The following piece, written by the Hogan Lovells privacy team, was posted to the International Association of Privacy Professionals’ (IAPP) Privacy Tracker on April 1st. The post, Is Drone Privacy Ready to Take Off?, is reprinted in its entirety below with permission from the IAPP.
Over the next five years in the United States, thousands of drones are expected to be deployed for an array of commercial and governmental purposes. This prospect has captured the public’s imagination, and there are concerns about the privacy implications and whether new laws and regulations are needed. We here provide an overview of existing privacy requirements for Unmanned Aerial Systems (UAS) operating in the United States, describe new privacy proposals, and outline three scenarios that, depending on decisions by policymakers, could govern the privacy requirements for the commercial use of UAS for years to come.
UAS operators already must comply with a host of common law, state and federal privacy requirements.
Most states recognize the tort of “intrusion upon seclusion,” which can impose liability on those who intentionally intrude upon the seclusion of others in a manner that would be highly offensive to a reasonable person. Conducting surveillance in a person’s home would likely implicate this privacy right, and overzealous surveillance of public activities may constitute an intrusion upon seclusion as well. See Nader v. Gen. Motors Corp., 255 N.E.2d 765 (N.Y. 1970). Relatedly, state “peeping tom” laws prohibit capturing compromising images of individuals without their consents when those individuals have reasonable expectation of property. Taken together, these rules provide basic protections against potentially invasive surveillance by UAS. Indeed, it is reasonable to expect that more widespread use of UAS could lead to more lawsuits brought under these causes of action.
UAS operators face a patchwork of state laws impacting their operations. In 2013, thirteen states passed laws governing UAS operations, and three states – Idaho, Oregon and Texas – enacted laws that specifically address UAS use by private entities. Idaho’s law prohibits UAS from photographing or recording an individual for purposes of disseminating the information without written consent. The Oregon law allows landowners to sue UAS operators that fly UAS over property at an altitude of less than 400 feet. The Texas law prohibits the collection of images by UAS unless the collection falls within one of nineteen enumerated uses.
These state laws complement an emerging federal legal framework. The Congress required the FAA to designate six UAS test sites as part of a requirement for the FAA to establish a program to safely integrate UAS into the national airspace system. The FAA has imposed a number of requirements on the test sites, including the requirement that the six UAS test site operators must comply with all local, state and federal laws concerning privacy and civil liberties, and that UAS operators at the test sites must have a written plan for UAS use and information retention procedures. Additionally, test site administrators will be required to conduct annual privacy reviews and share the outcomes with the public. The FAA’s requirement that test site administrators review privacy practices and share those outcomes with the public also could subject UAS operators to the oversight of the United States Federal Trade Commission (FTC). The FTC has general authority to take action against companies when commercial privacy practices do not live up to privacy representations.
Proposals for Further Regulation
In spite of the rules already in place, there have been recent calls for additional UAS privacy requirements. At a recent Congressional hearing on UAS, Sen. Ed Markey (D-MA) pushed strongly for the passage of his comprehensive UAS privacy bill. Senator Markey’s proposal would, among other requirements, force UAS operators to publish flight plans, data collection practices and information sharing and retention policies. Both the FTC and State Attorneys General would be empowered to bring enforcement actions against operators for privacy violations related to these policies.
Markey’s policy prescriptions reflect many of the privacy rules proposed by privacy and civil liberty advocacy organizations. The Center for Democracy and Technology, for instance, has urged the FAA to adopt baseline enforceable standards for UAS privacy such as data minimization rules and transparency requirements that would inform the public about who operates UAS that may affect their privacy. Relatedly, the ACLU has called for mechanisms to allow citizens to opt out of property surveillance. There is no shortage of ideas for reform in the realm of UAS.
Future Regulatory Scenarios
Given this activity, we see three scenarios for the future of privacy and UAS.
The first scenario basically is a continuation of the status quo. Common law causes of action for privacy invasions would continue to be relevant, states would continue to enact laws addressing jurisdiction-specific privacy concerns, and the federal government would continue – over time – to develop piecemeal privacy rules addressing UAS. This scenario might include enforcement actions by the FTC for UAS activity that does not comply with privacy promises; class action lawsuits whenever an alleged privacy violation makes the news, and basic oversight of privacy policies and practices by the FAA or test site administrators.
The second scenario stems from the passage of federal legislation and/or significant new rules adopted by the FAA. In this scenario, new federal rules might not expressly preempt state law. Consequently, all of the aforementioned liability in the first scenario would still exist, and new liability pursuant to federal regulation would be imposed. Federal rules could take the form of Markey’s bill or follow the comments proposed by privacy and civil liberty organizations or other less prescriptive ideas.
The third scenario is the passage of federal law that preempts state regulations. Such a scenario would create the most consistency for UAS operations and, even if some uncertainty still existed, would allow operators and manufacturers to focus their attention on one set of rules rather than an ever-changing patchwork of state requirements. Additionally, this scenario could promote the use of industry standards, as the Obama Administration has shown an interest in relying on industry standards as an alternative to federal privacy regulation.
As the debate over the integration of UAS moves forward, it will be important for manufacturers and operators to monitor state and federal proposals and continue to help inform the discussion over the scope and breadth of future regulation. UAS undoubtedly is ready to take off; now is the time to ensure that privacy concerns do not interrupt the flight.