Bahrain’s Telecommunications Regulatory Authority (“TRA”) has published a long-awaited position paper on the Internet of Things (IoT) on February 2023.
Zeina AlbuainainAssociate,Digital & Data
Bahrain’s Telecommunications Regulatory Authority (“TRA”) has published a long-awaited position paper on the Internet of Things (IoT) on February 2023 (the “Position Paper” or “Paper”), which identifies key areas that help the development of safe and secure IoT services in the Kingdom. The position paper addresses key issues relating to IoT, including data privacy, network and equipment security, and licensing considerations.
Speaking on the Position Paper, the General Director of the TRA, Philip Marnick, stated: “We all today use many IoT devices in our homes and offices. But IoT is set to rapidly increase, enabling large numbers of previously unconnected devices to communicate and share data with each other and between different business sectors.”
The Position Paper highlights the Kingdom’s readiness for IoT. It opens with a clear statement of intent: which is to clarify and affirm the TRA’s position in relation to policy considerations relating to the provision of IoT services in Bahrain. The TRA emphasises however that these policy considerations are non-exhaustive, and all other applicable laws and regulations in force in the Kingdom should be given due regard.
The Position Paper refers to the European Parliament’s broad definition of IoT, being ‘a global, distributed network (or networks) of physical and/or virtual objects that are capable of sensing or acting on their environment and able to communicate with each other, other machines or computers’. An ‘IoT service’ is used to refer to a service comprising of a set of functions and/or facilities offered to a user that can be accessed via a smart device, through a voice assistant and/or through other smart user interfaces.
Outlined below are some of the key policy considerations related to IoT services delineated in the Position Paper.
With the continued evolution of technology, it is inevitable that data privacy concerns will continue to grow. The TRA affirms that existing data protection laws and regulations applicable in Bahrain will be applied whenever the use of IoT services involves the collection or processing of personal data and/or sensitive personal data.
The Paper provides an example of this, relevant to telemedicine technology: where an IoT device is used to obtain health data about an individual, which is then transferred to a healthcare provider to provide the relevant healthcare services. All parties involved in the collection, use & transfer of such data will need to consider their respective obligations and ensure compliance with the provisions of Law No. (30) of 2018 with respect to Personal Data Protection (the “PDPL”) and its implementing decisions. Further, the Paper envisages that the TRA may introduce an additional sector specific regulation on data protection & privacy in the telecommunications sector, which would apply to those licensed to operate telecommunications networks or provide telecommunications services in Bahrain (“Licensed Operators”).
With the continued development of IoT services and consumers’ increased reliance on them, the network and/or equipment delivering these services should be sufficiently robust and secure. Telecom licensees in Bahrain should consider the TRA’s regulations concerning the security and availability of their infrastructure as applicable.
Separately, ‘suppliers’ of IoT devices are encouraged to ensure that all IoT devices imported to Bahrain are manufactured in accordance with certain standards set by the European Telecommunications Standards Institute (ETSI). These include security by design (supplementing its counterpart – privacy by design, which is emphasised on under the PDPL), using ‘unique per device’ pre-installed passwords or enabling user-defined passwords for IoT devices, ensuring software integrity, and keeping the software up to date.
Identifiers play an important role in IoT, whose core concept is communication among other devices and users. In the Paper, the TRA provides the example of using traditional telephone numbers as communication identifiers. Licensed Operators may presently utilise numbers from the ‘Universal Number Series’ as per the National Numbering Plan for the purpose of assigning identifiers to IoT devices. In order to be able to utilise numbers from the National Numbering Plan, IoT service providers will need to hold individual licenses as issued by the TRA.
Notwithstanding the above, the TRA is currently studying the feasibility of introducing a separate numbering range for IoT to the National Numbering Plan.
The TRA is responsible for regulating the telecommunications sector in Bahrain, and as such, strictly speaking, ‘IoT services’ as defined in the Paper may not on its own fall within the purview of the TRA. However, IoT heavily relies on telecommunications networks, generally triggering certain licensing requirements imposed by the TRA.
The parties involved in the delivery of IoT services should therefore pay due consideration to their roles under Bahrain law, and whether such role would involve carrying out a TRA regulated activity, in which case appropriate licensing will need to be sought and maintained.
Separately, in accordance with the Bahrain Telecommunications Law, all ‘Telecommunications Equipment’ (broadly defined under the law) imported into the Kingdom of Bahrain shall be subject to the TRA’s type approval regulations before the equipment can be made readily available in Bahrain. Therefore, to the extent applicable, IoT device suppliers need to ensure that the Telecommunications Equipment meets the technical requirements set out under the TRA’s type approval regulations (unless the IoT devices are intended for ‘private use’, in which case these may be imported into the Kingdom without the need to obtain type approval subject to meeting certain conditions).
The general position is that IoT service providers wishing to use SIM cards issued by Licensed Operators need to ensure compliance with the TRA’s SIM-Card Regulations which set out certain SIM-Card registration and activation requirements.
The adoption of embedded SIMs (eSIMs) in IoT devices particularly continues to grow given eSIMs’ convenient offerings compared to traditional SIMs. In cases where the IoT devices contain Embedded SIMs (eSIMs) that require activation by a Licensed Operator, prospective IoT service providers must seek the TRA’s approval to ensure that all SIM-Cards used in the provision of IoT services are configured only for automated communication between devices.
The Position Paper is a product of Bahrain’s keenness to support IoT development with the aim of making the Kingdom one of the leaders in the provision of IoT services and the deployment of IoT devices.
While the Position Paper is not to be considered an exhaustive statement on the TRA’s views on IoT services or the obligations arising thereof, it nonetheless serves as a useful guidance for IoT service providers, which should be considered in conjunction with all applicable laws and regulations in Bahrain, including, without limitation, Bahrain’s Telecommunication Law.
For further information, please contact Zeina Albuainain.
Published in May 2023