The sUAS Guide Issue 02, July 2016 | Page 70

Why you should have a comprehensive data protection plan

Mark Del Bianco Attorney at Law

Commercial UAS operators and service providers face some unusual challenges related to their acquisition, use, and sharing of data. That is why it is crucial for them to have a comprehensive, accurate and up-to-date privacy policy and a coherent internal policy on the ownership and use of data generated in the course of their UAS operations. For purposes of this article, we use “operators” to refer to entities (such as utilities or insurance companies) that have their own Section 333 exemption and use UAS as adjuncts to their main business, and “service providers” to identify firms that provide either:

(i) Outsourced UAS services to third-party clients in any of a wide range of industries; or

(ii) A platform through which service providers in category (i) can upload, store, manipulate and disseminate data they have generated through their operations.

Like other businesses, commercial UAS operators and service providers receive and use personally identifiable information (“PII”) from customers, potential customers and members of the public who visit their website or use their mobile app. Designing and maintaining privacy policies that address this data is no different than creating a policy for any other firm.

The unusual challenges facing both operators and service providers arise from the fact that the major existing and contemplated near-term uses of UAS revolve around the acquisition of actionable data: still photographs, video, or infrared or LIDAR images. UAS operations inevitably generate data related to property or to identifiable persons who are in places where traditionally there has been an expectation of privacy, based at least partly on the difficulty of access. Think license plates, facial recognition or factory effluent discharge trails. These issues are not unique to UAS – many of the same objections are being and have been made to Google Maps and other similar projects. But the flight component of UAS and the ease of access it affords to formerly inaccessible places have amped up people’s concerns.

Privacy policies are not typically addressed to third parties who do not use a company’s services or visit its website. However, forward-looking UAS firms are recognizing the need to address the public concerns about misuse of UAS-acquired data, and concluding that one way to do this is to use their privacy policy. Indeed, the National Telecommunications and Information Administration (“NTIA”) best practices discussed below recognize the value of this approach.

know that even if DroneZone’s terms of use provide that the farm owns the data generated by the UAS, it is likely granting DroneZone a royalty-free license to use (and in some cases distribute) the farm’s data. This is important because aggregation of individual farms’ data into large datasets (a/k/a “Big Data”) provides information that is itself valuable. For example, if DroneZone’s customers provide data for 5 or 10% of the corn acreage in Nebraska, that may be enough to make an estimate of the state or even the national corn yield that is more accurate than that of the Commerce Department. The value of such an accurate estimate for a futures trader on the Chicago Board of Trade is obvious.

The government, UAS industry firms, and other stakeholders have begun to recognize the public concerns about Big Data and the deliberate or accidental acquisition of personal data by UAS and the need to minimize the “creepy” factor associated with UAS. To that end, NTIA, as part of the Commerce Department, in early 2015 convened a multi-stakeholder process to develop privacy best practices to “help guide the development and growth of UAS in the United States.” The process turned out to be a side skirmish in a larger, ongoing debate (some might say “war”) over personal privacy and Big Data.

Nonetheless, a diverse group of stakeholders came to consensus on a best practices document that was released in May 2016. See https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-unmanned-aircraft-systems. A number of groups who participated in the process declined to sign on to the final document because they felt it was too narrow in scope and failed to address other technologies (such as CCTV cameras) that raise issues similar to those raised by UAS operations.

The NTIA document outlined voluntary best practices that “UAS operators could take to advance UAS privacy, transparency and accountability for the private and commercial use of UAS.” These best practices go beyond existing law and “they do not—and are not meant to—create a legal standard of care by which the activities of any particular UAS operator should be judged.” However, the best practices are limited in scope and fail to provide much guidance for UAS service providers.

The best practices address “covered data,” which is “information collected by a UAS that identifies a particular person.” If data collected by UAS likely will not be linked to an individual’s name or other personally identifiable information, or if the data is altered so that a specific person is not recognizable, it is not covered data.

The best practices document sets out three strategies that operators and service providers could adopt:

First, the document advises UAS operators to inform others of their use prior to the operation. This includes letting others know the general time frame and area in which the UAS will be operating, but it also includes creating a publicly available privacy policy for cases where UAS use may result in the collection of covered data. The NTIA suggests that the policy include:

• The purposes for which the UAS will collect covered data;
• The kinds of covered data that will be collected;
• Examples of the types of entities with whom covered data will be shared (as applicable);
• Information on how to submit privacy and security complaints or concerns; and
• Information describing practices in responding to law enforcement requests.