United States: The Drone Privacy and Transparency Act of 2017: Overdue or Over-reaching?

Last Updated: April 7 2017
Article by Scott C. Hall

On March 15, 2017, Senator Edward Markey (D-Mass.) and Representative Peter Welch (D-Vt.) introduced federal legislation entitled the Drone Privacy and Transparency Act of 2017.1 The proposed legislation seeks to address growing concerns regarding personal privacy violations anticipated by (or, perhaps, already resulting from) the continuing increase of unmanned aircraft systems ("UAS" or "drones") in the nation's skies. To that end, the proposed legislation would require every person or entity seeking to use a drone for commercial purposes to provide certain information about where, when, and for what purposes the drone will be flown, and whether it will collect, sell, or otherwise use personal information about any individuals. The legislation would also require the FAA to publicly disclose this information on the Internet. Additionally, the legislation would ban any use of drones by law enforcement personnel without a warrant.

The proposed legislation purports to be a necessary response to the threat of "invasive and pervasive" drone surveillance that is predicted to occur as commercial drone use in the U.S. continues to expand.2 However, while certain privacy concerns based on the ever-increasing use and rapidly evolving technological capabilities of drones may be warranted, the proposed legislation appears to be both underinclusive and overbroad in its attempt to address potential violations of personal privacy. For example, if enacted, the bill would impose additional pre-authorization requirements on anyone seeking approval to operate a drone, and would also require public disclosure of the time and location of planned drone operations, as well as details regarding the specific technical capabilities of the drone – regardless of the drone's actual or intended operation. But, the bill does not specifically prohibit any particular type of drone operation or method of data collection as long as the required pre-authorization and disclosure requirements have been satisfied. Moreover, the bill explicitly does not apply to "model aircraft" (i.e., drones flown for hobby purposes), which are generally understood to be outside the Federal Aviation Administration's scope of authority. Yet, hobby drones are just as capable of violating personal privacy as drones used for commercial purposes. In fact, hobby drones are frequently involved in national news stories regarding privacy violations (such as drones hovering near bedroom windows or over backyard pools), and have likely contributed more to the current public sentiment of fear and distrust underlying the proposed legislation than commercial drones.

Additionally, the proposed legislation would have the federal government wade into – and most likely preempt – areas of law typically left to the states, such as privacy, trespass, and state and local police power. In recent years, many states and localities have enacted drone-specific laws aimed at protecting privacy. Several states have also passed laws regulating law enforcement use of drones. The proposed federal legislation would likely preempt many of these state and local laws. Therefore, before granting such broad federal power over drone regulation, more thought should be given to whether, and in what contexts, states are better suited to decide what drone operations should or should not be permitted in their jurisdiction and how their local law enforcement agencies should be permitted to conduct their work (within constitutional limits). Indeed, given that hobby drones are generally not subject to FAA regulation, state drone legislation has become increasingly important. Thus, the potential preemption of state laws that may occur as a result of vesting the federal government with broad authority over issues like privacy and state police power may impair the ability of state and local governments to effectively address drone concerns specific to their locale.

In light of the many valuable current and anticipated applications of drone technology – which the bill explicitly recognizes – the preferred course of action may be to avoid forcing a federal "one-size-fits-all" privacy law on drones. Rather, it may be better for the federal government to continue to work cooperatively with states to define respective areas of state and federal responsibility over drones and to target particularized unlawful or undesirable conduct for specific regulation, while avoiding imposing more burdensome pre-authorization requirements on all drone operators, which could discourage or inhibit beneficial drone use and innovation.

The Proposed Legislation

The Drone Privacy And Transparency Act proposes three main methods to safeguard personal privacy threatened by drones: (1) required pre-authorization information statements about the intended use of the drone, including potential data collection and use; (2) public disclosure of information relating to the ownership, operation and capabilities of each drone authorized to operate in the national airspace; and (3) prohibition on law enforcement use of drones without a warrant, as well as required statements and policies to minimize collection of data outside the necessary scope of an investigation or warrant.

