The Ministry of Civil Aviation recently released the discussion draft of the National Unmanned Aircraft System (UAS) Traffic Management Policy, seeking to create the required infrastructure for UAS operations and to spell out the various aspects of UAS traffic management in India. This blogpost contains the comments we submitted to the Ministry on the draft policy.

  1. PRELIMINARY

This submission presents Ikigai Law's comments to the Discussion Draft of the National Unmanned Aircraft System (UAS) Traffic Management Policy (draft UTM Policy) released by the Ministry of Civil Aviation (MoCA) of the Indian government on 30th November, 2020. The submission highlights broad and specific concerns with the Policy with recommendations to address the same.

2. CONCERNS AND RECOMMENDATIONS

Section Existing Clause Proposed Change(s) Reason
5.2.1. According to the draft UTM Policy, the DigitalSky Platform will also act as a pan-India UTMSP, apart from being a central data archive and a central regulatory platform. DigitalSky's UTMSP will be hosted on the DigitalSky Platform and offer services similar to other UTMSPs. The DigitalSky UTMSP will be available to government and non-government stakeholders for the same services being offered by private UTMSPs. We recommend that the draft UTM Policy provide clarity on whether the DigitalSky UTMSP will be operating based on the data provided by UTMSPs, whether there will be a data sharing arrangement with the private players and whether they will be remunerated for such data sharing. If the Digital Sky UTMSP will be operating independently, similar to other player players, then the draft UTM Policy should clarify that the DigitalSky UTMSP will be operating on similar terms and subscription model as the plater UTMSPs. We think that this overlap in the services offered by private UTMSPs and the DigitalSky UTMSP may be a cause for concern for private players. If UTMSPs are being allowed to monetise the services offered by them, having a pan-India government operated DigitalSky UTMSP reduces the opportunities available for private players. Moreover, the private UTMSPs will only be operating in the allocated airspaces and not pan-India. Further, since the UTMSPs have to be integrated with the DigitalSky Platform and share real-time data with DigitalSky, there is no clarity on: (i) whether DigitalSky UTMSP will be utilising the data provided by the private UTMSPs; and (ii) whether there will be a data sharing arrangement with the private UTMSPs  under which they will be remunerated sharing data.
7.1. The draft UTM Policy requires all software and hardware UTM systems to be hosted in India. It further provides that the UTM system owner has to ensure that 'all types of data including user-provided, collected, generated, analysed and other similar data will reside in India', and is not accessed by any entity outside India. We recommend that the data localization aspect of drone-related data should not fall within the ambit of the draft UTM Policy and should be legislated under the PDP Bill or a specific law on non-personal data protection. There are two reasons why we think that this data localization requirement should be kept outside the ambit of the draft UTM Policy: (1) Data localization requirement for sensitive and critical data is being deliberated upon under the Personal Data Protection Bill, 2019 ("PDP Bill"). PDP Bill also empowers the Central Government to frame laws for protection of non-personal data. Therefore, until such deliberation is complete and the PDP Bill is passed, the draft UTM Policy should refrain from legislating upon the issue of data localization; and (2) Not all drone related data is sensitive or critical non-personal data. The Committee of Experts in their Report on the 'Non-Personal Data Governance Framework' ("CoE Report"), noted that the sensitivity to non-personal data comes from four perspectives: (a) national security or strategic interests; (b) risk of collective harm to a group (collective privacy etc.); (c) business sensitive or confidential information; and (d) anonymised data that bears risk of re-dentification. Data such as weather data, hazard data or even navigation for commercial operations such as delivery services cannot fall within the ambit of sensitive non-personal data. For instance, drone data on commercial operations in the agricultural sector are not sensitive and therefore are not required to be stored or processed, as indicated by the PDP Bill and the CoE Report.
7.1 As per the draft UTM Policy, "if any UTM system is to be hosted on the cloud, then such cloud service provider ("CSP") must be empanelled by the Ministry of Electronics and Information Technology (MeitY)". We recommend that the draft UTM Policy consider allowing CSPs which are not MeitY empanelled to participate in the UTM ecosystem. The draft UTM Policy could also require that such service providers, not empanelled with MeitY, should provide a declaration of compliance with the security standards prescribed by for MeitY as a pre-requisite for hosting UTM systems.    At present there are only 12 CSPs who are empanelled with the MeitY. However, there are several technology companies which provide cloud services in India and while they are preferred service provider to UTM providers, they are not empanelled with MeitY. This may act as a barrier for qualified service providers who will not be able to host UTM systems. Concerns regarding data security would be suitably addressed through the requirement that all CSPs would be required to comply with the security standards prescribed by the DGCA based on internationally accepted ISO standards.
7.1 As per the draft UTM Policy, a competent authority may conduct physical audit of the IT system to ascertain data security and privacy compliance of the UTM systems. We recommend that instead of a physical audit, the draft UTM policy can take a self-assessment approach whereby service providers have to maintain a quarterly internal audit report on compliance with data security and privacy norms. Such a report can be requested by the competent authority any time. There is no clarity on how, by whom or the frequency at which physical audits will be conducted. Clarity on these aspects is important from a business planning perspective. Physical audits have the potential to be counterproductive as the audit process can itself introduce opportunities for breaching the physical and logical security measures used in IT systems. This risk is a cause for concern for service providers as it could expose their IT systems even beyond those which are used for providing UTM services.    
Scenario 7 For autonomous drone operations for complex use cases, the draft UTM Policy states that the regulator may mandate bi-modal control capabilities on the UAS, for taking over control and command of the autonomous UAS in case of emergencies. We recommend that the draft UTM policy consider adopting a coordinated approach between the regulator and drone operators such that if there is any emergency, then the drone operator would be required to immediately halt the operations of the autonomous UAS or act in coordination with the regulator. We also recommend that the draft UTM Policy specify the categories of emergencies that may require such action. We appreciate the safety concerns which have prompted the requirement of sharing controls with the regulator. However, there is a practical challenge in that the regulator may not have the necessary expertise to pilot the model of UAV being used. The UAV operator would be much better equipped to pilot the UAV in emergency situations. To address the safety concerns, redundancy in the form of a back-up pilot and controls can be mandated for autonomous operations. Further, there is no clarity on the types of situations which would be considered "emergencies". Clarity on this is important for operators to plan and prepare standard operating procedures for such situations. The proposed changes will address the safety concerns as well as give drone operators the necessary clarity to better prepare SOPs for emergencies.
We recommend that the draft UTM policy stipulate a date on which it will be published as well as the date on which it will become operational. Further, the policy should clarify whether it will be implemented in the form of rules, CAR or a guidance document from the DGCA. The draft UTM policy is a great step towards truly opening the skies for drone operations in India We greatly appreciate the efforts which have gone into the preparation of the policy. Our recommendation is because clarity on timelines and modalities is important for the ecosystem to prepare in advance for the introduction of the policy.  

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.