Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
ACRP LRD 42 41 enterprise-owned network boundary.335 This defense approach is particularly relevant during the COVID-19 pandemic and has broad-scale applicability to airport stakeholder employees working from home. E. Future Trends The FTC continues to press for expansion of consumer pri- vacy protections. Through its advocacy programs, the FTC has pressed for congressional approval of comprehensive privacy and data security measures. Through its enforcement actions, the FTC has built an incremental common law of data pro- tection law. Those efforts align with international initiative to strengthen data protection. Understanding FTC recommended best practices and implementing them where possible will help in establishing sound data collection and sharing practices at airports. The FTC is clearly looking to expand its authority in privacy protection. In its 2020 report to the Senate Appropriations Committee, it noted to better equip the Commission to meet its statutory mission to pro- tect consumers, we urge Congress to enact privacy and data security legislation, enforceable by the FTC, which grants the agency civil penalty authority, targeted APA rulemaking authority, and jurisdic- tion over non-profits and common carriers.336 VII. OVERVIEW OF STATE CONSTITUTIONAL PRIVACY PROTECTIONS Just as the U.S. Constitution affords protections for civil liberties, so do the constitutions of the individual states. In fact, many state constitutional provisions offer greater individual protections than those contained in the federal system. There- fore, understanding the privacy protections established by state constitutions is necessary when advising airports about data collection. In some instances, state constitutions reflect specific protec- tions for privacy. In others, the differences may not be readily apparent from the plain language of the constitutional provi- sions. While such language may appear to parallel federal con- stitutional provisions, the interpretation of those provisions by state courts may be different than the ones applied by federal courts. An examination of state law treatment of GPS track- ing technology illustrates the way in which state constitutional provisions can impact policies with respect to data collection and use. While those cases concern criminal proceedings, their teachings with respect to government activities in data collec- tion, particularly those activities that do not involve notice and consent form individuals whose data is collected. With respect to express privacy protections, twelve states have specific constitutional provisions relating to a right to pri- vacy. Other states have more generalized provisions with respect 335 Id. 336 FTC Use of Its Authorities to Protect Consumer Privacy and Security, F.T.C. (2020), at 5, https://www.ftc.gov/system/files/documents/reports/ reports-response-senate-appropriations-committee-report-116-111-ftcs- use-its-authorities-resources/p065404reportprivacydatasecurity.pdf. These materials from the FTC offer examples of measures that the FTC considers best practices in data protection and security. Naturally, consideration of these measures would be helpful in the development of data protection practices. D. Other Executive Branch and Congressional Initiatives Addressing the increase in use of artificial intelligence, the United States, by Presidential Executive Order,327 has established a federal initiative to promote U.S. leadership in the AI field. The initiative requires federal agencies to consider fairness, trans- parency, safety, and security in deploying AI systems. It requires agencies to consider appropriate measures to disclose when AI is in use and to consider controls to ensure confidentiality and integrity of information processed, stored, and transmitted in an AI system.328 In addition to addressing AI, the executive branch has used the NIST to examine privacy issues. The NIST Privacy Framework,329 published in January 2020, offers guidelines for enterprises to manage privacy issues. This work complements other NIST efforts in cybersecurity.330 The FTC has also pro- vided supportive comments on the proposed NIST Privacy Framework.331 Among the efforts by NIST in cybersecurity is its Special Publication entitled Zero Trust Architecture.332 Zero trust archi- tecture uses an evolving set of cybersecurity paradigms that employs defenses from network-based perimeters to focus on users, assets and resources.333 The basic premise assumes that there is no implicit trust granted to assets or user accounts based solely on their physical or network location or on asset owner- ship.334 NIST views zero trust as a response to enterprise net- work trends that include remote users, bring-your-own-device (BYOD), and cloud-based assets that are not located within an 327 Proclamation No. 13,859, 84 Fed. Reg. 3967 (Feb. 11, 2019), https://www.federalregister.gov/documents/2019/02/14/2019-02544/ maintaining-american-leadership-in-artificial-intelligence. 328 See American Artificial Intelligence Initiative: Year One Annual Report, The White House Office of Sci. & Tech. Policy (Feb. 2020), https://www.whitehouse.gov/wp-content/uploads/2020/02/American- AI-Initiative-One-Year-Annual-Report.pdf. 329 NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0, Natâl Int. of Standards & Tech. (Jan. 16, 2020), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST. CSWP.04162018.pdf. 330 See, e.g., Framework for Improving Critical Infrastructure Cyber- security, Version 1.1, Natâl Inst. of Standards & Tech. (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018. pdf. 331 Federal Trade Commission Staff Comment on the Preliminary Draft for the NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, FTC (Oct. 24, 2019), https:// www.ftc.gov/news-events/press-releases/2019/10/ftc-staff-offers- comment-nists-proposed-privacy-framework. 332 Zero Trust Architecture, Natâl Inst. Sci. & Tech. (Aug. 11, 2020), https://www.nist.gov/publications/zero-trust-architecture. 333 Id. 334 Id.
