The news and social media commentary of late reveals considerable discomfort with the idea that “drones,” or Unmanned Aircraft Systems (UAS), could be used to collect images and data for commercial purposes. The idea that a flying machine —say, a 6-inch quadcopter equipped with tiny cameras —might track people or record images and data about their movements and habits strikes many as invasive.1
Yet, for all the recent attention on commercial drones, commercial aerial data collection is hardly a new concept. Private companies have been capturing and commercializing images of the Earth and its inhabitants for decades2 —never mind that hobbyists have been flying cameras on model airplanes long before the term “drone” entered the public lexicon, or that governments have been peering at the planet from space since Sputnik first beeped across the skies.3
Indeed, a growing number of commercial operators are using satellites orbiting hundreds of miles above the Earth to gather data and images,4 a feat generally referred to as “remote sensing.” These operators process and sell the information to companies, research institutes, and even government agencies for various commercial and non-commercial uses.5 Many of the uses are undeniably beneficial, such as weather forecasting and monitoring disaster zones. Other uses, such as monitoring farmland, livestock movements, and energy and mining resources, give businesses an operational edge, while still other uses of satellite data, such as location-based services and detection of traffic patterns for smart phone apps, are now a daily part of life for countless people.
Few would argue that satellites are as easily accessible or potentially intrusive as drones —satellites are much more expensive to develop, operate, and launch, and not nearly as agile as drones. However, with their increasingly sophisticated optics, sensors, and processing technologies, satellites can record places, events, and people with a degree of precision and pervasiveness that is worrisome for data privacy advocates. From the perspective of commercial satellite and drone operators, issues of data privacy and consumer consent to collection of personal data present significant business challenges.
Existing regulations and proposed rules do little to quell these concerns. Different government agencies promulgate a patchwork of regulatory schemes and guidelines for operation of commercial drones and satellites, which do not consistently address personal data privacy protections.6 This makes it difficult for private citizens and commercial operators, alike, to know their rights and duties with respect to collection, storage, and dissemination of personal data and images via commercial aerial platforms.
Yet, even as some federal agencies are considering privacy issues in relation to commercial drone use, questions arise as to whether enactment of privacy regulations for aerial data collection should even be a federal initiative.7 Still, consistent and interoperable privacy protections cannot be achieved at any level if current initiatives do not contemplate all aerial data collection platforms.
To briefly explain, different regulations apply according to the type of aerial platform (such as satellite, aircraft, balloon, or UAS); the altitude at which it flies; the way it got there (such as self-propelled take-off or rocket launch); whether the platform is operated by a private individual, a commercial entity, or a public sector agency (such as the U.S. military or local law enforcement); and the manner of use and distribution of the imagery and data collected. The Federal Aviation Administration (FAA) regulates commercial drones,8 and an increasing number of states have proposed legislation to govern commercial drone use within state borders.9 The federal agencies that regulate aspects of commercial satellites use include the National Oceanic and Atmospheric Administration (NOAA)10 and Federal Communications Commission (FCC).10
Existing commercial satellite and drone regulations approach the issue of aerial data collection in various ways, emphasizing different security issues and priorities. However, none expressly contemplates the growing overlap of aerial data collection capabilities by different commercial aerial platforms. This overlap raises questions about whether privacy and data protections should differ according to the altitude at which a data collection platform flies.
Arguably, increased altitude does not mitigate privacy concerns. The 500-foot ceiling recently proposed by the FAA in its Notice of Proposed Rulemaking11 (NOPR) for commercial operation of small UASs is not the upper limit of aerial data-capture capabilities.12 Indeed, many commercial drones are capable of operating at altitudes above 500 feet, or even at suborbital altitudes,13 well above the reach of data privacy regulations that might stem from the FAA’s small UAS rules. At the same time, the resolution and quality of imagery and data captured by commercial satellites is steadily improving and increasingly in demand,14 yet existing data security regulations do not expressly account for technological improvements that implicate personal privacy. It is not far-fetched to imagine that, soon, a single company could operate both satellites and drones for aerial data collection. Under the current regulatory trajectory, that company could be subject to different degrees of data privacy requirements, despite the feasible similarity in images and other data collected by its satellites and drones.15
Of course, it’s a complicated issue, and there are no easy answers, but there are opportunities to start the discussion now. Privacy initiatives for protecting data collected by commercial drones are in formative stages and are receptive to input from all stakeholders, and there appear to be options for implementing privacy protections for data and imagery collected via commercial satellite without a complete overhaul of the regulations that currently govern commercial satellite systems.
At the request of President Obama,16 the U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) recently issued a Request for Public Comment (RPC) on formulation of best practices for privacy, transparency, and accountability in the handling and collection of data by commercial and private drones.17Managing this effort will be no small task, and it may take years for a final policy to materialize. However, although the RPC is directed to commercial UAS data collection, NTIA provided a framework that could be used to prompt thoughtful discourse on implementing aligned safeguards for aerial data collection, retention, and dissemination, regardless of platform or altitude.
Likewise, although the existing regulations for commercial satellites heavily emphasize national security protections,18 there might be ways to address privacy concerns about commercial satellite data collection and implement balanced protections through the existing regulatory process.
For example, NOAA, the agency charged with licensing and regulating U.S. private remote sensing space systems,19 can require specific and enforceable limitations on operational performance of commercial satellites, which can include limitations on data collection and dissemination.20 Private satellite operators must submit a Data Protection Plan (DPP) as part of their license application to NOAA.21 In a DPP, a commercial satellite operator must describe its process for protecting data and information through all stages of collection, storage, and dissemination. The DPP must meet certain minimum requirements, but the DPP can be adjusted to accommodate agency needs and advancements in technology.22 Just as NOAA requires private satellite operators to describe and adhere to their data security plans, NOAA could require operators to include privacy protections in their DPPs, or similar plans, for imagery and data collected by commercial satellites.23
The looming question, then, is what should overarching privacy principles for aerial data collection look like? Who should structure them, and under what mandate? Should commercial drone and satellite operators be required to obtain consent from every person detected by an aerial lens or sensor? If so, when and by what means that will minimize the burden on commercial operators? To avoid regulatory inconsistencies, they would need to be flexible enough to apply to data collected by drones, satellites, aircraft, and even gliders and balloons, and take into account the diverse views, roles, and interests of all stakeholders, public and private alike. They would need to be interoperable with, and deferential to, federal, state, and local regulations and constitutional principles, and should not restrict innovation or inappropriately restrain companies from pursuing commercial opportunities.24
There are numerous other important considerations that need attention and analysis, such as whether and under what circumstances compliance should be voluntary, the costs of implementation and management, issues of accountability and enforcement, as well as alignment with international treaties. Components of the existing regulatory framework can be used to address some of these issues, but the discussions need to go beyond commercial UAS operations to include other commercial aerial data collection capabilities.
To be sure, commercial drones and satellites hold tremendous economic potential, and already are spurring growth of vibrant and exciting industries. But the privacy concerns are real. All stakeholders will need to participate in proactive development of balanced rules and policies to address those concerns—ideally, ones that can be implemented consistently across all aerial data collection platforms, current and future, and regardless of altitude.