Pre-Authorization Data Collection Statements

First, the bill proposes to implement additional procedures for anyone seeking authorization to operate a drone for non-hobby use. Specifically, the bill would prohibit the FAA from approving, issuing or awarding any license, certificate or other grant of authority to operate a drone in the national airspace unless the person seeking such authorization or approval provides a "data collection statement" detailing, among other things: (1) the identity of individuals or entities that will use the drone, (2) the specific locations and time period in which the drone will operate, and (3) what types of information or data about individuals or groups will be collected by the drone, including (a) how such data will be used or sold, (b) how information unrelated to the specified use will be minimized, (c) how long any such data will be retained, and (d) how such data will be destroyed. The data collection statement must also identify the possible impact of the drone on individual privacy, the specific steps that will be taken to mitigate any such impact, and contact information for reporting complaints and/or requesting information related to the collection of personally identifiable data. The bill would allow individuals whose data has been collected to request and obtain such data, as well as to challenge the accuracy of that data and/or challenge the denial of access to the data.3

Public Disclosure Of Authorized Drone Operations

Second, the bill seeks to promote transparency of drone data collection by requiring the FAA to make publicly available, on the Internet, the names and contact information for each owner and operator of an authorized drone, the tail/identification number for each authorized drone, a description of the technical capabilities of each authorized drone (including cameras, thermal imaging, mobile phone interception, facial recognition, license plate reader, etc.), information detailing where, when and for what purpose each authorized drone will be operated, and the applicable data collection statement, data minimization statement, and applicable license, approval or grant of authority for each authorized drone. The bill would also require public disclosure of any data security breach with respect to information collected by a drone.

Restrictions On Law Enforcement Use Of Drones

Third, the bill seeks to address concerns over law enforcement use of drones by prohibiting a governmental entity (including any federal or state agency) from using drones for law enforcement or intelligence purposes without a warrant. Moreover, the bill would prohibit the FAA from authorizing any drone operation by a law enforcement agency (or its contractor or subcontractor) unless the agency submits a "data minimization statement." The data minimization statement must detail the specific policies adopted by that agency to minimize the collection by a drone of information that is unrelated to the investigation of a crime under a warrant, as well as to require the destruction of information no longer relevant to such an investigation or an ongoing criminal proceeding. The bill would also require law enforcement agencies to describe their audit and oversight procedures with respect to ensuring that the agency's drone operation is compliant with the submitted data collection statement and data minimization statement.

Balancing Privacy Rights Against The Benefits Of Drone

The proposed legislation purports to apply to every person or entity that currently uses, or that seeks to use, drones for any non-hobby purpose. Thus, the effects of the legislation would be significant given the substantial increase in the use of drones by businesses across numerous industries over the past few years. Of course, because of the variety of technology that can be employed by drones to conduct surveillance, including cameras for photographs or video recording, thermal imaging, GPS trackers, license-plate readers, facial recognition software and more, public concern over potential violations of privacy and misuse of personal information is certainly valid. However, careful consideration is warranted before passing the proposed legislation given that its actual application is likely to have far-reaching effects that go beyond merely protecting privacy to potentially stifling desirable drone operation and innovation.

In fact, the bill's prohibition on any license, approval or other authorization to operate a drone absent compliance with the required data collection statement constitutes a sharp departure from the FAA's recent direction of reducing regulatory hurdles to drone operation. Just last summer, for example, the FAA adopted uniform rules for the operation of small drones (14 C.F.R. Part 107), which allow for the operation of drones for commercial or non-hobby purposes without a specific certificate of authorization or waiver from the FAA, as long as drone operators abide by certain rules and restrictions, including operating only during daylight hours, abiding by certain speed and weight limits, and having an operator with a remote pilot certificate. This recent relaxing of formal regulatory approval for commercial drone operation has been widely applauded by the drone industry. The proposed privacy legislation may therefore be seen as a step backwards for the industry, which, despite recent progress, still suffers from heavy regulation and uncertainty. Indeed, many blame the current regulatory restrictions on drones as the reason many drone companies have chosen to conduct research or operations in foreign countries that do not have such restrictions.4 Thus, while privacy concerns relating to drones need to be addressed, the proposed legislation's focus on pre-authorization procedures and public disclosures, rather than specific misconduct, may adversely impact drone operations that raise no serious privacy concerns.

