[Federal Register Volume 78, Number 220 (Thursday, November 14, 2013)] [Rules and Regulations] [Pages 68360-68364] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2013-27216] ----------------------------------------------------------------------- DEPARTMENT OF TRANSPORTATION Federal Aviation Administration 14 CFR Part 91 [Docket No. FAA-2013-0061] Unmanned Aircraft System Test Site Program AGENCY: Federal Aviation Administration (FAA), DOT. ACTION: Notice of availability of final privacy requirements for the unmanned aircraft system (``UAS'') test site program; response to comments. ----------------------------------------------------------------------- SUMMARY: On February 22, 2013 the FAA published and requested public comment on the proposed privacy requirements (the ``Draft Privacy Requirements'') for UAS test sites (the ``Test Sites'') that the FAA will establish pursuant to the FAA Modernization and Reform Act of 2012 (``FMRA''). This document responds to the public comments received and publishes the FAA's final privacy requirements for the Test Sites (the ``Final Privacy Requirements''). [[Page 68361]] DATES: November 14, 2013. ADDRESSES: You may review the public docket for this rulemaking (Docket No. FAA-2013-0061) on the Internet at http://www.regulations.gov. You may also review the public docket at the Docket Management Facility in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE., Washington, DC 20590-0001 between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. FOR FURTHER INFORMATION CONTACT: For technical questions concerning the test site program, contact Elizabeth Soltys, Unmanned Aircraft Systems Integration Office, Federal Aviation Administration, 800 Independence Avenue SW., Washington, DC 20591; email: [email protected]. For legal questions concerning the FAA's privacy requirements for the Test Sites contact Carlos Siso, Office of the Chief Counsel, Federal Aviation Administration, 800 Independence Ave. SW., Washington, DC 20591; email: [email protected]. SUPPLEMENTARY INFORMATION: This document summarizes and responds to the public comments received in response to the following Federal Register documents seeking public comment on the Draft Privacy Requirements for the Test Sites: (i) Notice of availability and request for comments published in the Federal Register on February 22, 2013 (78 FR 12259), Docket No. FAA-2013-0061-0001; and (ii) Notice of public engagement session published in the Federal Register on March 28, 2013 (78 FR 18932), Docket No. FAA-2013-0061- 0050. In addition, this document publishes the FAA's Final Privacy Requirements for the Test Sites which are set forth under the ``Conclusion'' section below. Discussion of Comments The FAA received 99 comments through Regulations.gov and 53 comments through the public engagement session. A transcript of the public engagement session is available at: http://www.faa.gov/about/initiatives/uas/media/UAStranscription.pdf. Public comments ranged from recommending that the FAA not impose any privacy requirements on the Test Sites to recommending that the FAA impose extensive privacy requirements on the Test Sites. The FAA also received comments that were not responsive to the notice or that were unclear. The FAA analyzed the responsive comments and grouped them into ten categories. The following sections address the comments by category. (1) The FAA should focus on its safety mission; it should not engage in regulating privacy. The FAA received a number of comments advocating that the FAA should focus on its safety mission and should not engage in regulating privacy. The following comments were received:The FAA should focus on safety; Regulating privacy is outside the FAA's mission; The FAA does not have statutory authority to regulate privacy; The FAA does not have the authority to impose privacy requirements on the Test Sites; The FAA should allow privacy to be addressed by other more appropriate government bodies including: Federal agencies that have expertise and authority to deal with privacy concerns; Congress; state or local legislative bodies; and the judicial system; The Federal Government should not regulate privacy impacts of UAS; these issues should be left to states, cities, and counties to address; The FAA should only require compliance with privacy laws that are already in place and focus on developing safe operation of UAS; The FAA should not deny access to the national airspace for reasons other than safety; Existing privacy laws are sufficient to cover the responsible use of UAS. There already exist Federal, state and other laws that protect privacy. In addition, tort law may also provide avenues of recourse for plaintiffs to protect their privacy rights; The FAA should not implement privacy regulations that make entry into the market prohibitive for small businesses; The FAA should not allow privacy issues to hinder commercialization of UAS; There is no evidence that the operations at the Test Sites will harm privacy interests. Restricting activities at the test sites at this early stage will likely overprotect privacy at the expense of innovation; The