UAE’s new laws and regulation of the Internet of Things (IoT)

This article discusses the UAE’s recently published new IoT regulatory policy. The new policy aims to develop the IoT “in a coordinated, coherent, safe and secure manner” and comes following a significant increase of investment in IoT within the United Arab Emirates.

Introduction

The Internet of Things (IoT), as defined in the IoT Policy (itself defined below), means a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies. With investment in IoT within the United Arab Emirates (UAE) predicted to increase from $574.89m to $672.75m (a 17% increase) over the next year (techradar.com), the UAE’s Telecommunications Regulatory Authority (TRA) has recently published a new IoT regulatory policy (the IoT Policy) and procedures with the aim of successfully regulating IoT so that it can “develop in a coordinated, coherent, safe and secure manner” and securing the UAE’s position as a global leader in the IoT space.

More specifically, the stated objectives are as follows:

  • providing secure IoT Service
  • meeting all reasonable demands for IoT Service
  • supporting ongoing innovation
  • managing scarce resources efficiently
  • protecting the rights and interests of users of IoT, and
  • providing clarity for IoT market development.

In recognition of the ever-evolving nature of the IoT space, the IoT Policy expressly provides for the TRA to further iterate on, and/or replace, present regulations, directives and/or guidelines as and when it wishes to do so, notably with regard to roaming IoT devices. Besides the TRA, ministries and regulators for specific industries may also develop their own additional IoT-specific guidelines through co-ordination and consultation with the IoT Advisory Committee (which was established for IoT-related matters within the UAE, has representatives from various identified ministries, regulators, public sector entities and experts, and is chaired by the TRA) and/or the TRA.

Who does it apply to?

The IoT Policy is applicable to all persons concerned with IoT within the UAE, including but not limited to telecommunications providers, IoT Service Providers and IoT Service (both as defined below) users (individuals, businesses and government). Any person providing functions or facilities consisting of IoT-related services/solutions (excluding connectivity) (IoT Service) to users located in the UAE is defined as an IoT Service Provider (IoT Service Provider). IoT Service Providers would include (but are not limited to) the likes of systems integrators, telecom equipment manufacturers and machine-to-machine connectivity providers. Where an IoT Service Provider does not presently have a presence in the UAE (either onshore or in one of the free zones), under the IoT Policy it must either establish one or rely on an official representative who is locally present and who will be responsible for all communications with the TRA and UAE law enforcement agencies.

What does it say?

  • Registration: The IoT Policy sets out the mandatory process by which all IoT Service Providers must register with the TRA prior to providing any IoT Services. For IoT Service Providers providing Mission Critical IoT Services, there are additional registration requirements that must be complied with; for example, the IoT Service Provider must maintain subscriber information (the subscriber’s name, address and ID, the device’s model and registration number, and any other information that the TRA may stipulate from time to time), as well as adhering to heightened safety and security requirements. Mission Critical IoT Services are defined under the IoT Policy as an IoT Service which, if it were to fail, “may result in an adverse impact on the health of individual(s), public convenience/safety and/or national security”.

  • Data Protection: Aside from introducing the new registration requirements described above, the IoT Policy also introduces new compliance requirements that predominantly focus on data protection. The relevant provisions contain terms which are inspired by concepts found in the General Data Protection Regulation (GDPR), including:
    • Purpose limitation: any data collected through IoT Services must be collected only for specified and legitimate purposes.
    • Data minimisation: only the data that is necessary to achieve the purposes of processing can be collected by IoT Service Providers.
    • Storage limitation: data cannot be retained once it is no longer necessary for the purpose(s) for which it was processed.
    • Storage requirements: determined by the type of data collected, which, in turn, is classified based on the perceived level of damage inflicted should such data be disclosed without consent. The categories are (1) Open; (2) Confidential; (3) Sensitive; and (4) Secret.

      The most noteworthy of these provisions is that which relates to data localisation (storage requirements), a trend that we have seen become more and more widespread across the Middle East in recent times. Whilst “Open” data may be stored either in the UAE or abroad, “Confidential”, “Sensitive” or “Secret” data relating to individuals and businesses must be stored in the UAE (unless certain adequacy requirements are satisfied), and “Secret” data relating to the government must remain in the UAE (without exception). It should be noted that where a person stores Personal Data, the TRA considers this “Secret” data and it must therefore be stored as such.
  • Encryption standards: IoT Service Providers must use an encryption standard that fulfils the requirements of the competent UAE authorities. Where a higher encryption standard is required by the IoT Service Provider, TRA approval must be sought, and the request will be reviewed on a case-by-case basis.

  • SIMs: The use of both physical SIMs and Embedded/eSIMs is permitted in the context of IoT Services. However, the use of "Soft SIMs" (defined in the IoT Policy as "a collection of software applications and data that performs all of the functionality of a SIM card but does not reside in any kind of secure storage [but…] in the memory and processor of the communications device") requires prior approval from the TRA.

  • Type Approval: All Radio and Telecommunications Terminal Equipment (RTTE) capable of collecting data and/or capable of providing IoT Services must comply not only with the existing Type Approval Regulations, but shall also be subject to the following additional requirements under the IoT Policy:
    • indicate the features and functions of the device that collects data, sensory inputs such as cameras, location identifiers, and microphones
    • indicate the impact on the device’s features or use in case of unavailability of connection
    • the device shall be capable of being reset to its original settings, and
    • that ‘Security by Design’ be an incorporated feature to combat unauthorised usage.
  • M2M (machine-to-machine technology): The TRA has implemented a numbering plan for M2M services. For Mission Critical IoT Services, the Licensees should be able to differentiate between assigned numbers. Where a clear distinction between numbers cannot be made, Licensees may be supported by the TRA with the assignment of numbering block(s) within the M2M numbering range.

Sanctions

A breach of the IoT Policy may result in the TRA temporarily or permanently suspending a business’s right to provide IoT Services. Furthermore, a breach of the IoT Policy will constitute a breach of the Telecommunications Law (Federal Law by Decree No 3 of 2003), which imposes fines and/or imprisonment. Examples of possible breaches include (but are not limited to): providing services without a licence; not having up-to-date information on subscribers in regard to Mission Critical IoT Services; non-adherence to defined consent requirements for Data Processing; non-adherence to data storage requirements; provision or activation of Soft SIMs without TRA approval; and non-provision of OTA/remote provisioning services where mandatory.

Actions

IoT Service Providers should assess their current operations and ensure that they are in compliance with the current IoT Policy. In particular, IoT Service Providers should consider the categories of data that they hold through the lens of the IoT Policy (Open, Confidential, Sensitive and Secret) and ensure that each category of data is held in accordance with the parameters stated in the IoT Policy (i.e. within or outside of the UAE).

All actors in the IoT space should take note that similar policies are likely to evolve across other Middle East jurisdictions, and that the level of regulation in the run-up to a smarter, more connected region is set to increase.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.