Legal Implications of Data Collection at Airports (2021)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

ACRP LRD 42   41 These materials from the FTC offer examples of measures enterprise-owned network boundary.335 This defense approach that the FTC considers best practices in data protection and is particularly relevant during the COVID-19 pandemic and security. Naturally, consideration of these measures would be has broad-scale applicability to airport stakeholder employees helpful in the development of data protection practices. working from home. D. Other Executive Branch and Congressional E. Future Trends Initiatives The FTC continues to press for expansion of consumer pri- Addressing the increase in use of artificial intelligence, the vacy protections. Through its advocacy programs, the FTC has United States, by Presidential Executive Order,327 has established pressed for congressional approval of comprehensive privacy a federal initiative to promote U.S. leadership in the AI field. The and data security measures. Through its enforcement actions, initiative requires federal agencies to consider fairness, trans- the FTC has built an incremental common law of data pro- parency, safety, and security in deploying AI systems. It requires tection law. Those efforts align with international initiative to agencies to consider appropriate measures to disclose when AI strengthen data protection. Understanding FTC recommended is in use and to consider controls to ensure confidentiality and best practices and implementing them where possible will help integrity of information processed, stored, and transmitted in in establishing sound data collection and sharing practices at an AI system.328 airports. In addition to addressing AI, the executive branch has The FTC is clearly looking to expand its authority in ­privacy used the NIST to examine privacy issues. The NIST Privacy protection. In its 2020 report to the Senate Appropriations Framework,329 published in January 2020, offers guidelines for Committee, it noted enterprises to manage privacy issues. This work complements to better equip the Commission to meet its statutory mission to pro- other NIST efforts in cybersecurity.330 The FTC has also pro- tect consumers, we urge Congress to enact privacy and data security legislation, enforceable by the FTC, which grants the agency civil vided supportive comments on the proposed NIST Privacy penalty authority, targeted APA rulemaking authority, and jurisdic- ­Framework.331 tion over non-profits and common carriers.336 Among the efforts by NIST in cybersecurity is its Special Publication entitled Zero Trust Architecture.332 Zero trust archi­ tecture uses an evolving set of cybersecurity paradigms that VII. OVERVIEW OF STATE CONSTITUTIONAL employs defenses from network-based perimeters to focus on PRIVACY PROTECTIONS users, assets and resources.333 The basic premise assumes that Just as the U.S. Constitution affords protections for civil there is no implicit trust granted to assets or user accounts based l­iberties, so do the constitutions of the individual states. In fact, solely on their physical or network location or on asset owner- many state constitutional provisions offer greater individual ship.334 NIST views zero trust as a response to enterprise net- protections than those contained in the federal system. There- work trends that include remote users, bring-your-own-device fore, understanding the privacy protections established by state (BYOD), and cloud-based assets that are not located within an constitutions is necessary when advising airports about data collection. 327  Proclamation No. 13,859, 84 Fed. Reg. 3967 (Feb. 11, 2019), In some instances, state constitutions reflect specific protec- https://www.federalregister.gov/documents/2019/02/14/2019-02544/ tions for privacy. In others, the differences may not be readily maintaining-american-leadership-in-artificial-intelligence. apparent from the plain language of the constitutional provi- 328   See American Artificial Intelligence Initiative: Year One Annual sions. While such language may appear to parallel federal con- Report, The White House Office of Sci. & Tech. Policy (Feb. 2020), stitutional provisions, the interpretation of those provisions by https://www.whitehouse.gov/wp-content/uploads/2020/02/American- AI-Initiative-One-Year-Annual-Report.pdf. state courts may be different than the ones applied by federal 329   NIST Privacy Framework: A Tool for Improving Privacy Through courts. An examination of state law treatment of GPS track- Enterprise Risk Management, Version 1.0, Nat’l Int. of Standards & ing technology illustrates the way in which state constitutional Tech. (Jan. 16, 2020), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST. provisions can impact policies with respect to data collection CSWP.04162018.pdf. and use. While those cases concern criminal proceedings, their 330   See, e.g., Framework for Improving Critical Infrastructure Cyber- teachings with respect to government activities in data collec- security, Version 1.1, Nat’l Inst. of Standards & Tech. (Apr. 16, tion, particularly those activities that do not involve notice and 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018. pdf. consent form individuals whose data is collected. 331   Federal Trade Commission Staff Comment on the Preliminary With respect to express privacy protections, twelve states Draft for the NIST Privacy Framework: A Tool for Improving Privacy have specific constitutional provisions relating to a right to pri- Through Enterprise Risk Management, FTC (Oct. 24, 2019), https:// vacy. Other states have more generalized provisions with respect www.ftc.gov/news-events/press-releases/2019/10/ftc-staff-offers-­ comment-nists-proposed-privacy-framework. 335   Id. 332   Zero Trust Architecture, Nat’l Inst. Sci. & Tech. (Aug. 11, 336   FTC Use of Its Authorities to Protect Consumer Privacy and Security, 2020), https://www.nist.gov/publications/zero-trust-architecture. F.T.C. (2020), at 5, https://www.ftc.gov/system/files/documents/reports/ 333   Id. reports-response-senate-appropriations-committee-report-116-111-ftcs- 334   Id. use-its-authorities-resources/p065404reportprivacydatasecurity.pdf. 