FAA should afford adequate time for non-governmental solutions such as industry norms and practices to develop before intervening administratively to protect privacy. These less restrictive solutions will reduce the need for administrative intervention and will allow for increased innovation in the national airspace; Requiring Test Site operators to develop privacy policies that are informed by Fair Information Practice Principles is onerous for commercial operators of UAS and its cost will likely outweigh any hypothetical benefits; Requiring Test Site operators to issue privacy policies informed by Fair Information Practice Principles will limit the diversity of data that will inform integration of UAS into the national airspace. The FAA's approach would exclude an important possible alternative from the discussion: some operators might choose not to issue a privacy policy or adopt a non-FIPPs-compliant policy; and The FAA should treat data gathered by UAS no differently than data gathered by a manned aircraft or by other electronic means. There is no significant difference in terms of surveillance between a UAS and a manned aircraft, and manned aircraft are permitted to operate in the national airspace with cameras. Response: The FAA's mission is to provide the safest, most efficient aerospace system in the world and does not include regulating privacy. At the same time, the FAA recognizes that there is substantial debate and difference of opinion among policy makers, industry, advocacy groups, and members of the public as to whether UAS operations at the Test Sites will raise novel privacy issues that are not adequately addressed by existing legal frameworks. The FAA will require the Test Site operators to comply with the Final Privacy Requirements. Congress mandated that the FAA establish the Test Sites to further UAS integration into the national airspace system. The Final Privacy Requirements advance this purpose by helping inform the dialogue among policymakers, privacy advocates, and industry regarding the impact of UAS technologies on privacy. The FAA's authority for including the Final Privacy Requirements in the Test Site OTAs is set forth in 49 U.S.C. 106(l)(6). That statute authorizes the FAA Administrator to enter into an OTA ``on such terms and conditions as the Administrator may consider appropriate.'' The FAA believes that it is appropriate to require Test Site operators to comply with the Final Privacy Requirements. (2) The FAA should require warrants before law enforcement can use UAS in the Test Sites to conduct surveillance or gather evidence. The FAA received a variety of comments advocating that: The FAA should include provisions in the OTA that require warrants to be obtained when UAS are used to conduct surveillance or gather evidence within the Test Site; and [[Page 68362]] The OTA include appropriate safeguards to protect Fourth Amendment rights at and around our national borders. Response: The FAA's mission is to provide the safest, most efficient aerospace system in the world. The FAA is establishing the UAS Test Sites consistent with its mission and the direction in the FMRA. The FAA appreciates the commenters' concerns. Accordingly, the final privacy requirements provide that the Site Operator and its team members must comply with all applicable privacy laws. (3) The FAA should mandate specific privacy requirements for the Test Sites. The FAA received a variety of comments advocating that the FAA mandate specific privacy requirements for the Test Sites. The recommendations included the following: The FAA should specify minimum privacy requirements and require each Test Site to comply with them; The FAA should mandate compliance with Fair Information Practice Principles for all Test Site operators; The FAA should establish prohibitions on where UAS can operate within a Test Site and the kinds of surveillance activities that UAS conduct at the Test Sites; The FAA should require all UAS flown at the Test Sites to have unencrypted down links so that all their data collection can be viewed by the public, including records contained onboard and recovered after landing; The FAA should require each Test Site operator to conduct a full Privacy Impact Assessment; The FAA should require each Test Site operator to establish a Chief Privacy Officer and centralize privacy responsibilities in that person; The FAA should require each Test Site operator to establish a privacy advisory committee to review proposed UAS research at the Test Sites for privacy concerns; The FAA should require each Test Site operator to provide a detailed response to public input it receives regarding the Test Site's privacy policy; The FAA should prohibit the sharing of recorded surveillance footage beyond the scope of its original purpose; The FAA should prohibit UAS in the Test Sites from flying below a minimum altitude; The FAA should prohibit UAS in the Test Sites from carrying any equipment that could be used to conduct surveillance; The FAA should limit the use of the data collected at the Test Sites; The FAA should prohibit (i) the use of Test Sites for government