IoT in the UAE and the maturing data protection landscape
Sheikh Mohammed bin Rashid Al Maktoum, ruler of Dubai has made clear his ambitions that Dubai should become the most advanced Internet of Things (IoT) ecosystem in the world. In March 2019 the UAE government set out how it intends to implement its IoT strategy over the next 3 years: (Phase 1): implementation of policies across government departments; (Phase 2): integration and conversion (which we presume to mean implementation of ideas and prototypes); and (Phase 3): optimisation and full integration of IoT policies leading to the first return on investment from the government's 3 year strategy.
We are currently at Phase 1 of the government's ambitious plans. New regulations are being introduced by the UAE government that indicate a move towards specific federal regulations relating to data protection, as part of the government's digital transformation objectives. While there is still no specific federal data protection legislation, the new Health Data Law (UAE Federal Law No. 2 of 2019) regulates the use of electronic data relating to healthcare throughout the UAE. This Health Data Law also sets out various data protection obligations such as the need to store UAE healthcare data within the UAE. It also establishes a central IT system with mandatory interoperability standards for the healthcare sector. Legislation like this will affect key players such as IT systems providers and Cloud Service Providers.
The UAE's new IoT regulatory framework is further evidence of the progress being made under Phase 1 of the government's 3 year strategy. It has a broad application, applying to Licensees (as defined in the Telecommunications Law), IoT Service Providers (any human, company or public authority that provides an IoT service/solution to individuals, businesses or the government) and IoT service users. Through these new regulations, the TRA has increased its control and oversight of the IoT industry and IoT Service Providers must now be registered with the TRA. It is worth noting that the provision of IoT specific Connectivity by means of a Telecommunication Network (as defined under the Telecommunications Law) is not included under the definition of IoT Service.
The new IoT regulatory framework can be seen as another indication of the government's move towards a federal data protection landscape, in line with international best practice. The definitions of "Consent", "Data Controller", "Data Processing" etc have all been adopted from the GDPR. The new framework sets out certain principles that IoT Service Providers need to follow when storing data. These include "Purpose limitation" (data is to be collected for specific purposes and shall not be processed in a manner incompatible with these purposes), "Data Minimization" (data shall be limited to what is necessary in relation to the purpose for which it is processed) and "Storage Limitation" (data shall be kept in a form that permits identification of Data Subjects for no longer than is necessary).
IoT Service Providers must consider their location, as well as the location of data that is stored when providing IoT Services in the UAE. For an IoT Service Provider to obtain a registration certificate from the TRA it is a prerequisite that they have a local presence in the UAE or that they appoint an official representative who is physically present in the UAE, responsible for communication with the TRA and other law enforcement agencies. Data localisation is also an important consideration for IoT Service Providers as "Secret", "Sensitive" and "Confidential" data for individuals and business should primarily be stored within the UAE and for the government such data must always remain within the UAE. In contrast "Open" data for individuals, businesses and governments may be stored within the UAE and/or outside of the UAE. Such localisation considerations will be important for international providers of IoT Services including those proposing to offer IoT Services into the UAE remotely.
The new IoT regulatory framework has only recently been made available on the TRA's website. Notwithstanding this fact, the implementation date for these policies and procedures have already passed. As such, IoT Service Providers should be proactive in understanding the relevant registration, localisation and data requirements contained within the new regulatory framework. Failure to observe the requirements could lead to fines and/ or imprisonment under the Telecommunications Law. As part of Phase 1, this new IoT framework is designed to be a practical way of coordinating a coherent, safe and secure IoT framework. We expect other IoT policies to be developed in due course to deal with specific industries (we would consider healthcare and financial services to be prime candidates). The IoT landscape is moving quickly in the UAE as part of the plan for achieving the Smart Dubai Plan 2021. IoT Service Providers should remain focused on staying up to date with the new regulatory and legal developments and seek legal advice where they are unclear.
