Legal Implications of Data Collection at Airports (2021)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

54    ACRP LRD 42 There is currently no federal law regulating the use of FRS. A. Provisions for Open Government In February, 2020, a U.S. Senate bill, the Ethical Use of Facial In his 1953 work evaluating government openness, Harold Recognition Act,560 was proposed to provide for a moratorium Cross systematically documented the limited nature of indi- on the use of FRS until the date on which Congress implements vidual access to governmental records.570 Cross’ comprehensive guidelines governing its use.561 The national dialogue in the review of federal and state laws concerning openness and in- United States has renewed focus on FRS as a police practice, formation practice was influential in the subsequent creation of and on June 8, 2020, the George Floyd Justice in Policing Act open records laws by both states and the federal government.571 of 2020 was introduced in the U.S. House of Representatives.562 In 1966, the United States enacted the Federal FOIA Statute.572 The proposed legislation would prohibit the real-time use of Effective a year later in July 1967, the Federal FOIA Statute has FRS on police body cameras and would require study of issues been updated over the years with the most recent revisions oc- relating to the constitutional rights of individuals on whom FRS curring in 2007. In a 2016 retrospective on the development is used.563 On June 17, 2020, Republicans in the U.S. Senate pro- of FOIA protections at both the state and federal levels, Davis posed another version of policing reform, the Just and Unifying Cuillier offers an excellent perspective on movement made with Solutions to Invigorate Communities Everywhere Act of 2020 respect to government openness since the 1950’s and 1960s. (the JUSTICE Act).564 However, the JUSTICE Act does not ad- While the Federal FOIA Statute applies only to records dress FRS.565 maintained by the federal government, its structure is like that On June 18, 2020, Senator Sherrod Brown (D-OH) intro- of statutes adopted in many states. The National Association of duced the Data Accountability and Transparency Act of 2020 Counties (NACo) offered a comprehensive collection of those (the DATA Act).566 The DATA Act focuses on the collection, statutes in a 2010 report entitled Open Records Laws: A State use, and sharing of individuals’ personal information and would by State Approach. At the time of the Federal FOIA Statute en- make it an unlawful practice to use FRS and to collect, use, or actment several jurisdictions already had provisions providing share personal data obtained from FRS.567 On June 25, 2020, for access to government records. In some states, access was two Democratic senators introduced the Facial Recognition ­granted by state constitutional provisions.573 and Biometric Technology Moratorium Act of 2020.568 Of spe- All states and the District of Columbia have their own ver- cial interest to airports, this broad-sweeping legislative initiative sion of the Federal FOIA Statute. Called freedom of informa- would deny federal funding to any state or local entity that does tion, open records, or “Sunshine” statutes, these provisions allow not enact an equivalent moratorium.569 While none of these for citizen access to a wide range of documents and ­records proposed federal regulations has been enacted, the enactment maintained by governments. Generically, this report will refer of a federal statute regarding FRS would undoubtedly impact to them as “state FOIA provisions.” While the exact parameters the airport space. of state FOIA provisions vary widely, there are some common patterns and trends that airports should consider as they collect X. INTERPLAY OF PRIVACY AND OPEN and share data. GOVERNMENT RECORDS The 2010 NACo Report notes that the general structure of The existence of measures to ensure open government gen- state FOIA provisions have the following common features: erates interesting implications for privacy law. While some advocacy organizations lament government access to private • Designation as to who may request records and purposes personal data, they simultaneously seek liberal access to govern- for which requests can be made; mental records. Meeting requirements for government to retain • Identification of the records covered under the law (in- data it collects in accordance with defined retention require- cluding specification of the particular entities covered); ments, combined with public access laws, can prove difficult. • Fees and costs that can be assessed to requestors; • Enforcement and sanctions provisions to ensure c­ ompliance; 560   Ethical Use of Facial Recognition Act of 2020, S. 3284, 116th • Designation of records which are exempt from ­production; Cong. (2020). • Provisions respecting production of Electronic record; 561   Id. and 562   George Floyd Justice in Policing Act of 2020, H.R. 7120, 116th • Limitation on “money-making” in connection with gov- Cong. (2020). ernment providing requested data.574 563   Id. 564   Just and Unifying Solutions to Invigorate Communities Every- 570   Harold L. Gross, The People’s Right to Know (1953). where Act of 2020, S. 3985, 116th Cong. (2020). 571   David Cuillier, Special Issue: The U.S. Freedom of Information Act 565   Id. at 50 Article: The People’s Right to Know: Comparing Harold L Cross’ Pre- 566  Data Accountability and Transparency Act of 2020, S. 2577, FOIA World to Post-FOIA Today, 21 Comm. L. & Pol’y 433, 433 (2016). 116th Cong. (2020). 572   5 USC § 552 et. seq. 567   Id. 573   Open Records Laws: A State by State Approach, Nat’l Ass’n of 568   Facial Recognition and Biometric Technology Moratorium Act Ctys (Dec. 2010), at 6, https://www.governmentecmsolutions.com/ of 2020, S. 4084, 116th Cong. (2020). files/124482256.pdf. 569   Id. 574   Id. 