42 ACRP LRD 42 ing greater protections to individual conduct than that afforded under the U.S. Constitution. The action of some state courts, starting in the 1970âs to move of away from a âlockstepâ inter- pretation of their constitutions with similar provisions in the federal constitution is well documented.349 The introduction of new data collection and surveillance capability resulting from a proliferation of tracking technologies, and particularly the enhancements in tracking made possible by GPS technology, raised challenges that some states courts found inadequately addressed by federal law. The application of these technologies offers a clear example of how state courts have used the provi- sions of their state constitutions to address privacy concerns that they believed federal protections did not adequately address. This developing state jurisprudence involved both the rejection of the lockstep doctrine and the reference to enhanced privacy protections within the provisions of their stateâs constitutions. State constitutional divergence from federal protections con- cerning surveillance and tracking begins with the Oregon State Supreme Court decision in State v. Campbell.350 There, that court provided additional protection against public surveillance activ- ities based on its interpretation of provisions in the stateâs con- stitution. While the U.S. Supreme Court had concluded that the use of beepers to track suspects across public space was permis- sible without a warrant,351 the Campbell court concluded that such a practice was prohibited by the Oregon Constitution.352 As the capability of tracking surveillance was enhanced with the advent of GPS technology, additional state courts addressed associated privacy issues. In 2003, the Washington Supreme Court concluded that its constitution prohibited the practice of government use of GPS for tracking without a warrant.353 In 2009, courts in Massachusetts354 and New York355 also con- cluded that their constitutions precluded GPS tracking in the absence of a warrant. Unlike the decision of the Washington Supreme Court in Jackson, which relied on express protections in the Washington Constitution, the courts in Massachusetts in Connolly, and New York in Weaver, rejected the lockstep doc- 349 See, e.g., Robert F. Williams, State Courts Adopting Federal Con- stitutional Doctrine: Case-by-Case Adoptionism or Prospective Lockstep- ping, 46 Wm. & Mary L. Rev. 1499, 1499 (2005); Helen W. Gunnarsson, The Limited Lockstep Doctrine, 94 Ill. Bar J. 340, 340 (July 2006). 350 759 P.2d 1040 (Or. 1988). 351 U.S. v. Knotts, 460 U.S. 276 (1983). 352 Movement by state courts away from the federal interpretation of privacy rights regarding use of tracking devices was not universal. The Nevada Supreme Court expressly rejected adoption of the approach in Campbell to provisions of the Nevada Constitution. See Osburn v. State, 118 Nev. 232 (Nev. 2002). 353 State v. Jackson, 76 P.3d 217 (Wash. 2003). 354 In Commonwealth v. Connolly, 913 N.E.2d 356 (Mass. 2009) (provisions of Article 14 of the Massachusetts Declaration of Rights addressing privacy are more expansive than Fourth Amendment pro- tections requiring a warrant for GPS tracking). 355 People v. Weaver, 909 N.E.2d 357 (N.Y. 2009) (holding that pro- visions of the New York Constitution addressing privacy are more expansive than Fourth Amendment protections requiring a warrant for GPS tracking, and that a similar outcome would occur under the Fourth Amendment). to search and seizure, like those in the U.S. Constitution. How- ever, under federalism, courts in those states are free to interpret their constitutions as providing greater protections than those afforded by the U.S. Constitution. The states with explicit privacy protections for privacy in- clude: Alaska,337 Arizona,338 California,339 Florida,340 Hawaii,341 Illinois,342 Louisiana,343 Missouri,344 Montana,345 New Hampshire,346 South Carolina,347 and Washington.348 While privacy protections follow no standard or pattern or template, commonalities exist. Importantly, however, the interpretation of a stateâs constitutional protections falls under the exclusive province of that stateâs courts. While state courts occasionally look to decisions of other states or federal courts in reaching conclusions over similar provisions, no deference to the deci- sions of other state or federal courts is required. Therefore, no such deference should be expected, although other state or fed- eral opinions addressing analogous constitutional provisions may be persuasive for matters of first impression. Some state constitutions declare an express right of privacy. Those states include Alaska, California, Illinois, Florida, and Montana. The constitutions of Arizona and Washington discuss protection of âprivate affairs.â The distinction between âprivacyâ and âprivate affairs,â if any, is unclear, and case law addressing any potential distinction is scant. The state constitutional provisions establishing privacy rights generally reference the need to limit government activ- ity or provide protection concerning government actions like searches and seizures. Some of the state constitutional provi- sions like those found in Hawaii, Illinois, Louisiana, and South Carolina, provide protection for âinvasions of privacyâ in addi- tion to protections against âunreasonable searches and seizures.â In four states, Hawaii, Illinois, Louisiana, and Missouri, consti- tutional protections for electronic communications are explicit. Moreover, some provisions guaranteeing a privacy right, like those found in the constitutions of Alaska, Arizona, California, and Washington, are drafted so broadly that they might be in- terpreted to address private conduct. The implications of these broad grants of privacy right have yet to be fully explored by state courts. In addition to the provisions in state constitutions that ex- pressly protect âprivacy,â however styled, there are instances where provisions of state constitutions protecting against un- reasonable searches and seizures have been interpreted as grant- 337 Alaska Const. art. 1, Â§Â 22. 338 Ariz. Const. art II, Â§Â 8. 339 Cal. Const. art. I, Â§Â§Â 1, 23. 340 Fla. Const. art. 1, Â§Â 12. 341 Haw. Const. art. I, Â§Â§ 6, and 7. 342 Ill. Const. art. I, Â§ 6. 343 La. Const. art. I, Â§ 5. 344 Mo. Const. art. I, Â§ 15. 345 Mont. Const. art. II, Â§Â 10. 346 N.H. Const. art. 2-b. 347 S.C. Const. art. I, Â§Â 10. 348 Wash. Const. art.1, Â§Â 7.