National Academies Press: OpenBook

Legal Implications of Data Collection at Airports (2021)

Chapter: IV. DEVELOPMENTS IN FEDERAL CONSTITUTIONAL PROTECTIONS

Suggested Citation: "IV. DEVELOPMENTS IN FEDERAL CONSTITUTIONAL PROTECTIONS." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

ACRP LRD 42

be identified for follow-up processing. As the health-check screening is being conducted, passengers are provided with notice by the screening agent. That notice should specify consent and access process as well as information on access and redress.

b. Choice/Consent: The consent of passengers to the health screening can be implied by their continuation with the passenger journey process. Given the sensitivity of this data collection relating to health information, airports may wish to consider an opt-out process for passengers allowing for screening objectives to be accomplished in a different fashion. Passengers and employees provide consent to screening prior to gaining access to sterile areas beyond the screening checkpoint.

c. Access/Participation: Programs providing health screening need to establish programs for individuals to access records retained. Health screening subjects, especially those from the EU and California, are afforded the right to request their data be removed from a health-check system.

d. Integrity/Security: HHS OCR has established data integrity and security protocols. For vendors performing these functions, best practices in data security must be assured through contracting as well as through audits. Audit support can be found through the HHS OCR. Detailed provisions need to be made to address potential data breaches of sensitive health-related information.

e. Enforcement/Redress: Audit capabilities and rights should be addressed in internal policies as well as in contracts with vendors. Health-related data collection has federally mandated procedures for enforcement and redress. There may be additional state law provisions concerning the collection of health-related data. Both federal and state requirements should also be considered and accounted for with respect to potential data breach occurrences, particularly ones involving sensitive PII involving health-related information.

F. Conclusion

The five use cases illustrate more than approaches and solutions for specific challenges. They also cover the primary areas of privacy data used in airports today, while referencing a variety of other privacy data types and uses. PPA use case analysis addressed video analytic use as well as cellphone tracking. The Security/Biometrics use case covered the biometric use practices in support of check-in, screening, arrivals, and boarding. The ALPR use case examined both the administrative purpose of managing the commercial curb as well as law enforcement purposes. The airport digital marketplace use case covered websites, apps, Wi-Fi, as well as a CRM system. Lastly, the Health Checks use case addressed thermal imaging for detecting passengers or employees who are exhibiting a fever. Each use case poses a unique set of legal considerations.

While many of these systems can be used without collecting and retaining PII, some require collection of some of the most sensitive PII information. Those systems involve not only the actions of airports and airport stakeholders, but frequently the actions of contracted vendors. Additionally, the products and services used to implement these programs may involve data collection (or attempted data collection) by third-party entities. All these practices raise a host of legal concerns, which need to be addressed.

IV. DEVELOPMENTS IN FEDERAL CONSTITUTIONAL PROTECTIONS

The U.S. Supreme Court has grappled with privacy issues since the 1970s, addressing them in several different contexts. Most often, these cases involve the Fourth Amendment, but First and Fourteenth Amendment issues have also arisen.[82] Consistently throughout these cases, both conservative and liberal justices have expressed concern over the effects of technology on privacy. The Court’s concerns have frequently centered on the government’s compilation of large databases and the ability of advancing computer technology to analyze them. While review of data and privacy has largely been limited to governmental rather than private use, the issues raised by the Court and the legal analysis offered in the decisions provide insights into a range of legal issues confronting airports and private stakeholders in the use of data.

A. Carpenter and the Contours of Privacy Protections

In June 2018, the U.S. Supreme Court in the case of Carpenter v. United States[83] issued an opinion that significantly expanded privacy protections under the Fourth Amendment. In Carpenter, the Court concluded that cell site location information (CSLI) that tracked a cellphone’s whereabouts over an extended period was an unreasonable search and seizure.

