27 March 2012
The Federal Aviation Administration (FAA) has issued more than 300 licenses to fly drones in the U.S. The FAA is ready to start issuing a lot more drone licenses, now that Congress has passed a law requiring the agency to open the skies to government and private drones of all kinds within a few years. Yet nothing in the drone law requires the FAA to create any privacy protections.
(CDT has made a timeline of deadlines for drone rules that are required by the law.)
However, on its own authority, the FAA can – and should – investigate the possible negative effects of flying drones in U.S. airspace. These investigations – called “Privacy Impact Assessments” or PIAs – are intended to ferret out potential privacy problems and find solutions.
The drone law – officially titled the FAA Modernization and Reform Act of 2012 or P.L. 112-95 – requires the FAA to conduct studies on the safe use of drones, as well as develop operation rules and certification standards. These studies and rules could cover privacy issues, but the FAA may claim it only has authority over traditional safety issues, such as making sure drones don’t crash into airplanes. The FAA is more likely to leave the task of developing privacy rules for drones to Congress or, perhaps, the Department of Transportation (DOT).
If the U.S. had baseline privacy legislation that covered commercial and governmental data collection, there might be less to worry about because rules for aerial surveillance would already be in place. However, the U.S. has no baseline privacy law, and there is no real chance that Congress will pass such a law before the FAA starts issuing its drone rules, as soon as next month.
In the absence of a baseline consumer privacy law, Congress should consider a targeted approach to privacy and drones: amend the drone law to require the FAA or DOT to add civil liberties protections to its drone approval and oversight process.
Here is a basic sketch of what such an amendment to the current drone law might look like:
a. Require FAA/DOT to issue PIAs and rules on privacy and transparency for government and non-government use of drones. Provide FAA/DOT with specific authority to conduct these rulemakings and enforce the regulations.
b. Establish clear processes for law enforcement use of drones.
c. All applications to the FAA for a drone license should include a data collection statement defining whether the drone will collect information about individuals and, if so, the circumstances under which that information will be retained, used, and disclosed. Using the DHS FIPPs framework, an applicant should describe:
d. Law enforcement agencies and their contractors should be subject to extra disclosure requirements. Transparency requirements should not include the names of law enforcement surveillance targets or the exact times or locations of drone deployment; transparency requirements should focus on the criteria and supervisory controls under which drones will be deployed. In addition to the above items, law enforcement agencies and their contractors should also disclose:
e. The FAA should make all approved licenses, with the associated privacy statement of the drone operator, available online to the public in a searchable format. Note that the FAA already makes aircraft licenses available online in a public registry, searchable by license-holder name, craft tail number, or craft make and model. Although aircraft license-holders can opt out of the public registry if they have a security concern, the privacy and security risks associated with drones are different than those of traditional aircraft. The requirement that drone licenses be made public may have an exception for national security purposes, but generally not for law enforcement or private individuals.
While a strong general consumer privacy bill would be preferable, the approach to drones outlined above would be consistent with the larger privacy framework CDT has recommended for general privacy legislation. Moreover, the tight timeline set by the FAA Modernization and Reform Act of 2012 and the seriousness of the privacy issues raised by drones demand that regulatory steps be taken sooner rather than later.