US agency issues privacy guidance for drone operators

Safety regulations for drone usage continue to be formulated, with the US Federal Aviation Administration last month proposing a four-tiered classification system with different rules for how drones can and can’t interact with crowds. The FAA also has a task force weighing in on the issue.

But there are other considerations here too — not least how drones will impact personal privacy. Given drones are basically flying cameras there’s no shortage of eye-in-the-sky concerns as usage of the tech proliferates.

In February last year U.S. president Barak Obama asked the National Telecommunications and Information Administration (NTIA), which advises on telecoms policy issues, to bring various stakeholders together to help develop best practices to address privacy, transparency and accountability issues relating to private and commercial use of UAS (aka drones).

Balancing such concerns with the commercial imperative to leverage drones for services such as delivery (as Amazon is keen to, for example) or niche industry use-cases, from farming to remote inspection, is going to be a key piece of policy work in the coming years.

The NTIA has now published the fruit of its labors — setting out best practice privacy guidelines for using drones to gather personally identifiable data. The guidance was drafted by the various stakeholders involved in the process, which included drone companies, consumer privacy groups and news organizations. Not all stakeholders agreed with the guidelines but the NTIA says a consensus was reached.

But don’t get too excited; the recommendations are voluntary, so there are no teeth to be found here. Add to that, not only are the suggestions not legally enforceable they aren’t exactly reassuringly robust — with plentiful use of qualifiers like ‘where/as practicable’, ‘reasonable effort/expectation’, and so on.

Still, it’s a first pass at trying to set some expectations about what might and might not be considered overly creepy behavior from drone operators. (NB: The guidance does not apply to newsgathering and news reporting organizations owing to their strong constitutional protections, with the NTIA noting they “may use UAS in the same manner as any other comparable technology to capture, store, retain and use data or images in public spaces”.)

Voluntary best practice for drone operators

Among the recommendations suggested, drone operators are urged (with some caveats) to provide prior notice to individuals of the “general timeframe and area that they may anticipate a UAS intentionally collecting covered data” — where ‘covered data’ means data that can identify a particular person.

When they are anticipating that drone use might result in collecting covered data they should also provide a privacy policy that is “appropriate to the size and complexity of the operator, or incorporate such a policy into an existing privacy policy”, and have it in place and publicly available no later than the time of collection.

This policy is suggested to include:

  1. the purposes for which UAS will collect covered data;
  2. the kinds of covered data UAS will collect;
  3. information regarding any data retention and de-identification practices;
  4. examples of the types of any entities with whom covered data will be shared;
  5. information on how to submit privacy and security complaints or concerns;
  6. information describing practices in responding to law enforcement requests.

Other general suggestions in the guidelines include that drone operators should:

  • avoid using drones to intentionally collect covered data “where the operator knows the data subject has a reasonable expectation of privacy”;
  • avoid using drones “for the specific purpose of persistent and continuous collection of covered data about individuals” — excepting “compelling need” to do so or consent from the data subjects;
  • minimize drone usage over/within private property without consent/appropriate legal authority;
  • not hold on to covered data longer than the purpose it was acquired for;
  • establish an easily accessible process for receiving privacy/security concerns from the public, including requests to delete, de-identify or obfuscate the data subject’s covered data

On specific suggested usage limits for personally identifiable data gathered by drones, the guidance suggests the following areas should be off-limits (i.e. without express consent from the data subject):

  • employment eligibility, promotion, or retention;
  • credit eligibility;
  • healthcare treatment eligibility

So your boss should not really be deploying a drone over your house to check if you are sunbathing in your garden that time you called in sick. Although, legally speaking, it may still be possible.

Sharing covered data gathered via drone is also addressed in the guidance. And when it comes to sharing drone-harvested data for marketing purposes this should only be with consent, the guidance suggests.

However no limits are placed on the use/sharing of “aggregated covered data as an input (e.g., statistical information) for broader marketing campaigns”. So drones being deployed as data gathering tools for market research appears to be considered fair game.

Drone operators are also urged to properly secure any personally identifiable data they do collect, as you’d hope they would.

And the guidance also includes an appendix on ‘neighborly’ use of drones — with suggestions including “don’t harass people with your drone”.

The NTIA says the guidance represents “an important step in building consumer trust, giving users the tools to innovate in this space in a manner that respects privacy, and providing accountability and transparency”.

“These guidelines provide the flexibility to evolve as the industry grows while ensuring a baseline understanding of ethical practices,” it adds. “We will work with stakeholders on the best ways to disseminate and promote these practices broadly so that businesses and users that were not able to be at the table can take advantage of the collective wisdom in these documents while growing their UAS-related businesses or using their personal UAS responsibly.  We look forward to continuing the conversation with stakeholders as this industry develops and grows.”

This story was updated to clarify that the guidelines are based on a consensus opinion of stakeholders