[Federal Register Volume 78, Number 220 (Thursday, November 14, 2013)]
[Rules and Regulations]
[Pages 68360-68364]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-27216]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Part 91

[Docket No. FAA-2013-0061]


Unmanned Aircraft System Test Site Program

AGENCY: Federal Aviation Administration (FAA), DOT.

ACTION: Notice of availability of final privacy requirements for the 
unmanned aircraft system (``UAS'') test site program; response to 
comments.

-----------------------------------------------------------------------

SUMMARY: On February 22, 2013 the FAA published and requested public 
comment on the proposed privacy requirements (the ``Draft Privacy 
Requirements'') for UAS test sites (the ``Test Sites'') that the FAA 
will establish pursuant to the FAA Modernization and Reform Act of 2012 
(``FMRA''). This document responds to the public comments received and 
publishes the FAA's final privacy requirements for the Test Sites (the 
``Final Privacy Requirements'').

[[Page 68361]]


DATES: November 14, 2013.

ADDRESSES: You may review the public docket for this rulemaking (Docket 
No. FAA-2013-0061) on the Internet at http://www.regulations.gov. You 
may also review the public docket at the Docket Management Facility in 
Room W12-140 of the West Building Ground Floor at 1200 New Jersey 
Avenue SE., Washington, DC 20590-0001 between 9 a.m. and 5 p.m., Monday 
through Friday, except Federal holidays.

FOR FURTHER INFORMATION CONTACT: For technical questions concerning the 
test site program, contact Elizabeth Soltys, Unmanned Aircraft Systems 
Integration Office, Federal Aviation Administration, 800 Independence 
Avenue SW., Washington, DC 20591; email: 9-ACT-UASTSS@faa.gov.
    For legal questions concerning the FAA's privacy requirements for 
the Test Sites contact Carlos Siso, Office of the Chief Counsel, 
Federal Aviation Administration, 800 Independence Ave. SW., Washington, 
DC 20591; email: 9-AGC-UASPrivacy@faa.gov.

SUPPLEMENTARY INFORMATION: This document summarizes and responds to the 
public comments received in response to the following Federal Register 
documents seeking public comment on the Draft Privacy Requirements for 
the Test Sites:
    (i) Notice of availability and request for comments published in 
the Federal Register on February 22, 2013 (78 FR 12259), Docket No. 
FAA-2013-0061-0001; and
    (ii) Notice of public engagement session published in the Federal 
Register on March 28, 2013 (78 FR 18932), Docket No. FAA-2013-0061-
0050.
    In addition, this document publishes the FAA's Final Privacy 
Requirements for the Test Sites which are set forth under the 
``Conclusion'' section below.

