Privacy, drones and IoT

This year I had the opportunity to give a presentation at the World Bank in Washington DC during one of their “brown bag sessions”, focused on Privacy, Drones and Internet of Things (IoT).

The World Bank is an organization that works worldwide with a wide range of projects, including some initiatives connected with new technologies, and every time, they should evaluate different risks involved, including privacy risks. The purpose of the presentation was to understand the concept of ‘privacy’ and its different meanings worldwide, how to define the privacy framework and assess the risks arising from the use of new technologies such as drones or IoT, and introduce the Privacy Impact Assessment as an effective tool that we can use in any jurisdiction.

I am going to share some thoughts of these broad and complex chapters that I had to sum up within one hour.

Understanding the concept of Privacy

Privacy dates back centuries, but the concept of “modern privacy” has evolved differently through various countries according to their culture and history.

Certainly, countries have a different approach to privacy protecting different types of information. This is an important factor to consider when assessing privacy risks that may arise from new technologies.

The United States uses a sectorial approach developing privacy laws as needed. In formal terms there is not a specific definition of personal data, but instead we can find multiple definitions in common law, the different federal and state laws and through the Federal Trade Commission consent agreements related to unfair or deceptive acts or practices.

In contrast, Europe has a comprehensive approach that recognizes the right to the protection of personal data as a fundamental right, stated in article 8 of the Charter of Fundamental Rights of the European Union.

Europe has general data protection regulation, including a broad definition of personal data. It can even have extraterritorial scope. After examining both privacy approaches, we can conclude that while in the US everything is allowed unless forbidden, in Europe everything is forbidden unless allowed.

Finally, Canada uses a co-regulatory framework and is somewhere between the US and the EU. It is one of the countries closest to the European Union in terms of comprehensive information privacy law.

Privacy and drones

Bearing in mind the myriad of privacy regulations that exist internationally, when it comes to drone’s privacy regulations, of course it isn’t less complicated.
In the US the current regulation on drones issued by the Federal Aviation Administration is basically focused on safety, registry requirements, training programs and airworthiness certification.

However, the concepts of ‘reasonable expectation of privacy’ and the limits of ‘private property’ are key factors to assess the impact on privacy of drone operations.

So, how can we define these key concepts and understand the limits and privacy risks of drone operations?

Right now, there are different tools that can be applied, such as common law, state and local regulations and the Voluntary Best Practices regarding UAS.

After examining different common law cases related to the concept of expectation of privacy and the limits of private property, we reviewed some examples of state regulations specifically targeted on drone operations that try to protect different understandings of what they consider “reasonable expectation of privacy”.

The same technology that makes drones so unique should be developed considering privacy challenges from the design stage.

We also reviewed the Voluntary Best practices for protecting privacy, civil rights and civil liberties in UAS programs approved by the US Department of Homeland Security, and the Best Practices approved on May 18 2016 by different privacy groups and industry stakeholders that participated in the National Telecommunications & Information Administration (NTIA) Multi-Stakeholder process concerning privacy, transparency, and accountability issues regarding commercial and private use of unmanned aircraft systems.

All of these resources can help sketch the aforementioned key concepts in order to assess the privacy impact of drone operations.

I also mentioned that I have been working with the Privacy by Design principle as a complementary tool that can help minimize the privacy impact effectively. The same technology that makes drones so unique should be developed considering privacy challenges from the design stage.

Finally, in Europe there are different state laws relating to surveillance activities or derived from the Directive 95/46/CE that apply to UAS operations. Most of these laws will be replaced by a General Data Protection Regulation in two years’ time.

However, some instances of processing of personal data arising from the use of drone operations may fall out of their scope in the light of exemptions or derogations that member states can lay down, e.g. public security, defense, freedom of expression and information or hobbyists. This means that we will have to continue checking local regulations in certain situations.

Privacy and the Internet of Things

The Internet of Things (IoT) is about connecting devices over the internet, letting them talk to us and each other. Everyday physical objects will be connected to the Internet and will be able to identify themselves to other devices. Of course, connected vehicles (cars and drones) also will be part of the IoT.

This section analyzes the risks that may arise from the use of IoT and metrics that should be considered for their assessment.

The starting point is to assume that IoT will be no more secure than any other Internet technology – and in some cases, may even be less secure. For this reason, it is important to consider different measures that can help minimize privacy risks.

Risk is dynamic, so it will be greater for the first generation of IoT devices. As we gain experience with IoT, the risk will decrease.

The solution: Privacy Impact Assessment (PIA)

A PIA is an effective tool that we can use in any jurisdiction in order to identify and minimize privacy risks of different projects involving IoT, drones or other emerging technologies.

The wingspan of a PIA depends to a large degree on the amount and type of information used in the project and the purpose, scope, and stakeholders involved.

A PIA usually includes the following steps: describe the project and the information lifecycle, identify privacy and related risks – including a compliance check against legal, regulatory and industry standards-, identify and evaluate privacy solutions and, finally, integrate these solutions into the project.

Privacy is a complex concept, especially regarding international projects and new technologies, where risks are still hypothetical and regulations are nonexistent or in the process of changing. For this reason, the PIAs is an excellent tool to assess privacy risks of newborn technologies, with the advantage that it can be used across different countries.