Data Governance for Civilian UAVs: Balancing Safety and Development in the Low-Altitude Economy

The ascendance of the low-altitude economy as a pivotal manifestation of new quality productive forces has positioned civilian Unmanned Aerial Vehicles (UAVs) at the forefront of a transformative economic paradigm. The scalable application of civilian UAV technology is rapidly evolving into a primary growth engine, permeating diverse sectors such as logistics, precision agriculture, infrastructure inspection, emergency response, and aerial cinematography. This expansion is fundamentally data-driven; modern civilian UAVs are sophisticated data acquisition and processing platforms, equipped with multi-modal sensors capable of scanning, mapping, and gathering vast amounts of spatial, visual, and operational data across wide domains. The integration of artificial intelligence further augments their capabilities, enabling autonomous data mining, deep analytics, and the generation of valuable derivative data. However, this very capability creates a profound governance paradox: the immense potential for economic development is inextricably linked to significant risks arising from data misuse and technological disorder, leading to a critical imbalance between safety and development imperatives.

The core of this paradox lies in the dual nature of data generated and processed by civilian UAVs. While it serves as the essential feedstock for innovation and service optimization in the low-altitude economy, it also encompasses sensitive personal information, critical public data, and operational parameters vulnerable to malicious interference. The existing regulatory framework, though evolving, exhibits significant gaps. It often struggles to keep pace with the rapid technological iteration of civilian UAV systems, leading to a structural misalignment between governance mechanisms and industry realities. This paper argues that resolving the safety-development tension requires a paradigm shift in data governance. We propose integrating the core tenets of data security theory with the adaptive principles of agile governance to construct a holistic, responsive, and balanced governance pathway. This pathway must be anchored in a localized governance philosophy, supported by a systematic legal-institutional framework, and operationalized through an inclusive and multi-stakeholder governance architecture.

I. The Dual Realities: Governance Challenges in Civilian UAV Data Applications

The lifecycle of a civilian UAV—from manufacturing and deployment to operation and decommissioning—is intrinsically a data lifecycle. The governance challenges manifest across different layers of the data environment, creating internal dilemmas of data misuse and external dilemmas of technological disorder. The following diagram and analysis delineate this conduction path.

| Data Environment Layer | Governance Risk | Risk Causes | Governance Domain | Resulting Dilemma |
|---|---|---|---|---|
| Closed Layer (Data-at-Rest: storage, trusted sharing) | Data subject rights infringement; Unauthorized internal access. | Ambiguous data subject responsibilities; Failure of data controller obligations. | Internal Governance & Accountability Domain | Internal Dilemma: Data Misuse |
| Semi-Open Layer (Data-in-Process: collection, analysis, deep application) | Personal information leakage; Public data security breaches; Algorithmic opacity. | Panoramic data capture without discrimination; Lack of preemptive safeguards; Black-box AI models. | Endogenous Risk Domain | |
| Fully Open Layer (Data-in-Transit: cloud sync, open sharing) | Data hijacking (e.g., GPS spoofing); Signal link attacks; Third-party service interference. | Technical ecosystem fragility; Vulnerability to external cyber-physical attacks. | Exogenous Risk Diffusion Domain | External Dilemma: Technological Disorder |

A. Internal Dilemma: The Perils of Data Misuse

Within the internal and semi-open layers, data misuse primarily threatens individual privacy and public data security.

1. Personal Information Infringement: Civilian UAV operations implicate personal data in two key dimensions. First, user data—including identity, geolocation, biometric data (e.g., face from controller feeds), and identifiable flight logs—is collected during operation. The convergence of highly identifiable flight trajectories with geospatial data can escalate the consequences of a breach from individual harm to public safety threats. Second, bystander data is passively yet pervasively collected as civilian UAVs transit urban spaces, capturing faces, voices, and movements of non-consenting individuals. The stealth, accessibility, and speed of these devices make such collection hard to detect and regulate. While regulations may mandate broadcast-style identification, this is not synonymous with real-time infringement detection, creating a lag in remedy that often renders it ineffective. The rise of civilian UAV sharing platforms exacerbates this risk, creating complex “many-to-many” mappings between users, devices, and data that overwhelm traditional “one-to-one” governance models.

