05 Apr 2021

FAA takes first flight in privacy with new drone rules

The rules allow drones to be flown in a wider set of conditions but also require them to have remote ID. Ice Miller’s Reena Bajowala, Mason Clark and Tiffany Kim analyse how they add complexity to the thorny issue of drones and privacy


The US Federal Aviation Administration recently issued sweeping regulations that alter the privacy landscape for unmanned aerial vehicles – or drones. It lifted prohibitions on the operation of drones over people, over moving vehicles, and at night, which, given increased drone capabilities to capture data, renewed interest in privacy concerns. The FAA also issued regulations requiring remote identification (ID), which will be a tool in regulating drone usage, but also add complexity to the privacy landscape.

Until now, the FAA has disclaimed responsibility for regulating privacy. Without any national data protection legislation, US drone privacy regulations are woefully inadequate. Instead, the US has a patchwork of frameworks that may apply, like analysis of aerial surveillance and digital data collection, that appear in common law cases. Simultaneously, various states have issued drone laws that provide useful data points that inform the overall US landscape for privacy in drone operations. With the FAA’s adoption of the new remote ID rules, the US has an opportunity to create a national regulatory framework for data protection and information security of drones, but any path forward will not be without its critics. 

Drones and Privacy before 2021

US courts have developed analytical frameworks applicable to drones used in certain locations or utilising certain capabilities that focus on enjoyment of private property, causation of harm and captures of sensitive, private information. 

Drones over private property

When drones fly above a private landowner’s property, property rights are implicated. There is a tension between the rights of drone operators to fly below 400 feet above ground in compliance with the FAA regulation and private landowners’ property rights to exclude drones from flying above their property—specifically in the low-altitude airspace.  Neither the FAA nor the courts have resolved this tension with a bright line.  In many cases, rulings turn on whether the drone’s physical intrusion substantially interfered with the landowner’s enjoyment of the land.

Flight patterns that are a nuisance

Some states have enacted drone-specific laws in the context of private nuisance, which is implicated if flight patterns are repetitive or may be perceived as a nuisance. Plaintiffs must prove there was unreasonable and substantial harm. Factors affecting liability include the characteristics of a specific community, frequency, magnitude and duration of the allegedly unreasonable conduct and the utility of the conduct.

Offensive intrusion into private affairs

Most states have adopted the tort of intrusion upon seclusion, which is the privacy tort most applicable to drone operations. It prohibits intentionally intruding upon the seclusion of another or their private affairs. The intrusion must be highly offensive to a reasonable person. Capturing images in a public place, for example, would not be “highly offensive.”  Unlike with property right violations, a highly sophisticated drone payload and ability to capture high quality images and live video at a high altitude make physical proximity to the target less relevant. These claims come down to expectations of privacy, which inform what is considered “highly offensive. These expectations are ever evolving. In 1989, the US Supreme Court found no reasonable expectation of privacy in a property owner’s backyard activities because visible from the vantage point of a helicopter flying 400 feet above the property. But public discomfort with drones flying over private backyards is rising and technology is advancing, so privacy expectations will change alongside it.  

Public disclosure of private facts

In many states, a person is liable for public disclosure of private facts if they publicise a matter concerning the private life of another that would be highly offensive to a reasonable person and is not of legitimate public concern. Liability may arise in the drone context if a highly offensive image is captured by a drone and then published on social media.

State approaches to drone law

Without a comprehensive framework for regulating privacy in drone operations, individual states have been left to their own devices. These laws ask the same question as common law: what is “offensive” to reasonable expectations of privacy? The state of Florida has been at the forefront of enacting restrictive drone legislation, prohibiting drone operators from collecting images of persons or objects on private property without prior consent if the expectation of privacy is “reasonable.” Florida presumes that an expectation of privacy is reasonable on “privately owned real property . . . not observable by persons located at ground level in a place where they have a legal right to be, regardless of whether he or she is observable from the air with the use of a drone.” Essentially, Florida enhances residents’ privacy by eliminating the aerial vantage point, which the Supreme Court deemed a vantage that lacks any reasonable expectation of privacy in the law enforcement context.

