (Freeman and Freeland 2014).
As a starting point, and agreeing with Stöcker et al. (2017), all drone regulations have one common goal: "minimizing the risks to other airspace users and to both people and property on the ground". They propose to analyse the different parts that national regulations cover: • Technical requirements (regarding the product); • Operational limitations (regarding the operator: distance to airports/strips, limitations to flying over people, limitations over congested areas, prohibited areas, maximal flying height, visual line of sight, beyond visual line of sight, and so on); • Administrative procedures (certificates, registration, insurance); • Human resource requirements (qualification of pilots); • Implementation of ethical constraints (here they include requirements for data protection and privacy).
Thus, as we can observe, the majority of concerns are related to safety, and they only give ethical concerns in relation to privacy. Safety tests are necessary before marketing a drone, and different key attributes of the product should be checked (Clarke 2014b). However, from our point of view, safety can also be included in ethical limitations. Moreover, different current regulations, at least in the European Union, can cover privacy issues.
Regarding data protection, the current European Directive guarantees rights of access, rectification, erasure, and blocking. In addition, the new Directive and Regulation on Data Protection (to commence at the end of May 2018) include the same standards (European Parliament 2016a, b). However, to apply them, it is essential to inform the subjects. Besides, the necessary storage measures should be adopted when processing, according to the European Union Directive.
As mentioned in the chapter "Spain-UK-Belgium Comparative Legal Framework", the European Union has developed some documents to clarify the regulation of civil drones. The current national harmonization actions undertaken by the EASA define riskless open and riskier specific categories. The main European documents are the following: To reach a common legal framework, the European Union has developed several stakeholder consultations, although no legislation has been approved yet.
Furthermore, in other regions, such as the United States, Kaminski (2016) underlines the efforts of the National Telecommunications and Information Administration (NTIA) at the Department of Commerce to host multi-stakeholder negotiations on consumer privacy around drones for industry self-regulation and co-regulation. Moreover, in some specific sectors, the different stakeholders should be informed of the advantages of using drones. For example, Sandbrook (2015) remarks on the importance of identifying the social risks of drones for biodiversity conservation and how they could be mitigated to ensure good ethical practice and minimize the risk of unintended consequences. Accordingly, self-regulation and co-regulation could be adjusted to the different actors' needs.
Industrial manufacturers and professional users are expected to play a key role and contribute to the decision regarding whether UAVs will be a tool for everyone or just for professionals (Stöcker et al. 2017). Codes of conduct are the most-used self-regulation tool to set rules and standards, such as the promises by companies to regulate themselves in the general interest of society (Laudon and Laudon 2016). Some associations of manufacturers and operators of drones have developed codes of conduct (Arkin 2016) that could also provide guidance to the regulators of in-place legal standards and practices (Freeman and Freeland 2014).
As drones' technology changes fast, new organizations' adoption of drone technologies must be paired with clear articulation of their ethical use and full transparency with the public (Culver 2014). For example, information security seems to have received less attention in regulations. However, some measures could be designed by default (Coopmans 2014) to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction (Braun et al. 2015). Some security concerns include hacking, hijacking, cyber-attacks, or other types of vulnerability. Thus, the encryption of communications among all the devices could permit secure computer-RPAS communication and avoid unauthorized access by third parties. For example, there is the possibility of data anonymization, such as pixels to avoid facial recognition when using a camera (Ruchaud and Dugelay 2015).

