On February 15, the White House released a Presidential Memorandum titled "Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems" (the "Memorandum"). The Memorandum (or a similar executive order addressing this topic) had been expected since June 2014, in particular because the Federal Aviation Administration's future unmanned aircraft systems (UAS) regulations were not expected to include privacy provisions. The Memorandum reflects an attempt by the Obama administration to address emerging privacy and data security concerns with respect to domestic drone use. The Memorandum also comes at a time when cybersecurity is of increasing concern, and as certain types of domestic drones are increasingly viewed for their value as platforms for data acquisition, storage, and analysis.
The Memorandum provides that as UAS become integrated into the National Airspace System (NAS), the federal government "will take steps to ensure that the integration takes into account not only our economic competitiveness and public safety, but also the privacy, civil rights, and civil liberties concerns these systems may raise." The Memorandum takes two steps in furtherance of that goal. First, it orders federal agencies to implement policies to limit and advise the public on their UAS data collection operations. Second, it establishes a multi-stakeholder engagement process coordinated by the National Telecommunications and Information Administration (NTIA), a division of the Department of Commerce, to develop best practices for protecting individual rights in the commercial and private UAS sphere.
On March 4, in accordance with the Memorandum, NTIA launched a public comment period concerning UAS privacy issues, issuing a list of specific privacy-related questions. The NTIA is now accepting comments concerning UAS privacy issues, which are due by April 20. Individuals and companies that have a stake in the future restrictions that may be imposed on UAS use, as well as an interest in helping assure the public about noninvasive commercial drone uses, should take the opportunity to get involved in this important process. The emergence of aerial data collection devices also presents an opportunity to engage on cybersecurity and privacy issues in the context of physical data collection, a topic about which interest has recently grown due to the popularity of internet-connected consumer devices and wearable technologies (i.e., the "Internet of Things").
UAS Policies and Procedures for Federal Government Use
The first section of the Memorandum requires that any information the federal government obtains using UAS be "collected, used, retained, and disseminated consistent with the Constitution, Federal law, and other applicable regulations and policies." In particular, the Memorandum states that agencies must comply with the Privacy Act of 1974 (5 U.S.C. § 552a), which restricts the collection and dissemination of individuals' information that is maintained in systems of records.
The Memorandum also orders federal agencies to examine, at least every three years, their existing UAS policies and procedures relating to information collection, use, retention, and dissemination. The Memorandum requires agencies to enact several specific policies and procedures relating to such information. For instance, agencies should collect information using UAS only "to the extent that such collection or use is consistent with and relevant to an authorized purpose."
Additionally, the Memorandum orders agencies to ensure that their collection, use, retention, or dissemination of data does not violate the First Amendment or illegally discriminate against any persons based upon their ethnicity, race, gender, national origin, religion, sexual orientation, or gender identity. Agencies must also ensure that adequate procedures are in place to receive, investigate, and address privacy, civil rights, and civil liberties complaints.
Further, the Memorandum mandates that agencies take various actions intended to ensure accountability. Among other required measures, the Memorandum orders agencies to "provide for effective oversight" of their UAS use by maintaining oversight procedures (including audits or assessments) that comply with existing agency policies and regulations; rules of conduct and training for federal government personnel and contractors; and policies and procedures for overseeing individuals who may have access to sensitive information.
The Memorandum also orders agencies to enact measures aimed to "promote transparency" among UAS activities "while not revealing information that could reasonably be expected to compromise law enforcement or national security." Agencies are required to keep the public informed of UAS use and to publish an annual "general summary" of their UAS operations, including "a brief description of types or categories of missions flown, and the number of times the agency provided assistance" to other agencies or governments.
Finally, this section of the Memorandum orders all agencies to provide the president with a status report on the implementation of privacy protections within 180 days of the Memorandum's release. Within one year of the Memorandum's release, the agencies must publish information about how the public can access their policies and procedures regarding privacy protections.