Balancing Federal And State Responsibility Over Drones

The proposed legislation would also raise new preemption issues and fresh ambiguity about the proper role of state and local governments in regulating drones. Indeed, the bill is in direct conflict with statements currently maintained on the FAA's website regarding the proper role of state and local regulation of drones, which identify privacy and law enforcement operations, among other issues, as generally not being subject to federal regulation.5 Consistent with this position, the small drone rules adopted by the FAA last summer explicitly avoided privacy issues and warned drone operators that "state and local authorities may enact privacy-related laws specific to UAS operations."6 To the extent the proposed legislation is viewed as a decision by Congress to legislate privacy issues for drones at the federal level, this departure from the previous federal-state division of authority could have wide-ranging impacts, particularly given that many states have already passed laws regulating various aspects of drone operation.

Although states differ in their approaches to privacy protection, several states have recently passed or revised laws to protect personal privacy against drone misuse. Some states, for example, have passed laws prohibiting the use of drones to commit voyeurism, stalking, or other surveillance in violation of an individual's reasonable expectation of privacy. Other states, including California, have attempted to protect privacy by prohibiting, as trespass, the capture of images, sounds, or other data of a personal nature by drones over private property. Still other states prohibit surveillance or capture of images or data in specific locations, such as schools, prisons, or at public events. At least one state (Oklahoma) has even recently proposed legislation that would permit property owners to shoot down or otherwise destroy drones flying over their property or "where a reasonable expectation of privacy exists." Thus, although there is still much work to be done to ensure a comprehensive legal framework sufficient to safeguard personal privacy against all potential drone intrusions, this area appears to be one in which states are actively involved and uniquely positioned to address the specific concerns and needs of their locale. It is therefore questionable whether a broad, federal privacy law that might preempt such state and local laws is the preferred course of action.

Additionally, many states have already passed laws regulating the use of drones by law enforcement personnel. The proposed legislation, however, purports to apply to all federal and state law enforcement agencies and imposes a blanket prohibition on any drone use not authorized by a warrant. While it makes sense to require a warrant to use certain drone technology, such as thermal imaging, facial recognition software, or GPS tracking, there is less justification for prohibiting use of drones by law enforcement personnel for simple aerial monitoring or the capture of images or video available to any member of the public. In fact, the U.S. Supreme Court has specifically held that any place that could theoretically be viewed by a member of the public, including from an aircraft, can also be observed by a government agency without constituting a violation of the Fourth Amendment.7 Of course, the Court left open the question of when any specific instance of observation might constitute a violation of privacy, but suggested that it should be addressed on a case by case basis, as opposed to the uniform ban contemplated by the proposed legislation. To be sure, misuse of drones by law enforcement is certainly cause for concern. But state and local governments have typically been given authority to regulate their own police power within constitutional limits, and nothing suggests that this should change merely because the methods of surveillance continue to change.

Protecting Against Privacy Violations By Hobby Drones

Notably, the proposed legislation explicitly does not apply to "model aircraft," which includes small drones that are flown strictly for hobby or recreation purposes, as opposed to commercial use. Thus, although the legislation would monitor and disclose the collection, sale or other commercial use of personal information by drone operators, it does not cover activity such as stalking, voyeurism, or other surveillance in which drone operators collect private images, video, or other data for their own personal use. While large-scale collection and commercial exploitation of personal data is certainly one type of privacy harm that could be committed by drones, the instances of drones "peeping" in bedroom windows, hovering over swimming pools, or personally stalking or harassing individuals also constitute serious privacy concerns that are more likely to be committed by hobby drone users not covered by the proposed legislation.

It may therefore be preferable to allow state and local governments to continue to enact privacy-related legislation focused on specific unlawful or undesirable conduct that applies to both commercial and non-commercial drone operation. At the same time, certain existing federal and state laws that already regulate the maintenance and disclosure of personally identifiable information could be updated to explicitly apply to personal data collected by drone technology. This combination of federal and state protection to prohibit particularized, objectionable drone conduct, while also regulating the maintenance, use and disclosure of personal data, could be far more effective – and much less burdensome on those seeking to use drones for purposes other than data collection – than to require all drone operators to comply with burdensome pre-authorization and public disclosure requirements.

Other Issues

A few other issues in the proposed legislation are worth noting:

The bill specifically excepts from its coverage drones "operated for news-gathering activities protected by the First Amendment." Although this is an important exception in principle, the ambiguity regarding what drone operation might properly be covered by this provision will undoubtedly raise difficulties in application.