Discussion of Comments

    The FAA received 99 comments through Regulations.gov and 53 
comments through the public engagement session. A transcript of the 
public engagement session is available at: http://www.faa.gov/about/initiatives/uas/media/UAStranscription.pdf. Public comments ranged from 
recommending that the FAA not impose any privacy requirements on the 
Test Sites to recommending that the FAA impose extensive privacy 
requirements on the Test Sites. The FAA also received comments that 
were not responsive to the notice or that were unclear.
    The FAA analyzed the responsive comments and grouped them into ten 
categories. The following sections address the comments by category.
    (1) The FAA should focus on its safety mission; it should not 
engage in regulating privacy.
    The FAA received a number of comments advocating that the FAA 
should focus on its safety mission and should not engage in regulating 
privacy. The following comments were received:
     The FAA should focus on safety;
     Regulating privacy is outside the FAA's mission;
     The FAA does not have statutory authority to regulate 
privacy;
     The FAA does not have the authority to impose privacy 
requirements on the Test Sites;
     The FAA should allow privacy to be addressed by other more 
appropriate government bodies including: Federal agencies that have 
expertise and authority to deal with privacy concerns; Congress; state 
or local legislative bodies; and the judicial system;
     The Federal Government should not regulate privacy impacts 
of UAS; these issues should be left to states, cities, and counties to 
address;
     The FAA should only require compliance with privacy laws 
that are already in place and focus on developing safe operation of 
UAS;
     The FAA should not deny access to the national airspace 
for reasons other than safety;
     Existing privacy laws are sufficient to cover the 
responsible use of UAS. There already exist Federal, state and other 
laws that protect privacy. In addition, tort law may also provide 
avenues of recourse for plaintiffs to protect their privacy rights;
     The FAA should not implement privacy regulations that make 
entry into the market prohibitive for small businesses;
     The FAA should not allow privacy issues to hinder 
commercialization of UAS;
     There is no evidence that the operations at the Test Sites 
will harm privacy interests. Restricting activities at the test sites 
at this early stage will likely overprotect privacy at the expense of 
innovation;
     The FAA should afford adequate time for non-governmental 
solutions such as industry norms and practices to develop before 
intervening administratively to protect privacy. These less restrictive 
solutions will reduce the need for administrative intervention and will 
allow for increased innovation in the national airspace;
     Requiring Test Site operators to develop privacy policies 
that are informed by Fair Information Practice Principles is onerous 
for commercial operators of UAS and its cost will likely outweigh any 
hypothetical benefits;
     Requiring Test Site operators to issue privacy policies 
informed by Fair Information Practice Principles will limit the 
diversity of data that will inform integration of UAS into the national 
airspace. The FAA's approach would exclude an important possible 
alternative from the discussion: some operators might choose not to 
issue a privacy policy or adopt a non-FIPPs-compliant policy; and
     The FAA should treat data gathered by UAS no differently 
than data gathered by a manned aircraft or by other electronic means. 
There is no significant difference in terms of surveillance between a 
UAS and a manned aircraft, and manned aircraft are permitted to operate 
in the national airspace with cameras.
    Response: The FAA's mission is to provide the safest, most 
efficient aerospace system in the world and does not include regulating 
privacy. At the same time, the FAA recognizes that there is substantial 
debate and difference of opinion among policy makers, industry, 
advocacy groups, and members of the public as to whether UAS operations 
at the Test Sites will raise novel privacy issues that are not 
adequately addressed by existing legal frameworks.
    The FAA will require the Test Site operators to comply with the 
Final Privacy Requirements. Congress mandated that the FAA establish 
the Test Sites to further UAS integration into the national airspace 
system. The Final Privacy Requirements advance this purpose by helping 
inform the dialogue among policymakers, privacy advocates, and industry 
regarding the impact of UAS technologies on privacy.
    The FAA's authority for including the Final Privacy Requirements in 
the Test Site OTAs is set forth in 49 U.S.C. 106(l)(6). That statute 
authorizes the FAA Administrator to enter into an OTA ``on such terms 
and conditions as the Administrator may consider appropriate.'' The FAA 
believes that it is appropriate to require Test Site operators to 
comply with the Final Privacy Requirements.
    (2) The FAA should require warrants before law enforcement can use 
UAS in the Test Sites to conduct surveillance or gather evidence.
    The FAA received a variety of comments advocating that:
     The FAA should include provisions in the OTA that require 
warrants to be obtained when UAS are used to conduct surveillance or 
gather evidence within the Test Site; and

[[Page 68362]]

