New UAE regulatory policy for the Internet of Things

Along with the prediction that the continued growth of the Internet of Things (IoT) will transform our everyday lives and how we do business, we can also anticipate that the increased number of connected devices will bring about additional challenges, including greater security and privacy-related risks. In light of these challenges, the UAE Telecommunications Regulatory Authority (the TRA) has recently laid the groundwork for regulating IoT by introducing a regulatory policy (the IoT Policy) and a set of regulatory procedures (IoT Procedures) that give the TRA control and oversight over IoT services in the UAE while also setting forth some data protection-related principles. It is important that those that provide IoT services to the UAE market understand their obligations under the TRA’s IoT Policy going forward.


What is IoT?


When we speak of IoT, we generally refer to the network of everyday physical objects or devices connected to the Internet, which are able to communicate with other devices and collect and exchange data through software, embedded electronics, sensors and other forms of hardware. These devices can be consumer-based, such as wearables, cars, speakers, and smart home devices and appliances, as well as industry-based objects, such as intelligent medical devices, security systems, and machinery and robots used in factories.


In the IoT Policy, IoT is broadly defined as “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) Things based on existing and evolving interoperable information and communication technologies”.


Who is Subject to the IoT Policy?


The IoT Policy is applicable to all individuals, companies, public authorities, and other legal entities concerned with IoT within the UAE. This includes IoT Service Providers that are located in the UAE as well as foreign-based IoT Service Providers providing services remotely to the UAE market.


The TRA defines an IoT Service Provider as any individual, company or public authority that “provides an IoT Service to users (including individuals, businesses and the government) that will comprise the provision of IoT-related service/solutions”. In addition, an IoT Service is considered to be any “set of functions and facilities offered to a user by an IoT Service Provider”, other than IoT-specific Connectivity (which is generally the type of activity that is provided by a network service provider). The TRA’s wide-reaching definition of IoT Service Provider and IoT Service would likely capture traditional IT providers offering IoT related services or solutions to businesses located in the UAE as well as foreign companies bringing IoT related products to the market, such as cars and smart home devices and appliances.


Requirements under the IoT Policy


The following are some of the principal requirements under the IoT Policy:


Registration and Local Presence. All IoT Service Providers must register with the TRA and obtain a registration certificate. To obtain a registration certificate, the IoT Service Provider is required to have a local presence or an appointed representative physically present in the UAE to be responsible for communicating with the TRA and law enforcement agencies. It also must have registered its IoT Service with the TRA pursuant to the IoT Procedures.


Mission Critical IoT Service. If an IoT Service is characterised as Mission Critical (i.e., any service that if it fails, may result in an adverse impact on the health of individuals, public convenience or safety or national security), then the IoT Service Provider is required to meet additional requirements stipulated by the TRA, including maintenance of subscriber information.


Soft SIMS. The TRA requires prior approval for the use of Soft SIMs. A Soft SIM refers to a collection of software applications and data that perform all of the functionality of a SIM card, but does not reside in any kind of secure storage. Rather, the Soft SIM is stored in the memory and processor of the communication device.


Type Approval. Any Radio and Telecommunications Terminal Equipment (RTTE) as defined in the TRA’s type approval policy that is to be sold, offered for sale or connected to any Telecommunication Apparatus within the UAE, requires a type approval from the TRA. In addition, if the RTTE collects any data or information or is capable of providing IoT Service, then it must also meet additional requirements set forth in the IoT Policy.


IoT-specific Connectivity. Any person that intends to provide IoT-specific Connectivity must contact the TRA to obtain a license, and the TRA will conduct a case-by-case assessment to consider whether awarding such a license is necessary subject to the Telecommunications Law (Federal Decree Law 3 of 2003) and the licensing regime in place at the time.


Data Protection 


In addressing data protection, the IoT Policy focuses on data storage and the location of stored data. It should be noted that while drafting these provisions on data protection, we can see that the TRA has looked to existing international standards as well as Dubai’s own policies as many of the data protection-related terms and principles contained in the policy have been adopted from the General Data Protection Regulation (EU) 2016/679 (the GDPR) and the Dubai Data Manual published by Smart Dubai in 2016.


Data Storage. IoT Service Providers must adhere to the following principles:


• Purpose Limitation – Data must be collected for specified, explicit and legitimate purposes only and cannot be further processed in a manner that is incompatible with these purposes.


• Data Minimisation – Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.


• Storage Limitation – Data must be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the data is processed.


Data Localisation. Essentially, data must be classified based on the potential impact that will be caused in the event of a confidentiality breach or uncontrolled disclosure, and where data is to be stored depends on its classification. The TRA has set out four categories of classification, Open, Confidential, Sensitive, and Secret. Each of these classifications is defined in the IoT Policy and has been adopted from the Dubai Data Manual.


Data that is considered Secret, Sensitive or Confidential for individuals and businesses must be primarily stored within the UAE. However, this type of data may be stored outside of the UAE provided that the destination country meets or exceeds the UAE’s data security and user protection policies and regulations. Personal Data (as defined in the GDPR) will be classified as Secret Data for individuals. If any data is classified as Secret, Sensitive or Confidential Data for the government, then it must always be stored in the UAE. Finally, data that is classified as Open Data for individuals, businesses or the government may be stored in the UAE or abroad.


