IOT NEWSLETTER- MAY 2019
In March, 2018 the Telecommunications Regulatory Authority of UAE issued a Regulatory Policy on the Internet of Things (“IoT”) (collectively, “Policy”). The Policy was made public only last month and the implementation timelines for the same are yet to be ascertained.
- The Policy has been issued by the Telecommunications Regulatory Authority (“TRA”) pursuant to the powers granted to the TRA under the UAE Federal Law by Decree 3/2003 on Telecommunications Law (“Telecom Law”). Accordingly, some of the terms used in the Policy are a culmination of the terms used and defined in the (a) Telecom Law; (b) Dubai Data Manual (version 2), Smart Dubai and; (c) EU General Data Protection Regulation 2016/579 (“GDPR”).
- Most notably the Policy derives the terms Consent, Data Controller, Data Processing, Data Processor, Data Subject and Personal Data from GDPR. The Policy however goes on to clarify that the inclusion of these definitions from the GDPR in the Policy are merely for reference purposes and therefore, cannot be construed as the incorporation of GDPR or any associated decisions within the policy framework.
- As per Clause 3.2 the aim of the policy is to specify TRA’s stance on the regulatory aspects that underlie the IoT Service (as defined in the Policy) across industries, however, the regulators for the specific industries are at the liberty to issue additional guidelines in consultation with the IoT advisory committee (framed in accordance with the Policy)
- The Policy also makes stricter regime for the Mission Critical IoT Services ie. The services requiring higher level of safety and security as they are likely to have significant adverse impact on the users or the nation. As such the TRA shall provide more exhaustive requirements for such services.
Internet of Things
The Policy defines IoT as a “Global infrastructure or the information society, enabling advanced services by interconnecting (physical or virtual) things based on the existing and evolving interoperable information and communication technology.” The scope of the definition is restricted to regulating IoT in UAE. The Policy further defines, IoT Services to mean a set of functions and facilities offered to a user by an IoT Service Provider and does not encompass IoT Specific-Connectivity.
As such as per Clause 3.3 the Policy is applicable to the (i) entities which have been issued a ‘telecom license’ under the Telecom Law, (ii) IoT Service Providers which by definition in the Policy means the legal persons providing the IoT Services; and (c) IoT Service Users include the individuals, businesses and governments.
The Policy broadly provides the requirements for the following:
(A) Sale or offer for sale of any Radio and Telecommunications Terminal Equipment (RTTE) and connection of such RTTE with any telecom apparatus.
(B) Offer of IoT Services by IoT Service Providers.
(C) Offer of IoT Services by the existing telecom license holders under the Telcom Law.
Any applicant proposing to sell an RTTE or connect the same with an existing telecom apparatus shall be required to obtain a prior approval from TRA. Additionally, if the RTTE collects the data/ information and/or is capable of providing the IoT Service, the RTTE shall also be required to mention details of the devices collecting data and/or sensory inputs and the impact thereto shall be indicated on device and packaging. Such a device is also required to have the capability for users to reset it to factory settings. Further, security by design is required to be incorporated in the device for protection against unauthorized usage.
For the RTTE, the TRA is also entitled to maintain frequency spectrum authorization (Class Authorization) on short range devices. Further, the holder of such Class Authorization is not directly entitled to conduct any of the other regulated activities under the Telecom Law and for provision of the IoT Services, the applicants shall apply for an appropriate IoT Service Registration Certificate.
IoT Service Providers
IoT Service Providers are required to obtain the IoT Service Providers Registration Certificate under the Policy framework for provision of IoT Services and cannot undertake any other regulated activities under the Telecom Law.
In case of Mission Critical IoT Services the Policy provides for additional requirements like that of maintenance of subscriber information and adherence to sector specific policies of the UAE regulators.
The highlight of sections of the Policy on IoT Service Providers are the specific principles on Data Storage. The IoT Service providers are required to maintain 3 (three) important principles of data storage, ie. Purpose Limitation, Data Minimization, and Storage Limitation. In a very welcome move, the Policy also provides for various parameters for storage of data.
The ‘Secret’, ‘Sensitive’ and ‘Confidential’ data (including personal data) for individuals and businesses, must be primarily stored in UAE, however, such data may also be stored outside of UAE, as long as such other jurisdiction has same or better data protection regime. Further the ‘Secret’, ‘Sensitive’ and ‘Confidential’ data for the government is mandatorily required to be stored in UAE. Lastly, any ‘Open Data’ for individuals, businesses and government can be stored within or outside of UAE.
Any Licensees ie. The license holders under the Telecom Law are also required to follow the procedures under the Policy. The Licensees who have already obtained the spectrum and frequency authorization can provide the IoT Service under the said spectrum and frequency. Additionally, the Licensees are required to maintain robust mechanism for differentiating the spectrums and numbering for machine to machine services.
A violation of the Policy may result in the temporary or permanent suspension of the offending services, and any such breach would contravene the Telecom Law which imposes fines and/or imprisonment.
The Policy introduced by the TRA is one of the more progressive and robust policies of its genre globally. Specifically, with respect to the Data Storage and the licensing, the Policy provides for a level playing field for the new entrants.
Authored by Akshata Namjoshi (Senior Associate).