National Academies Press: OpenBook

Legal Implications of Data Collection at Airports (2021)

Chapter: X. INTERPLAY OF PRIVACY AND OPENGOVERNMENT RECORDS

« Previous: IX. DEVELOPING STATE AND LOCAL LAWS, AND FEDERAL AGENCY ACTIONS AND LEGISLATIVE PROPOSALS ON BIOMETRICS USAGE
Page 54
Suggested Citation:"X. INTERPLAY OF PRIVACY AND OPENGOVERNMENT RECORDS." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 54
Page 55
Suggested Citation:"X. INTERPLAY OF PRIVACY AND OPENGOVERNMENT RECORDS." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 55
Page 56
Suggested Citation:"X. INTERPLAY OF PRIVACY AND OPENGOVERNMENT RECORDS." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 56

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

54 ACRP LRD 42 A. Provisions for Open Government In his 1953 work evaluating government openness, Harold Cross systematically documented the limited nature of indi- vidual access to governmental records.570 Cross’ comprehensive review of federal and state laws concerning openness and in- formation practice was influential in the subsequent creation of open records laws by both states and the federal government.571 In 1966, the United States enacted the Federal FOIA Statute.572 Effective a year later in July 1967, the Federal FOIA Statute has been updated over the years with the most recent revisions oc- curring in 2007. In a 2016 retrospective on the development of FOIA protections at both the state and federal levels, Davis Cuillier offers an excellent perspective on movement made with respect to government openness since the 1950’s and 1960s. While the Federal FOIA Statute applies only to records maintained by the federal government, its structure is like that of statutes adopted in many states. The National Association of Counties (NACo) offered a comprehensive collection of those statutes in a 2010 report entitled Open Records Laws: A State by State Approach. At the time of the Federal FOIA Statute en- actment several jurisdictions already had provisions providing for access to government records. In some states, access was granted by state constitutional provisions.573 All states and the District of Columbia have their own ver- sion of the Federal FOIA Statute. Called freedom of informa- tion, open records, or “Sunshine” statutes, these provisions allow for citizen access to a wide range of documents and records maintained by governments. Generically, this report will refer to them as “state FOIA provisions.” While the exact parameters of state FOIA provisions vary widely, there are some common patterns and trends that airports should consider as they collect and share data. The 2010 NACo Report notes that the general structure of state FOIA provisions have the following common features: • Designation as to who may request records and purposes for which requests can be made; • Identification of the records covered under the law (in- cluding specification of the particular entities covered); • Fees and costs that can be assessed to requestors; • Enforcement and sanctions provisions to ensure compliance; • Designation of records which are exempt from production; • Provisions respecting production of Electronic record; and • Limitation on “money-making” in connection with gov- ernment providing requested data.574 570 Harold L. Gross, The People’s Right to Know (1953). 