2. Public Data Security Risks: Civilian UAVs routinely collect public data such as high-resolution geospatial imagery, traffic patterns, and critical infrastructure layouts. Unlike data held by their government-operated counterparts, data collected by private civilian UAV entities often resides with individuals or corporations possessing weaker security postures, making it susceptible to illegal acquisition, leakage, or tampering. Incidents range from hobbyists illicitly imaging sensitive military installations to surveying firms inadvertently capturing data on secure sites. The proliferation of “black flight” services, disguised as “qualification certification” or “technical assistance,” further complicates enforcement, demanding a shift from front-end risk prevention to holistic, lifecycle-oriented data security oversight.

B. External Dilemma: The Chaos of Technological Disorder

In the fully open layer, civilian UAVs face threats from external actors exploiting technological vulnerabilities.

1. Malicious Data Hijacking: Current counter-UAV systems possess technical gaps that leave core data streams vulnerable. GPS spoofing, a primary method, involves overpowering legitimate signals with malicious ones, inducing navigational drift. More sophisticated attacks using trajectory fusion strategies can evade anti-jamming detection, creating an illusion of normal operation. Similarly, attacking the return-to-home signal link can commandeer a civilian UAV, leading to physical theft or data extraction. The miniaturization and operational ease of civilian UAVs also allow them to be repurposed as mobile signal relays for eavesdropping, posing a compound threat to both privacy and national security when coupled with their typically low cybersecurity defenses.

2. The Algorithmic Black Box: The integration of AI into civilian UAV autonomy creates an opacity dilemma. The drive for optimal system performance often sacrifices algorithmic transparency, resulting in data processing that is neither traceable nor explainable. This “black box” erodes the human-machine trust essential for safe integration into public airspace. From a governance perspective, it raises critical questions about ensuring citizens' right to know regarding data analysis and striking a defensible balance between protecting proprietary algorithms and upholding transparency obligations.

C. Root Causes of the Governance Impasse

The aforementioned dilemmas stem from systemic shortcomings in the current governance approach:

1. Lagging Governance Philosophy: While recent regulations like the “Interim Regulations on Flight Management of Unmanned Aircraft” introduce elements of preemptive management (e.g., real-name registration, airspace approval), a true preventative philosophy is absent in data-specific contexts. The common practice of indiscriminate, panoramic data capture by civilian UAVs increases redundancy and security exposure. Governance remains largely reactive, relying on post-incident law enforcement rather than proactive, systemic monitoring and early warning systems.

2. Incomplete Governance Framework: Significant blind spots exist in laws concerning data protection and utilization for civilian UAVs. While high-level principles are established, detailed rules on data security review subjects, procedures, and the legal status of passively collected bystander information are lacking. Crucially, the absence of clear data classification and grading standards tailored to the civilian UAV context—where industrial, telecom, transportation, and personal data converge—hampers effective, risk-based governance.

3. Misaligned Governance Architecture: Authority is fragmented. The Civil Aviation Administration of China (CAAC) holds primary regulatory responsibility but operates within a traditional bureaucratic structure that can be slow to adapt. Local law enforcement agencies bear the brunt of frontline enforcement without always possessing the specialized technical capacity, leading to coordination challenges and functional marginalization of the central regulator’s strategic role in data governance.

4. Outmoded Governance Tools: Regulatory focus and tools are concentrated on the production phase (e.g., hardware testing), forming a linear model. This neglects the need for a full lifecycle, matrix-based approach. Promising tools from adjacent fields—like Data Security Impact Assessments, Algorithmic Sandboxes, and Security-by-Design certifications—are underutilized in the civilian UAV domain, which remains anchored in physical-layer safety paradigms.

II. Theoretical Foundations for a New Governance Paradigm

Overcoming the current impasse requires moving beyond reactive, “campaign-style” governance. A new theoretical synthesis is needed, one that enriches data security theory with the dynamism of agile governance.

A. Data Security Theory: A Dual-Dimensional Framework

Data security theory provides the foundational values but must be interpreted through a dual lens: one focused on protective capacity (the ontological dimension) and the other on enabling development (the efficacy dimension).

