Recently, the US Department of Homeland Security (DHS) published guidance on the best practices to implement unmanned aircraft systems (UAS) (a.k.a. drones) programs that respect privacy interests, civil rights, and civil liberties. Although DHS drafted its best practices with federal, state, and local government partners in mind, DHS acknowledged that private sector actors would also find its guidance useful for the development and operation of UAS programs.1
Following the enactment of the Federal Aviation Administration (FAA) Modernization and Reform Act of 2012,2 which mandated the integration of governmental and commercial UAS into the national airspace system by 2015, DHS established the DHS Unmanned Aircraft Systems Privacy, Civil Rights and Civil Liberties Working Group (Working Group), in September 2012.3 In compiling and preparing its guidance, the Working Group’s stated goal was “simply to share the best practices we have identified as helping to sustain privacy, civil rights, and civil liberties throughout the lifecycle of a [UAS] program.”4 Moreover, the Working Group relied on the Customs and Border Patrol’s (CBP) experience over the past ten years using UAS for assistance in protecting and securing the United States’ borders.5
The Working Group’s guidance arrives as privacy advocates continue to express great concern about the use of drones by both private citizens and federal, state, and local government agencies. Because UAS are small, highly maneuverable, inexpensive, and often equipped with powerful recording and surveillance capabilities, the potential privacy implications are obvious (a very basic drone with an advanced video and still camera can be purchased for as little as a few hundred dollars). The Electronic Privacy Information Center (EPIC) has continued to advocate for privacy regulation of drones—with respect to both law enforcement use and use by commercial and private actors—but neither the FAA nor any other federal regulators have yet promulgated any regulations specifically addressing these issues.6 In February, alongside the FAA’s first round of UAS regulations, President Obama issued a Presidential Memorandum on “Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems,”7 but for now the Working Group’s Best Practices are the most concrete and detailed statement on privacy and the government use of drones issued by a federal agency.
Significantly, the Working Group notes that its guidance is intended for key emergency management personnel, i.e., first responders, fire departments, security professionals, and emergency medical service, and so on.8 The Working Group did not design its best practices to respond to investigative uses of UAS.9 Thus, while law enforcement use of drones is controversial (and the focus of much discussion regarding the privacy and civil liberties impact of drones), the best practices do not confront this debate or offer solutions.
Nevertheless, the Working Group’s fifteen best practices for UAS programs designed to help protect privacy, civil rights, and civil liberties provide a helpful—if somewhat high level—framework for developing UAS programs, not only for government actors but also for commercial enterprises seeking to enter this space, particularly commercial actors that may be engaging in activities, such as photography or surveillance, that may draw the scrutiny of privacy regulators.
The best practices include:
- Consulting with Legal Counsel and Experts: Before establishing a UAS program, agencies should consult with legal counsel to ensure there is legal authority for UAS operation. In addition, agencies should seek guidance from legal counsel, privacy officers, and civil rights and civil liberties experts during the formulation, operation, and review of a UAS program to certify compliance with applicable laws.10
- Articulating the Primary Purpose of the UAS Program: Agencies should clearly identify the purpose behind the establishment of the UAS program in a plainly worded mission statement. The Working Group suggests also identifying the challenge the UAS program will address; determining an appropriate UAS payload for the program’s purpose; and describing the primary reasons for the UAS program online or in a publicly accessible document.11
- Keeping the Focus on the Primary Purpose: Although the reasons and function of the UAS program may develop over time, changes to the program’s stated purpose ought to be reviewed by legal counsel and individual rights experts. The Working Group proposes that changes to a program’s primary purpose should be noted in publicly available documents before the implementation of any changes.12
- Designating an Individual to be Responsible for Privacy, Civil Rights, and Civil Liberties Compliance: A senior-level individual, employed in the organization and with “working knowledge” of privacy, civil rights, and civil liberties laws, should be made responsible for overseeing compliance with those regulations. The Working Group suggests that the individual should directly report to the person with overarching responsibility for the UAS program.13
- Continuing to Consult with Experts Throughout Entire UAS Program: Individuals involved in the operation and maintenance of the UAS program should continue to consult with legal counsel, privacy officers, and civil rights and civil liberties experts for the entirety of the UAS program. The Working Group recommends establishing and publishing clear policies to ensure privacy and individual rights are respected. The Working Group notes the importance of “making it clear that some information may not be able to be made publicly available based upon other legal, investigative or operational security reasons.”14 Moreover, the Working Group suggests establishing a routine review process to evaluate whether the program’s purpose continues to be met or if modifications are necessary.15
- Conducting a Privacy Impact Assessment: Before implementing a UAS program, an agency should assess the potential privacy, civil rights, and civil liberties risks associated with the use of UAS. The Working Group recommends using a Privacy Impact Assessment (PIA) format or any other mode of assessment that will help the agency identify potential privacy risks, such as the collection of Personally Identifiable Information16 or other privacy issues.17
- Limiting UAS Recorded Data Collection, Use, Dissemination, and Retention: The UAS program’s data collection should be limited to legally acquired information that is relevant to the agency’s operations. The collection, use, dissemination, or retention of UAS-recorded data should be in compliance with all applicable laws and the agency’s authorizations to collect data. The Working Group suggests that all recorded images of individuals should not be kept beyond a reasonable period established in an agency’s guidelines, unless otherwise authorized.18
- Establishing a Redress Program: Agencies should establish a streamlined redress program that evaluates challenges to alleged improper capture of personally identifiable information by a UAS. The Working Group suggests employing an administrative process designed to resolve complaints within “a reasonable amount of time.”19 Moreover, the administrative process should be straightforward with publicly available instructions.20
- Maintaining Accountability in UAS Program Management: Agencies should ensure that oversight procedures are in place to record all access to and use of UAS-recorded data. The Working Group recommends that agencies supervise access to UAS-recorded data, create a process for reporting suspect misuse of data, and impose penalties for data misuse and non-compliance with the agency’s policies. In addition, the Working Group suggests devising a schedule for UAS program managers to submit a report, at least annually, to agency legal counsel and privacy and individual rights experts detailing UAS activities and complaints.21
- Securing and Storing UAS-Recorded Data with Appropriate Safeguards: Agencies should design the UAS-recorded data security standards so as to prevent or minimize data loss, unauthorized access, and disclosure and use of UAS-recorded data. For example, the Working Group suggests making sure that all access to UAS-recorded data is controlled with proper physical, personnel, or technical security measures designed to protect the data. Similarly, the Working Group also recommends that agencies create procedures to ensure the data and UAS system are only used as authorized.22
- Training Personnel on Privacy and Civil Liberties Polices: All personnel associated with the UAS program should be required to attend annual training on privacy and civil liberties policies as they pertain to UAS. The Working Group suggests that the agency’s offices responsible for privacy, civil rights, and civil liberties should help develop and conduct the training.23
The Working Group stresses that these best practices “are not prescriptive.”24 Instead, the Working Group intends for its best practices to serve as guidance, strongly encouraging agencies to work closely with one another and their legal counsel, privacy officers, and civil liberties experts to confirm a UAS program’s compliance with all applicable laws. While obviously framed as a set of practices for agencies, the issues raised by the Working Group (including the need to keep a UAS program focused, to think through information retention and security, and to carefully assess potential privacy risks in a UAS program) are broadly applicable to the private sector. Companies looking to use drones should do so carefully, strategically, and recognizing that there are myriad unanswered questions, particularly with respect to privacy and private property, that continue to raise some risk, even for fairly mundane or established drone usage.