Air, Business News, FAA

FAA Releases Privacy Impact Assessment for Part 108 BVLOS Rule

By Inside Unmanned Systems

The U.S. Department of Transportation has published a Privacy Impact Assessment (PIA) tied to the Federal Aviation Administration’s proposed Part 108 rulemaking on Beyond Visual Line of Sight (BVLOS) drone operations.

U.S. Army National Guard photo by Sgt. Don N. Kazery, III

The document provides a framework for how the FAA will handle personal and business information submitted under the new regulatory regime, ensuring that privacy safeguards are in place as BVLOS becomes normalized in U.S. airspace.

Establishing a Privacy Baseline for BVLOS

The FAA notes that many BVLOS operations anticipated under Part 108 will be commercial. Because operators, manufacturers, and third-party service providers will be required to submit applications, compliance records, and operational data through new FAA online portals, the agency conducted a PIA under the E-Government Act of 2002 and the Privacy Act of 1974. The assessment identifies what information could be collected, how it will be used, and what protections are in place to mitigate risks.

Key goals outlined in the PIA include:

  • Ensuring system design decisions account for privacy risks.
  • Holding FAA accountable for compliance with federal privacy law.
  • Providing transparency about data flows in the proposed permitting and certification systems.
  • Minimizing the collection of personally identifiable information (PII) to only what is necessary for safety oversight.

What the Rule Proposes

The Part 108 NPRM—directed by Congress in the FAA Reauthorization Act of 2024 and reinforced by Executive Order 14307, “Unleashing American Drone Dominance”—would establish a performance-based pathway for routine BVLOS operations. The framework introduces two tiers of authorization:

  • Operating permits for smaller, less complex operations.
  • Operating certificates for higher-risk or larger-scale missions.

In addition, a new certification process for automated data service providers, such as UAS Traffic Management (UTM) suppliers, would be established under proposed Part 146. Applicants would need to demonstrate compliance with performance, cybersecurity, and interoperability standards.

Information Systems and Data Collection

If finalized, the rule would create FAA portals for:

  • Manufacturers, to submit declarations of compliance for airworthiness acceptance.
  • Operators, to apply for permits or certificates and report operational data, including flight hours, interruptions, and safety events.
  • Service providers, to seek certification and authorization for UTM and related services.

The PIA emphasizes that while no PII is being collected yet, any future systems will follow federal security and privacy controls (including NIST SP 800-53 standards). Data would not be shared outside the FAA unless legally required, and individuals would have rights to access or correct their records.

The release of this PIA highlights the FAA’s effort to balance innovation and privacy as it pushes to normalize BVLOS operations. For defense, public safety, and commercial stakeholders, it provides clarity that operational data will be subject to strict privacy oversight while enabling scalable, routine BVLOS flights.

Public comments on the Part 108 NPRM remain open through October 6, 2025.

Related Articles