California – home to Hollywood – recognised a more expansive definition of privacy intrusion tailored to the needs of its residents.  The “Anti-Paparazzi” statute prohibits “knowingly enter[ing] onto the land or into the airspace above the land of another person without permission . . . to capture any type of visual image, sound recording, or other physical impression of the plaintiff engaging in a private, personal, or familial activity if the invasion occurs in a manner that is offensive to a reasonable person.” Physical trespass is explicitly not required, so use of high power lenses or ultra-sensitive microphones to collect information is within its scope.

Further, some states, like Nevada and Oregon, give real property owners the right to bring claims against drone operators who fly over their private property when they fly too low or are on notice of an objection, respectively.

In order to enhance the longevity of a drone program (especially if more states adopt similar approaches), drone designers should keep in mind the key question: would this offend reasonable expectations of privacy?

FAA addresses privacy: remote ID

Adding to the competing interests of drone operators and bystanders are the FAA’s new remote identification (ID) regulations. These regulations have been controversial, with proponents praising the long-awaited guidelines for tracking bad actors and critics citing privacy concerns for both operators in the air and bystanders on the ground. Remote ID for drones is analogous to a license plate for a car or an IP address for a computer in that it can provide location and user information regarding identity, location and flight path of the drone, as well as its “home” (control) station. And although the FAA and critics agree that remote ID is essential to promoting safe and efficient drone operation, drone operators and bystanders have differing privacy concerns.

Broadcast remote ID addresses privacy and security concerns 

The new regulations require the drone to broadcast radio signals directly from the air to ground receivers in the drone’s vicinity using one of three options:

  1. Standard Remote Identification: a drone with built-in remote ID broadcast capability.
  2. Broadcast Modules: a drone with a retrofitted device that broadcasts the necessary information.
  3. FAA-recognised Identification Areas (FRIAs): areas in which operators can fly drones without any remote ID elements, such as universities and community centers.

The information to be broadcasted includes a unique drone identifier, a time mark and latitude, longitude, geometric altitude and velocity for the drone and either the control station (Standard) or take-off location (Module).

Critics of broadcast remote ID—including Alphabet subsidiary Wing, Kittyhawk and AirMap—disfavour the vicinity constraints and cited privacy concerns. Wing argued that broadcast remote ID is less secure and could welcome real-time tracking by the general public. Broadcast messages are available to anyone, with little room for customisation based on drone type or objective (eg, delivery service versus hobbyist), which could expose operators’ information to both law enforcement and the general public.

The FAA countered that any personally identifiable information “beyond the public remote identification message elements will be strictly limited to authorised FAA and other government and law enforcement personnel who are operating in their official capacities.” The agency further assured critics that although the information broadcast from a drone is publicly available information, registration data pertaining to individuals is protected in accordance with the requirements of the Privacy Act (5 U.S.C. 552a) and will only be disclosed if an exception applies.

“Network” remote ID left out of rule

Companies like Wing and Kittyhawk were advocating instead for network remote ID, which uses an Internet connection to provide similar information to broadcast remote ID. According to Wing, signals sent over the network aren’t available to the general public and will be subject to additional cybersecurity requirements as a “drone’s complete flight path or flight history[,] which can be more sensitive, is not displayed to the public and only available to law enforcement if they have proper credentials and a reason to need that information.” Although the general public will have access to some of the basic message elements, only the FAA, law enforcement and other regulatory authorities should be able to access detailed data about the drone or its operator.

The FAA, on the other hand, specifically noted in the text of the rule that stakeholders raised several privacy issues with network remote ID. First, network remote ID requires Wi-Fi or another Internet connection and would not work in areas without service. This is particularly concerning for those bystanders on the ground who need to quickly identify a rule-breaking drone so they may exercise rights to exclude drones below a certain height. Second, a network-based remote ID requires significant data transfers via the Internet between the drone and the service supplier and invites a distributed denial of service (DDoS) on service suppliers. If commercial drones do indeed become ubiquitous, these concerns will be amplified as more consumer data is shared between operators, consumers and service suppliers. It is possible that drone operators in certain commercial contexts could be required to have heightened data protection requirements over its network.

US regulation of drone privacy has previously been left to individual states, but with the FAA stepping in, we have reason to hope for national, comprehensive legislation. Legislators should aim to strike the right balance between the rights of drone operators and bystanders.

Reena Bajowala is a partner and Mason Clark and Tiffany Kim are attorneys in Ice Miller’s data security and privacy practice

related topics