This issue is filled with great insights and expert commentary on areas that are relevant to the legal landscape and highlight how the business community is embracing technology, media and telecommunications. There are various topics covered, from new ways of working and digital transformation in the finance sector to data protection regulatory updates and guidance. We also have a series of articles that focus on e-commerce across a number of jurisdictions.
You will also find insights from our lawyers around real estate analytics, tech trends, and data centres.
We hope this edition of Law Update provides some useful food for thought – enjoy the read!Take a read of the edition
As Professor Klaus Schwab (Founder and Executive Chairman of the World Economic Forum) said we are at the beginning of The Fourth Industrial Revolution, a revolution which is fundamentally changing the way we live, work and relate to one another. This revolution, through a fusion of technologies (including Artificial Intelligence, Blockchain, and Internet of Things (‘IoT’)), is blurring the lines between physical, digital and biological spheres. While it may seem disruptive in nature, it brings with it new unforeseen challenges. Globally, various authorities are grappling with these issues and this has resulted in a spurt of policy and guidance documents, notably in the realm of cyber security, data protection, cloud computing regulatory framework and IoT.
Simply put, IoT is a system of physical things embedded with sensors, software, electronics and connectivity that creates a network in which physical objects can exchange data internally or with other connected machines. Thus, any physical object can be transformed into an IoT device if it can be connected to the internet and controlled accordingly. In the UAE, the IoT market is (on a conservative basis) expected to double over the next five years.
To regulate and foster this growth, the UAE government issued its IoT Policy on 22 March 2018 (‘IoT Policy’). However, the Telecom Regulatory Authority (‘TRA’) is yet to issue the regulations/procedures necessary to operationalise the implementation of the IoT Policy.
The IoT Policy aims to regulate IoT within the UAE and has been issued by the TRA with the intention of making the UAE a leading country in developing IoT services.
TRA developed the IoT Policy based on certain specific considerations which include:
The TRA may also issue further regulations, directives, and/or guidelines to provide incentives and support in developing the IoT environment in the UAE. If it is required, ministries and regulators for particular industries may develop their own additional IoT-specific guidelines through coordination and consultation with the IoT Advisory Committee (which was established for IoT related matters within the UAE and has representatives from various identified ministries, regulators, public sector entities and experts and is chaired by the TRA).
As with most technology related matters, there is a bit of jargon. To understand the IoT Policy, you need to understand the key definitions:
IoT is defined as “global infrastructure for information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies”;
IoT Service is defined as “set of functions and facilities offered to a user by IoT Service Provider and it does not encompass IoT specific connectivity”; (like connected home appliances, connected cars, Bluetooth enabled pagers in restaurants, driverless vehicles);
IoT Service Provider means “any person that provides an IoT Service to users including individuals, businesses, and the government that will comprise the provision of IoT related service/solutions”. (like car manufacturers, telecom service providers);
IoT-specific Connectivity means “connectivity that is transmitting, broadcasting, switching or receiving IoT related data by means of a Telecommunications Network covering a wide area”;
Mission Critical IoT Service means “an IoT Service which upon failure may result in adverse effects on the health of individual(s), public convenience or safety, and/ or national security.” (like driverless cars, drones, medical devices).
The IoT Policy is applicable to all those concerned with IoT within the UAE including but not limited to licensees (like Etisalat and Du), IoT Service Providers and IoT Service users (i.e. individuals, businesses, and the government).
There are data localisation requirements which state that Secret, Sensitive and Confidential data for individuals and businesses are to be stored primarily in the UAE. However, such data may be stored outside of the UAE if the destination country has data security and user protection polices which are at least of the same level as those followed in the UAE. Further, Secret, Sensitive and Confidential data of the government must remain in the UAE under all circumstances. Open data for data for individuals, businesses and the government may be stored within the UAE and/or outside the UAE. With regards to the IoT Policy, the TRA deems Personal Data (which refers to information relating to identifiable Natural Person as defined under GDPR) to be Secret data for individuals. (This may be problematic in practice as not all personal data such as your name, email address needs to be a ‘secret’ in every circumstance).
As mentioned above, TRA has to issue the IoT Regulatory Procedures which will contain detailed procedures on the following:
As per the IoT Policy penalties (penal and fiscal) of non-compliance with the IoT Policy and/or the UAE’s Telecommunications regulations are defined within the UAE Telecommunications Law, which may include temporary or permanent service suspension. Some examples of breaches include: providing services without a licence; not having up-to date information of subscribers in regard to Mission Critical IoT Services; non-adherence to defined consent requirements for Data Processing; non-adherence to data storage requirements; provision or activation of Soft SIMS without TRA approval; and non-provision of OTA/remote provisioning services where mandatory. The violations/breach of the IoT Policy will be applicable only when once the it is operational.
While it was intended that the IoT Policy will be implemented within one year of its issue i.e., by 22 March 2019, there is no further indication from the TRA regarding the issuance of IoT regulations/procedures and actual operationalisation of this policy. It is not clear whether the IoT Policy, once enforced, will provide a transition period for the existing IoT Services to be registered with the TRA.
In light of the present IoT Policy and until such time as it comes into force, it may be prudent for IoT Service Providers to review their current operating procedures and protocols, in order to determine whether they comply with the IoT Policy, for example focusing on identifying the categories of data (open, confidential, sensitive, secret); identifying the specific storage limitations of data; and considering stipulations for the storage of the different categories of data (within and outside of the UAE).
The UAE is not the only GCC country addressing the IoT. KSA’s IoT regulations have been discussed in An Overview of Telecom Licensing in Saudi Arabia published in the March 2019 edition of Law Update and Oman recently conducted a public consultation on IoT and M2M.