Mark Del Bianco
(i) Outsourced UAS services to third party clients in any of a wide range of industries; or
(ii) A platform through which service providers in category (i) can upload, store, manipulate and disseminate data they have generated through their operations.
Like other businesses, commercial UAS operators and service providers receive and use personally identifiable information (“PII”) from customers, potential customers and members of the public who visit their website or use their mobile app. Designing and maintaining privacy policies that address this data is no different than creating a policy for any other firm.
The unusual challenges facing both operators and service providers arise from the fact that the major existing and contemplated near-term uses of UAS revolve around the acquisition of actionable data: still photographs, video, or infrared or LIDAR images. UAS operations inevitably generate data related to property or to identifiable persons who are in places where traditionally there has been an expectation of privacy, based at least partly on the difficulty of access. Think license plates, facial recognition or factory effluent discharge trails. These issues are not unique to UAS – many of the same objections have been and are being made to Google Maps and other similar projects. But the flight component of UAS and the ease of access it affords to formerly inaccessible places has amped up people’s concerns.
The government, UAS industry firms, and other stakeholders have begun to recognize the public concerns about Big Data and the deliberate or accidental acquisition of personal data by UAS and the need to minimize the “creepy” factor associated with UAS. To that end, NTIA, as part of the Commerce Department, in early 2015 convened a multi-stakeholder process to develop privacy best practices to “help guide the development and growth of UAS in the United States.” The process turned out to be a side skirmish in a larger, ongoing debate (some might say “war”) over personal privacy and Big Data.
Nonetheless, a diverse group of stakeholders came to consensus on a best practices document that was released in May 2016. See https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-unmanned-aircraft-systems. A number of groups who participated in the process declined to sign on to the final document because they felt it was too narrow in scope and failed to address other technologies (such as CCTV cameras) that raised issues similar to those raised by UAS operations.
The NTIA document outlined voluntary best practices that “UAS operators could take to advance UAS privacy, transparency and accountability for the private and commercial use of UAS.” These best practices go beyond existing law and “they do not—and are not meant to—create a legal standard of care by which the activities of any particular UAS operator should be judged.” However, the best practices are limited in scope and fail to provide much guidance for UAS service providers.
The best practices address “covered data,” which is “information collected by a UAS that identifies a particular person.” If data collected by UAS likely will not be linked to an individual’s name or other personally identifiable information, or if the data is altered so that a specific person is not recognizable, it is not covered data.
The best practices document has three strategies operators and service providers could take:
The purposes for which the UAS will collect covered data;
The kinds of covered data that will be collected;
Examples of the types of entities with whom covered data will be shared (as applicable);
Information describing practices in responding to law enforcement requests.
Operators and service providers should note that their efforts to provide notice may differ by industry – real estate professionals should anticipate contacting neighbors of the property to be filmed.
Second, the NTIA advises operators to take care both when operating the UAS and when collecting and storing covered data. Unless there is a compelling need, UAS operators should not use “UAS for the specific purpose of intentionally collecting covered data where the operator knows the data subject has a reasonable expectation of privacy” – whether it is a one-time use or whether it is for “persistent and continuous” data collection. Additionally, “UAS operators should make a reasonable effort to minimize UAS operations over or within private property without consent of the property owner or without appropriate legal authority,” and operators should “avoid knowingly retaining covered data longer than reasonably necessary,” unless the data subject consents or there are exceptional circumstances, such as “legal disputes or safety incidents.” The NTIA also advises that operators establish a process for receiving privacy and security concerns, including requests to delete data.
So far, the privacy issue has gotten the most publicity, but in the long run the Big Data issues may be more important. Both long-standing companies looking to enter the UAS market and new organizations starting out should create and implement policies that cover the concerns listed above. If you do not have the internal capabilities to put together these policies, consider retaining outside help from an attorney who is well-versed in these matters. Doing so will not only help the business grow, it will also set these companies apart from their competition.