There can be no doubt that connected devices are revolutionizing the ways that we collect and share data. 

We’ve become accustomed to seeing them in the fitness world, in our smartphones and even in our homes, but these devices are swiftly and pervasively invading the transportation industry, as well. From Uber’s self-driving car project to Amazon’s budding drone delivery service, it’s impossible to ignore the impact these “vehicles” are having, including presenting unique and complex challenges to privacy.  

At first blush, it may not seem like an airborne drone has much in common with an earthbound car, but when it comes to privacy risks, they actually are more alike than different. Many of the same headwinds creating turbulence in the drone market are also throwing up similar roadblocks in the path of car manufacturers and OEMs in the driverless technology market.

Shared privacy risks

While by no means exclusive, some of the common concerns of privacy experts, regulators and enthusiasts include the fact that drones and driverless cars are:

• mobile and able to move with little restriction into commercial and residential areas, in some cases undetected;
• equipped with cameras, capturing video, images and sound without a clear indication that recording is taking place;
• controlled by unidentified operators, making it hard to identify how to resolve concerns, questions or complaints;
• transmitting data wirelessly to myriad parties, many of which are unidentified;
• collecting vast amounts of data, resulting in an increased risk of breach, misuse and creating practical challenges to data subject access rights;
• likely to change ownership (intentionally or unintentionally) without proper deletion of data prior to transfer;
• not a ready fit for traditional privacy principles (i.e., how can consents or opt-in/express notices be presented on a rapidly moving, possibly airborne, vehicle?);
• repositories of sensitive data, for example health information, loaded into a vehicle for the purpose of informing emergency medical support of a drug allergy or pre-existing medical condition;
• subject to search and seizure or used to collect surveillance on behalf of law enforcement, where contents may be disclosed without the need for a warrant. The Trump administration is seeking unrestricted ability to detain, seize, track and inspect drones, allowing the government to effectively search and seize a repository of personal data without a warrant (see also the transcript of “The Future of Drones in America: Law Enforcement and Privacy Considerations”).

How are regulators responding?

Dedicated laws on self-driving cars are still nascent, but the administrative guidance, regulations and proposed bills pertinent to drones may be predictors of future legislation. Last summer, the FAA released guidance on the operation of “small unmanned aircraft.” That guidance was focused primarily on safety risks and associated standards. Prior to that, under President Obama, the National Telecommunications Information Administration conducted a multi-stakeholder engagement process (in which Intel participated) that released a limited set of “Guidelines for Neighborly Drone Use” in May 2016. These guidelines were fairly high level and benign, and stressed fundamental privacy mindfulness. For example, they state: “Don’t gather personal data for no reason, and don’t keep it for longer than you think you have to.” Beginning this year, the FAA has begun to release maps of “No Drone Zones” aimed to protect safe operations at commercial airports and military facilities/bases.

The real action has been at the state level. 

At least 38 states are in the process of evaluating legislation relating to unmanned aircraft systems. Fourteen states have already passed 19 separate laws, and three more have adopted resolutions this year. What makes this flurry of activity so interesting is how diverse and comprehensive the legislative proposals are, going far beyond issues of safety and air traffic regulation, and how vocal and active some of the states have been.  

Consequences for breaking state laws may include fines, private rights of action allowing punitive damages and recovery of attorney’s fees and criminal penalties including jail time. For example, Hawaii’s proposed Senate Bill 454 aims to restrict the use of drones for “eavesdropping or other surveillance in a private place” to “peer or peep into a window or opening of a dwelling.” Some states, such as Alaska, have proposed or initiated drone specific task forces with stated duties, including “identifying potential privacy and public safety concerns associated with unmanned aircraft systems and determining whether legislation is necessary to address them” and “conducting a public hearing concerning privacy and the capture of data.” California passed Civil Code Section 1708.8(b), which makes an individual “liable for constructive invasion of privacy when the defendant attempts to capture … any type of visual image, sound recording, or other physical impression of the plaintiff engaging in personal or familial activity under circumstances in which the plaintiff had a reasonable expectation of privacy.” South Dakota modified its criminal surveillance laws to include intentional use of a drone to observe, photograph or record someone in a private place with a reasonable expectation of privacy, and in Kansas, it is illegal to stalk someone using a drone.

Is it different outside the U.S.?

Consistent laws on any topic in Europe are a challenge in the sense that there are many different countries with their own district and individual legislation, priorities and political agendas. There currently is no uniform set of UAS laws, and yet many commercial operators are anxious to offer in-demand services, such as agriculture mapping and construction planning that may extend across country lines. 

The regulatory body equivalent to the FAA in Europe is the European Aviation Safety Agency. The EASA currently only has authority over much larger aircraft, resulting in a vacuum of oversight when it comes to much smaller drones that often weigh in at 10 pounds or less. Not surprisingly, the EU is also sensitive to the adaptation of their privacy rules as applied to drones, for example, recording a person without their consent can already be a violation of the Data Protection Act in the U.K. — but a case actively applying this law to a recording violation executed by use of a drone has not been presented. 

And, as is true in any country, just because a drone flies over your backyard and appears to be unlawfully recording video through your open window, doesn’t mean you can identify who is piloting the drone to report them to law enforcement. 

In Asia, operation of a drone may require a permit, and there is a surprising number of restrictions around protection of national monuments, government facilities and public safety, but only a few countries (such as Japan, Laos, and Thailand) mention privacy in their legislation and, even then, the mention is a passing reference to “Respect others privacy when flying your drone”). 

Unchartered territory – The open road and open sky

Given the numerous privacy questions raised by vehicles that essentially operate without human intervention — or even supervision — how does one take advantage of this new frontier without finding themselves in the oncoming headlights of a data breach, PR nightmare or regulatory violation of a law that was just passed yesterday? 

There is no easy answer, but there is comfort in the knowledge that globally we are all in the same boat (or drone, or self-driving car…). 

Collaborative efforts, such as those between auto manufacturers to develop common methodologies, regulatory guidance and working committees, software systems and data exchanges will provide a platform for the right questions to be asked. Think tanks and groups such as the Future of Privacy Forum continue their ongoing advocacy for privacy, transparency and accountability best practices. An organization’s understanding of the concerns and efforts to identify and implement mitigating controls, such as anonymization approaches to mask facial features, inquiry portals for individuals to access privacy notices or FAQs, and only keeping personal data for as long as it is needed, will reduce risk both to the individual and to the companies involved. 

All in all, it’s an exciting road ahead — let’s go for a drive.

photo credit: PokemonaDeChroma Early morning rolling via photopin (license)