Last week, U.S. Supreme Court Justice Sonia Sotomayor suggested Americans should be more concerned about their privacy being invaded by the spread of drones, stating that “frightening” changes in surveillance technology should encourage citizens to take a more active role in the privacy debate. She said she’s particularly troubled by the potential for commercial and government drones to compromise personal privacy. According to reports, Sotomayor opined, “there are drones flying over the air randomly that are recording everything that’s happening on what we consider our private property. That type of technology has to stimulate us to think about what is it that we cherish in privacy and how far we want to protect it and from whom.”
While the Federal Aviation Administration (FAA) considers what we’ll call the safety issues attendant to the operation of commercial unmanned aerial systems (UAS) in U.S. airspace, President Obama reportedly intends to issue an Executive Order addressing the privacy concerns. Although the details of the Executive Order are not yet clear, we understand that it will in part task the National Telecommunications and Information Administration (NTIA) with convening a multi-stakeholder process to develop privacy guidelines, likely either in the form of best practices or a voluntary code of conduct, for commercial UAS. With the help of our partners, Nancy Victory and Anna Gomez, former head and deputy head of NTIA, respectively, below we answer the most pressing questions about what to expect from the NTIA process and the much-anticipated Executive Order.
What is a multi-stakeholder process?
Multi-stakeholder processes aim to incorporate the views of all relevant stakeholders, from government, the private sector, civil society, and others, with the goal of generating a consensus on industry best practices or voluntary and legally enforceable codes of conduct. Multi-stakeholder processes ensure that the views of all stakeholders are heard and integrated at all stages of the decision-making process through dialogue and consensus-building. The approach aims to create trust between stakeholders and solutions that provide mutual benefits. Because of the inclusive and participatory approach, the theory behind multi-stakeholder processes is that the stakeholders have a greater sense of ownership for decisions made and thus are more likely to comply with them.
Has the NTIA done this process before?
Yes. Starting in June 2012, NTIA convened a series of multi-stakeholder meetings to develop a code of conduct for mobile app transparency. NTIA launched this process in response to the White House’s call for a Consumer Privacy Bill of Rights in early 2012. Reaching consensus was difficult, but the process, which involved consumer groups, privacy advocates, and a wide range of businesses, concluded in July 2013, when stakeholders “froze” a code of conduct for short form disclosures for testing and possible implementation—an action NTIA Administrator Lawrence Strickling called a “milestone.” A year later, however, there are some that criticize the NTIA process, arguing that consensus on the code of conduct was never reached in July 2013, and that few companies actually have agreed to adhere to the code.
NTIA also is in the midst of its second privacy multi-stakeholder process, this time regarding the commercial use of facial recognition technology. On December 3, 2012, NTIA announced its goal to develop a voluntary, enforceable code of conduct that specifies how the Consumer Privacy Bill of Rights applies to facial recognition technology in the commercial context. A number of multi-stakeholder meetings have been scheduled for this year.
Who can participate? Is it open to the public?
We anticipate that the NTIA multi-stakeholder process will be open to any person or organization that wishes to participate. NTIA in the past has webcast all of the meetings, thereby allowing those who do not participate in the process to understand how participants reached their decisions.
Why isn’t the FAA or the FTC doing this? Is NTIA the right agency to do this?
Although some question whether NTIA is capable of leading an effort to protect consumer privacy following the multi-stakeholder meetings on mobile app privacy, NTIA is the logical agency to lead a multi-stakeholder process on UAS privacy issues. The process is an extension of the White House’s 2012 privacy initiative, which previously tasked NTIA with convening stakeholders to develop and implement enforceable privacy policies based on the Consumer Privacy Bill of Rights. Moreover, NTIA has significant experience with privacy issues in the tech sector as well as prior experience with leading multi-stakeholder processes.
The FAA, on the other hand, has never had a privacy mandate. Its mission is straightforward: to ensure the safety of the national airspace. Privacy issues quite simply fall outside that mission. In fact, in recent Congressional hearings, the FAA indicated that it would look to other agencies to develop any necessary privacy policies for commercial UAS as it works on rules for the integration of small UAS into the National Airspace System (NAS).