ACRP LRD 42   55 The 2010 NACo Report includes excellent summary data will likely be required to be retained pursuant to record re- charts outlining the general requirements of each states FOIA tention statutes or ordinances. These retention regulations may ­provisions. in some instances be created by the airport. In other ­instances, The extent of records reached by these statutes and the rules however, these requirements may be imposed by external by which data can be obtained varies by jurisdiction. Some re- ­sources, like state legislation or administrative rules. This reality quire broad access. In others, access is narrower. While these may mean that retention of data may be placed on a schedule statutes almost universally have exceptions for privacy pro­ that is longer or shorter than an airport’s operational require- tected data and proprietary data, definitions of what is “private” ments for the data. Retention schedules may also be different and what is “proprietary” vary. Understanding what informa- depending on the type of data. For example, privacy concerns tion may be required to be disseminated publicly may signifi- may significantly limit the length of time video data can be re- cantly change collection and information sharing plans. The tained. This retention may differ from other types of records. Reporters Committee for Freedom of the Press Open Govern- It is critical for airports collecting data to understand record ment Guide575 contains a comprehensive compendium of state retention requirements and to develop schedules to ensure re- and federal open government laws on access to government- quired records are retained. Similarly, airports must ensure that controlled documents. records not required for retention are properly destroyed. The scope of these statutes and their interpretation by state As airports craft data collection strategies, there should be courts may significantly affect the amount and type of data an a clear understanding of state and local records requirements. airport may choose to collect or retain. It may also affect the Such knowledge is an essential part of any legal assessment of a relationship that an airport chooses to make with third-party particular data collection strategy. As a preliminary matter, ref- contractors that provide data collection or data services. erence to the comprehensive state by state compilation of record retention laws maintained by the Brechner Center for Freedom B. Public Records and Retention on Information579 may prove useful. As airports decide to engage in data collection or contract with third parties to do so or to access third-party data, it is im- C. Trends in State FOIA Provisions portant to understand what constitutes a “record” under state While determining what constitutes a record and the sched- and local law and what are the requirements for the production ule for retaining it, other critical components of an adequate of any such records. FOIA provisions at both the federal and data collection and retention strategy exist. As noted above, the state level are predicated on the existence of a record retained by Federal FOIA Statute as well as state FOIA provisions contain government that is being requested for production. When the exemptions for the production of records. The two common ex- federal and state FOIA statutes were initially enacted, subject emptions likely most applicable with respect to data collection records were written. With time, that has changed dramatically. at airports are for the protection of records concerning personal Prior to the development of modern FOIA protections, privacy and records concerning proprietary data. As with much ­Harold Cross, noted the difference in state laws regarding what of the other law concerning state FOIA provisions, the scope of constituted a public document required for production. How­ these protections varies. ever, “[t]oday the definitions of ‘public records’ at the federal and With respect to proprietary data, a 2005 Duke University state levels have more clarity, in line with what Cross had sug- Law and Technology Review article580 illustrates the difficulty gested, typically including any recorded materials—­including experienced by government entities when FOIA exemptions video, audio or electronic—created or held by a government are weak or inadequate. This article contrasts the protection of agency.”576 The expansion of what constitutes a record has been confidential and proprietary data from public disclosure under extended in states to a range of electronic communications.577 California and New Jersey law. The commentators conclude that In some states, this has even expanded to include the metadata while the exact economic harm is not quantified, the failure of generated in connection with the creation of the electronic data the California law to provide protections for confidential and in addition to the data itself.578 proprietary data makes the state a less attractive location for Broad definitions of what constitutes a “record” creates sig- private-public partnerships for research. nificant challenges for governmental entities. Once collected, A more recent assessment of protections from disclosure in an American Bar Association article by Christian L. H ­ awthorne, notes that the states remained inconsistent in their level of pro- 575   Open Government Guide, Reporters Comm. For Freedom of the Press (2019), https://www.rcfp.org/open-government-guide. 576   Id. at 446. 577   Id. at 446 n. 70. 579   Records Retention Schedules by State, Brechner Ctr. For Free- 578  Court decisions in Arizona, Washington, Pennsylvania, and dom of Info., Univ. Of Fla.. https://brechner.org/records-retention- Wisconsin have addressed the issue of metadata concluded that the schedules-by-state/. “records” include metadata. See Lake v. City of Phoenix, 218 P.3d 1004 580   Nader Mousavi & Mathew J. Kleiman, When the Public Does Not (Ariz. 2009); O’Neill v. City of Shoreline, 240 P.3d 1149, 1153 (Wash. Have a Right to Know: How the California Public Records Act is Deter- 2010); Paint Twp. v. Clark, 109 A.3d 796 (Pa. Commw. Ct. 2015); ring Bioscience Research and Development, 4 Duke L. & Tech. Rev., 1 ­Lueders v. Krug, 931 N.W.2d 898 (Wis. Ct. App. 2019). (2005), https://scholarship.law.duke.edu/dltr/vol4/iss1/22. 