Addressing the individual’s informational privacy interest in this data, the Court set aside the long-established “third-party rule.”[84] This rule gave the government easier access to business records, like phone records and financial records, retained by third parties under the logic that the third-party possession of that data diminished or destroyed individual privacy. Carpenter rejected that notion and ushered in an era where the Court recognizes a right to informational privacy protectable under the Fourth Amendment.

Chief Justice Roberts’ majority opinion noted the near ubiquitous adoption of cell phones and the acceptance of the cellular network systems that enable the devices to work. The Chief Justice also discussed the abundance of data created through cellular service systems.[85]

In its legal analysis, the majority began by noting that one of the principal functions of the Fourth Amendment was to “safeguard the privacy and security of individuals from arbitrary invasion by government.”[86] The Court then discussed the evolution of Fourth Amendment jurisprudence from a purely property-based concept, where trespass was required before a Fourth Amendment violation could be established, to a focus on a reasonable person’s expectations. The expanded focus of the Fourth Amendment protects an individual’s expectations of privacy that “society is prepared to accept as reasonable.”[87] Citing its 2012 decision in Jones v. United States,[88] the Court observed that claims of trespass as well as a claim of a reasonable expectation of privacy can provide a basis for Fourth Amendment challenge to government action.[89]

The Court went on to make a general observation regarding the effect of technology on the privacy rights originally secured by the Fourth Amendment. Referring to prior decisions in Kyllo v. United States[90] and Riley v. California,[91] the Court observed that protection of privacy had to be a focus in the face of technology innovations. The central aim of the Framers was “‘to place obstacles in the way of a too permeating police surveillance.’”[92]

Against this general backdrop of Fourth Amendment analysis, the Court went on to examine the implications of government access to CSLI without a warrant. While previous caselaw had affirmed the ability of law enforcement to conduct surveillance of an individual’s movements using sensory enhancing technology like beepers,[93] advancements in technology, like global positioning systems (GPS), raised serious questions of easily conducted extensive pervasive surveillance.[94]

Looking to the two concurring opinions of five Justices in Jones,[95] the Court acknowledged the fact that technology developments in the fields of surveillance and tracking raise significant and legitimate privacy concerns. The amount of location data acquired and processed by government using modern technology raises the specter of persistent mass surveillance, inconsistent with Fourth Amendment protections. The Court went on to conclude that, like the GPS data that raised concerns in Jones, the CSLI data raised similar possibilities of tracking the whole of a person’s movements such that the Court concluded it gives rise to reasonable expectations of privacy. Thus, accessing that data constituted a search cognizable under the Fourth Amendment.

The Carpenter decision offers many lessons on the Court’s perceptions of data privacy. Of course, the opinion has direct applicability to any airport law enforcement use of CSLI for investigative purposes. However, beyond that, the opinion should serve as a cautionary tale for airports looking to collect data either directly from individuals or through third parties. The Carpenter decision evidences deep concern over the need to control and limit government use of data, particularly the proliferation of data that characterizes life in the digital age. Of significance is the fact that the Court was willing to set aside longstanding precedent concerning privacy interests in data held by third parties to extend privacy protections. The history of the Court’s focus on this issue demonstrates a willingness to rethink government use of established informational tools to ensure protection of privacy, even where any specific data may have no significant privacy protections at the time of collection.

B. Recurrent Themes in Supreme Court’s Privacy Analysis

Several themes have continually arisen in opinions where the Court has wrestled with informational data privacy. These themes include:

• The danger of government data aggregation and changing privacy characteristics;
• The absence of a comprehensive approach to privacy protection;
• The need for legislative protections in the face of emerging technology; and
• The changing privacy expectations in response to emerging technology.

These themes demonstrate the Court’s evolving conception of privacy protections that change as technology develops and revolutionizes aspects of people’s daily lives.

1. Data Aggregation

Starting with its decision in Whalen in the late 1970s, the Court in dicta expressed concern over government possession of large aggregations of personal data:

A final word about issues we have not decided. We are not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files.[96]

The Court went on to note that while protection against unwarranted disclosure of personal information might have constitutional implications, the protections afforded in that case were adequate. Thus, the question was not ripe for decision.

