UAE regulates IoT
The Telecommunications Regulatory Authority has published a new policy regulating services and devices associated with the Internet of Things.
The UAE Telecommunications Regulatory Authority (TRA) has published a new policy regulating services and devices associated with the Internet of Things (IoT Policy). The IoT Policy’s introduction reflects a growing regional trend to regulate specific market sectors and technologies in response to their increasing prevalence and the perceived risks they present.
Internet of Things (IoT) refers to the network of inanimate objects connected to the Internet, including devices as diverse as home electrical appliances, thermostats, gas meters and vending machines. Also referred to as “machine-to-machine” or “M2M”, IoT technology promises transformative economic benefits in two distinct ways – as an industry vertical which uses the technology to amass data for superior analytics; and as a horizontal industry enabler which can be adopted across industries to allow for the smarter use of infrastructure, improved efficiency and growth of new business segments.
The TRA has only recently published the IoT Policy on their website, although it is dated March 22, 2018. Accordingly, the one-year grace period provided to IoT service providers has already expired and compliance with the requirements of the IoT Policy is now mandatory. Some of the key requirements are as follows:
- Registration: All IoT service providers are required to obtain an IoT Service Registration Certificate from the TRA, in addition to the existing type approval for their devices. This also applies to offshore service providers offering IoT services to UAE-based customers.
- Onshore representation: IoT service providers must have a local presence in the UAE or an official representative in the UAE who can liaise with the TRA on their behalf.
- Data protection: The IoT Policy requires compliance with data protection concepts adopted from the European data protection regime, namely: data minimisation obligations; limitations on the purpose for which data can be used; and a ‘security by design’ approach to device development to safeguard IoT networks from remote hacking.
- Data localisation: Certain data of government entities are required to be kept within the geographic boundaries of the UAE (e.g. “Secret, Sensitive and Confidential” data). Other categories of data may be transferred overseas provided certain minimum criteria are satisfied.
- IoT device features: All IoT devices must have certain technical features, such as an in-built capability for users to restore the device to factory settings and a facility which enables inspection by the UAE authorities of the data transmitted.
- IoT connectivity: IoT service providers who provide “connectivity” for IoT ecosystems over a “wide area” using the Public Switched Telecommunications Network (PSTN) are obliged to notify the TRA of those activities in advance so that the TRA can take a view on whether or not those activities should be regulated under the IoT Policy. This could in theory capture providers of applications designed to interact with and manage the data collected from IoT enabled devices.
What’s next?
Although the IoT Policy has only been made publicly available recently, compliance is now required. Failure to comply may result in penalties being levied by the TRA under the UAE Telecoms Law. Technology vendors operating in the UAE should assess their activities and take steps where necessary to meet the compliance requirements as set out by the IoT Policy.
Commentary by:
Kellie Blyth, Head of IT & Communications, UAE Baker McKenzie Habib Al Mulla