surveillance, and (ii) sharing data collected with law enforcement for the purpose of investigating or prosecuting a crime; The FAA should limit the type of data that can be collected by UAS at the Test Sites including limiting the resolution of visual imagery that UAS can collect, prohibiting recording of audio data, and restricting the ability to collect WiFi and cellular signals; The FAA should require Test Site operators to provide data on the payload of each UAS flown at the Test Site including specific information on the data the payload is capable of collecting; The FAA should mandate privacy policies that require deletion of collected data within a certain time period; The FAA should prohibit the Test Site operator and UAS operators at the Test Sites from retaining any data collected longer than is necessary to fulfill the purpose of the Test Site; The FAA should require UAS operators to file data collection statements with the FAA for UAS operations that involve remote sensing and signals surveillance from the UAS platform; and The FAA should require UAS operating at altitudes over 400 feet to carry an automatic dependent surveillance-broadcast transponder (ADS-B Out) so that UAS operations can be tracked. Response: The FAA's mission is to provide the safest, most efficient aerospace system in the world. Although there is a long history of placing cameras and other sensors on aircraft for a variety of purposes--news helicopters, aerial surveys, film/television production, law enforcement, etc.--the FAA is not, through awarding and supervising these Test Sites, taking specific views on whether or how the Federal Government should regulate privacy or the scope of data that can be collected by manned or unmanned aircraft. There was substantial difference of opinion among commenters as to whether UAS operations and manned aircraft operations present different privacy issues that justify imposing special privacy restrictions on UAS operations at the Test Sites. In addition, there was substantial difference of opinion among commenters regarding what elements would be appropriate for a Test Site privacy policy. Based on the comments received, the FAA will require Test Sites to comply with the following requirements in addition to those described in the Draft Privacy Requirements: (1) Test site operators must maintain a record of all UAS operating in the test sites; (2) Test site operators must require every UAS operator in the Test Site to have a written plan for the operator's use and retention of data collected by the UAS; and (3) Test site operators must conduct an annual review of test site operations to verify compliance with stated privacy policy and practices and share those outcomes annually in a public forum with an opportunity for public feedback. The above are reflected in the Final Privacy Requirements. The FAA has determined that it should not impose privacy requirements beyond those in the Final Privacy Requirements for the following reasons. First, there are many privacy laws and applications of tort law that may address some of the privacy issues that arise from UAS operations at the Test Sites. Second, the FAA believes that Test Sites operators will be responsive to local stakeholders' privacy concerns and will develop privacy policies appropriately tailored to each Test Site. The selection criteria for the Test Sites specify that only a ``public entity'' can serve as a Test Site operator. The term ``public entity'' is defined in the selection criteria to mean ``(A) any State or local government; (B) any department, agency, special purpose district, or other instrumentality of a State or States or local government; and (C) the National Railroad Passenger Corporation, and any commuter authority.'' The FAA expects that public entities will be responsive to stakeholder concerns. Third, if UAS operations at a Test Site raise privacy concerns that are not adequately addressed by the Test Site's privacy policies, elected officials can weigh the benefits and costs of additional privacy laws or regulations. Forty-three states have already enacted or are considering legislation regulating use of UAS. See Drone Legislation All the Rage; Varies Widely Across 43 States, According to WestlawNext, June 17, 2013, available at: http://thomsonreuters.com/press-releases/062013/drone_legislation_varies_across_states_according_to_Westlaw. (4) The FAA should conduct audits of the Test Sites to ensure compliance with privacy policies. Various commenters recommended that the FAA should audit each Test Site to ensure compliance with the privacy policies in the OTA. [[Page 68363]] Response: Each Test Site will be operated by a public entity (see response to Category 3 above). The FAA expects that the public entity operating each test site will already be subject to oversight and audit requirements. The FAA does not believe that it is appropriate for the FAA to impose additional audit requirements on the Test Site operators. (5) The FAA should require Test Site operators to keep records that will allow for effective citizen participation and reporting of privacy violations. One