Similarly, the FTC is less well-suited to lead a multi-stakeholder process on UAS privacy issues than NTIA. As a privacy regulator and enforcer, it is more difficult for the FTC to serve a convener role and facilitate open discussion between stakeholders in a consensus-driven process. The FTC previously has participated in multi-stakeholder processes led by NTIA, and likely will do so again here.
Since the NTIA process won’t result in rules, how will the privacy guidelines be enforceable?
It is unclear whether the multi-stakeholder process on UAS privacy issues will result in a voluntary code of conduct—as in NTIA’s previous multi-stakeholder processes—or best practices. Best practices generally are not enforceable. A voluntary code of conduct, however, is legally enforceable against companies that affirmatively commit to follow it. While the decision to adopt a code of conduct is voluntary, a public pledge to follow the code generally would amount to a representation enforceable by the FTC under its consumer protection authority.
There are incentives to adopting voluntary codes of conduct. Companies build consumer trust by engaging with consumers and other stakeholders in multi-stakeholder processes and by adopting privacy codes of conduct developed during those discussions. Enforceable codes of conduct provide the public clear, understandable baseline protections and offer businesses greater certainty about how agreed upon privacy principles apply to them. Indeed, in any enforcement action based on conduct covered by a code, the FTC likely would consider a company’s adherence to such a code favorably. In the absence of a generally-agreed upon code of conduct, the FTC could enforce privacy guidelines on a case-by-case basis, with less predictability and thus greater risk for businesses.
What are the benefits of this?
Consumer privacy is the primary concern raised in the commercial UAS context. Indeed, some have painted UAS as “privacy catalysts” that may well precipitate more comprehensive privacy protections. A multi-stakeholder discussion that results in best practices or a voluntary code of conduct may alleviate consumer concern, allowing UAS to go to market more quickly. Indeed, as explained above, companies build consumer trust by engaging in multi-stakeholder discussions that result in best practices or codes of conduct that document how consumers’ privacy will be protected.
Will best practices preempt state/local privacy laws?
No. Because a code of conduct would be voluntary, and not required by a law or regulation, the best practices would not preempt state or local law regulating UAS.
We hope, however, that a successful multi-stakeholder process will address any state and local concerns about privacy, as the process aims to develop a sensible set of safeguards that industry would take up broadly. And, the code of conduct would be enforceable (by federal, state and local authorities), once a company voluntarily agrees to follow it. So, an effective multi-stakeholder process should signal to state and local regulators that commercial UAS is protecting privacy, and thus, imposing rigid restrictions is not necessary.
Are there First Amendment issues with regulating UAS privacy?
Journalists are eager to put drones to work for aerial newsgathering. As it has been with many emerging technologies that enhance the ability to collect information—whether a telephoto lens, sensitive microphone, or high-resolution satellite imagery—privacy is a central concern, and it could impact journalists’ ability to use UAS. Journalists and press advocates undoubtedly will participate in the stakeholder process to ensure that the law and policy governing the use of UAS is not crafted so broadly so as to unconstitutionally interfere with their right to gather and publish newsworthy information.
Camera-equipped UAS engaged in newsgathering conceivably would enjoy First Amendment protection. Photographing and filming matters of public interest in public places fall under the umbrella of free expression and are limited only by reasonable time, place, and manner restrictions (although it remains to be seen whether being filmed by UAS might be viewed as an intrusion even in a public place). Indeed, in May 2014, 16 major media companies, including the Associated Press, the New York Times Co., Hearst Corp., and The Washington Post, filed an amicus brief in federal court in support of Raphael Pirker, a UAS enthusiast fined $10,000 by the FAA for his “careless and reckless” flying of a small UAS. The brief argues that restrictions on the use of UAS for newsgathering violate the First Amendment.
While the First Amendment prohibits the government from abridging the freedom of the press, this freedom is not absolute. The use of UAS will pose many of the same risks that more traditional methods of newsgathering and reporting do. Existing state tort law and statutes of general applicability have evolved that govern journalists and their subjects’ privacy, and what kinds of publications give rise to liability. Wiretap, anti-paparazzi, stalking, harassment and other statutes that address conduct involving recording or following individuals may all provide guidance. Certainly, balancing privacy and First Amendment interests will be raised in NTIA’s multi-stakeholder process.
We’ll have more on the EO once it is released by the White House.