1. The Ontological Dimension: Enhancing Security Capacity
This dimension concerns the foundational ability to safeguard. It can be modeled by a composite security function $S$ that depends on the security of its constituent elements:
$$ S = f(S_s, S_o, S_c) $$
Where:

  • $S_s$ represents Data Subject Security: The protection of rights for individuals, enterprises, and the state whose interests are embedded in the data. For civilian UAVs, this mandates layered governance differentiating personal, corporate, and national data.
  • $S_o$ represents Data Object Security: The safeguarding of data’s integrity, confidentiality, and availability throughout its dynamic lifecycle. This is the value-oriented core of security, protecting the data’s utility and the legal interests it embodies.
  • $S_c$ represents Data Carrier Security: The protection of the physical and logical mediums (processors, storage, cloud, algorithms). This is the critical enabling element, as attacks here are the primary cause of technological disorder. It requires advanced cryptographic and anonymization techniques.

2. The Efficacy Dimension: Promoting the Digital Economy
This dimension represents the theory’s value leap—security as an enabler, not just a constraint. The development goal $D$ (e.g., economic growth, innovation) is maximized under security constraints:
$$ \text{Maximize } D(\text{Data Utilization}), \quad \text{subject to } S \geq S_{min} $$
Where $S_{min}$ is a minimum acceptable security threshold. This view posits that:

  • Secure personal data processing is a prerequisite for unlocking its economic value in civilian UAV services.
  • Industrial data security fosters trust and enables data sharing, a key multiplier for the low-altitude economy.
  • Cross-border data security frameworks (e.g., for exported civilian UAV products) facilitate global digital trade.

Conversely, the demands of the digital economy spur theoretical and technological innovation in data security (e.g., using blockchain for civilian UAV data logs), evolving $S$ itself to be more dynamic and intelligent.

B. Agile Governance Theory: The Catalyst for Responsive Regulation

Agile governance theory provides the necessary operational methodology to implement the balanced goals of data security theory in a fast-moving sector like civilian UAVs.

1. Dynamic Coupling of Regulation and Innovation: Unlike traditional top-down regulation, agile governance prioritizes public welfare by using “smart” regulation to guide innovation. Its key features relevant to civilian UAV data governance are:

  • Participatory and Expert-Driven: It involves continuous dialogue between regulators and a wide range of innovators (manufacturers, software developers, service operators).
  • Iterative and Fast: It employs rapid prototyping of policies, quick feedback loops, and adaptive rule-making to avoid “regulatory decay.”
  • Trust-Based: It fosters mutual dependence and trust between regulator and regulated, moving beyond pure enforcement to co-created solutions.

2. Equilibrium in Multi-Stakeholder Bargaining: The civilian UAV ecosystem involves diverse actors with competing interests. Agile governance introduces multi-stakeholder decision-making, leveraging industry expertise to inform scientifically sound policies while ensuring public oversight. For an emerging industry, it favors “guide first, punish second” tools like regulatory sandboxes, pilot programs, and compliance incentives, creating a controlled space for experimentation and learning.

The synthesis of these theories yields a core governance objective: to resolve the tension between security ($S$) and development ($D$). We can conceptualize the optimal governance pathway as seeking a point on a Pareto frontier, where one objective cannot be improved without harming the other. Effective governance shifts this frontier outward, allowing for higher simultaneous achievement of both goals for the civilian UAV sector.

III. Constructing a Governance Pathway: Integrating Safety and Development

Building on this theoretical synthesis, the proposed governance pathway for civilian UAV data applications must operate on three interconnected fronts: Philosophy, Basis, and Architecture.

A. Governance Philosophy: From Imported Concept to Localized Praxis

Agility must be indigenized to fit the Chinese governance context and the specific contours of the civilian UAV industry.

1. Localized Adaptation:

  • Demand-Responsive Logic: The starting point must be a comprehensive understanding of the needs of all stakeholders—not just industry players but also the public, local governments, and security agencies affected by civilian UAV operations. This requires continuous environmental scanning and impact assessment.
  • Rapid Response as Principle: Speed must be tempered with foresight. Leveraging big data and AI for predictive analytics of civilian UAV data risks can transition governance from “passive and reactive” to “active, anticipatory, and dynamic.”

2. From Embedding to Coupling: The philosophy must be deeply woven into the fabric of civilian UAV governance.

  • Structural Optimization: Reforming governance structures to dissolve tensions between traditional hierarchies and agile, networked thinking, promoting a responsible and adaptable structure.
  • Process Integration: Infusing agile principles into every stage—from the industry chain (R&D, flight, service, disposal) to the data lifecycle (collect, process, analyze, transfer, delete).
  • Functional Enhancement: Building a learning governance system that continuously adapts its functionality, providing measured tolerance for trial and error within the civilian UAV data ecosystem.