commenter recommended that the FAA require Test Site operators to keep accurate, detailed, frequent, and accessible records to allow for effective citizen participation and reporting of privacy violations. Response: Each Test Site operator will be a public entity (see response to Category 3 above). Public entities are generally subject to laws that establish record keeping requirements and provide the public access to records. The FAA does not believe that it is appropriate for the FAA to impose additional record keeping requirements on the Test Site operators other than those specified in the Final Privacy Requirements. (6) The FAA should establish a searchable database or registry of UAS operators and operations at the Test Sites. The FAA received a variety of comments advocating that: The FAA should create a public, searchable database or registry of all UAS operators. Some commenters recommended that the database include information about surveillance equipment used and the operator's data collection practices; The FAA should require UAS operators at the Test Sites to provide public statements describing the surveillance equipment that will be carried by a UAS, the geographical area where the UAS will be operated, and the purposes for which the UAS will be deployed; and The FAA should establish a means for the public to access the data on UAS flights collected by the FAA. Response: The FAA believes that it is not appropriate for the FAA to create a public registry or database of UAS operations at the Test Sites. However, the FAA has included a contractual provision in the Final Privacy Requirements that will require each Test Site operator to maintain a record of all UAS operating at the Test Site. (7) The FAA should modify its Test Site selection criteria to take into account privacy concerns. Various commenters recommended that the FAA revise its selection criteria. Suggestions included the following: The FAA should choose an applicant that has an established UAS research program with active engagement with UAS privacy issues; The FAA should choose at least one Test Site in a state with strong privacy protective UAS laws and regulations; The FAA should select one or more Test Sites in or near a densely populated urban area in order to avoid a bias towards privacy issues relevant for rural UAS operations; and The FAA should consider the privacy track record of applicants as part of the selection process. Response: The FAA believes that it is not appropriate to modify the Test Site selection criteria to include the recommended privacy considerations. Applicants have already submitted complete applications based on the announced selection criteria and the application period has closed. The FAA published the Test Site selection criteria and application instructions on February 14, 2013 on https://faaco.faa.gov under Solicitation number DTFACT-13-R-00002. The selection criteria incorporate the factors that Congress directed the FAA to consider in the FMRA, including, geographic and climatic diversity; location of ground infrastructure; and research needs. The FAA required applicants to submit seven volumes of extensive and detailed information that address a broad set of considerations including safety, airspace use, experience, research objectives, and risk considerations. This information will allow the FAA to make a selection based on the direction provided by Congress in the FMRA and on the FAA's mission. The FAA developed the Test Site selection criteria after seeking public input and consulting with other agencies regarding what selection criteria would be appropriate. In March 2012, the FAA published a request for comment in the Federal Register and in April 2012, the FAA hosted two public webinars to obtain public input on the FAA's proposed selection criteria. Although there was significant public participation, the FAA did not receive comments advocating that privacy issues be used as a factor in choosing the Test Sites. (8) The FAA should require Test Site operators to conduct specific tests related to privacy and surveillance. Commenters recommended that the FAA should: Require UAS operators at Test Sites to conduct specific tests related to surveillance and privacy; Require Test Site operators to design the sites--including the creation of ``fake'' houses or businesses--to allow UAS operators to test how accurate their surveillance systems are and test how much data those systems collect; and Develop and require Test Sites to implement a standard battery of privacy tests that each UAS operating within a Test Site should have to perform in order to collect data that the FAA can use to make decisions about privacy issues. Response: The FAA is not planning to have the Test Site operators conduct specific research. (9) The FAA should not take punitive actions against a Test Site operator for privacy violations without due process. One commenter noted that if charges are filed by law enforcement against a Test Site operator due to potential violations of privacy laws, the OTA allows the FAA to suspend or modify the relevant operational authority for