571 David Cuillier, Special Issue: The U.S. Freedom of Information Act at 50 Article: The People’s Right to Know: Comparing Harold L Cross’ Pre- FOIA World to Post-FOIA Today, 21 Comm. L. & Pol’y 433, 433 (2016). 572 5 USC § 552 et. seq. 573 Open Records Laws: A State by State Approach, Nat’l Ass’n of Ctys (Dec. 2010), at 6, https://www.governmentecmsolutions.com/ files/124482256.pdf. 574 Id. There is currently no federal law regulating the use of FRS. In February, 2020, a U.S. Senate bill, the Ethical Use of Facial Recognition Act,560 was proposed to provide for a moratorium on the use of FRS until the date on which Congress implements guidelines governing its use.561 The national dialogue in the United States has renewed focus on FRS as a police practice, and on June 8, 2020, the George Floyd Justice in Policing Act of 2020 was introduced in the U.S. House of Representatives.562 The proposed legislation would prohibit the real-time use of FRS on police body cameras and would require study of issues relating to the constitutional rights of individuals on whom FRS is used.563 On June 17, 2020, Republicans in the U.S. Senate pro- posed another version of policing reform, the Just and Unifying Solutions to Invigorate Communities Everywhere Act of 2020 (the JUSTICE Act).564 However, the JUSTICE Act does not ad- dress FRS.565 On June 18, 2020, Senator Sherrod Brown (D-OH) intro- duced the Data Accountability and Transparency Act of 2020 (the DATA Act).566 The DATA Act focuses on the collection, use, and sharing of individuals’ personal information and would make it an unlawful practice to use FRS and to collect, use, or share personal data obtained from FRS.567 On June 25, 2020, two Democratic senators introduced the Facial Recognition and Biometric Technology Moratorium Act of 2020.568 Of spe- cial interest to airports, this broad-sweeping legislative initiative would deny federal funding to any state or local entity that does not enact an equivalent moratorium.569 While none of these proposed federal regulations has been enacted, the enactment of a federal statute regarding FRS would undoubtedly impact the airport space. X. INTERPLAY OF PRIVACY AND OPEN GOVERNMENT RECORDS The existence of measures to ensure open government gen- erates interesting implications for privacy law. While some advocacy organizations lament government access to private personal data, they simultaneously seek liberal access to govern- mental records. Meeting requirements for government to retain data it collects in accordance with defined retention require- ments, combined with public access laws, can prove difficult. 560 Ethical Use of Facial Recognition Act of 2020, S. 3284, 116th Cong. (2020). 561 Id. 562 George Floyd Justice in Policing Act of 2020, H.R. 7120, 116th Cong. (2020). 563 Id. 564 Just and Unifying Solutions to Invigorate Communities Every- where Act of 2020, S. 3985, 116th Cong. (2020). 565 Id. 566 Data Accountability and Transparency Act of 2020, S. 2577, 116th Cong. (2020). 567 Id. 568 Facial Recognition and Biometric Technology Moratorium Act of 2020, S. 4084, 116th Cong. (2020). 569 Id.

