Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
22 ACRP LRD 42 While many of these systems can be used without collecting and retaining PII, some require collection of some of the most sensitive PII information. Those systems involve not only the actions of airports and airport stakeholders, but frequently the actions of contracted vendors. Additionally, the products and services used to implement these programs may involve data collection (or attempted data collection) by third-party entities. All these practices raise a host of legal concerns, which need to be addressed. IV. DEVELOPMENTS IN FEDERAL CONSTITUTIONAL PROTECTIONS The U.S. Supreme Court has grappled with privacy issues since the 1970s, addressing it in several different contexts. Most often, these cases involve the Fourth Amendment, but First and Fourteenth Amendment issues have also arisen.82 Consistently throughout these cases, both conservative and liberal justices have expressed concern over the effects of technology on pri- vacy. The Courtâs concerns have frequently centered on the governmentâs compilation of large databases and the ability of advanc ing computer technology to analyze them. While review of data and privacy has largely been limited to govern mental rather than private use, the issues raised by the Court and the legal analysis offered in the decisions provide insights into a range of legal issues confronting airports and private stake- holders in the use of data. A. Carpenter and the Contours of Privacy Protections In June 2018, the U.S. Supreme Court in the case of Carpenter v. United States83 issued an opinion that significantly expanded privacy protections under the Fourth Amendment. In Carpenter, the Court concluded that cell site location in- formation (CSLI) that tracked a cellphoneâs whereabouts over an extended period was an unreasonable search and seizure. Addressing the individualâs informational privacy interest in this data, the Court set aside the long-established âthird-party rule.â84 This rule gave the government easier access to business records, like phone records and financial records, retained by third parties under the logic that the third-party possession of that data diminished or destroyed individual privacy. Carpenter rejected that notion and ushered in an era where the Court rec- 82 General applicability of the First and Fourth Amendments to activ- ities in airports is well documented. See e.g., Regulations Affecting the Exercise of First Amendment Activities at Airports, Natâl Acads. of Scis., Engâg, & Med. (2015); The Fourth Amendment and Airports, Natâl Acads. of Scis., Engâg, & Med. (2016), https://doi.org/10.17226/23500. 83 Carpenter v. U.S., 138 S. Ct. 2206 (2018). 84 The contours of the âthird part ruleâ were established in two Court decisions. See U.S. v. Miller, 425 U.S. 435 (1976) (concerning access to banking records); Smith v. Md., 442 U.S. 735 (1979) (concern- ing phone company records registering the incoming and outgoing calls). In these cases, the Court concluded that, despite some privacy interest on the part of the individual, a warrant was not required to access these third-party business records. be identified for follow-up processing. As the health- check screening is being conducted, passengers are provided with notice by the screening agent. That notice should specify consent and access process as well as information on access and redress. b. Choice/Consent: The consent of passengers to the health screening can be implied by their continuation with the passenger journey process. Given the senility of this data collection relating to health informa- tion, airports may wish to consider an opt-out pro- cess for passengers allowing for screening objectives to be accomplished in a different fashion. Passengers and employees provide consent to screening prior to gaining access to sterile areas beyond the screening checkpoint. c. Access/Participation: Programs providing health screening need to establish programs for individuals to access records retained health screening subjects, especially those from the EU and California, are af- forded the right to request their data be removed from a health-check system. d. Integrity/Security: HHS OCR has established data integrity and security protocols. For vendors per- forming these functions, best practices in data secu- rity must be assured through contracting as well as through audits. Audit support can be found through the HHS OCR. Detailed provisions need to be made to address potential data breaches of sensitive health- related information. e. Enforcement/Redress: Audit capabilities and rights should be addressed in internal policies as well as in contracts with vendors. Health-related data collection has federally mandated procedures for enforcement and redress. There may be additional state law provi- sions concerning the collection of health-related data. Both federal and state requirements should also be considered and accounted for with respect to poten- tial data breach occurrences, particularly ones involv- ing sensitive PII involving health-related information. F. Conclusion The five use cases illustrate more than approaches and solu- tions for specific challenges. They also cover the primary areas of privacy data used in airports today, while referencing a vari- ety of other privacy data types and uses. PPA use case analysis addressed video analytic use as well as cellphone tracking. The Security/Biometrics use case covered the biometric use prac- tices in support of check-in, screening, arrivals, and boarding. The ALPR use case examined both the administrative purpose of managing the commercial curb as well as law enforcement purposes. The airport digital marketplace use case covered web- sites, apps, Wi-Fi, as well as a CRM system. Lastly, the Health Checks use case addressed thermal imaging for detecting pas- sengers or employees who are exhibiting a fever. Each use case poses a unique set of legal considerations.