Department of Justice v. Reporters Committee for Freedom of the Press[97] expressed similar concerns over data aggregation. In Reporters Committee, the Court extensively addressed the subject of privacy without providing a precedential ruling. The Court reviewed decisions concerning a request under the Federal Freedom of Information Act (FOIA) for criminal history data. The Court observed that while records of arrest and prosecutions were publicly available, the difficulty of finding and compiling them provided some protections for individual privacy.[98] It also noted that large aggregations of data not only posed a threat, they also changed the character of the data stored. Discrete pieces of information that may have at the time of collection been publicly accessible were changed in their nature by compilation over time.[99]

More recently, the concern about data aggregations was adopted by five Justices in the two concurring opinions in Jones. For example, in his concurrence Justice Alito observed:

In the precomputer age, the greatest protections of privacy were neither constitutional nor statutory, but practical. Traditional surveillance for any extended period of time was difficult and costly and therefore rarely undertaken. The surveillance at issue in this case—constant monitoring of the location of a vehicle for four weeks—would have required a large team of agents, multiple vehicles, and perhaps aerial assistance. Only an investigation of unusual importance could have justified such an expenditure of law enforcement resources. Devices like the one used in the present case, however, make long-term monitoring relatively easy and cheap.[100]

The significance of this line of analysis regarding aggregated data is that while at the time of collection, information may have had no privacy protections, or more limited privacy protections, additional protections may be required once data is aggregated. As noted above, this analysis articulated in Whalen, Reporters Committee, and Jones appears to have been adopted in the majority opinion in Carpenter. This concern over aggregation of data in government hands should be a consideration of airports in their decision about collecting and compiling data on individuals.

2. Absence of a Comprehensive Approach

One case highlighting the vagaries of U.S. protection for informational privacy is the 2011 decision of the U.S. Supreme Court in NASA v. Nelson.[101] In Nelson, the Court addressed the issue of personal privacy with respect to background investigations for government contractors. The Court ultimately affirmed the actions of NASA in conducting the background checks, concluding that consistent protections existed under the Privacy Act of 1974.[102]

However, the majority opinion in Nelson alluded to the existence of an undefined constitutional protection for privacy,[103] identifying no decision where those protections are defined specifically. The absence of such a specific privacy protection has been a source of continued constitutional debate. Justice Scalia in his concurring opinion sharply criticized the majority’s suggestion of a constitutionally established right of privacy. While he thought protection of privacy might be a good idea, he argued that “[a] federal constitutional right to ‘informational privacy’ does not exist.”[104] The absence of citation to a specific constitutional reference to the right to privacy is a theme that has characterized Supreme Court decisions since the notion of information privacy was first raised in the 1970s.

3. Value of Legislative Action

The Scalia concurrence in Nelson showcases not only the debate over the existence of comprehensive constitutional protections for privacy, but also echoes the Court’s notion that the legislative branch and not the Court should be the source of such a right. Justice Scalia’s invitation for legislative action (or at the least the observation of an absence of it) is a good example of the Court’s concern over lack of legislative involvement.[105] In other cases, different members of the Court have acknowledged the need to defer to the legislative branch in dealing with emerging surveillance technologies that can adversely impact individual privacy rights. In Jones v. United States,[106] a case involving warrantless use of GPS surveillance, Justice Alito in his concurrence observed:

In circumstances involving dramatic technological change, the best solution to privacy concerns may be legislative… A legislative body is well situated to gauge changing public attitudes, to draw detailed lines, and to balance privacy and public safety in a comprehensive way. To date, however, Congress and most States have not enacted statutes regulating the use of GPS tracking technology for law enforcement purposes.[107]

The notion that legislatures are equipped to deal with privacy protections was a principal finding of the Court in both Whalen and Reporters Committee. In those cases, the Court was satisfied that legislative action had adequately secured the individual’s privacy interest. In contrast, however, is the decision in Carpenter, where the Court found the congressional protections for privacy for CSLI under the provisions of the Stored Communications Act[108] inadequate to meet Fourth Amendment requirements. Thus, while legislative enactments may be useful in demonstrating that adequate privacy protections are established, those enactments are not a panacea.

