Registration
All IoT Service Providers must register with the TRA to obtain an IoT Service Registration Certificate prior to providing any IoT Services. For IoT Service Providers providing ‘Mission Critical IoT Services’, there are additional registration requirements including:
- maintaining records of subscriber information (e.g. subscriber’s name, address and ID, the device’s model and registration number)
- adhering to policies and/or stipulations from other UAE authorities.
Mission Critical IoT Services are IoT Services that ‘may result in an adverse impact on the health of individual(s), public convenience/safety and/or national security’ if they were to fail.
Data Privacy and Protection
The IoT Framework contains terms and concepts drawn from established and accepted international best data protection practices and principles including from the EU General Data Protection Regulation (GDPR). These include that IoT Service Providers must:
- only collect data for specified and lawful purposes and not use that information for any reason that would be incompatible with those purposes (purpose limitation)
- only collect as much data from users as is actually needed in order to achieve the above purposes and no more (data minimisation)
- retain this data only for so long as it is actually needed in order to achieve the above purposes and no longer unless the law requires otherwise (storage limitation)
- use data encryption standards that fulfil the requirements of the competent UAE authorities
- when developing software and hardware, ensure that ‘attempts to make systems free of vulnerabilities and robust to attacks to the best possible extent through continuous testing, authentication safeguards and adherence to best practices’ are made (privacy by design)
- classify data collected on the basis of the anticipated harm that could result should such information be disclosed without consent (data classification)
- based on how the data is classified, comply with the data localisation requirements prescribed for each category of data.
The categories of data are:
- Open data – data freely provided by individuals, businesses or government that can be freely, or subject to only minimum limitations, shared with third parties
- Confidential data – data that if disclosed without restriction may cause limited harm to the individual, business or government
- Sensitive data – data that if disclosed without restriction may cause significant harm to the individual, business or government
- Secret data – data that if disclosed without restriction may cause significant damage to the supreme interests of the UAE and very high damage to the individual, business or government.
On the basis of the above, the data localisation requirements are:
- Open Data – may be stored either in the UAE or abroad
- ‘Confidential’, ‘Sensitive’ or ‘Secret’ – where it relates to individuals and businesses, it shall primarily be stored in the UAE (unless certain adequacy requirements* are satisfied)
- ‘Confidential’, ‘Sensitive’ or ‘Secret’ – where it relates to the UAE government, must be stored in the UAE without exception.
It must be noted that whilst none of the above obligations actually refer to personal data, the TRA considers personal data to be Secret Data, and it should therefore be treated as such.
*Adequacy requirements mean that these categories of data may be stored, for example on a server, outside the UAE where the country in question meets or exceeds the data security and user protection policies/regulations in the UAE.
SIMs
Both physical SIM cards and embedded SIMs (eSIMs) are allowed for IoT Services. Soft SIMs, i.e. any software that performs all the operations of a SIM card but is located in the memory and processor of the communications device (e.g. mobile phone) rather than in any kind of secure physical storage, require prior approval from the TRA.
Type approval
All radio and telecommunication equipment capable of collecting data and/or capable of providing IoT Services must, in addition to complying with the UAE Type Approval Regulations, comply with the following:
- indicate the features and functions of the device that collects data including sensory inputs such as cameras, location identifiers, and microphones;
- indicate the impact on the device’s features or use in case of unavailability of connection;
- be capable of being reset to its original settings; and
- incorporate ‘Security by Design’ as a feature to combat unauthorised usage.
IoT Device roaming
The IoT Framework states that the TRA will ‘exercise forbearance’ on the roaming of IoT devices for now, but may implement future regulations on this subject at its discretion.
IoT Specific connectivity
Persons or organisations that want to provide the underlying connectivity for IoT Services will require a separate licence from the TRA to do so. Applicants for this licence will be considered by the TRA on a case-by-case basis.