ACRP LRD 42 23 v. United States90 and Riley v. California,91 the Court observed that protection of privacy had to be a focus in the face of technol- ogy innovations. The central aim of the Framers was ââto place obstacles in the way of a too permeating police surveillance.ââ92 Against this general backdrop of Fourth Amendment analy- sis, the Court went on to examine the implications of govern- ment access to CSLI without a warrant. While previous caselaw had affirmed the ability of law enforcement to conduct surveil- lance of an individualâs movements using sensory enhancing technology like beepers,93 advancements in technology, like global position systems (GPS), raised serious questions of easily conducted extensive pervasive surveillance.94 Looking to the two concurring opinions of five Justices in Jones,95 the Court acknowledged the fact that technology devel- opments in the fields of surveillance and tracking raise signifi- cant and legitimate privacy concerns. The amount of location data acquired and processed by government using modern technology raises the specter of persistent mass surveillance, inconsistent with Fourth Amendment protections. The Court went on to conclude that, like the GPS data that raised concerns in Jones, the CSLI data raised similar possibilities of tracking the whole of a personâs movements such that the Court concluded it gives rise to reasonable expectations of privacy. Thus, access- ing that data constituted a search cognizable under the Fourth Amendment. The Carpenter decision offers many lessons on the Courtâs perceptions of data privacy. Of course, the opinion has direct applicability to any airport law enforcement use of CSLI for in- vestigative purposes. However, beyond that, the opinion should serve as a cautionary tale for airports looking to collect data either directly from individuals or through third parties. The Carpenter decision evidences deep concern over the need to control and limit government use data, particularly the prolif- eration of data that characterizes life in the digital age. Of sig- nificance is the fact that the Court was willing to set aside long- standing precedent concerning privacy interests in data held by third parties to extend privacy protections. The history of the Courtâs focus on this issue demonstrates a willingness to rethink government use of established informational tools to ensure protection of privacy, even where any specific data may have no significant privacy protections at the time of collection. 90 533 U.S. 27 (2001) (use of thermal imaging technology on a resi- dence is a search requiring a warrant). 91 573 U.S. 373 (2014) (storage capacity of cellphones generally pro- hibits search of such devices incident to arrest absent a warrant). 92 Carpenter v. U.S., 138 S. Ct. 2206, 2214 (2018) (quoting U.S. v. De Ri, 332 U.S. 581, 595 (1948)). 93 U.S. v. Knotts, 460 U.S. 276 (1983). 94 Jones, supra, note 88. 95 Id. ognizes a right to informational privacy protectable under the Fourth Amendment. Chief Justice Robertsâ majority opinion noted the near ubiq- uitous adoption of cell phones and the acceptance of the cellular network systems that enables the devices to work. The Chief Justice also discussed the abundance of data created though cellular service systems.85 In its legal analysis, the majority began by noting that one of the principal functions of the Fourth Amendment was to âsafeguard the privacy and secu rity of indi- viduals from arbitrary invasion by government.â86 The Court then discussed the evolution of Fourth Amendment juris- prudence from a purely property-based concept, where trespass was required before a Fourth Amendment violation could be established, to a focus on a reasonable personâs expectations. The expanded focus of the Fourth Amendment protects an indi- vidualâs expectations of privacy that âsociety is prepared to ac- cept as reasonable.