This article has been written by V Nivetha, pursuing a Diploma in International Data Protection and Privacy Laws from LawSikho. It has been edited by Zigishu Singh (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).
The UAE’s Telecommunications Regulatory Authority (TRA) has officially released a new Internet of Things (IoT) regulatory policy (the IoT Policy) and procedures, with the goal of regulating IoT so that it can “evolve in a coordinated, coherent, safe, and secure manner” over the next year. The IoT Regulatory Policy and Procedures (Policy & Procedures) establish a mandatory registration process with the TRA for all IoT Service Providers. The IoT Policy defines the Internet of Things as a global information society infrastructure that connects (physical and virtual) things using existing and evolving interoperable information and communication technologies.
The following are the stated aims in further detail:
- Delivering a safe IoT service that meets all reasonable needs, supports continued innovation, efficiently manages finite resources, protects the rights and interests of IoT users, and provides clarity for IoT market development
- The IoT Policy clearly allows the TRA to iterate on and/or replace current regulations, directives, and/or guidelines as and when it sees fit, particularly with relation to roaming IoT devices, in recognition of the ever-evolving nature of the Application world.
- Apart from the TRA, ministries and regulators for specific industries may develop their own additional IoT-specific guidelines in coordination and consultation with the IoT Advisory Committee (which was established for IoT-related matters within the UAE, has representatives from various identified ministries, regulators, public sector entities and experts, and is chaired by the TRA).
Who does it apply to?
The IoT Policy applies to all parties involved in IoT in the UAE, including telecommunications providers, IoT Service Providers, and consumers of IoT Services (individuals, businesses, and government), with the last two terms defined below. An IoT Service Provider is defined as a person who provides functions or facilities to consumers in the UAE that are IoT-related services/solutions (excluding connectivity). Systems integrators, telecom equipment makers, and machine-to-machine connectivity providers are just a few examples of IoT Service Providers. If an IoT Service Provider does not currently have a presence in the UAE (either onshore or in one of the free zones), it must either establish one or rely on an official representative who is locally present and responsible for all communications with the TRA and UAE law enforcement agencies under the IoT Policy.
What does it say?
- Registration: Prior to delivering any IoT Services, all IoT Service Providers must register with the TRA under the IoT Policy. There are additional registration requirements for IoT Service Providers providing Mission Critical IoT Services, such as maintaining subscriber information (subscriber’s name, address, and ID, the device’s model and registration number, and any other information that the TRA may stipulate from time to time), as well as adhering to heightened security measures. The IoT policy defines a critical IoT service as one that, if it fails, “may have a negative impact on the health of individual(s), public convenience/safety, and/or national security.”
- Data protection: In addition to the new registration requirements above, the IoT Policy introduces compliance requirements centred on data protection. The applicable clauses use language derived from the General Data Protection Regulation (GDPR), such as:
  - Purpose limitation: data collected through IoT Services shall only be used for specified and lawful purposes.
  - Data minimisation: IoT Service Providers may only collect the data that is required to meet the processing purposes.
  - Storage limitation: data cannot be kept once it is no longer needed for the purpose(s) for which it was processed.
  - Storage requirements: these depend on the type of data collected, which is classified according to the level of harm that would result if the data were exposed without authorisation. The four classifications are (1) Open; (2) Confidential; (3) Sensitive; and (4) Secret.
The rule relating to data localisation (storage requirements) is the most notable of these provisions; it follows a trend that has been spreading across the Middle East in recent years. While “Open” data may be stored in the UAE or elsewhere, “Confidential,” “Sensitive,” or “Secret” data relating to individuals and businesses (unless certain adequacy requirements are met) and “Secret” data relating to the government (without exception) must be stored in the UAE. It should be noted that the TRA considers personal data to be “Secret” data, and it must be stored as such.
- Encryption standards: IoT service providers should use an encryption standard that complies with the UAE authorities’ criteria. If the IoT service provider requires a higher encryption standard, TRA clearance is necessary and will be considered on a case-by-case basis.
- SIMs: In the context of IoT services, both physical SIMs and embedded/eSIMs are permitted. However, prior approval from TRA is required for the use of “Soft SIMs,” which are defined in the IoT policy as “a collection of software applications and data that performs all of the functionality of a SIM card but does not reside in any kind of secure storage in the memory and processor of the communications device.”
- Type approval: All Radio and Telecommunications Terminal Equipment (RTTE) capable of collecting data and/or providing IoT Services must comply not only with the existing type approval regulations, but also with the following additional IoT Policy requirements:
  - the features and functionalities of the device that collect data and sensory inputs (such as cameras, position identifiers, and microphones) must be described;
  - the effect on the device’s functionality or use in the event of a loss of connection must be stated;
  - the device must be capable of being restored to its previous settings; and
  - ‘Security by Design’ must be an incorporated feature to prevent unauthorised use.
- M2M (machine-to-machine): The TRA has established a numbering scheme for M2M services. Licensees should be able to distinguish between assigned numbers for Mission Critical IoT Services. When a clear distinction between numbers is impossible to make, the TRA may assist Licensees by assigning numbered block(s) within the M2M numbering range.
The TRA may temporarily or permanently suspend a business’s ability to provide IoT Services if it violates the IoT Policy. A violation of the IoT Policy will also be a violation of the Telecommunications Law (Federal Law by Decree No 3 of 2003), which carries fines and/or prison sentences. Examples of possible breaches include providing services without a licence; not having up-to-date subscriber information in relation to Mission Critical IoT Services; non-adherence to defined consent requirements for data processing; non-adherence to data storage requirements; provision or activation of Soft SIMs without TRA approval; and non-provision of OTA/remote provisioning services where mandatory.
IoT service providers should evaluate their existing activities and make sure they are compliant with the current IoT policy. IoT service providers should, in particular, assess the categories of data they retain through the lens of the IoT policy (open, confidential, sensitive, and secret) and verify that each category of data is handled in compliance with the IoT Policy’s requirements (i.e. within or outside of the UAE).
All IoT players should be aware that similar regulations are expected to emerge in other Middle Eastern jurisdictions, and the amount of regulation is set to rise in the run-up to a smarter, more connected region.
Breach of IoT policy
Penalties (penal and fiscal) for non-compliance with the IoT Policy and/or the UAE’s telecommunications regulations are defined in the UAE Telecommunications Law and, according to the IoT Policy, may include temporary or permanent service suspension. Examples of violations include: providing services without a licence; failing to keep up-to-date subscriber information for Mission Critical IoT Services; failing to adhere to defined consent requirements for data processing; failing to adhere to data storage requirements; providing or activating Soft SIMs without TRA approval; and failing to provide OTA/remote provisioning services where required. Violations/breaches of the IoT Policy will only be prosecuted after it is implemented.
While the IoT policy was supposed to be implemented within a year of its release, by March 22, 2019, the TRA has given no further indication about the issuance of IoT regulations/procedures or the actual operationalisation of this policy. It’s unclear whether the IoT policy, once implemented, will allow existing IoT services to register with the TRA during the transition period.
In light of the current IoT Policy, and until it takes effect, it may be prudent for IoT service providers to review their current operating procedures and protocols to see if they comply with the IoT policy, such as focusing on identifying data categories (open, confidential, sensitive, secret), identifying specific data storage limitations, and considering stipulations for the storage of the various categories (within and outside of the UAE).
The UAE isn’t the only GCC country dealing with the Internet of Things. The Kingdom of Saudi Arabia’s IoT legislation was covered in An Overview of Telecom Licensing in Saudi Arabia, published in Law Update in March 2019, while Oman recently had a public consultation on IoT and M2M.