4. Technology Fueling Changing Privacy Expectations by Individuals

Related to the issue of legislatures as better suited than courts to deal with rapidly changing effects of emerging technology on informational privacy, are the Court’s observations that emerging technology itself is shaping the privacy expectations of individuals. The Court has noted that, in addition to the pace of technology change, which makes it difficult for courts rather than legislatures to react, there is also an evolving standard of privacy being driven by technology. In City of Ontario v. Quon,[109] the Court observed that “[r]apid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior.”[110] Until there is clarity in how an emerging technology has shaped societal expectations of privacy, the Court concluded it “risks error”[111] in adjudicating whether reasonable expectations of privacy exist or have been violated. This position is understandable as the judiciary is relatively insulated from electoral politics and, thus, less accountable than the other branches for any pronouncements regarding what society thinks is reasonable.

Similar to the concerns raised in Quon regarding technology’s ability to change privacy expectations are the ones that appear in Riley v. California.[112] There, the Court examined an individual’s privacy rights in data on a cellphone possessed at the time of arrest. Flatly rejecting the government’s position that searching a cellphone was “materially indistinguishable” from previously approved searches of physical items in an arrestee’s possession, the Court explained “[t]hat is like saying a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together.”[113] In reaching its conclusion, the Court detailed the extensive amount of information routinely contained in cellphones and growing reliance on those devices by individuals in everyday life.

The result in Riley was the Court’s decision to overturn longstanding precedent concerning the ability of law enforcement to search the items in possession of an arrestee at the time of arrest. As was the case subsequently in the Carpenter decision, the Court concluded that technology adoption changed the individual’s and society’s expectations of what was private. The lesson from this line of opinions is that things once thought not to be privacy-protected might change in character as technology develops and becomes more embedded in people’s lives.

While the Supreme Court’s assessment of privacy in the cases outlined above applies only to activity conducted by government, the Court’s analysis offers interesting perspectives about what is a legitimate expectation of privacy and what measures serve to protect those expectations. Quon, Jones, and Riley demonstrate how the Court anticipates the possibility of changing expectations of privacy. As the population adapts to using new technologies, especially in the context of communication, the parameters of privacy will continue to evolve.

Overall, the arc of the Supreme Court’s review of privacy, particularly under the Fourth Amendment, has been to move in the direction of privacy protection. The increasing pace of data collection and the ability of government to access data is a matter of significant concern. Even justices who have concluded there is no constitutional protection for data privacy under the Fourth Amendment have indicated that protection of data and limitation of government use of data are matters that command the attention of the legislative branch. There is near universal acceptance of the notion that the advances in technology are outpacing the ability of courts to effectively regulate privacy protection. There is also a consensus that technology is changing how the public views privacy and even the fundamental question of what kinds of information are even private.