Drones' National Legal and Ethical Frameworks
Following the analysis of the three European countries involved in the AiRT project, we have compared Spain, the UK, and Belgium. The situation in the different European countries is very similar. Normally co-regulation is used to provide the drones' pilots with practical training, while self-regulation in general is not developed in a specific code of conduct.
The training of drones' operators is a key factor for the industry (Clarke 2016). Requiring operators to be licensed and have insurance can impose standards and ensure safety (Luppicini and So 2016).
As a detailed legal study was undertaken in the chapter "Spain-UK-Belgium Comparative Legal Framework", we focus our analysis on ethical tools (Table 1): In Spain the National Agency of Aerial Safety (AESA) works with different organizations to provide pilots with practical training. In this sense authorization for training is given to (AESA 2017): • Drone manufacturers • Organizations authorized by a drone manufacturer • Licensed operators with their own pilots • Authorized training organizations (ATOs).
After the training and its assessment (as described by the AESA), these organizations have to send the Agency a dossier containing all the required official documents. This certificate should specify the drone type and model that the person is able to pilot. The certificate it is not necessary in all cases, although it could add value in the case of professional work. Moreover, licensed pilots normally contract insurance, and this constitutes another trust guarantee. On the side of self-regulation, even though the Spanish Association of RPAS (AERPAS) is the biggest companies' association as it includes manufacturers and operators, it has no code of conduct. There is a smaller association, AEDRON (2016), the Spanish Association of Drones and Similar, just for operators, which has developed one. According to it, some interesting points that the regulation does not cover are: • To help other pilots in the case of necessity; • To identify the environmental impacts of the activity in order to minimize them; • To use biodegradable materials and recycle them correctly; • To sign the operation's zone correctly.
In the UK, as well as in the previous case, the Civil Aviation Authority (CAA) does not provide training but gives this task to the national qualified entities (NQEs) to assess the competence of people operating small unmanned aircraft (CAA 2015). That is the standard permission to conduct commercial operations with a small unmanned aircraft (drone) weighing 7 kg or less.
Regarding self-regulation, the Association of RPAs (ARPAS-UK 2017) has its own code of conduct. The code, which is very brief and general, is built on three specific themes: safety, professionalism, and respect. Nevertheless, some of its statements could be useful: • To report incidents to the police, national authority, or relevant industry body; • To ensure that RPASs will be piloted by individuals who are properly trained and competent to operate the aircraft or its systems; • To ensure that RPAS flights will be conducted only after a thorough assessment of the risks associated with the activity. Reliability, performance, and airworthiness are established standards.
The case of Belgium is the same. The Belgium Civil Aviation Authority (BCAA) does not provide training, but the Direction Générale Transport Aérien (DGTA) gives this competence to certain organizations (approved training organizations-ATOs). According to article 35 of the Royal Decree of 10 April 2016 on the use of unmanned aircraft in Belgian airspace, the candidates for the position of instructor must meet the following prerequisites: • Hold a valid remote pilot license; • Have completed a teaching and learning course; • Have flight experience of at least 100 h as a remote pilot.
A flight instructor candidate who meets the previous cumulative conditions must pass a practical examination before becoming an RPAS examiner designated by the DGTA. The RPAS flight instructor rating is valid for a period of three years (SPF Mobilité et Transports 2015).
Concerning self-regulation, the BeUAS-La Fédération Belge de l'Aviation Télépilote or Belgian Unmanned Aircraft System Association-just provides a "Charter" (BeUAS 2017) containing a few ethical principles. Among them, we highlight the following: • Always fly over people with permission; • Always bear in mind the type or class of drone in use; • Do not fly a drone at night; • Respect the operating manual at all times if applicable, knowing the drone's limits and adapting the flight in function.
To sum up, we can observe that self-regulation is focused on operators and the main concerns regarding the ethical aspects of their work are the following: • To work in a helpful environment, prioritizing safety all the time; • To minimize the environmental impacts; • To give all the necessary information and request permission to the people affected by the activity; • To report incidents; • To pilot when there is the competence and training to do so in a safe way, respecting the operating manual; • To analyse the risks associated with the activity, bearing in mind the class of drone in use and the limits.
We think that these measures are in line with the draft of the new European Union regulation but could be useful while that regulation is being approved and implemented.

Industry Perceptions
We conducted focus groups in Spain, the UK, and Belgium during February 2017 to contrast with the creative industry the concerns about safety and security when using civil drones for their work. Each group was formed by six to seven expert informants from different sectors, and half of them have a pilot drone license. In total we collected information from twenty people.
The participants attribute the most importance to the experience of the pilot, particularly regarding professional work. For them, trust can be gained when there is training and insurance to cover any eventuality. Additionally, an encrypted Wi-Fi connection is necessary in all cases to give information to the subjects when recording.
Furthermore, the role of the producers is more focused on default measures and giving advice and instructions to the operators.

Conclusions
From our point of view, manufacturers and operators are different actors, even though the traditional way of distinguishing standards is to categorize them into active and passive measures all together for both groups. Manufacturers are key actors, as they develop safety and security measures, but operators can just use them, so they are less involved in the design of the product. Manufacturers should work with operators and other stakeholders to improve those measures, because knowing actors' concerns can add considerable value to the product.
Manufacturers could be more centred on safety by default and security by default in designing drones to avoid risky situations in their use. Operators should have the appropriate training to avoid any risk, even for small drones. Maybe if the industry is able to develop very precise drones, the pilots could be inexperienced, but at this moment we think that these cases should be reduced to indoor environments where the risks can be better assessed.
Even if ethics and codes of conduct can help manufacturers and operators of drones, co-regulation whereby public agencies could give some kind of certificate would be an additional element to reinforce other kinds of work in which flight licenses are not compulsory.
As we have observed, in the European countries, co-regulation now is only centred on operators and practical training. The participation of other stakeholders to ensure safety and security is not included. However, other agencies could be involved in the industry, for example to ensure information security, product safety, or data protection by applying different best-practice standards.
Moreover, on the side of regulation, and following Rao et al. (2016: 89), the introduction of compulsory specific insurance could be helpful to create a registry of devices to link each drone to its owner and to help to assign responsibility for illegal activities. On the same line, Boucher (2016Boucher ( : 1409 stresses that citizens see drone regulations as analogous to car regulations; therefore, they should have "mandatory licensing, registration of devices, and mandatory third-party insurance". For him the current focus on public acceptance of civil drone development will move to the development of civil drones that are acceptable to society. The European Union (2015) recommends that producers can help by giving advice on their packaging and using codes of conduct to self-regulate the industry. Other tools, such as impact assessment or the participation of a Data Protection Officer, could improve clients' reliability. The industry could be proactive in case regulation is not enough.