Appendix B: Voluntary Best Practices for UAS Privacy, Transparency, and Accountability
I. INTRODUCTION
The benefits of commercial and private unmanned aircraft systems (UAS) are substantial. Technology has moved forward rapidly, and what used to be considered toys are quickly becoming powerful commercial tools that can provide enormous benefits in terms of safety and efficiency. UAS integration will have a significant positive economic impact in the United States. Whether UAS are performing search and rescue missions, allowing farmers to be more efficient and environmentally friendly, inspecting power lines and cell towers, gathering news and enhancing the public’s access to information, performing aerial photography to sell real estate and provide insurance services, surveying and mapping areas for public policy, delivering medicine to rural locations, providing wireless internet, enhancing construction site safety, or more—society is only just beginning to realize the full potential of UAS. UAS technology is already bringing substantial benefits to people’s daily lives, including cheaper goods, innovative services, safer infrastructure, recreational uses, and greater economic activity. Inevitably, creative minds will devise many more UAS uses that will save lives, save money and make our society more productive.
However, the very characteristics that make UAS so promising for commercial and non-commercial uses, including their small size, maneuverability and capacity to carry various kinds of recording or sensory devices, can raise privacy concerns. As a result, individuals may be apprehensive about the adoption of this technology into everyday life. In order to ensure that UAS and the exciting possibilities that come with them live up to their full potential, operators should use this technology in a responsible, ethical, and respectful way. This should include a commitment to transparency, privacy and accountability.
The purpose of this document is to outline and describe voluntary Best Practices that UAS operators could take to advance UAS privacy, transparency and accountability for the private and commercial use of UAS. UAS operators may implement these Best Practices in a variety of ways, depending on their circumstances and technology uses, and evolving privacy expectations. In some cases, these Best Practices are meant to go beyond existing law and they do not—and are not meant to—create a legal standard of care by which the activities of any particular UAS operator should be judged. These Best Practices are also not intended to serve as a template for future statutory or regulatory obligations, in part because doing so would make these standards mandatory (not voluntary) and could therefore raise First Amendment concerns.
II. APPLICABILITY
These voluntary Best Practices for UAS focus on data collected via a UAS, which includes both commercial and non-commercial UAS. The only section applicable to newsgatherers and news reporting organizations is Section V, considering that their activity is strongly protected by the First Amendment to the Constitution of the United States. There is also an Appendix entitled “Guidelines for Neighborly Drone Use” that is intended to be a quick and easy reference guide for recreational UAS operators.
These Best Practices do not apply to data collected by other means—for instance, a company need not apply these Best Practices to data collected via the company’s website. These Best Practices do not apply to the use of UAS for purposes of emergency response, including safety and rescue responses.
Nothing in these Best Practices shall:
UAS operators should comply with all applicable laws and regulations. These Best Practices are intended to encourage positive conduct that complements legal compliance. Operators who are aware of other best practices that may apply specific guidance to technologies deployed on or through UAS should consider how to incorporate that guidance into their privacy and security policies and practices.
These Best Practices are also not intended to serve as a template for future statutory or regulatory obligations, in part because doing so would raise First Amendment issues.
The term “consent” means words or conduct indicating permission. Consent must be informed and conduct indicating permission may be express or implied, depending on the context.
“Covered data” means information collected by a UAS that identifies a particular person. If data collected by UAS likely will not be linked to an individual’s name or other personally identifiable information, or if the data is altered so that a specific person is not recognizable, it is not covered data.
The term “data subjects” refers to the individuals about whom covered data is collected.
The terms “where practicable” and “reasonable” depend largely on the circumstances of the UAS operator, the sensitivity of data collected, and the context associated with a particular UAS operation.
IV. VOLUNTARY BEST PRACTICES
1. INFORM OTHERS OF YOUR USE OF UAS
1(a) Where practicable, UAS operators should make a reasonable effort to provide prior notice to individuals of the general timeframe and area that they may anticipate a UAS intentionally collecting covered data.