     The OTA include appropriate safeguards to protect Fourth 
Amendment rights at and around our national borders.
    Response: The FAA's mission is to provide the safest, most 
efficient aerospace system in the world. The FAA is establishing the 
UAS Test Sites consistent with its mission and the direction in the 
FMRA. The FAA appreciates the commenters' concerns. Accordingly, the 
final privacy requirements provide that the Site Operator and its team 
members must comply with all applicable privacy laws.
    (3) The FAA should mandate specific privacy requirements for the 
Test Sites.
    The FAA received a variety of comments advocating that the FAA 
mandate specific privacy requirements for the Test Sites. The 
recommendations included the following:
     The FAA should specify minimum privacy requirements and 
require each Test Site to comply with them;
     The FAA should mandate compliance with Fair Information 
Practice Principles for all Test Site operators;
     The FAA should establish prohibitions on where UAS can 
operate within a Test Site and the kinds of surveillance activities 
that UAS conduct at the Test Sites;
     The FAA should require all UAS flown at the Test Sites to 
have unencrypted down links so that all their data collection can be 
viewed by the public, including records contained onboard and recovered 
after landing;
     The FAA should require each Test Site operator to conduct 
a full Privacy Impact Assessment;
     The FAA should require each Test Site operator to 
establish a Chief Privacy Officer and centralize privacy 
responsibilities in that person;
     The FAA should require each Test Site operator to 
establish a privacy advisory committee to review proposed UAS research 
at the Test Sites for privacy concerns;
     The FAA should require each Test Site operator to provide 
a detailed response to public input it receives regarding the Test 
Site's privacy policy;
     The FAA should prohibit the sharing of recorded 
surveillance footage beyond the scope of its original purpose;
     The FAA should prohibit UAS in the Test Sites from flying 
below a minimum altitude;
     The FAA should prohibit UAS in the Test Sites from 
carrying any equipment that could be used to conduct surveillance;
     The FAA should limit the use of the data collected at the 
Test Sites;
     The FAA should prohibit (i) the use of Test Sites for 
government surveillance, and (ii) sharing data collected with law 
enforcement for the purpose of investigating or prosecuting a crime;
     The FAA should limit the type of data that can be 
collected by UAS at the Test Sites including limiting the resolution of 
visual imagery that UAS can collect, prohibiting recording of audio 
data, and restricting the ability to collect WiFi and cellular signals;
     The FAA should require Test Site operators to provide data 
on the payload of each UAS flown at the Test Site including specific 
information on the data the payload is capable of collecting;
     The FAA should mandate privacy policies that require 
deletion of collected data within a certain time period;
     The FAA should prohibit the Test Site operator and UAS 
operators at the Test Sites from retaining any data collected longer 
than is necessary to fulfill the purpose of the Test Site;
     The FAA should require UAS operators to file data 
collection statements with the FAA for UAS operations that involve 
remote sensing and signals surveillance from the UAS platform; and
     The FAA should require UAS operating at altitudes over 400 
feet to carry an automatic dependent surveillance-broadcast transponder 
(ADS-B Out) so that UAS operations can be tracked.
    Response: The FAA's mission is to provide the safest, most 
efficient aerospace system in the world. Although there is a long 
history of placing cameras and other sensors on aircraft for a variety 
of purposes--news helicopters, aerial surveys, film/television 
production, law enforcement, etc.--the FAA is not, through awarding and 
supervising these Test Sites, taking specific views on whether or how 
the Federal Government should regulate privacy or the scope of data 
that can be collected by manned or unmanned aircraft.
    There was substantial difference of opinion among commenters as to 
whether UAS operations and manned aircraft operations present different 
privacy issues that justify imposing special privacy restrictions on 
UAS operations at the Test Sites. In addition, there was substantial 
difference of opinion among commenters regarding what elements would be 
appropriate for a Test Site privacy policy. Based on the comments 
received, the FAA will require Test Sites to comply with the following 
requirements in addition to those described in the Draft Privacy 
Requirements:
    (1) Test site operators must maintain a record of all UAS operating 
in the test sites;
    (2) Test site operators must require every UAS operator in the Test 
Site to have a written plan for the operator's use and retention of 
data collected by the UAS; and
    (3) Test site operators must conduct an annual review of test site 
operations to verify compliance with stated privacy policy and 
practices and share those outcomes annually in a public forum with an 
opportunity for public feedback.
    The above are reflected in the Final Privacy Requirements.
    The FAA has determined that it should not impose privacy 
requirements beyond those in the Final Privacy Requirements for the 
following reasons. First, there are many privacy laws and applications 
of tort law that may address some of the privacy issues that arise from 
UAS operations at the Test Sites.
    Second, the FAA believes that Test Sites operators will be 
responsive to local stakeholders' privacy concerns and will develop 
privacy policies appropriately tailored to each Test Site. The 
selection criteria for the Test Sites specify that only a ``public 
entity'' can serve as a Test Site operator. The term ``public entity'' 
is defined in the selection criteria to mean ``(A) any State or local 
government; (B) any department, agency, special purpose district, or 
other instrumentality of a State or States or local government; and (C) 
the National Railroad Passenger Corporation, and any commuter 
authority.'' The FAA expects that public entities will be responsive to 
stakeholder concerns.
    Third, if UAS operations at a Test Site raise privacy concerns that 
are not adequately addressed by the Test Site's privacy policies, 
elected officials can weigh the benefits and costs of additional 
privacy laws or regulations. Forty-three states have already enacted or 
are considering legislation regulating use of UAS. See Drone 
Legislation All the Rage; Varies Widely Across 43 States, According to 
WestlawNext, June 17, 2013, available at: http://thomsonreuters.com/press-releases/062013/drone_legislation_varies_across_states_according_to_Westlaw.
    (4) The FAA should conduct audits of the Test Sites to ensure 
compliance with privacy policies.
    Various commenters recommended that the FAA should audit each Test 
Site to ensure compliance with the privacy policies in the OTA.