Compliance with the IoT Policy


Although the IoT Policy and IoT Procedures have only recently been made available to the public, they have been in effect since 22 March 2018 and 6 March 2019, respectively. In addition, the one-year transition period set out in the IoT Policy has elapsed. Therefore, unless an additional grace period is given, IoT Service Providers must immediately begin compliance with this new regulatory framework. Otherwise, noncompliance may result in the temporary or permanent suspension of services and may be considered as a breach of the Telecommunications Law, which could result in the imposition of fines and/or imprisonment.


Further Thoughts


The practical implications of the IoT Policy and IoT Procedures that are immediately obvious are the requirements that relate to data protection noted above. While the UAE (outside of the DIFC and ADGM) has not yet adopted a data protection law, the IoT Policy and Procedures have the effect of adopting certain key elements of a modern data protection regime and making them applicable to IoT Service Providers. This could be construed to apply to anyone who collects data remotely, if a liberal view is taken, as it could be difficult to draw a line between devices that collect and transmit data which do qualify as IoT devices, versus that which still collect and transmit data (like a mobile phone) which do not qualify as IoT devices. It may be that all such devices effectively are treated as IoT devices, and the result will be that different data protection regimes apply in the UAE depending on whether the data was transmitted by a device as opposed to collected directly or with pen and paper. We anticipate that this inequality of treatment under the law will be a transient phase as the UAE moves uniformly towards a consistent data protection regime, but businesses and advisors will need to be aware of this dichotomy in the meantime. It is easy to speculate that there may also be TRA approval required for importation of IoT devices too, to enable them to maintain a record or registry of IoT devices operating in the UAE.


We will provide further updates as this important area of regulation evolves.■

Health data confidentiality on a rise in the UAE!

Recent events, including the investigations into Facebook’s handling of its users’ personal data, have highlighted the realization that personal data is, in today’s world, one of the most valuable resources for any business and that businesses not only collect and store their customers’ personal data but also use and even sell it for profit.


While there is no single federal data protection law in the UAE, and UAE law does not recognise concepts such as data controllers and data processors, over the years, there have been number of sectoral laws that deal with data protection. These include Federal Law 5 of 2012 on Combating Cyber Crimes, Federal Law 3 of 2003 Regarding the Organisation of Telecommunications Sector, and the UAE Central Bank’s Regulatory Framework for Stored Values and Electronic Payment Systems. There are also data protection laws in some of the UAE’s free zones, such as the Dubai International Financial Centre, the Abu Dhabi Global Market and Dubai Healthcare City. Dubai has a few of its own laws that deal with data protection in certain contexts, e.g., Dubai Law 28 of 2015 Concerning Dubai Statistics Centre and Dubai Law 26 of 2015 on the Regulation of Data Dissemination and Exchange in the Emirate of Dubai.


A new sectoral data protection law, Federal Law 2 of 2019 Concerning the Use of the Information and Communication Technology in the Areas of Health (the New Law), has been published and is set to come into force in May 2019. The New Law is aimed at regulating the collection, processing and transfer of electronic health data that originates in the UAE and will apply to all “information and communication technology methods and uses” in the healthcare sector in the UAE, whether onshore or in any of the free zones (including the Dubai Healthcare City).


The New Law will apply to all businesses that handle health data and information such as healthcare facilities and providers, pharmacies, medical insurance providers and intermediaries, service providers assisting with medical claims management, as well as technology service providers servicing the healthcare industry. Essentially, all businesses that process data relating to patient names, consultation, diagnosis and treatment, alpha-numerical patient identifiers, common procedural technology codes, medical scan images and laboratory results will have to comply with the New Law.


In view of the consistently fast paced development of healthcare related technology, the scope of application of the New Law could be much wider than was probably contemplated at the time of drafting it. A lot of the devices that we use in our day-to-day lives such as mobile phones and digital wrist watches have features that provide healthcare support. All businesses that manufacture such devices or develop applications that operate on these devices to provide healthcare support are likely collecting, processing and (in some cases) transferring data relating to fitness and lifestyles in the UAE, and as such, will likely fall under the scope of the New Law’s application.


The New Law requires businesses that use information and communication technology for processing health data to ensure its confidentiality, accuracy and validity, as well as its availability when required.


Some of the key features of the New Law are:


– a general prohibition on transfer of health data outside the UAE, subject to an authorisation by the relevant health authority;

– establishment and management of a central system by the UAE Ministry of Health and Prevention to store, exchange and collect healthcare data and information in compliance with the parameters set by the New Law; and

– a data retention period of not less than 25 years.


The parameters for storing health data and information inside the UAE will be defined by a resolution issued by the UAE Minister of Health and Prevention.


Non-compliance with the New Law may attract fines of up to AED 1 million. Other disciplinary sanctions include notices and warnings, and also the suspension or cancellation of an entity’s license.


Although a welcome step towards protection of healthcare data, the New Law is not the first law that regulates healthcare data in the UAE. UAE Federal Law 7 of 1975 concerning the Practice of Human Medicine Profession and the Ministry of Health Code of Conduct 1988 concerning the collection of health data impose obligations of confidentiality on healthcare practitioners. Those previous healthcare laws remain in effect, although the New Law repeals inconsistent provisions of prior law.


The timeframe to ensure compliance with the New Law as well as the scope of its application will be known once the underlying implementing regulations are issued. All concerned parties should closely monitor legislative developments in this regard and obtain legal advice to prepare for compliance with the New Law. ■