Drone Privacy Bills Attempt to Protect Americans from Governmental, Commercial Surveillance
With drones taking off both abroad and at home, several members of Congress have proposed bills designed to regulate the use of drones within the United States. These bills apply to both government and private drones, though there are critical differences among the bills, both in terms of scope and substance. As the FAA continues to accept comments on the privacy requirements that should apply to domestic drone test sites, examining the bills to determine what limitations on collection, retention, and use lawmakers are considering demonstrates the complex issues raised by domestic drone use.
The Drone Aircraft Privacy and Transparency Act of 2013
In March, Congressman Ed Markey (D-MA) re-introduced the Drone Aircraft Privacy and Transparency Act of 2013, governing the domestic use of drones, co-sponsored by Representative Joe Barton (R-TX). The Markey/Barton bill requires private operators to submit a “data collection statement” to the FAA prior to receiving a license to operate a drone. The statement must include the name of the operator of the drone; where it will be operated; what data will be collected and how the data will be used and retained; and whether data will be sold to third parties. We have previously advocated for such data collection statements, both for oversight purposes and to ensure that drone operators are considering individual privacy when they deploy their drones.
The Markey/Barton bill also requires law enforcement agencies (as well as their contractors and subcontractors) to submit data minimization statements. Those statements would be required to describe the procedures that law enforcement would use in order to ensure that data collected by drones unrelated to crimes isn’t collected or if irrelevant information is inadvertently collected, it is not retained. Because drones could prove very beneficial to law enforcement agencies, ensuring that law enforcement drones aren’t used for constant, comprehensive surveillance will be essential in protecting ordinary citizens’ constitutional rights. By requiring law enforcement agencies to think about data minimization before deploying drones, the bill helps ensure that the use of drones by law enforcement doesn’t become overbroad.
The bill encourages oversight of law enforcement drone use in some important ways. First, the bill mandates that law enforcement agencies need a warrant in order to use drones for “protective activities” or for law enforcement or intelligence purposes. The warrant requirement is excused in exigent circumstances – an exception that characterizes other warrant-based surveillance. Second, the bill wisely requires suppression of drone evidence that is collected illegally when the government attempts to use it in a court or regulatory proceeding. Third, the bill requires destruction of data collected that is unrelated to the exigency, and it requires destruction of data collected with a warrant when it is, or it becomes, irrelevant to the crime being investigated. These oversight mechanisms effectively balance Fourth Amendment privacy rights against the needs of law enforcement.
Some tweaks to law enforcement use will likely be developed as the legislation moves forward. For example, it might be wise to extend the suppression requirement to data illegally maintained as well as to data illegally collected. Additional exceptions to the warrant requirement may be needed. As it stands, the bill might, for example, bar the police from using a drone for the “protective activity” of observing traffic patterns to help police re-direct traffic around an accident; that would be an undesirable result.
The bill also encourages oversight of drone use by commercial and law enforcement entities. The FAA would be required to create a database of licensed drone operators, which would include the data collection and data minimization statements, security breaches that a licensee suffered, and the times and locations of drone flights. By encouraging transparency on how drones are actually used, the database would allow both the FAA and individuals to ensure that public and private operators aren’t using drones for improper purposes. Given that drones may be inconspicuous or invisible to the naked eye, the FAA database would provide important information on each drone and its operator that might not be otherwise noticeable. We have previously written on the need for drones to broadcast persistent radio-frequency identification signals for oversight; the database proposal would help in this endeavor. However, we think it makes sense for the bill to explicitly require the FAA to require licensed drones that co-occupy manned aircraft airspace to broadcast what is referred to as an “automatic dependent surveillance-broadcast out” (ADS-B Out) signal — including an identifier, location, altitude and velocity — exactly as manned aircraft will have to broadcast by 2020.
