GeoAI and the Law Newsletter

Keeping geospatial professionals informed on the legal and policy issues that will impact GeoAI.

Summary of Recent Developments in GeoAI and the Law

This weeks’ newsletter will focus on the privacy issues associated with geospatial information and include a deep dive into the American Privacy Rights Act of 2024 – a comprehensive federal data protection bill recently introduced in Congress. Privacy is an important issue in AI in general, but particularly so for GeoAI, given the power of location to identify an individual, his or her behaviors or activities, or track someone’s movements. As a result, GeoAI professionals should be mindful of legal developments in privacy law at both the federal and state level, particularly with respect to how location information is defined and treated in various laws and regulations, as they build AI systems and applications. 

Recommended Reading

Germany: BSI publishes guide on generative AI models

A publication from Germany’s Federal Office for Information Security that gives an overview of the opportunities and risks of LLMs and suggests possible countermeasures.

American Privacy Rights Act of 2024

A comprehensive data protection bill recently introduced in Congress.

France’s Data Protection Authority publishes recommendations for using artificial intelligence technologies while ensuring the protection of personal data. (in French)

Consumer Protections for Artificial Intelligence

A bill recently introduced in Colorado’s state legislature.

The Deep Dive

Each week, the Deep Dive will provide a detailed analysis on how a particular legal matter (e.g., a case, law, regulation, policy) pertaining to AI could impact the geospatial community and/or GeoAI in particular.

A recent WSJ article discussed insurers using images collected from drones and satellites to take images of policyholders' homes and properties. The article, referenced here, was published at the same time as a draft of the American Privacy Rights Act of 2024 (the “Act”) was released. The Act – which some have suggested has a chance of passing Congress this legislative session – could have significant impact on businesses that collect and use overhead imagery (e.g., imagery collected from drones, crewed aircraft and even satellites).

The Act applies to “covered data,” which is defined as “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to one or more individuals” [emphasis added]. As the WSJ article highlights, because overhead image essentially contains at least three pieces of data (i.e., the data on the image, a lat/long and a time stamp), imagery of property can be easily linked to an address and thus the property owner.

Businesses subject to the Act have certain obligations with respect to “covered data.” These include (with some limited exceptions) not collecting, processing, retaining, or transferring covered data (1) beyond what is necessary, proportionate, and limited to provide or maintain (A) a specific product or service requested by the individual to whom the data pertains or (B) a communication by the covered entity to the individual reasonably anticipated within the context of the relationship.

Some geospatial information may also be considered sensitive, and therefore subject to additional requirements. For example, that Act provides that covered entities may not transfer “sensitive covered data” to a third party without the express consent of the individual to whom such data pertains. “Sensitive covered data” includes “precise geolocation information,” which is defined in the Act as information that “reveals the past or present physical location of an individual or device with sufficient precision to identify (A) street-level location information of such individual or device; or (B) the location of such individual or device within a range of 1,850 feet or less.” While an overhead image is unlikely to be sufficient to identify an individual on their own (or in a crowd) it could be reasonably linked to other data, such as an address, to constitute “street-level location information” of such individual.

As currently written, many geospatial companies could be considered covered entities (i.e., entities subject to the Act). Covered entities are defined as “any entity that, alone or jointly with others, determines the purposes and means of collecting, processing, retaining, or transferring covered data.” While a service provider is not subject to the most onerous provisions of the Act, the determination as to whether a company is a service provider or a covered entity depends “on the facts surrounding, and the context in which, the data is collected, processed, retained, or transferred.” Given the complex nature of the geospatial ecosystem, it may be difficult for a business to determine whether it is a covered entity or a service provider in any given context.

Small geospatial companies may not feel that the Act will apply to them as there is an exemption for “small businesses” However a “small businesses” is defined as a business (i) whose average annual gross revenues for the period of the 3 preceding calendar years did not exceed $40,000,000; (ii) that, on average, did not annually collect, process, retain, or transfer the covered data of more than 200,000 individuals for any purpose other than initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product; and (iii) that did not transfer covered data to a third party in exchange for revenue or anything of value. The last two points (i.e., (ii) and (iii)) are significant: if remote sensing data is considered covered data, many imagery providers and users likely would not be exempt.

Businesses subject to the Act have several requirements. For example, in addition to the restrictions on the collection and transfer of covered data, covered entities would also be required to respond to requests from individuals to (i) access and to correct any inaccuracies in covered data associated with them, (ii) delete such covered data and (iii) to the extent feasible (and subject to restrictions on derived data if the export of such derived data would result in the release of trade secrets or other proprietary or confidential data) export covered data as requested by the individual. Given the nature of how overhead imagery is collected and used, satisfying these requirements would be a challenge for many organizations.

Recent statements from the Federal Trade Commission (FTC), the U.S. federal agency with the greatest enforcement authority pertaining to privacy matters, highlights why it will be important from a GeoAi standpoint to determine whether overhead imagery is covered data under the Act (or any other data protection law that is adopted at the federal or state level.) The FTC recently published in a blog post that “it may be unfair or deceptive for a company to adopt more permissive data practices—for example, to start sharing consumers’ data with third parties or using that data for AI training—and to only inform consumers of this change through a surreptitious, retroactive amendment to its terms of service or privacy policy.” Moreover, FTC Chair Lina Khan is reported to have said “that sensitive personal data that is linked to health, geolocation and web browsing history should be excluded from training artificial intelligence (“AI”) models.”

We will continue to follow developments in privacy law as they will become even more complex given the increase in other types of data being collected from aerial and satellite platforms (e.g., radar, infra-red, LiDAR).

GeoAI and the Law is not legal advice. The reader should consult with a trained lawyer on legal matters associated with GeoAI.