The FAA Wants to Hear From You About Privacy and Domestic Drones
Robot watchers likely know about the FAA’s recent solicitation of applications from entities desiring to operate one of six experimental test sites for domestic drones.
Last year, Congress ordered the FAA to figure out how to bring drones into the national airspace, and on a broad scale, by late 2015. Thus the test site program, an interim measure meant to help the agency to compile operational data about domestic drone flights. Privacy comes into play here. In particular, the FAA in February also as
Published by The Lawfare Institute
in Cooperation With
Robot watchers likely know about the FAA’s recent solicitation of applications from entities desiring to operate one of six experimental test sites for domestic drones.
Last year, Congress ordered the FAA to figure out how to bring drones into the national airspace, and on a broad scale, by late 2015. Thus the test site program, an interim measure meant to help the agency to compile operational data about domestic drone flights. Privacy comes into play here. In particular, the FAA in February also asked for public comment on the sorts of privacy rules that site operators ought to follow, as experimental flights are conducted and information gathered up.
Here is the pertinent part of the FAA’s draft proposal, regarding privacy provisions that the FAA will include in agreements with successful test site bidders:
As I read this, the FAA proposes to require operators: (1) to have some sort of “privacy policy”; (2) to obey applicable privacy laws, and to acknowledge (among other things) the possibility of a test site project's revocation, upon proven violation of those laws; (3) to comply with any subsequently enacted privacy laws; and (4) to transmit certain kinds of collected data to the FAA.
(2) and (3) strike me as uncontroversial. A serious site operator probably does not plan to violate current law, and probably accepts the risk of having to comply with later-enacted law, too. (There aren't many realistic alternatives.) There’s also (4), the required transmission of certain data from the site operator to the FAA. Such data is described generically in procurement documents, which cannot be accessed easily online: I thus haven’t read them yet. That said, the operator-to-FAA data stream seemingly depends, at least in part, on the universe of information collected in the first instance---which itself could depend on how privacy rules eventually take shape.
Which bring us to (1), the operators’ privacy policies. As written, the draft says little about what these will look like. I count three hard-and-fast obligations: a privacy policy must be available publicly; the operator must be capable of receiving comments on the policy; and the policy must govern all of the operators' activities. Perhaps more interestingly, the draft also recommends conformity with Fair Information Practice Principles---uniform guidelines for the protection of personal information---but pointedly does not go so far as to require that.
Thus we might wonder: substantively, could an operator satisfy the FAA, by having a “privacy policy” wherein the operator committed to obey any applicable privacy laws, both current and future? Or must a policy do something that background privacy law does not do already? And may policies vary from one site operator to the next? It is too early to tell: The comment process ultimately might yield a more stringent privacy regime, or a more lenient one.
In any case, it matters that the FAA has asked for an open debate about the optimal privacy setup---as far as test sites go, anyway. That’s a good measure of just how much the issue has come to the fore, and the agency's current thinking. Cast your mind back to the 2012 statute requiring the integration of drones into our airspace, the FAA Modernization and Reauthorization Act. This law says zilch about privacy as it relates to drones; and in any event the FAA’s core mission has to do with aviation safety, not privacy. But the public and advocacy groups both pushed the issue before the FAA, which recently agreed to account for privacy matters before moving forward with the site designation process. That picked up where the agency left off last year. In November, the FAA’s acting Administrator had cited privacy as a reason why the agency had not yet sought proposals from aspiring test site operators.
Of course all of this has to do with privacy as it relates to six experimental drone flight facilities---and not, strictly speaking, to the long-term rules that will govern domestic drones after the 2015 “deadline." (Indeed, the FAA’s draft takes pains to emphasize as much.) But if the FAA considers privacy in the course of selecting test site operators, how could it not consider privacy down the road, as it devises other rules?
Privacy-conscious folks likely will want to know. In the meantime, guess how many people have registered their views on test sites and privacy online, at Regulations.gov? Three.
Wells C. Bennett was Managing Editor of Lawfare and a Fellow in National Security Law at the Brookings Institution. Before coming to Brookings, he was an Associate at Arnold & Porter LLP.