[[Page 68363]]

    Response: Each Test Site will be operated by a public entity (see 
response to Category 3 above). The FAA expects that the public entity 
operating each test site will already be subject to oversight and audit 
requirements. The FAA does not believe that it is appropriate for the 
FAA to impose additional audit requirements on the Test Site operators.
    (5) The FAA should require Test Site operators to keep records that 
will allow for effective citizen participation and reporting of privacy 
violations.
    One commenter recommended that the FAA require Test Site operators 
to keep accurate, detailed, frequent, and accessible records to allow 
for effective citizen participation and reporting of privacy 
violations.
    Response: Each Test Site operator will be a public entity (see 
response to Category 3 above). Public entities are generally subject to 
laws that establish record keeping requirements and provide the public 
access to records. The FAA does not believe that it is appropriate for 
the FAA to impose additional record keeping requirements on the Test 
Site operators other than those specified in the Final Privacy 
Requirements.
    (6) The FAA should establish a searchable database or registry of 
UAS operators and operations at the Test Sites.
    The FAA received a variety of comments advocating that:
     The FAA should create a public, searchable database or 
registry of all UAS operators. Some commenters recommended that the 
database include information about surveillance equipment used and the 
operator's data collection practices;
     The FAA should require UAS operators at the Test Sites to 
provide public statements describing the surveillance equipment that 
will be carried by a UAS, the geographical area where the UAS will be 
operated, and the purposes for which the UAS will be deployed; and
     The FAA should establish a means for the public to access 
the data on UAS flights collected by the FAA.
    Response: The FAA believes that it is not appropriate for the FAA 
to create a public registry or database of UAS operations at the Test 
Sites. However, the FAA has included a contractual provision in the 
Final Privacy Requirements that will require each Test Site operator to 
maintain a record of all UAS operating at the Test Site.
    (7) The FAA should modify its Test Site selection criteria to take 
into account privacy concerns.
    Various commenters recommended that the FAA revise its selection 
criteria. Suggestions included the following:
     The FAA should choose an applicant that has an established 
UAS research program with active engagement with UAS privacy issues;
     The FAA should choose at least one Test Site in a state 
with strong privacy protective UAS laws and regulations;
     The FAA should select one or more Test Sites in or near a 
densely populated urban area in order to avoid a bias towards privacy 
issues relevant for rural UAS operations; and
     The FAA should consider the privacy track record of 
applicants as part of the selection process.
    Response: The FAA believes that it is not appropriate to modify the 
Test Site selection criteria to include the recommended privacy 
considerations. Applicants have already submitted complete applications 
based on the announced selection criteria and the application period 
has closed.
    The FAA published the Test Site selection criteria and application 
instructions on February 14, 2013 on https://faaco.faa.gov under 
Solicitation number DTFACT-13-R-00002. The selection criteria 
incorporate the factors that Congress directed the FAA to consider in 
the FMRA, including, geographic and climatic diversity; location of 
ground infrastructure; and research needs. The FAA required applicants 
to submit seven volumes of extensive and detailed information that 
address a broad set of considerations including safety, airspace use, 
experience, research objectives, and risk considerations. This 
information will allow the FAA to make a selection based on the 
direction provided by Congress in the FMRA and on the FAA's mission.
    The FAA developed the Test Site selection criteria after seeking 
public input and consulting with other agencies regarding what 
selection criteria would be appropriate. In March 2012, the FAA 
published a request for comment in the Federal Register and in April 
2012, the FAA hosted two public webinars to obtain public input on the 
FAA's proposed selection criteria. Although there was significant 
public participation, the FAA did not receive comments advocating that 
privacy issues be used as a factor in choosing the Test Sites.
    (8) The FAA should require Test Site operators to conduct specific 
tests related to privacy and surveillance.
    Commenters recommended that the FAA should:
     Require UAS operators at Test Sites to conduct specific 
tests related to surveillance and privacy;
     Require Test Site operators to design the sites--including 
the creation of ``fake'' houses or businesses--to allow UAS operators 
to test how accurate their surveillance systems are and test how much 
data those systems collect; and
     Develop and require Test Sites to implement a standard 
battery of privacy tests that each UAS operating within a Test Site 
should have to perform in order to collect data that the FAA can use to 
make decisions about privacy issues.
    Response: The FAA is not planning to have the Test Site operators 
conduct specific research.
    (9) The FAA should not take punitive actions against a Test Site 
operator for privacy violations without due process.
    One commenter noted that if charges are filed by law enforcement 
against a Test Site operator due to potential violations of privacy 
laws, the OTA allows the FAA to suspend or modify the relevant 
operational authority for a Test Site (e.g. Certificate of Operation, 
or OTA). That commenter recommended that a Test Site operator be 
entitled to due process before the operational authority be suspended 
or modified.
    Response: A Test Site operator's rights to operate a Test Site are 
set forth in the OTA and are subject to the terms and conditions in the 
OTA. The FAA believes that it is appropriate to include contractual 
provisions in the Final Privacy Requirements that allow the FAA to 
protect the public interest by suspending or modifying the relevant 
operational authority for a Test Site if charges are filed by law 
enforcement against a Test Site operator due to potential violations of 
privacy laws.
    (10) The FAA should establish sanctions for violations of privacy 
policies or rights.
    One commenter recommended that the FAA rescind the OTA for a Test 
Site where serious privacy violations have occurred and levy fines 
against operators that fail to comply with privacy policies.
    Response: The Final Privacy Requirements provide that violations of 
privacy laws can result in suspension or termination of the OTA.
    The FAA will not monitor a Test Site's compliance with its own 
privacy policies. The FAA expects the public entities operating the 
Tests Sites and their respective state/local oversight bodies to 
monitor and enforce a Test Site's compliance with its own policies.