The Preserving American Privacy Act of 2013
Congressman Ted Poe of Texas introduced the Preserving American Privacy Act, which regulates governmental and private use of drones within U.S. borders. The bill, co-sponsored with Representative Zoe Lofgren of California, focuses much more on governmental use of drones compared to the Markey/Barton bill proposed by Congressman Markey. For example, public entities that operate drones must submit to the Attorney General a data collection statement that includes the purpose for which the drone will be used, whether it can collected “covered information” (information that would be reasonably likely to aid in identifying an individual, or information about a person’s property not in plain view), how long such information will be retained, and contact information for the individual at the agency charged with operating the drone. Presumably, this is designed to create limits upon law enforcement when operating drones in criminal investigations. By requiring law enforcement to detail in advance the use, collection, and retention limitations of drones, the risk of inadvertent over-surveillance is automatically lowered.
The Poe/Lofgren bill creates very specific limits for use of data collected by governmental drones, even beyond the data collection statement requirement. Like the Markey/Barton bill, it requires data collected by government agency drones to be minimized, though it does not create specific timetables or requirements for minimization. Governmental agencies cannot operate a drone to collect covered information or disclose such information, unless one of a few circumstances applies. The first exception applies if the information was collected pursuant to a warrant; in this instance, law enforcement must disclose the collection to the person observed (unless a court determines that would jeopardize the investigation). Alternately, a government agency can collect covered information pursuant to a judicial order, but only based upon reasonably suspicion of criminal activity, and for limited periods, followed by disclosure to the observed party (or notice placed prior to the collection, if the collection takes places in a public area). There are also exceptions for use of drones by law enforcement within 25 miles of the United States border, in cases of extreme emergency, or upon consent.
The Poe/Lofgren bill also contains provisions detailing the consequences for violating any of its provisions. Violations, both inadvertent and intentional, require internal investigation to determine if disciplinary action should be taken; if no action is determined necessary, that finding and its justifications must be communicated to the relevant Inspector General. If a public entity operates a drone without falling within one of the exceptions, any covered information that has been collected must be destroyed. By creating very specific carve-outs from the general ban on collection of covered information, the Poe/Lofgren bill provides strong judicial oversight over governmental use of drones. It also ensures that the government doesn’t use drones to constantly track individuals without adequate cause, given the limited uses of data collected by pervasive tracking.
While the Poe/Lofgren bill focuses mostly on governmental operation of drones, it also prohibits private drone operators from capturing data (including visual and sound recordings) in “highly offensive” ways of personal or familial activity that would violate a reasonable expectation of privacy. While the bill admirably seeks to protect individual privacy, restricting private collection of data about public spaces may conflict with the First Amendment “right to record”. Indeed, such legislation can raise serious First Amendment problems, as in the case of the recent “Steven Tyler Act” anti-paparazzi bill proposed in Hawaii’s legislature. Any bill that regulates private data collection must be drafted carefully in order to ensure that free expression values and the First Amendment aren’t violated.
Bills that Regulate Weaponized and Law Enforcement Drones
There are also several bills introduced that regulate the domestic use of drones for law enforcement or for lethal purposes. One bill, introduced by Representative Austin Scott of Georgia, creates limits on the use of data collected by law enforcement drones. The Scott bill requires a warrant in order to use a drone to gather evidence, except in cases of exigency, a high risk of a terrorist attack, or for border patrols.
Representative Michael Burgess of Texas, along with Representative Chris Gibson of New York, has introduced a bill prohibiting the use of drones as weapons, or as weapon delivery systems, within the United States. Relatedly, Representative Reid Ribble of Wisconsin and Senator Ted Cruz of Texas (along with Senator Mike Lee of Utah and Senator Rand Paul of Kentucky) have introduced bills outlawing the use of drones within the United States to kill American citizens. All three of these bills focus only on the use of drones as weapons, and don’t contain any other regulatory provisions.
What these various bills all indicate is the importance of ensuring that the introduction of drones into domestic airspace respects individual privacy from both governmental and private intrusion. The FAA rulemaking is a good start to this process, but introducing limits on data collection, retention, and use, as well as incorporating FIPPs principles into drone regulations, will provide the strongest level of protections. We hope that future versions of the bills incorporate such provisions to regulate drone use.