56    ACRP LRD 42 tection.581 Citing a decision of the Washington Supreme Court Certainly, airports and stakeholders looking to share pro- in Lyft, Inc. v. City of Seattle,582 Hawthorne observes that state prietary information or conduct joint data collection would protection for trade secret information did not necessarily benefit from an understanding of the analysis of Mousavi and shield information from production based on public interest, ­Kleiman587 and in understanding the structure of state FOIA even if it was a legitimate trade secret. Hawthorne provides ex- provisions with respect to protecting information from disclo- amples of some of the differing state approaches. sure. As the Hawthorne article explains, there is a wide variance Florida, Illinois, Utah, and Virginia require trade secrets to be labeled in statutory protection. Similarly, as the Food Market Instituted “confidential” to prevent disclosure under their public records acts. decision explains, attention needs to be paid to the statutory Other states, including Alabama, Michigan, New Mexico, Oklahoma, language and interpreting case law concerning exemptions for and Louisiana also provide trade secret protection for information confidential and proprietary information. Absent protections submitted to those state governments only under limited circum- stances. Like Washington, Nevada requires balancing the public’s under state law, airports and stakeholders may find themselves interest in disclosure against the privacy interests of the entity seek- compelled to disclose potentially valuable commercial informa- ing to prevent disclosure, which balance may not always adequately tion though compelled public disclosure. protect trade secrets.583 The collection of data, in addition to posing issues around In contrast, states providing more stringent protections in- proprietary or trade secret data, will also likely implicate the cluded Oregon, Georgia, Louisiana, Maryland, Mississippi, and protection of personal information. While exemptions for pro- South Dakota. In New Jersey, Rhode Island, and Vermont trade tecting some sensitive personal information are near universal secrets were not even considered to be public records.584 in federal and state FOIA provisions, the extent of those protec- With respect to the strength of Federal FOIA protections tions are uneven. As commentators have noted, there is a con- for confidential and proprietary information, the U.S. Supreme tinuing tension between the protection of private information Court has interpreted those provisions of that statute as protect- in public records and the goals of open government.588 More- ing information provided to the federal government that busi- over, as more and more records become digital, requests for ac- nesses treated as confidential (not publicly sharing it), without cess to large databases are becoming more common. requiring a further showing that disclosure would cause com- At the same time, digital transformation has increased the petitive harm. In Food Market Institute v. Argus Media Leader585 type of records maintained by government, there has been an the Court concluded that commercial entities providing sales increase in requests to produce those records. These requests data to the government that was otherwise treated as private come from a range of individuals and entities, including enti- were protected from having that information disclosed under ties that are seeking to monetize extensive records and data- an exemption to the Federal FOIA Statute. The Court held bases maintained by the government. States like Washington, At least where commercial or financial information is both customar- ­California, and Florida with broad open government provisions ily and actually treated as private by its owner and provided to the have noted the often-crushing burden of requests for govern- government under an assurance of privacy, the information is “con- ment records. One commentator chronicling the abuses of the fidential” within the meaning of Exemption 4 [of the Federal FOIA public records requests explained: Statute].586 The potential misuse of the public records laws, however, exceeds the This ruling eliminated any requirement of showing e­ conomic mere inconveniences and unintended consequences facing academia. harm because of disclosure, a requirement that would lead to As one columnist explained, broadly written laws designed to ensure costly litigation. While the ruling requires both a demonstration transparency can become weapons to discredit political opponents, of the entity’s prior treatment of the information and the gov- intimidate critics, and simply harass private citizens for no better reason than that they are government employees. Across the nation, ernment’s agreement to treat it as confidential, this type of ex- public records laws can become a source of consternation for public emption to the Federal FOIA Statute should provide some pro- servants who recognize the ideals of the public records laws, but who tections. While this ruling concerning the Federal FOIA Statute also endure the flaws.589 will not be precedential for most airports or for construing state This increase in the volume of FOIA requests can have sig- FOIA statutes, it is instructive concerning the type of exemption nificant cost. This cost can be extremely burdensome if e­ xtensive provisions that could protect proprietary commercial data from records must be reviewed and redacted to remove exempted disclosure. private information. That is particularly the case for unstruc- tured data like video or audio recordings. The administrative 581   Christian L. Hawthorne, Tips for Protecting your Trade Secrets When Dealing with Government, ABA, (Aug. 30, 218) https://www. 587   While this work examines research and data collection by public americanbar.org/groups/litigation/committees/business-torts-unfair- universities, it still offers helpful insights for other public entities competition/practice/2018/tips-for-protecting-your-trade-secrets- involved in data collection efforts with private entities. when-dealing-with-the-government/. 588   See, e.g., Jennifer A. Brobst, Reverse Sunshine in the Digital Wild 582   418 P.3d 102 (Wash. 2018). Frontier: Protecting Individual Privacy Against Public Record Requests for Government Databases, 42 N. Ky. L. Rev. 191 (2015). 583   Id. 589   Keith W. Rizzardi, Sunburned: How Misuse of the Public Records 584   Id. Laws Creates an Overburdened. More Expensive, and Less Transparent 585   139 S. Ct. 2356 (2019). Government, 44 Stetson L. Rev. 425, 435-36 (2015) (quotations 586   Id. at 2366. ­omitted).