These directives are intended to address widely reported privacy concerns from a data collection and retention perspective, and thus may overlap with policies and procedures that already exist within federal agencies, particularly with respect to the collection of personally identifiable information (PII). The Memorandum may be viewed as an attempt to catch up with, if not head off, the increasing number of state legislatures that have considered, and in over a dozen instances passed, legislation imposing restrictions on government agency use of drones, or requiring warrants to be issued before drones are used by law enforcement personnel. In shifting the focus from the issue of who may use this technology and how, to issues of the collection, retention, and security of data that is obtained by governmental agencies, the Memorandum appears to take a more progressive approach overall. Because these directives will require agency action in the next few months, they will likely have a larger impact on current UAS use than the FAA's small UAS regulatory proposals (also announced the same week), which are anticipated to take up to two years to implement. Federal and state agencies have been operating UAS under FAA certificates of waiver or authorization (COAs) for several years.
Vision of Multi-Stakeholder Engagement Process
The Memorandum recognizes that UAS may soon be a "transformative technology in the commercial and private sectors." At the same time, the Memorandum states, "our Nation must be mindful of the potential implications for privacy, civil rights, and civil liberties. The Federal Government is committed to promoting the responsible use of this technology in a way that does not diminish rights and freedoms."
Toward this end, the Memorandum establishes a "multi-stakeholder engagement process to develop and communicate best practices for privacy, accountability, and transparency issues regarding commercial and private UAS use in the NAS." The Memorandum specifies that this process will include stakeholders from the private sector. Further, the Memorandum orders that, within 90 days of the Memorandum's release, the NTIA consult with other agencies to initiate this process and develop a framework. The Memorandum specifies that this process will affect the use of UAS for commercial purposes as civil aircraft even if the use would qualify as a public aircraft (e.g., a governmental operation) under 49 U.S.C. 40102(a)(41) and 40125.
Although the "best practices" framework does not appear intended to result in actual privacy regulations, it is possible that the standards that emerge from the multi-stakeholder process will be adopted by commercial UAS operators and could form the basis for future regulations or statutory provisions.
Multi-Stakeholder Process Launched; Comments Due April 20
On March 4, NTIA announced that it is seeking comment on the multi-stakeholder engagement process, as directed by the Memorandum. NTIA has invited the public to submit suggestions for the process by April 20 and expects to convene an initial public meeting by early June. In its Request for Comment (RFC), NTIA states that the engagement process is intended to help address privacy concerns raised by commercial and private UAS use as well as promote transparent and accountable UAS operation by companies and individuals. The RFC specifically seeks public input on various questions, including:
- Do some UAS-enabled commercial services raise unique or heightened privacy issues?
- Which commercial and private uses of UAS raise the most pressing privacy challenges?
- What information should commercial UAS operators make public?
- How can companies and individuals best keep the public informed about UAS operations that significantly impact privacy, anti-nuisance, or safety interests?
- What rules regarding conduct, training, operation, data handling, and oversight would promote accountability regarding commercial and private UAS operation?
- What specific best practices would promote transparent UAS operation while supporting innovation?
NTIA's RFC can be found here: http://www.ntia.doc.gov/federal-register-notice/2015/request-comments-privacy-transparency-and-accountability-regarding-comm.
Comments on the NTIA request may be submitted by email by April 20 to UASrfc2015@ntia.doc.gov.
The NTIA process is the first instance in which the public has been formally asked for input concerning UAS privacy issues nationwide, a topic that has previously been addressed only on a state-by-state basis through legislation. Please feel free to contact a member of our Unmanned Aircraft Systems and Cybersecurity, Privacy and Data Protection practices if you have any questions about the multi-stakeholder process.
The Unmanned Aircraft Systems Team
Kramer Levin's Unmanned Aircraft Systems practice group is the first of its kind in the United States, featuring a multidisciplinary team of attorneys thoroughly versed in the legal complexities of the nascent commercial drone revolution. Our lawyers provide sophisticated and creative problem-solving strategies in this uncharted legal territory.