[82] General applicability of the First and Fourth Amendments to activities in airports is well documented. See e.g., Regulations Affecting the Exercise of First Amendment Activities at Airports, Nat’l Acads. of Scis., Eng’g, & Med. (2015); The Fourth Amendment and Airports, Nat’l Acads. of Scis., Eng’g, & Med. (2016), https://doi.org/10.17226/23500.
[83] Carpenter v. U.S., 138 S. Ct. 2206 (2018).
[84] The contours of the “third-party rule” were established in two Court decisions. See U.S. v. Miller, 425 U.S. 435 (1976) (concerning access to banking records); Smith v. Md., 442 U.S. 735 (1979) (concerning phone company records registering the incoming and outgoing calls). In these cases, the Court concluded that, despite some privacy interest on the part of the individual, a warrant was not required to access these third-party business records.
[85] Cell phones continuously send signals looking for available cell sites so that voice communication and data transfers can occur. The record of these transmissions creates the CSLI, which allows for the plotting of the general location of a cellphone at specific times. The closer together the cell sites are the more accurate the location.
[86] Carpenter v. U.S., 138 S. Ct. 2206, 2213 (2018) (citing Camara v. Mun. Cty. Ct. of City & Cty. of S.F., 387 U.S. 523, 528 (1967)).
[87] Carpenter v. U.S., 138 S. Ct. 2206, 2208 (2018) (citing Smith v. Md., 442 U.S. 735, 740 (1979)).
[88] 565 U.S. 400 (2012).
[89] In Jones, the Court reviewed actions of the FBI, which had implanted a GPS tracking device on the defendant’s vehicle and tracked its movements for a period of 28 days. This surveillance was undertaken without a warrant. The majority opinion, joined by four justices, concluded that the actions of the FBI in trespassing upon the vehicle to plant the GPS device constituted a violation of the Fourth Amendment. Four other justices in a concurring opinion authored by Justice Alito, concluded that it was not the trespass but rather the government’s actions of tracking the vehicle for 28 days that constituted a violation of the Fourth Amendment because the defendant has a reasonable expectation of privacy in his location over a prolonged period of time. Those Justices suggested that because GPS technology had so significantly changed the ability of government to surveil individuals allowing for the easy collection of location data over lengthy periods of time, impossible through traditional human surveillance techniques, the use of GPS tracking without a warrant violated privacy protections of the Fourth Amendment. In a separate concurring opinion, Justice Sotomayor indicated she found the arguments of both the majority and the concurring justices to be persuasive that both a trespass and expectation of privacy could serve as a basis in that case for a claim of a Fourth Amendment violation. However, because she found the trespass basis narrower, she joined in the majority opinion. Thus, while there were in fact five justices (a majority) who felt the aggregation of location data over the 28 days constituted a violation of the Fourth Amendment, that was not the controlling precedent of the case.
[90] 533 U.S. 27 (2001) (use of thermal imaging technology on a residence is a search requiring a warrant).
[91] 573 U.S. 373 (2014) (storage capacity of cellphones generally prohibits search of such devices incident to arrest absent a warrant).
[92] Carpenter v. U.S., 138 S. Ct. 2206, 2214 (2018) (quoting U.S. v. Di Re, 332 U.S. 581, 595 (1948)).
[93] U.S. v. Knotts, 460 U.S. 276 (1983).
[94] Jones, supra, note 88.
[95] Id.
[96] Whalen v. Roe, 429 U.S. 589, 605-6 (1977) (citations omitted).
[97] 489 U.S. 749 (1989).
[98] Reporters Committee, 489 U.S. at 764.
[99] Id.
[100] Id. at 429-30 [citations omitted].
[101] 362 U.S. 134 (2011).
[102] 5 U.S.C. § 552a.
[103] Nelson, 362 U.S. at 138 (citing Whalen v. Roe, 429 U.S. 589, 599-600 (1977); Nixon v. Admin. of Gen. Servs., 433 U.S. 425, 457 (1977)). The Court in Nelson notes a broad reference in those cases to privacy interests in avoiding the disclosure of personal matters. Id.
[104] Id. at 159-60.
[105] In Nelson, Justice Scalia in his concurrence concludes, “[l]ike many other desirable things not included in the Constitution, ‘informational privacy’ seems like a good idea—wherefore the People have enacted laws at the federal level and in the states restricting the government’s collection and use of information. But it is up to the People to enact those laws, to shape them, and, when they think it appropriate, to repeal them.” Id.
[106] 565 U.S. 400 (2012).
[107] Id. at 429-30.
[108] 18 U.S.C. § 2703(d).
[109] 560 U.S. 746 (2010).
[110] Id. at 759.
[111] Id.
[112] Riley v. Cal., 573 U.S. 373 (2014).
[113] Id. at 393.

As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience.

The TRB Airport Cooperative Research Program's ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports provides a survey of applicable law; considerations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use.