B. Governance Basis: A “Hard Law + Soft Law” Hybrid System

A robust and flexible legal-institutional framework is essential. This involves learning from international models and strengthening domestic system construction.

1. Drawing on International Experience: A comparative analysis reveals valuable strategies, summarized below:

| Country/Region | Legislative Approach | Key Legislation | Governance Strategy | Salient Features for Data Governance |
|---|---|---|---|---|
| United States | Risk-based, Layered (FAA + State) | FAA Modernization Act (Part 107) | Co-regulation, Industry Standards, Sandboxes | Emphasis on operational data privacy; Strong role for industry self-regulation. |
| European Union | Principles-based, Unified Framework | UAS Implementing Regulation, GDPR, AI Act | High-level harmonization, Conformity assessment, Sandboxes | Strong privacy (GDPR) by design; Integrated drone & AI governance; Clear data security obligations. |
| Japan | Safety-focused, Revised Statutes | Civil Aeronautics Act, Drone Safety Rules | Centralized oversight with local cooperation | Integration of personal information protection rules into flight regulations. |

Key takeaways include the importance of protecting bystander privacy via high-level law, risk-centered classification, and the use of “soft law” instruments (standards, sandboxes) for regulatory agility.

2. Strengthening the Hybrid System:

  • Hard Law Pillars: The “Interim Regulations” provide a crucial foundation. Future revisions and supporting implementation rules must incorporate detailed provisions on data security management measures, data application scopes, cross-border data flows for civilian UAVs, administrative supervision, and citizen redress mechanisms.
  • Soft Law Ecosystem: A parallel system of technical standards, industry best practices, and ethical guidelines must be developed with multi-stakeholder input. These should address civilian UAV-specific data classification, security testing protocols, and algorithmic accountability, creating a flexible layer that can adapt quickly to technological change.

The target is a coherent “National Law – Industry Standards – Governance Consensus” hybrid system.

C. Governance Architecture: Fostering an Inclusive and Prudential Institutional Environment

1. Optimized Institutional Configuration:

  • Clarifying Authority: The CAAC, as the primary regulator, should establish a dedicated data management department within its air traffic management system to own data security and utilization strategy for civilian UAVs. The National Data Administration and its local counterparts should provide cross-sectoral coordination, technical standard setting, and incentive design. Public security and state security organs must enhance their technical enforcement capabilities against illegal data activities.
  • Building Multi-Stakeholder Co-governance: Industry associations must be empowered to develop and enforce self-regulatory codes of conduct. This leverages industry expertise for “bottom-up” governance that is more responsive to new risks, complementing “top-down” state regulation with a layer of prudential, flexible oversight.

2. Innovative Governance Tools:

  • Collaborative Digital Platforms: Enhance platforms like the Unmanned Aircraft System Management Platform (UOM) with modules for data compliance, real-time risk monitoring dashboards for regulators, and clear privacy notices for users. Invest in the underlying data infrastructure (computing power, secure cloud) to support advanced civilian UAV data services and trusted data exchange.
  • Adopting Regulatory Sandboxes: Implement a structured sandbox process for innovative civilian UAV data applications:
    1. Rule Design: CAAC and National Data Administration jointly set test parameters and oversight rules.
    2. Application: Firms apply, with access criteria favoring SMEs to foster innovation.
    3. Testing: In a controlled environment, evaluate data use efficiency and novel security risks.
    4. Exit/Scale: Successful tests lead to simplified compliance pathways; tests are halted if unmanageable risks emerge, with mechanisms for re-application.

In conclusion, as the low-altitude economy expands, the governance of civilian UAV data will increasingly determine the sector’s sustainable and secure growth. By systematically integrating the ontological and efficacy dimensions of data security with the adaptive, participatory mechanisms of agile governance, China can construct a forward-looking pathway. This pathway, realized through a localized philosophy, a hybrid legal system, and an inclusive institutional architecture, aims not merely to manage risks but to proactively enable the safe release of data value. In doing so, it can secure the healthy development of its low-altitude economy while contributing a viable “Chinese experience” to the global discourse on governing emerging technologies.