a Test Site (e.g. Certificate of Operation, or OTA). That commenter recommended that a Test Site operator be entitled to due process before the operational authority be suspended or modified. Response: A Test Site operator's rights to operate a Test Site are set forth in the OTA and are subject to the terms and conditions in the OTA. The FAA believes that it is appropriate to include contractual provisions in the Final Privacy Requirements that allow the FAA to protect the public interest by suspending or modifying the relevant operational authority for a Test Site if charges are filed by law enforcement against a Test Site operator due to potential violations of privacy laws. (10) The FAA should establish sanctions for violations of privacy policies or rights. One commenter recommended that the FAA rescind the OTA for a Test Site where serious privacy violations have occurred and levy fines against operators that fail to comply with privacy policies. Response: The Final Privacy Requirements provide that violations of privacy laws can result in suspension or termination of the OTA. The FAA will not monitor a Test Site's compliance with its own privacy policies. The FAA expects the public entities operating the Tests Sites and their respective state/local oversight bodies to monitor and enforce a Test Site's compliance with its own policies. Conclusion Based on the comments submitted, the FAA intends to require each test site [[Page 68364]] operator to comply with all of the privacy requirements included in the Draft Privacy Requirements as well as the following additional privacy requirements: (1) Test site operators must maintain a record of all UAS operating in the test sites; (2) Test site operators must require every UAS operator in the Test Site to have a written plan for the operator's use and retention of data collected by the UAS; and (3) Test site operators must conduct an annual review of test site operations to verify compliance with stated privacy policy and practices and share those outcomes annually in a public forum with an opportunity for public feedback. Accordingly, the FAA intends to include the following terms and conditions into Article 3 of the OTA: ``ARTICLE 3 PRIVACY; APPLICABLE LAW a. Privacy Policies The Site Operator must: (i) Have privacy policies governing all activities conducted under the OTA, including the operation and relevant activities of the UAS authorized by the Site Operator. (ii) Make its privacy policies publicly available; (iii) Have a mechanism to receive and consider comments from the public on its privacy policies; (iv) Conduct an annual review of test site operations to verify compliance with stated privacy policy and practices and share those outcomes annually in a public forum with an opportunity for public feedback; (v) Update its privacy policies as necessary to remain operationally current and effective; and (vi) Ensure the requirements of its privacy policies are applied to all operations conducted under the OTA. The Site Operator's privacy policies should be informed by Fair Information Practice Principles. b. Compliance With Applicable Privacy Laws For purposes of this agreement, the term ``Applicable Law'' shall mean (i) a law, order, regulation, or rule of an administrative or legislative government body with jurisdiction over the matter in question, or (ii) a ruling, order, decision or judgment of a court with jurisdiction over the matter in question. The Site Operator and its team members must operate in accordance with all Applicable Law regarding the protection of an individual's right to privacy (hereinafter referred to as ``Privacy Laws''). If the U.S. Department of Justice or a state's law enforcement authority files criminal or civil charges over a potential violation of a Privacy Law, the FAA may take appropriate action including suspending or modifying the relevant operational authority (e.g., Certificate of Operation, or OTA) until the proceedings are completed. If the proceedings demonstrate the operation was in violation of the Privacy Law, the FAA may terminate the relevant operational authority. c. Change in Law If during the term of this Agreement an Applicable Law comes into effect which may have an impact on UAS, including impacts on the privacy interests of individuals or entities affected by any operation of any UAS operating at the Test Site, such Applicable Law will be applicable to the OTA and the FAA may update or amend the OTA to reflect these changes. d. Transmission of Data to the FAA The Site Operator should not provide or transmit to the FAA or its designees any data other than the data the data requested by the FAA pursuant to Article 5 of this OTA. e. Other Requirements The Site Operator must: (i) Maintain a record of all UAS operating at the test sites; and (ii) Require each UAS operator in the Test Site to have a written plan for the operator's use and retention of data collected by the UAS.'' Issued in Washington, DC, on November 7, 2013. Marc L. Warren, Acting Chief Counsel, Federal Aviation Administration. [FR Doc. 2013-27216 Filed 11-8-13; 11:15 am] BILLING CODE 4910-13-P