â87 Citing its 2012 decision in Jones v. United States,88 the Court observed that claims of trespass as well as a claim of a reasonable expectation of privacy can provide a basis for Fourth Amendment challenge to government action.89 The Court went on to make a general observation regarding the effect of technology on the privacy rights originally secured by the Fourth Amendment. Referring to prior decisions in Kyllo 85 Cell phones continuously send signals looking for available cell sites so that voice communication and data transfers can occur. The record of these transmissions creates the CSLI, which allows for the plotting of the general location of a cellphone at specific times. The closer together the cell sites are the more accurate the location. 86 Carpenter v. U.S., 138 S. Ct. 2206, 2213 (2018) (citing Camara v. Mun. Cty. Ct. of City & Ctv. of S.F., 387 U.S. 523, 528 (1967)). 87 Carpenter v. U.S., 138 S. Ct. 2206, 2208 (2018) (citing Smith v. Md., 442 U.S. 735, 740 (1979)). 88 565 U.S. 400 (2012). 89 In Jones, the Court reviewed actions of the FBI, which had implanted a GPS tracking device on the defendantâs vehicle and tracked its movements for a period of 28 days. This surveillance was undertaken without a warrant. The majority opinion, joined by four justices, con- cluded that the actions of the FBI in trespassing upon the vehicle to plant the GPS device constituted a violation of the fourth amendment. Four other justices in a concurring opinion authored by Justice Alito, concluded that it was not the trespass but rather the governmentâs actions of tracking the vehicle for 28 days that constituted a violation of the Fourth Amendment because the defendant has a reasonable expec- tation of privacy in his location over a prolonged period of time. Those Justices suggested that because GPS technology had so significantly changed the ability of government to surveil individuals allowing for the easy collection of location data over lengthy periods of time, impos- sible through traditional human surveillance techniques, the use of GPS tracking without a warrant violated privacy protections of the Fourth Amendment. In a separate concurring opinion, Justice Sotomayor indi- cated she found the arguments of both the majority and the concurring justices to be persuasive that both a trespass and expectation of privacy could serve as a basis in that case for a claim of a Fourth Amendment violation. However, because she found the trespass basis narrower, she joined in the majority opinion. Thus, while there were in fact five jus- tices (a majority) who felt the aggregation of location data over the 28 days constituted a violation of the Fourth Amendment, that was not the controlling precedent of the case.
24 ACRP LRD 42 tional surveillance for any extended period of time was difficult and costly and therefore rarely undertaken. The surveillance at issue in this caseâconstant monitoring of the location of a vehicle for four weeksâwould have required a large team of agents, multiple vehicles, and perhaps aerial assistance. Only an investigation of unusual importance could have justified such an expenditure of law enforcementÂ resources. Devices like the one used in the present case, however, make long-term moni- toring relatively easy and cheap.100 The significance of this line of analysis regarding aggre- gated data is that while at the time of collection, information may have had no privacy protections, or more limited privacy protections, additional protections may be required once data is aggregated. As noted above, this analysis articulated in Whelan, Reporters Committee, and Jones appears to have been adopted in the majority opinion in Carpenter. This concern over aggrega- tion of data in government hands should be a consideration of airports in their decision about collecting and compiling data on individuals. 