legislation

Hate the Consumer Privacy Bill of Rights, but Love the Privacy Review Boards

Considering the criticism on all sides, it’s not a bold prediction to suggest the White House’s Consumer Privacy Bill of Rights is unlikely to go far in the current Congress. Yet while actual legislation may not be the cards, the ideas raised by the proposed bill will impact the privacy debate. One of the bill’s biggest ideas is the creation of a new governance institution, the Privacy Review Board.

The bill envisions that Privacy Review Boards will provide a safety valve for innovative uses of information that strain existing privacy protections but could provide big benefits. In particular, when notice and choice are impractical and data analysis would be “not reasonable in light of context,” Privacy Review Boards could still permit data uses when “the likely benefits of the analysis outweigh the likely privacy risks.” This approach provides a middle-ground between calls for permissionless innovation, on one hand, and blanket prohibitions on innovative uses of information on the other.

Instead, Privacy Review Boards embrace the idea that ongoing review processes, whether external or internal, are important and are a better way to address amorphous benefits and privacy risks. Whatever they ultimately look like, these boards can begin the challenging task of specifically confronting the ethical qualms being raised by the benefits of “big data” and the Internet of Things.

This isn’t a novel idea. After all, the creation of formal review panels was one of the primary responses to ethical concerns with biomedical research. Institutional review boards, or IRBs, have now existed as a fundamental part of the human research approval process for decades. IRBs are not without their flaws. They can become overburdened and bureaucratic, and the larger ethical questions can be replaced by a rigid process of checking-off boxes and filling out paperwork. Yet IRBs have become an important mechanism by which society has come to trust researchers.

At their foundation, IRBs reflect an effort to infuse research with several overarching ethical principles identified in the Belmont Report, which serves as a foundational document in ethical research. The report’s principles of respect for persons, beneficence, and justice embody the ideas that researchers (1) should respect individual autonomy, (2) maximize benefits to the research project while minimizing risks to research subjects, and (3) ensure that costs and benefits of research are distributed fairly and equitably.

Formalizing a process of considering these principles, warts and all, went a long way toward alleviating fears that medical researchers lacked rules. Privacy Review Boards could do the same today for consumer data in the digital space. Consumers feel like they lack control over their own information, and they want reassurances that their personal data is only being used in ways that ultimately benefit them. Moreover, calls to develop these sorts of mechanisms in the consumer space are also not new. In response to privacy headaches, companies like Facebook and Google have already instituted review panels that are designed to reflect different viewpoints and encourage careful consideration.

Establishing the exact requirements for Privacy Review Boards will demand flexibility. The White House’s proposal offers a litany of different factors to consider. Specifically, Privacy Review Boards will need to have a degree of independence and also possess subject-matter expertise. They will need to take the sizes, experiences, and resources of a given company into account. Perhaps most challenging, Privacy Review Boards will to balance transparency and confidentiality. Controversially, the proposed bill places the Federal Trade Commission in the role of arbiter of the board’s validity. While it would be interested to imagine how the FTC could approach such a task, the larger project of having more ethical conversations about innovative data use is worth pursuing, and perhaps the principles put forward in the Belmont Report can provide a good foundation once more.

The principles in the Belmont Report already reflect ideas that exist in debates surrounding privacy. For example, the notion of respect for persons echoes privacy law’s emphasis on fair notice and informed choice. Beneficence stresses the need to maximize benefits and minimize harms, much like existing documentation on the FTC’s test for unfair business practices, and justice raises questions about the equity of data use and considerations about unfair or illegal disparate impacts. If the Consumer Privacy Bill of Rights accomplishes nothing else, it will have reaffirmed the importance of a considered review process. Privacy Review Boards might not have all the answers – but they are in a position to monitor data uses for problems, promote trust, and ultimately, better protect privacy.

Sen. Markey’s Drone Aircraft Privacy and Transparency Act Summarized

On Monday, Sen. Markey introduced legislation designed to expand legal safeguards to protect individual privacy from invasion by commercial and government use of drones. The bill amends the FAA Modernization and Reform Act of 2012, which directed the FAA to integrate unmanned aircraft systems (UAS) into U.S. airspace by October 2015. The law, however, was silent as to the transparency and privacy implications of domestic drone use. Under pressure from advocacy groups and Congress, the FAA solicited public comment about potential privacy and civil liberties issues during its UAS test site selection process, ultimately suggesting only that UAS privacy policies “should be informed by the Fair Information Practice Principles.”

This section-by-section summary looks at how Sen. Markey’s bill would amend current law to establish national guidelines for domestic drone use.

Sec. 1 – Short Title

Drone Aircraft Privacy and Transparency Act of 2013

Sec. 2 –  Findings

The bill notes that the FAA projects that 30,000 drones could be in sky above the United States by 2020, and further, that current law provides for no explicit privacy protections or public transparency measures with regards to drone use by public or private entities.

Sec. 3 –  Guidance and Limitations for UAS

The major substance of this section details new requirements for data collection statements by commercial drone operators and data minimization statements by law enforcement. The bill’s provisions with regards to law enforcement appear to bolster significantly Fourth Amendment privacy protections. Agencies would be subject to a warrant requirement for any generalized drone surveillance absent exigent circumstances, such as (1) imminent danger of death or serious injury or (2) DHS has determined credible intelligence points to a high risk of terrorist attack. Moreover, any information collected that was unrelated to a potential exigency is required to be destroyed.

While these provide practical, procedural limitations on surveillance, the bill also forces law enforcement to consider how they plan to use drones prior to their implementation. Law enforcement offices will be required to file an explanation about any policies adopted to minimize the collection of data unrelated to a warrant-requirement, how excess data will be destroyed, and detailing any audit or oversight mechanisms. By making licenses contingent on these statements, the bill may encourage careful consideration of privacy challenges before law enforcement begins broad use of drones.

For commercial operators, the bill would prohibit the FAA from issuing licences without a statement that provides information about who will operate the drone, where the drone will be flown, what data will be collected and how that data will be used, including information about whether any information will be sold to third parties, the period for which information will be retained, and contact information to receive complaints. Depending upon how onerous these statement requirements become, this section may present some First Amendment challenges, particularly public efforts to advance newsgathering and the free flow of information.

The FAA would be charged with creating a publicly searchable website that would list all approved drone licenses, including copies of data collection or minimization statements, any data security breaches, and details about the time and location of all drone flights.

This section also calls for the Departments of Homeland Security, Commerce, and Transportation and the FTC to conduct a study to identify any potential challenges presented by drones to the OECD privacy guidelines. It would also require the current UAS rulemaking underway to take those privacy guidelines into consideration.

Sec. 4 – Enforcement

The section provides for concurrent enforcement by state authorities and the Federal Trade Commission under its Section 5 authority. It also allows for a private right of action for violations of either an entity’s data collection or data minimization statement. Remedies include equitable relief, and the greater of actual monetary damages or statutory damages of up to $1,000 for each violation.

Sec. 5 – Model Aircraft Provision

Finally, the bill provides for an exception for model aircraft.

***

Sen. Markey introduced a largely identical version of the Drone Aircraft Privacy and Transparency Act of 2013 earlier this year as a member of the House of Representative, and last year, as well.

 Scroll to top