The Telecommunications Regulatory Authority (TRA) has made available a new Internet of Things (IoT) regulatory framework for the UAE. The IoT Regulatory Policy and the IoT Regulatory Procedures (Policy & Procedures) set out a mandatory process for all IoT Service Providers to register with the TRA.
The Policy & Procedures define IoT Service Providers as "any Person that provides an IoT Service to users (including individuals, businesses and the government), that will comprise the provision of IoT-related service/solutions". This covers systems integrators, telecom equipment manufacturers and machine-to-machine connectivity providers - regardless of their location. If IoT Services provided by IoT Service Providers are available to customers in the UAE, such IoT Service Providers are covered by the Policy & Procedures and so must be registered with the TRA. The Policy & Procedures define an IoT Service as "a set of functions and facilities offered to a user by an IoT Service Provider". This includes any technology that enables straightforward provisioning, management, and automation of connected devices within the IoT universe. Though, registration is not applicable for those providing "IoT-specific Connectivity", such as telecommunications providers.
This new framework includes additional compliance requirements for IoT Services, with a particular emphasis on data protection. This is interesting because it may serve as an indication that the UAE is preparing to update its data protection legislation; by implementing a federal data protection law and to bring it in line with the EU's General Data Protection Regulation (GDPR). The Policy & Procedures demonstrate how the UAE is taking data protection seriously, and that it recognizes the need to respect and protect personal data. The data protection-related requirements under the Policy & Procedures that have been adopted from the GDPR include:
- Purpose limitation: any data collected through IoT Services must be collected only for specified and legitimate purposes.
- Data minimisation: only the data that is necessary to achieve the purposes of processing can be collected by IoT Service Providers.
- Storage limitation: data cannot be retained once it is no longer necessary for the purpose(s) for which it was processed.
Additionally, the Policy & Procedures outline the requirements for the storage of data collected through IoT Services. These requirements are determined on the "type" of data collected which, in turn, is classified based on the perceived level of damage inflicted should such data be disclosed without consent. The categories are:
- "sensitive"; and
The most flexible rules in relation to data storage apply to "open" data (stored either in the UAE or abroad), and the strictest applying to "secret" data (stored only ever in the UAE).
A violation of the Policy & Procedures may result in the temporary or permanent suspension of the offending services, and any such breach would contravene the Telecommunications Law (Federal Law by Decree No 3 of 2003), which imposes fines and/or imprisonment.
The Policy & Procedures are "living and breathing" pieces of regulation, as it is acknowledged that UAE may develop "further" regulations concerning data management and protection which would apply to IoT - for example, in relation to roaming of IoT devices. The dynamism of legislation, particularly concerning technology is a positive step to achieving the TRA's goal in making UAE a leading country in the development of IoT Services.