In 2019, the European Union (EU) passed regulations for the aviation safety of civilian drones. They aim to foster innovation and ensure the safe integration of drones of all sizes into European airspace.
This move was also meant to harmonize drone rules throughout the EU, as the previous framework only covered drones weighing over 150 kilograms, which led to fragmentation of rules in different states.
Yet, these ‘harmonized’ rules fall short in harmonizing regulators, which remains a general problem for consistent EU regulations.
In drone regulations, state regulators are empowered to either allow or reject certain innovative operations, such as urban delivery by small drones. These operations fall under the so-called ‘Specific’ category, in the language of the regulations, and can only be performed if the state authority allows them.
For this purpose, the drone operator is required to conduct a comprehensive risk assessment that includes an operational description, associated risks, safety objectives, and mitigation measures.
These aspects are vaguely defined in the regulation so that they can fit all sorts of operations. Here, state regulators would ascertain whether the risks, objectives, and measures, as stated by the operator, align with the given operation and whether they are satisfactory for safety purposes.
Subjective oversight by different regulators does not guarantee harmonious interpretation. This issue usually accompanies a performance-based approach, such as the one adopted in these regulations. While it allows more flexibility for drone operators to define safety objectives, risks and measures, it also implies the possibility of an interpretation that conflicts with the authority's.
The interpretation could be exceedingly conservative or liberal. Both extremes would be challenging for drone regulation, as one state authority may deny outright an operation request which another state would be more inclined to accept. While it is a hypothetical scenario, reality may not be so different.
At the recent European Drone Forum (EDF) Conference, an official from the German Aerospace Center voiced similar concerns while referring to the special risk assessment methodology introduced by the EU aviation safety agency (EASA). He called for its standardization so that all the authorities could judge the risk assessment in the same way. The EASA’s recommended methodology is quite detailed, yet it could not eliminate this problem. It is the drone regulators’ call that would legitimize an operation. A variation between them could generate conflicting authorizations and in turn jeopardize regulatory goals.
The concern regarding the incoherent behavior of EU regulators is not far-fetched. Researchers have found contrasting styles of risk analysis and opposing conclusions by different authorities in the case of EU-wide food safety regulations.
We can also see the disparity in regulators’ behavior when it comes to the enforcement of the EU General Data Protection Regulation (GDPR). The Irish Council of Civil Liberties (ICCL) highlighted this problem through a comparative analysis which shows that the Spanish authority, with comparatively fewer resources, has produced more draft decisions than the Irish authority. This case is not just about inaction: the Irish authority faces heavy criticism from privacy advocates for being too lenient towards big tech companies such as Facebook.
While the variation could confuse drone operators, it can also lead them to choose favorable states for authorization. Here, another problem is that the authorization would also apply to non-authorizing states. Those states could not raise concerns about the entire risk assessment but only about a small portion of it.
So, what if the non-authorizing state is dissatisfied with the overall risk assessment? There is no clear answer in the regulation.
Interestingly, an operator is not even barred from applying for authorization from another member state after being rejected by one member state. So, if a member state, say Estonia, denies operational authorization, the operator could still approach the Austrian authority for authorization of the same operation. Ideally, the latter authority should also reject it, but what if the Austrian authority reaches a different conclusion? If Austria allows the operation, it will impute a certain legitimacy to operations in Estonia as well.
We are also aware that authorities could reach opposing conclusions despite a unified regulation. For instance, recently, the interpretation of the GDPR by the Irish data protection authority, in a case against Facebook, was taken as an absolute cessation of privacy rights by its Norwegian counterpart. It is also important to note that drone regulations do not contain a consistency mechanism akin to that of the GDPR, where the lead authority coordinates with other concerned authorities to reach a final decision.
It shows that drone regulations somehow assume that all the competent authorities would oversee risk assessment — with its qualitative aspects — and consequently approve an operation in a unified manner.
However, this is not to argue that regulators would never be on the same page. Such harmony was recently witnessed for a heavy cargo delivery by Flying Basket. Their initial operational authorization by the Italian authority was also accepted by the German and Austrian authorities.
However, I wonder whether this harmony will be sustained as more operational requests emerge under this regime. The potential inconsistency amongst regulators is one of the many concerns that will emerge in the future as more drones start permeating European airspace.
It remains to be seen whether more experience will allow more clarity and consistency amongst drone regulators. The issue at hand relates to the regulatory approach for drones as well as the varied behavior of member state regulators. These factors ought to be considered by EASA, as it produces more guidelines, and the EU, as it endeavors to harmonize rules.