The health sector is under siege with cybersecurity threats. Some of the largest announced cyber attacks in U.S. history have targeted organizations in the health industry. Regulators have...02 May 2016
Privacy and Drone Fever: Consensus Reached on Industry Best Practices
The benefits of using Unmanned Aircraft Systems (UAS) for tasks from catastrophe response to infrastructure inspection to construction site monitoring, and everything in between, are great. But while the American people are excited about these benefits, the data shows that they also have strong privacy concerns. Existing laws and rules already prevent the violation of somebody’s reasonable expectation of privacy, including with a UAS. Indeed, in many ways, a UAS is just a platform for a camera, similar to a pole camera or helicopter – and technology-neutral laws such as trespass and “peeping tom” laws apply to UAS use too. But the data shows that Americans have stronger privacy concerns related to the use of UAS than related to other similar technologies.
As a result, the White House issued a Presidential Memorandum in February 2015 that established a multi-stakeholder process, to be run by the National Telecommunications and Information Administration (NTIA) at the Department of Commerce, to craft best practices for privacy, transparency, and accountability related to the private and commercial use of UAS. That process kicked off last summer.
After months of negotiations, heated debate, and at times fiery rhetoric from both sides, yesterday a diverse group of drone industry members and civil society representatives reached consensus on a set of Best Practices. All UAS operators and users should review the Best Practices and determine whether to incorporate any or all of the practices into their UAS operations.
Importantly, the Best Practices are not mandatory; they are strictly voluntary. This is on purpose. The White House memorandum set up the multi-stakeholder process within the NTIA, which does not have regulatory or enforcement authority over the Best Practices. Although, companies should note that if they publicly state they will adopt the Best Practices, they must uphold this promise in accordance with federal and state consumer protection standards.
In sum, the Best Practices set forth a series of privacy principles that some companies may choose to use as a guide for managing the data they collect via UAS. It encourages practices such as:
- providing notice of your use of UAS and notice of your data handling practices;
- avoiding the collection of data when the UAS operator knows the data subject has a reasonable expectation of privacy;
- avoiding the persistent and continuous collection of data on individuals without a compelling need to do so or consent;
- minimizing the operation of UAS over private property without legal authority or consent;
- avoiding publicly disclosing personal information captured by UAS when it is not necessary to fulfill the stated purpose for which the UAS is used; and
- managing security risks by implementing reasonable administrative, technical and physical safeguards to protect personal information collected by UAS.
Importantly, the Best Practices explicitly carve out newsgatherers and news reporting organizations since their journalistic activities are subject to unique considerations and protections under the First Amendment to the United States Constitution. The Best Practices also includes a separate set of guidelines for hobbyists for "Neighborly Drone Use."
The Best Practices represent a significant accomplishment and received broad and wide support at yesterday's NTIA meeting. This is a strong sign that the commercial UAS industry is serious about operating UAS responsibly. Given the fear surrounding UAS use, our hope is that the Best Practices will inspire privacy practices and conduct that meet or exceed the public's expectation of privacy.
That said, the Best Practices raise valid concerns. Just the fact that they single out UAS is troublesome, as UAS have many similarities with other data-collecting platforms. And a few of the provisions are particularly onerous, for example suggesting that UAS data should be deleted after being used.
But even given these shortcomings, the Best Practices mark an important step forward for the UAS industry. The Hogan Lovells UAS team was an active participant on behalf of many of our clients in the process, working closely with other industry leaders and privacy advocates to push for common sense provisions that provide needed flexibility for UAS users while retaining core privacy protections that the American public expects. While we don't agree with all of the language in the Best Practices, we are pleased with the progress.
Whether you agree or disagree with the Best Practices, NTIA is accepting statements for the record to post on their website. If you need help with this or with dissecting the Best Practices, do not hesitate to reach out to us.
Additionally, on October 13, 2016, the Federal Trade Commission will host a seminar on UAS as part of its "Fall Technology Series." The seminar will explore, among other issues, whether privacy and data security concerns are being addressed by businesses and self-regulatory efforts and whether there is a need for more guidance. We expect the Best Practices will be a focus of this workshop and will present an opportunity to assess the effectiveness and utility of the Best Practices nearly six months after the conclusion of the NTIA process. If you would like to participate in this workshop or provide comments on the issue, do not hesitate to reach out.
Last week, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) launched the long-awaited Phase 2 HIPAA Audit Program. Earlier this month, the agency posted two...29 March 2016
Last week, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) launched the long-awaited Phase 2 HIPAA Audit Program. Earlier this month, the agency posted...29 March 2016