1(b) When a UAS operator anticipates that UAS use may result in collection of covered data, the operator should provide a privacy policy for such data appropriate to the size and complexity of the operator, or incorporate such a policy into an existing privacy policy. The privacy policy should be in place no later than the time of collection and made publicly available. The policy should include, as practicable:
(1) the purposes for which UAS will collect covered data;
(2) the kinds of covered data UAS will collect;
(3) information regarding any data retention and de-identification practices;
(4) examples of the types of any entities with whom covered data will be shared;
(5) information on how to submit privacy and security complaints or concerns; and
(6) information describing practices in responding to law enforcement requests.
Material changes to the above should be incorporated into the privacy policy.
2. SHOW CARE WHEN OPERATING UAS OR COLLECTING AND STORING COVERED DATA
2(a) In the absence of a compelling need to do otherwise, or consent of the data subjects, UAS operators should avoid using UAS for the specific purpose of intentionally collecting covered data where the operator knows the data subject has a reasonable expectation of privacy.
2(b) In the absence of a compelling need to do otherwise, or consent of the data subjects, UAS operators should avoid using UAS for the specific purpose of persistent and continuous collection of covered data about individuals.
2(c) Where it will not impede the purpose for which the UAS is used or conflict with FAA guidelines, UAS operators should make a reasonable effort to minimize UAS operations over or within private property without consent of the property owner or without appropriate legal authority.
2(d) UAS operators should make a reasonable effort to avoid knowingly retaining covered data longer than reasonably necessary to fulfill a purpose as outlined in § IV.1(b). With the consent of the data subject, or in exceptional circumstances (such as legal disputes or safety incidents), such data may be held for a longer period.
2(e) UAS operators should establish a process, appropriate to the size and complexity of the operator, for receiving privacy or security concerns, including requests to delete, de-identify, or obfuscate the data subject’s covered data. Commercial operators should make this process easily accessible to the public, such as by placing points of contact on a company website.
3. LIMIT THE USE AND SHARING OF COVERED DATA
3(a) UAS operators should not use covered data for the following purposes without consent: employment eligibility, promotion, or retention; credit eligibility; or health care treatment eligibility other than when expressly permitted by and subject to the requirements of a sector-specific regulatory framework.
3(b) UAS operators should make a reasonable effort to avoid using or sharing covered data for any purpose that is not included in the privacy policy covering UAS data.
3(c) If publicly disclosing covered data is not necessary to fulfill the purpose for which the UAS is used, UAS operators should avoid knowingly publicly disclosing data collected via UAS until the operator has undertaken a reasonable effort to obfuscate or de-identify covered data—unless the data subjects provide consent to the disclosure.
3(d) UAS operators should make a reasonable effort to avoid using or sharing covered data for marketing purposes unless the data subject provides consent to the use or disclosure. There is no restriction on the use or sharing of aggregated covered data as an input (e.g., statistical information) for broader marketing campaigns.
4. SECURE COVERED DATA
4(a) UAS operators should take measures to manage security risks of covered data by implementing a program that contains reasonable administrative, technical, and physical safeguards appropriate to the operator’s size and complexity, the nature and scope of its activities, and the sensitivity of the covered data.
Examples of appropriate administrative, technical, and physical safeguards include those described in guidance from the Federal Trade Commission, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the International Organization for Standardization’s 27001 standard for information security management.
For example, UAS operators engaging in commercial activity should consider taking the following actions to secure covered data:
5. MONITOR AND COMPLY WITH EVOLVING FEDERAL, STATE, AND LOCAL UAS LAWS
5(a) UAS operators should ensure compliance with evolving applicable laws and regulations and UAS operators’ own privacy and security policies through appropriate internal processes.
V. BEST PRACTICES FOR NEWSGATHERERS AND NEWS REPORTING ORGANIZATIONS
Newsgathering and news reporting are strongly protected by United States law, including the First Amendment to the Constitution. The public relies on an independent press to gather and report the news and ensure an informed public.
For this reason, these Best Practices do not apply to newsgatherers and news reporting organizations. Newsgatherers and news reporting organizations may use UAS in the same manner as any other comparable technology to capture, store, retain and use data or images in public spaces. Newsgatherers and news reporting organizations should operate under the ethics rules and standards of their organization, and according to existing federal and state laws.