Conclusion

    Based on the comments submitted, the FAA intends to require each 
test site

[[Page 68364]]

operator to comply with all of the privacy requirements included in the 
Draft Privacy Requirements as well as the following additional privacy 
requirements:
    (1) Test site operators must maintain a record of all UAS operating 
in the test sites;
    (2) Test site operators must require every UAS operator in the Test 
Site to have a written plan for the operator's use and retention of 
data collected by the UAS; and
    (3) Test site operators must conduct an annual review of test site 
operations to verify compliance with stated privacy policy and 
practices and share those outcomes annually in a public forum with an 
opportunity for public feedback.
    Accordingly, the FAA intends to include the following terms and 
conditions into Article 3 of the OTA:

``ARTICLE 3 PRIVACY; APPLICABLE LAW

a. Privacy Policies

    The Site Operator must:
    (i) Have privacy policies governing all activities conducted under 
the OTA, including the operation and relevant activities of the UAS 
authorized by the Site Operator.
    (ii) Make its privacy policies publicly available;
    (iii) Have a mechanism to receive and consider comments from the 
public on its privacy policies;
    (iv) Conduct an annual review of test site operations to verify 
compliance with stated privacy policy and practices and share those 
outcomes annually in a public forum with an opportunity for public 
feedback;
    (v) Update its privacy policies as necessary to remain 
operationally current and effective; and
    (vi) Ensure the requirements of its privacy policies are applied to 
all operations conducted under the OTA.
    The Site Operator's privacy policies should be informed by Fair 
Information Practice Principles.

b. Compliance With Applicable Privacy Laws

    For purposes of this agreement, the term ``Applicable Law'' shall 
mean (i) a law, order, regulation, or rule of an administrative or 
legislative government body with jurisdiction over the matter in 
question, or (ii) a ruling, order, decision or judgment of a court with 
jurisdiction over the matter in question. The Site Operator and its 
team members must operate in accordance with all Applicable Law 
regarding the protection of an individual's right to privacy 
(hereinafter referred to as ``Privacy Laws''). If the U.S. Department 
of Justice or a state's law enforcement authority files criminal or 
civil charges over a potential violation of a Privacy Law, the FAA may 
take appropriate action including suspending or modifying the relevant 
operational authority (e.g., Certificate of Operation, or OTA) until 
the proceedings are completed. If the proceedings demonstrate the 
operation was in violation of the Privacy Law, the FAA may terminate 
the relevant operational authority.

c. Change in Law

    If during the term of this Agreement an Applicable Law comes into 
effect which may have an impact on UAS, including impacts on the 
privacy interests of individuals or entities affected by any operation 
of any UAS operating at the Test Site, such Applicable Law will be 
applicable to the OTA and the FAA may update or amend the OTA to 
reflect these changes.

d. Transmission of Data to the FAA

    The Site Operator should not provide or transmit to the FAA or its 
designees any data other than the data the data requested by the FAA 
pursuant to Article 5 of this OTA.

e. Other Requirements

    The Site Operator must:
    (i) Maintain a record of all UAS operating at the test sites; and
    (ii) Require each UAS operator in the Test Site to have a written 
plan for the operator's use and retention of data collected by the 
UAS.''

    Issued in Washington, DC, on November 7, 2013.
Marc L. Warren,
Acting Chief Counsel, Federal Aviation Administration.
[FR Doc. 2013-27216 Filed 11-8-13; 11:15 am]
BILLING CODE 4910-13-P