ACRP LRD 42 55 data will likely be required to be retained pursuant to record re- tention statutes or ordinances. These retention regulations may in some instances be created by the airport. In other instances, however, these requirements may be imposed by external sources, like state legislation or administrative rules. This reality may mean that retention of data may be placed on a schedule that is longer or shorter than an airport’s operational require- ments for the data. Retention schedules may also be different depending on the type of data. For example, privacy concerns may significantly limit the length of time video data can be re- tained. This retention may differ from other types of records. It is critical for airports collecting data to understand record retention requirements and to develop schedules to ensure re- quired records are retained. Similarly, airports must ensure that records not required for retention are properly destroyed. As airports craft data collection strategies, there should be a clear understanding of state and local records requirements. Such knowledge is an essential part of any legal assessment of a particular data collection strategy. As a preliminary matter, ref- erence to the comprehensive state by state compilation of record retention laws maintained by the Brechner Center for Freedom on Information579 may prove useful. C. Trends in State FOIA Provisions While determining what constitutes a record and the sched- ule for retaining it, other critical components of an adequate data collection and retention strategy exist. As noted above, the Federal FOIA Statute as well as state FOIA provisions contain exemptions for the production of records. The two common ex- emptions likely most applicable with respect to data collection at airports are for the protection of records concerning personal privacy and records concerning proprietary data. As with much of the other law concerning state FOIA provisions, the scope of these protections varies. With respect to proprietary data, a 2005 Duke University Law and Technology Review article580 illustrates the difficulty experienced by government entities when FOIA exemptions are weak or inadequate. This article contrasts the protection of confidential and proprietary data from public disclosure under California and New Jersey law. The commentators conclude that while the exact economic harm is not quantified, the failure of the California law to provide protections for confidential and proprietary data makes the state a less attractive location for private-public partnerships for research. A more recent assessment of protections from disclosure in an American Bar Association article by Christian L. Hawthorne, notes that the states remained inconsistent in their level of pro- 579 Records Retention Schedules by State, Brechner Ctr. For Free- dom of Info., Univ. Of Fla.. https://brechner.org/records-retention- schedules-by-state/. 580 Nader Mousavi & Mathew J. Kleiman, When the Public Does Not Have a Right to Know: How the California Public Records Act is Deter- ring Bioscience Research and Development, 4 Duke L. & Tech. Rev., 1 (2005), https://scholarship.law.duke.edu/dltr/vol4/iss1/22. The 2010 NACo Report includes excellent summary charts outlining the general requirements of each states FOIA provisions. The extent of records reached by these statutes and the rules by which data can be obtained varies by jurisdiction. Some re- quire broad access. In others, access is narrower. While these statutes almost universally have exceptions for privacy pro- tected data and proprietary data, definitions of what is “private” and what is “proprietary” vary. Understanding what informa- tion may be required to be disseminated publicly may signifi- cantly change collection and information sharing plans. The Reporters Committee for Freedom of the Press Open Govern- ment Guide575 contains a comprehensive compendium of state and federal open government laws on access to government- controlled documents. The scope of these statutes and their interpretation by state courts may significantly affect the amount and type of data an airport may choose to collect or retain. It may also affect the relationship that an airport chooses to make with third-party contractors that provide data collection or data services. B. Public Records and Retention As airports decide to engage in data collection or contract with third parties to do so or to access third-party data, it is im- portant to understand what constitutes a “record” under state and local law and what are the requirements for the production of any such records. FOIA provisions at both the federal and state level are predicated on the existence of a record retained by government that is being requested for production. When the federal and state FOIA statutes were initially enacted, subject records were written. With time, that has changed dramatically. Prior to the development of modern FOIA protections, Harold Cross, noted the difference in state laws regarding what constituted a public document required for production. How- ever, “[t]oday the definitions of ‘public records’ at the federal and state levels have more clarity, in line with what Cross had sug- gested, typically including any recorded materials— including video, audio or electronic—created or held by a government agency.”576 The expansion of what constitutes a record has been extended in states to a range of electronic communications.577 In some states, this has even expanded to include the metadata generated in connection with the creation of the electronic data in addition to the data itself.578 Broad definitions of what constitutes a “record” creates sig- nificant challenges for governmental entities. Once collected, 575 Open Government Guide, Reporters Comm. For Freedom of the Press (2019), https://www.rcfp.org/open-government-guide. 576 Id. at 446. 577 Id. at 446 n. 70. 578 Court decisions in Arizona, Washington, Pennsylvania, and Wisconsin have addressed the issue of metadata concluded that the “records” include metadata. See Lake v. City of Phoenix, 218 P.3d 1004 (Ariz. 2009); O’Neill v. City of Shoreline, 240 P.3d 1149, 1153 (Wash. 2010); Paint Twp. v. Clark, 109 A.3d 796 (Pa. Commw. Ct. 2015); Lueders v. Krug, 931 N.W.2d 898 (Wis. Ct. App. 2019).