2. Absence of a Comprehensive Approach One case highlighting the vagaries of U.S. protection for in- formational privacy is the 2011 decision of the U.S. Supreme Court in NASA v. Nelson,101 In Nelson, the Court addressed the issue of personal privacy with respect to background in- vestigations for government contractors. The Court ultimately affirmed the actions of NASA in conducting the background checks, concluding that consistent protections existed under the Privacy Act of 1974.102 However, the majority opinion in Nelson alluded to the ex- istence of an undefined constitutional protection for privacy,103 identifying no decision where those protections are defined specifically. The absence of such a specific privacy protection has been a source of continued constitutional debate. Justice Scalia in his concurring opinion sharply criticized the major- ityâs suggestion of a constitutionally established right of privacy. While he thought protection of privacy might be a good idea, he argued that â[a] federal constitutional right to âinformational privacyâ does not exist.â104 The absence of citation to a specific constitutional reference to the right to privacy is a theme that has characterized Supreme Court decisions since the notion of information privacy was first raised in the 1970s. 3. Value of Legislative Action The Scalia concurrence in Nelson showcases not only the debate over the existence of comprehensive constitutional pro- tections for privacy, but also echoes the Courtâs notion that the 100 Id. at 429-30 [citations omitted]. 101 362 U.S. 134 (2011). 102 5 U.S.C. Â§ 552a.Â 103 Nelson, 362 U.S. at 138 (citing Whalen v. Roe, 429 U.S. 589, 599- 600 (1977); Nixon v. Admin. of Gen. Servs., 433 U.S. 425, 457 (19770). The Court in Nelson notes a broad reference in those cases to privacy interests in avoiding the disclosure of personal matters. Id. 104 Id at 159-60. B. Recurrent Themes in Supreme Courtâs Privacy Analysis Several themes have continually arisen in opinions where the Court has wrestled with informational data privacy. These themes include: â¢ The danger of government data aggregation and chang- ing privacy characteristics; â¢ The absence of a comprehensive approach to privacy pro- tection; â¢ The need for legislative protections in the face of emerg- ing technology; and â¢ The changing privacy expectations in response to emerg- ing technology. These themes demonstrate the Courtâs evolving conception of privacy protections that change as technology develops revo- lutionizes aspects of peopleâs daily lives. 1. Data Aggregation Starting with its decision in Whelan in the late 1970s, the Court in dicta expressed concern over government possession of large aggregations of personal data: A final word about issues we have not decided. We are not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files.96 The Court went on to note that while protection against un- warranted disclosure of personal information might have con- stitutional implications, the protections afforded in that case were adequate. Thus, the question was not ripe for decision. Department of Justice v. Reporters Committee for Freedom of the Press,97 expressed similar concerns over data aggrega- tion. In Reporters Committee, the Court extensively addressed the subject of privacy without providing a precedential ruling. The Court reviewed decisions concerning a request under the Federal Freedom of Information Act (FOIA) for criminal his- tory data. The Court observed that while records of arrest and prosecutions were publicly available, the difficulty of finding and compiling them provided some protections for individual privacy.98 It also noted that large aggregations of data not only posed a threat, they also changed the character of the data stored. Discrete pieces of information that may have at the time of collection been publicly accessible were changed in their nature by compilation over time.99 More recently, the concern about data aggregations was adopted by five Justices in the two concurring opinions in Jones. For example, in his concurrence Justice Alito observed: In the precomputer age, the greatest protections of privacy were neither constitutional nor statutory, but practical. Tradi- 96 Whelan v. Roe, 429 U.S. 589, 605-6 (1977) (citations omitted). 97 489 U.S. 749 (1989). 98 Reporters Committee, 489 U.S. at 764. 99 Id.
