Norton Rose Fulbright - Data Protection Report blog

The National Defense Authorization Act of 2018 (NDAA),[1] signed into law in December 2017, did not only authorize United States defense spending for the 2018 fiscal year – it also contained a section devoted to unmanned aerial systems.

The law notably reinstated[2] a U.S. Federal Aviation Administration (FAA) registration rule requiring the registration of all unmanned aerial vehicles (UAV) weighing between 0.55 and 55 pounds (between approximately .025 and 25 kilograms) with the FAA.  As of early January 2018, over one million UAVs have been registered thus far, of which 122,000 are commercial or public UAVs.

The law also included various privacy and security provisions that have received considerably less press.  These provisions allow the Department of Defense (DOD) to access communications from any UAV in limited circumstances.  Commercial manufacturers or commercial users of UAVs in the United States should consider how this law will impact future design or operation of UAVs.

The law grants the DOD the authority to identify, track, seize control of, or use “reasonable force to disable, damage, or destroy” UAV near any DOD “covered facility or asset.”  A “covered facility” is a facility relating to various missions of the DOD, including nuclear deterrence, missile defense, air defense, and protection of the President, among others.

The DOD may also work with the Department of Transportation (DOT) to issue regulations and guidance to carry out Section 1692.  The NDAA anticipates that further regulation may involve the interception, acquisition of, or access to, communications to or from the UAV.  To the extent communications are intercepted, the NDAA placed several privacy limitations on these communications:

  • First, access must be conducted in a manner consistent with the Fourth Amendment (which prohibits unreasonable searches and seizures, a privacy right that is significantly limited in comparison to privacy protections in the EU), and applicable federal law.
  • Second, communications may only be accessed to the extent necessary to support a function of the DOD.
  • Third, communication records may not be maintained for more than 180 days unless it is determined that the communication is necessary for a DOD function, or would support civilian law enforcement.
  • Finally, communications would not be disclosed outside the DOD unless disclosure served a function of the DOD, disclosure would assist a law enforcement or regulatory agency in a civil or criminal investigation, or disclosure was otherwise required by law.

Manufacturers and operators should consider whether they are likely to be affected by this new law.  UAVs are valuable and expensive assets that could be subject to destruction by the DOD.  Perhaps more importantly, UAVs may contain proprietary, confidential, or personal information that could be subject to interception by the DOD.  Manufacturers and operators should seek legal counsel in order to safeguard information communicated to or from a UAV to the extent that this information may also be protected by foreign privacy law, which often prohibits the transfer of information to foreign governments.  In addition, manufacturers of UAVs may have to update their privacy policies and consumer materials to reflect this new law.  Operators of UAVs should consider whether planned operations put them in the purview of a covered DOD facility or asset, or how this may affect commercial operators who work or plan to work with the DOD.

Special thanks to Susana Medeiros* for her assistance in drafting this post.

*Law Clerk–not admitted to practice law.

[1] Available at

[2] The FAA issued a final rule in December 2015 mandating registration of certain UAV.  The registration requirement was invalidated in a Washington, D.C. Circuit case, Taylor v. Huerta, 856 F.3d 1089, (D.C. Cir. 2017), as outside the scope of FAA’s statutory authority under the 2012 FAA Modernization and Reform Act.