The United States Department of Justice (“DOJ”) issued guidance on May 22, 2015 regarding its domestic use of unmanned aircraft systems (“UAS”), more commonly known as drones, which was developed by an internal working group at the DOJ over the last several years. The guidance states that it is “intended only to improve the internal management of the [DOJ],” and does not create any right that is enforceable by any party against the DOJ. While the guidance creates various retention, reporting, and review procedures, it leaves unanswered questions related to the implementation and management of these procedures.
The following are some of the key new retention, reporting, and review procedures described in the guidance.
Retention of Personally Identifiable Data
The guidance creates a time limit on the retention of personally identifiable information, stating that the DOJ “shall not retain information collected using UAS that may contain personally identifiable information for more than 180 days unless retention of the information is determined to be necessary for an authorized purpose or is maintained in a system of records covered by the [Privacy Act of 1974 (5 U.S.C. § 552a)].”
The guidance, however, does not provide a test or mechanism for how to determine if such information is “necessary for an authorized purpose,” or what individuals at DOJ have the authority to make such a determination. Thus, it is unclear how this time limit will be implemented by DOJ agencies or otherwise internally enforced.
Annual Reviews and Reports
The guidance requires “Senior Component Officials” to perform an annual privacy review of the use of UAS by their respective agencies to “ensure compliance with existing laws, regulations, and Department policy, and to identify potential privacy risks.” Senior Component Officials must also make recommendations to ensure that UAS will continue to be used in a manner consistent with the U.S. Constitution.
The guidance also creates an annual report requirement for the DOJ components: “Department agencies that use UAS must report annually to the Deputy Attorney General on the use of UAS. The report should incorporate privacy reviews, as well as the number of UAS operational deployments . . . conducted during the reporting period and a brief description of types or categories of missions flown along with the number of each type of mission.”
The guidance does not provide standards under which the privacy reviews or annual reports are to be conducted or recommendations made, or the consequences for not complying with the requirements.
The guidance requires training on the policy for DOJ personnel that use UAS, but does not specific any standards for that training.
The guidance also creates a requirement for the DOJ to “ update its website to reflect its current policy on UAS on an ongoing basis” as “appropriate.” The DOJ must also “provide a general summary of UAS operations conducted by the Department during the previous year, including a brief description of types or categories of missions flown and the number of times the Department provided assistance to other federal, state, local and tribal agencies or entities.”
While this guidance provides some direction on the use of UAS by the DOJ and creates greater transparency on such use, it is lacking in granular instructions on how individual agencies should implement such direction, which may lead to wide variances in privacy-related procedures being implemented by DOJ components and agencies.