Question: Should you have a comprehensive data protection plan?

 


Mark Del Bianco

Commercial UAS operators and service providers face some unusual challenges related to their acquisition, use, and sharing of data. That is why it is crucial for them to have a comprehensive, accurate and up-to-date privacy policy and a coherent internal policy on the ownership and use of data generated in the course of their UAS operations. For purposes of this article, we use “operators” to refer to entities (such as utilities or insurance companies) that have their own Section 333 exemption and use UAS as adjuncts to their main business, and “service providers” to identify firms that provide either:

  1. Outsourced UAS services to third-party clients in any of a wide range of industries; or

  2. A platform through which service providers in category 1 can upload, store, manipulate and disseminate data they have generated through their operations.

Like other businesses, commercial UAS operators and service providers receive and use personally identifiable information (“PII”) from customers, potential customers and members of the public who visit their website or use their mobile app. Designing and maintaining privacy policies that address this data is no different than creating a policy for any other firm.

The unusual challenges facing both operators and service providers arise from the fact that the major existing and contemplated near-term uses of UAS revolve around the acquisition of actionable data: still photographs, video, or infrared or LIDAR images. UAS operations inevitably generate data related to property or to identifiable persons who are in places where traditionally there has been an expectation of privacy, based at least partly on the difficulty of access. Think license plates, facial recognition or factory effluent discharge trails. These issues are not unique to UAS – many of the same objections are being and have been made to Google Maps and other similar projects. But the flight component of UAS and the ease of access it affords to formerly inaccessible places have amped up people’s concerns.

Privacy policies are not typically addressed to third parties who do not use a company’s services or visit its website. However, forward-looking UAS firms are recognizing the need to address public concerns about misuse of UAS-acquired data, and concluding that one way to do this is to use their privacy policy. Indeed, the National Telecommunications and Information Administration (“NTIA”) best practices discussed below recognize the value of this approach.

A second unusual issue that arises from UAS operations is the ownership, aggregation and use of the data processed through service provider platforms. The issue is most easily understood in the precision agriculture context. A farm may hire a service provider to survey its fields to determine the need for water or fertilizer, or to estimate crop yields. The service provider and many of its competitors may use a platform we will call DroneZone. Based on surveying existing platforms’ terms of use, we know that even if DroneZone’s terms of use provide that the farm owns the data generated by the UAS, the farm is likely granting DroneZone a royalty-free license to use (and in some cases distribute) the farm’s data. This is important because aggregation of individual farms’ data into large datasets (a/k/a “Big Data”) provides information that is itself valuable. For example, if DroneZone’s customers provide data for 5 or 10% of the corn acreage in Nebraska, that may be enough to make an estimate of the state or even the national corn yield that is more accurate than that of the Commerce Department. The value of such an accurate estimate for a futures trader on the Chicago Board of Trade is obvious.

The government, UAS industry firms, and other stakeholders have begun to recognize the public concerns about Big Data and the deliberate or accidental acquisition of personal data by UAS and the need to minimize the “creepy” factor associated with UAS. To that end, NTIA, as part of the Commerce Department, in early 2015 convened a multi-stakeholder process to develop privacy best practices to “help guide the development and growth of UAS in the United States.” The process turned out to be a side skirmish in a larger, ongoing debate (some might say “war”) over personal privacy and Big Data.

Nonetheless, a diverse group of stakeholders came to consensus on a best practices document that was released in May 2016. See https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-unmanned-aircraft-systems. A number of groups that participated in the process declined to sign on to the final document because they felt it was too narrow in scope and failed to address other technologies (such as CCTV cameras) that raise issues similar to those raised by UAS operations.

The NTIA document outlined voluntary best practices that “UAS operators could take to advance UAS privacy, transparency and accountability for the private and commercial use of UAS.” These best practices go beyond existing law and “they do not—and are not meant to—create a legal standard of care by which the activities of any particular UAS operator should be judged.” However, the best practices are limited in scope and fail to provide much guidance for UAS service providers.

The best practices address “covered data,” which is “information collected by a UAS that identifies a particular person.” If data collected by UAS likely will not be linked to an individual’s name or other personally identifiable information, or if the data is altered so that a specific person is not recognizable, it is not covered data.

The best practices document sets out three strategies that operators and service providers could adopt:

First, the document advises UAS operators to inform others of their use of UAS prior to the operation. This includes letting others know the general time frame and area in which the UAS will be operating, but it also includes creating a publicly available privacy policy for cases in which UAS operations may result in the collection of covered data. The NTIA suggests that the policy include:

  • The purposes for which the UAS will collect covered data;

  • The kinds of covered data that will be collected;

  • Examples of the types of entities with whom covered data will be shared (as applicable);

  • Information on how to submit privacy and security complaints or concerns; and

  • Information describing practices in responding to law enforcement requests.

Operators and service providers should note that their efforts to provide notice may differ by industry – real estate professionals should anticipate contacting neighbors of the property to be filmed.

Second, the NTIA advises operators to take care both when operating the UAS and when collecting and storing covered data. Unless there is a compelling need, UAS operators should not use “UAS for the specific purpose of intentionally collecting covered data where the operator knows the data subject has a reasonable expectation of privacy” – whether it is a one-time use or whether it is for “persistent and continuous” data collection. Additionally, “UAS operators should make a reasonable effort to minimize UAS operations over or within private property without consent of the property owner or without appropriate legal authority.” Operators should also “avoid knowingly retaining covered data longer than reasonably necessary,” unless the data subject consents or there are exceptional circumstances, such as “legal disputes or safety incidents.” The NTIA also advises that operators establish a process for receiving privacy and security concerns, including requests to delete data.

Third and finally, the NTIA’s best practices advise operators to limit the use and sharing of covered data. The document advises operators to obtain consent to use covered data for “employment eligibility, promotion or retention; credit eligibility; or healthcare treatment,” and advises against using or sharing covered data in ways that are not included in the privacy policy. Prior to disclosing covered data to the public, UAS operators should ‘black out’ any identifying information, unless the data subjects have consented to the release. Although the NTIA encourages UAS operators to avoid using covered data for marketing purposes without obtaining consent, it does not suggest restrictions on using or sharing aggregated covered data for broader marketing campaigns.

So far, the privacy issue has gotten the most publicity, but in the long run the Big Data issues may be more important. Both long-standing companies looking to enter the UAS market and new organizations starting out should create and implement policies that cover the concerns listed above. If you do not have the internal capabilities to put together these policies, consider retaining outside help from an attorney who is well-versed in these matters. Doing so will not only help the business grow, it will also set these companies apart from their competition.