42    ACRP LRD 42 to search and seizure, like those in the U.S. Constitution. How- ing greater protections to individual conduct than that afforded ever, under federalism, courts in those states are free to interpret under the U.S. Constitution. The action of some state courts, their constitutions as providing greater protections than those starting in the 1970’s to move of away from a “lockstep” inter- afforded by the U.S. Constitution. pretation of their constitutions with similar provisions in the The states with explicit privacy protections for ­privacy in- federal constitution is well documented.349 The introduction of clude: Alaska,337 Arizona,338 California,339 Florida,340 Hawaii,341 new data collection and surveillance capability resulting from Illinois,342 Louisiana,343 Missouri,344 Montana,345 New a proliferation of tracking technologies, and particularly the Hampshire,346 South Carolina,347 and Washington.348 While enhancements in tracking made possible by GPS technology, privacy protections follow no standard or pattern or template, raised challenges that some states courts found inadequately commonalities exist. Importantly, however, the interpretation addressed by federal law. The application of these technologies of a state’s constitutional protections falls under the exclusive ­offers a clear example of how state courts have used the provi- ­province of that state’s courts. While state courts occasionally sions of their state constitutions to address privacy concerns that look to decisions of other states or federal courts in reaching they believed federal protections did not adequately address. conclusions over similar provisions, no deference to the deci- This developing state jurisprudence involved both the rejection sions of other state or federal courts is required. Therefore, no of the lockstep doctrine and the reference to enhanced privacy such deference should be expected, although other state or fed- protections within the provisions of their state’s constitutions. eral opinions addressing analogous constitutional provisions State constitutional divergence from federal protections con- may be persuasive for matters of first impression. cerning surveillance and tracking begins with the Oregon State Some state constitutions declare an express right of privacy. Supreme Court decision in State v. Campbell.350 There, that court Those states include Alaska, California, Illinois, Florida, and provided additional protection against public surveillance activ- Montana. The constitutions of Arizona and Washington discuss ities based on its interpretation of provisions in the state’s con- protection of “private affairs.” The distinction between “privacy” stitution. While the U.S. Supreme Court had concluded that the and “private affairs,” if any, is unclear, and case law addressing use of beepers to track suspects across public space was permis- any potential distinction is scant. sible without a warrant,351 the Campbell court concluded that The state constitutional provisions establishing privacy such a practice was prohibited by the Oregon Constitution.352 rights generally reference the need to limit government activ- As the capability of tracking surveillance was enhanced with ity or provide protection concerning government actions like the advent of GPS technology, additional state courts addressed searches and seizures. Some of the state constitutional provi- associated privacy issues. In 2003, the Washington Supreme sions like those found in Hawaii, Illinois, Louisiana, and South Court concluded that its constitution prohibited the practice Carolina, provide protection for “invasions of privacy” in addi- of government use of GPS for tracking without a warrant.353 tion to protections against “unreasonable searches and seizures.” In 2009, courts in Massachusetts354 and New York355 also con- In four states, Hawaii, Illinois, Louisiana, and Missouri, consti- cluded that their constitutions precluded GPS tracking in the tutional protections for electronic communications are explicit. absence of a warrant. Unlike the decision of the Washington Moreover, some provisions guaranteeing a privacy right, like Supreme Court in Jackson, which relied on express protections those found in the constitutions of Alaska, Arizona, California, in the Washington Constitution, the courts in Massachusetts in and Washington, are drafted so broadly that they might be in- ­Connolly, and New York in Weaver, rejected the lockstep doc- terpreted to address private conduct. The implications of these broad grants of privacy right have yet to be fully explored by 349   See, e.g., Robert F. Williams, State Courts Adopting Federal Con- state courts. stitutional Doctrine: Case-by-Case Adoptionism or Prospective Lockstep- In addition to the provisions in state constitutions that ex- ping, 46 Wm. & Mary L. Rev. 1499, 1499 (2005); Helen W. Gunnarsson, pressly protect “privacy,” however styled, there are instances The Limited Lockstep Doctrine, 94 Ill. Bar J. 340, 340 (July 2006). where provisions of state constitutions protecting against un­ 350   759 P.2d 1040 (Or. 1988). reasonable searches and seizures have been interpreted as grant- 351   U.S. v. Knotts, 460 U.S. 276 (1983). 352   Movement by state courts away from the federal interpretation 337   Alaska Const. art. 1, § 22. of privacy rights regarding use of tracking devices was not universal. The Nevada Supreme Court expressly rejected adoption of the approach 338   Ariz. Const. art II, § 8. in Campbell to provisions of the Nevada Constitution. See Osburn v. 339   Cal. Const. art. I, §§ 1, 23. State, 118 Nev. 232 (Nev. 2002). 340   Fla. Const. art. 1, § 12. 353   State v. Jackson, 76 P.3d 217 (Wash. 2003). 341   Haw. Const. art. I, §§ 6, and 7. 354   In Commonwealth v. Connolly, 913 N.E.2d 356 (Mass. 2009) 342   Ill. Const. art. I, § 6. (provisions of Article 14 of the Massachusetts Declaration of Rights 343   La. Const. art. I, § 5. addressing privacy are more expansive than Fourth Amendment pro- 344   Mo. Const. art. I, § 15. tections requiring a warrant for GPS tracking). 345   Mont. Const. art. II, § 10. 355   People v. Weaver, 909 N.E.2d 357 (N.Y. 2009) (holding that pro- visions of the New York Constitution addressing privacy are more 346  N.H. Const. art. 2-b. expansive than Fourth Amendment protections requiring a warrant for 347  S.C. Const. art. I, § 10. GPS tracking, and that a similar outcome would occur under the Fourth 348   Wash. Const. art.1, § 7. Amendment).