The bill also makes any operation of a drone in violation of the statutory provisions unlawful, and vests enforcement power principally with the Federal Trade Commission. It also permits civil actions by states (subject to notice to and coordination with the FTC) against violators that are deemed to have threatened or harmed the interests of residents of the state.

Notably, the bill also creates a private cause of action for any person injured by an act in violation of the statute and allows both injunctive relief and monetary damages, including the greater of actual monetary loss or $1,000 per violation. As discussed above, because the proposed legislation focuses on compliance with pre-authorization and public disclosure requirements – as opposed to any actual misuse of personal information – it is questionable whether this private right of action would be effective in terms of safeguarding privacy, or whether it would become simply another statute under which individuals seek monetary damages based solely on an individual's or entity's failure to comply with regulatory requirements.

Conclusion

Given the current technological landscape, protection of personal privacy and personally identifiable information has never been more important. But there are already various federal and state laws that govern how personal information may be collected, used and disclosed. Drones merely present a new method by which personal information and data may be collected. However, not all drones are, or will be, operated for the purpose of collecting personal information. Many individuals and businesses seek to operate drones to perform tasks related to precision agriculture, aerial photography, infrastructure monitoring, product delivery, search and rescue, disaster response, and many other beneficial services that do not involve the collection of individuals' personal data or personally identifiable information. Rather than imposing additional regulatory hurdles on all drone users, it may be preferable to focus on regulating specific conduct or data collection and disclosure practices by those seeking to engage in such conduct. This may be most effectively accomplished by having the federal government share – rather than usurp – authority over drone privacy-related regulation. Caution should therefore be taken before enacting the proposed legislation, which would potentially nullify a substantial amount of state legislation already addressing drone impacts on personal privacy.

Ultimately, the proposed legislation, at least in its current form, may never become law. In fact, similar legislation was introduced in 2015 without success. However, the proposed legislation highlights important issues of privacy that should be considered and discussed as drone use and capabilities expand. The difficult task is finding the right balance between safeguarding individuals' reasonable expectations of privacy while still fostering innovation and expansion of the many beneficial current and anticipated uses of drones. To the extent the bill's purpose is to put the conversation regarding drones and privacy issues front and center, that mission will hopefully be accomplished. The public should be informed and aware of potential privacy concerns caused by drones and participate in legislative processes aimed at addressing those concerns. However, with regard to privacy protection, at least some of that legislation may be best handled at the state and local level. In any event, with the drone industry expected to continue its rapid growth for the foreseeable future, it is likely that public discussion and debate about drones and privacy has only just begun.

Footnotes

1 A copy of the proposed legislation is available at: https://www.markey.senate.gov/imo/media/doc/2017-03-14-DronePrivacy-Bill-text.pdf

2 The proposed legislation references estimates indicating that commercial drone sales may reach 2.7 million annually by 2020.

3 Although the bill only purports to require data collection statements for any drone approval or authorization as of the date of the enactment of the bill, it nonetheless requires the FAA to publicly disclose information required in the data collection statement for every drone authorized to operate in the national airspace, including those operating pursuant to licenses or grants of authority awarded before the date of enactment. (See Sec. 339(a), (b)(1).) Thus, as a practical matter, the provisions of the bill would apply to all drones authorized to operate in the national airspace, whether approved before or after passage of the proposed legislation.

4 Although the proposed legislation does not discuss how its requirements would interact with the current regulatory framework, including the FAA's small drone rules, the legislation purports to require compliance with its provisions for any certificate, license, "or other grant of authority" to operate a drone – including authority granted prior to enactment of the law – which presumably encompasses any authorization bestowed by Part 107, as well as the remote pilot certificate required for operation under that section.

5 December 7, 2015 Fact Sheet: State and Local Regulation of Unmanned Aircraft Systems (UAS).

6 The FAA's decision not to address privacy issues in its small drone rules caused an uproar among many groups who hoped to see privacy regulation addressed by the FAA's drone rules. In fact, following release of the FAA's rule last year, the Electronic Privacy Information Center ("EPIC") sued the FAA for failing to address privacy issues in its rules.

7 See Florida v. Riley, 488 U.S. 445, 455 (1989).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