ACRP LRD 42 25 concluded it ârisks errorâ111 in adjudicating whether reason- able expectations of privacy exist or have been violated. This position is understandable as the judiciary is relatively insu- lated from electoral politics and, thus, less accountable than the other branches for any pronouncements regarding what society thinks is reasonable. Similar to the concerns raised in Quon regarding technol- ogyâs ability to change privacy expectations are the ones that appear in Riley v. California.112 There, the Court examined an individualâs privacy rights in data on a cellphone possessed at the time of arrest. Flatly rejecting the governmentâs position that searching a cellphone was âmaterially indistinguishableâ from previously approved searches of physical items in an arresteeâs possession, the Court explained â[t]hat is like saying a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together.â113 In reaching its con- clusion, the Court detailed the extensive amount of information routinely contained in cellphones and growing reliance on those devices by individuals in everyday life. The result in Riley was the Courtâs decision to overturn long standing precedent concerning the ability to of law enforcement to search the items in possession of an arrestee at the time of arrest. As was the case subsequently in the Carpenter decision, the Court concluded that technology adoption changed the indi vidualâs and societyâs expectations of what was private. The lesson from this line of opinions is that things once thought not to be privacy-protected might change in character as technol- ogy develops and becomes more embedded in peopleâs lives. While the Supreme Courtâs assessment of privacy in the cases outlined above applies only to activity conducted by govern- ment, the Courtâs analysis offers interesting perspectives about what is a legitimate expectation of privacy and what measures serve to protect those expectations. Quon, Jones, and Riley dem- onstrate how the Court anticipates the possibility of changing expectations of privacy. As the population adapts to using new technologies, especially in the context of communication, the parameters of privacy will continue to evolve. Overall, the arc of the Supreme Courtâs review of privacy, particularly under the Fourth Amendment, has been to move in the direction of privacy protection. The increasing pace of data collection and the ability of government to access data is a matter of significant concern. Even justices who have concluded there is no constitutional protection for data privacy under the Fourth Amendment have indicated that protection of data and limitation of government use of data are matters that command the attention of the legislative branch. There is near universal ac- ceptance of the notion that the advances in technology are out- pacing the ability of courts to effectively regulate privacy protec- tion. There is also a consensus that technology is changing how the public views privacy and even the fundamental question of what kinds of information are even private. 111 Id. 112 Riley v. Cal., 573 U.S. 373 (2014). 113 Id. at 393. legislative branch and not the Court should be the source of such a right. Justices Scaliaâs invitation for legislative action (or at the least the observation of an absence of it) is a good example of the Courtâs concern over lack of legislative involvement.105 In other cases, different members of the Court have acknowledged the need to defer to the legislative branch in dealing with emerg- ing surveillance technologies that can adversely impact indi- vidual privacy rights. In Jones v. United States,106 a case involving warrantless use of GPS surveillance, Justice Alito in his concurrence observed: In circumstances involving dramatic technological change, the best solution to privacy concerns may be legislativeâ¦ A legislative body is well situated to gauge changing public attitudes, to draw detailed lines, and to balance privacy and public safety in a comprehensive way. To date, however, Congress and most States have not enacted statutes regulating the use of GPS tracking technology for law en- forcement purposes.107 The notion that legislatures are equipped to deal with pri- vacy protections were principal findings of the Court in both Whelan and Reporters Committee. In those cases, the Court was satisfied that legislative action had adequately secured the indi- viduals privacy interest. In contrast, however, is the decision in Carpenter, where the Court found the congressional protections for privacy for CSLI under the provisions of the Stored Com- munications Act108 inadequate to meet Fourth Amendment requirements. Thus, while legislative enactments may be useful in demonstrating that adequate privacy protections are estab- lished, those enactments are not a panacea. 4. Technology Fueling Changing Privacy Expectations by Individuals Related to the issue of legislatures as better suited than courts to deal with rapidly changing effects of emerging technology on informational privacy, are the Courtâs observations that emerg- ing technology itself is shaping the privacy expectations of indi- viduals. The Court has noted in addition to the pace of tech- nology change, which makes it difficult for courts rather than legislatures to react, there is also an evolving standard of privacy being driven by technology. In City of Ontario v. Quon,109 the Court observed that â[r]apid changes in the dynamics of com- munication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior.â110 Until there is clarity in how an emerging tech- nology has shaped societal expectations of privacy, the Court 105 In Nelson, Justice Scalia in his concurrence concludes, â[l]ike many other desirable things not included in the Constitution, âinfor- mational privacyâ seems like a good ideaâwherefore the People have enacted laws at the federal level and in the states restricting the govern- mentâs collection and use of information. But it is up to the People to enact those laws, to shape them, and, when they think it appropriate, to repeal them.â Id. 106 565 U.S. 400 (2012). 107 Id. at 429-30. 108 18 U.S.C. Â§ 2703(d). 109 560 U.S. 746 (2010). 110 Id. at 759.