56 ACRP LRD 42 Certainly, airports and stakeholders looking to share pro- prietary information or conduct joint data collection would benefit from an understanding of the analysis of Mousavi and Kleiman587 and in understanding the structure of state FOIA provisions with respect to protecting information from disclo- sure. As the Hawthorne article explains, there is a wide variance in statutory protection. Similarly, as the Food Market Instituted decision explains, attention needs to be paid to the statutory language and interpreting case law concerning exemptions for confidential and proprietary information. Absent protections under state law, airports and stakeholders may find themselves compelled to disclose potentially valuable commercial informa- tion though compelled public disclosure. The collection of data, in addition to posing issues around proprietary or trade secret data, will also likely implicate the protection of personal information. While exemptions for pro- tecting some sensitive personal information are near universal in federal and state FOIA provisions, the extent of those protec- tions are uneven. As commentators have noted, there is a con- tinuing tension between the protection of private information in public records and the goals of open government.588 More- over, as more and more records become digital, requests for ac- cess to large databases are becoming more common. At the same time, digital transformation has increased the type of records maintained by government, there has been an increase in requests to produce those records. These requests come from a range of individuals and entities, including enti- ties that are seeking to monetize extensive records and data- bases maintained by the government. States like Washington, California, and Florida with broad open government provisions have noted the often-crushing burden of requests for govern- ment records. One commentator chronicling the abuses of the public records requests explained: The potential misuse of the public records laws, however, exceeds the mere inconveniences and unintended consequences facing academia. As one columnist explained, broadly written laws designed to ensure transparency can become weapons to discredit political opponents, intimidate critics, and simply harass private citizens for no better reason than that they are government employees. Across the nation, public records laws can become a source of consternation for public servants who recognize the ideals of the public records laws, but who also endure the flaws.589 This increase in the volume of FOIA requests can have sig- nificant cost. This cost can be extremely burdensome if extensive records must be reviewed and redacted to remove exempted private information. That is particularly the case for unstruc- tured data like video or audio recordings. The administrative 587 While this work examines research and data collection by public universities, it still offers helpful insights for other public entities involved in data collection efforts with private entities. 588 See, e.g., Jennifer A. Brobst, Reverse Sunshine in the Digital Wild Frontier: Protecting Individual Privacy Against Public Record Requests for Government Databases, 42 N. Ky. L. Rev. 191 (2015). 589 Keith W. Rizzardi, Sunburned: How Misuse of the Public Records Laws Creates an Overburdened. More Expensive, and Less Transparent Government, 44 Stetson L. Rev. 425, 435-36 (2015) (quotations omitted). tection.581 Citing a decision of the Washington Supreme Court in Lyft, Inc. v. City of Seattle,582 Hawthorne observes that state protection for trade secret information did not necessarily shield information from production based on public interest, even if it was a legitimate trade secret. Hawthorne provides ex- amples of some of the differing state approaches. Florida, Illinois, Utah, and Virginia require trade secrets to be labeled “confidential” to prevent disclosure under their public records acts. Other states, including Alabama, Michigan, New Mexico, Oklahoma, and Louisiana also provide trade secret protection for information submitted to those state governments only under limited circum- stances. Like Washington, Nevada requires balancing the public’s interest in disclosure against the privacy interests of the entity seek- ing to prevent disclosure, which balance may not always adequately protect trade secrets.583 In contrast, states providing more stringent protections in- cluded Oregon, Georgia, Louisiana, Maryland, Mississippi, and South Dakota. In New Jersey, Rhode Island, and Vermont trade secrets were not even considered to be public records.584 With respect to the strength of Federal FOIA protections for confidential and proprietary information, the U.S. Supreme Court has interpreted those provisions of that statute as protect- ing information provided to the federal government that busi- nesses treated as confidential (not publicly sharing it), without requiring a further showing that disclosure would cause com- petitive harm. In Food Market Institute v. Argus Media Leader585 the Court concluded that commercial entities providing sales data to the government that was otherwise treated as private were protected from having that information disclosed under an exemption to the Federal FOIA Statute. The Court held At least where commercial or financial information is both customar- ily and actually treated as private by its owner and provided to the government under an assurance of privacy, the information is “con- fidential” within the meaning of Exemption 4 [of the Federal FOIA Statute].586 This ruling eliminated any requirement of showing economic harm because of disclosure, a requirement that would lead to costly litigation. While the ruling requires both a demonstration of the entity’s prior treatment of the information and the gov- ernment’s agreement to treat it as confidential, this type of ex- emption to the Federal FOIA Statute should provide some pro- tections. While this ruling concerning the Federal FOIA Statute will not be precedential for most airports or for construing state FOIA statutes, it is instructive concerning the type of exemption provisions that could protect proprietary commercial data from disclosure. 581 Christian L. Hawthorne, Tips for Protecting your Trade Secrets When Dealing with Government, ABA, (Aug. 30, 218) https://www. americanbar.org/groups/litigation/committees/business-torts-unfair- competition/practice/2018/tips-for-protecting-your-trade-secrets- when-dealing-with-the-government/. 582 418 P.3d 102 (Wash. 2018). 583 Id. 584 Id. 585 139 S. Ct. 2356 (2019). 586 Id. at 2366.

Next: XI. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) AND AIRPORTS »
Legal Implications of Data Collection at Airports Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience.

The TRB Airport Cooperative Research Program's ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports provides a survey of applicable law; considerations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!