Protect and Roam

Regulators are set to give much more attention to M2M (machine to machine) and IoT (internet of things) in 2015. This is both good and bad. There is what we have termed a ‘quicksand of regulatory uncertainty’ threatening to hold back M2M deployments, in particular for permanent roaming. At the same time, however, we will also see more regulators wanting to adopt a nurturing approach to IoT and M2M, as illustrated by the approaches of regulatory bodies in India, Singapore, the UK and some others.

PERMANENT ROAMING

The single most important regulatory issue that is likely to have a direct impact this year relates to the extra-territorial use of E.164 numbering, or ‘permanent roaming’ as it has been dubbed. Many mobile network operators make use of roaming SIMs to support M2M connections around the world. The use of roaming, rather than the need for local SIMs in all territories, greatly simplifies the supply chain process for connectivity. It also allows operators to use foreign SIMs in any given territory to take advantage of national roaming.

However, in some countries there are rules prohibiting such use. Arguments in favour of prohibiting permanent roaming include the possible exhaustion of number ranges, challenges with number portability, national regulatory oversight, customer protection and lawful intercept. The arguments against prohibition focus on the free movement of trade (eg. within the European Union), the interruption to existing services, and the fact that these practices have existed for many years with no significant problems.

However, as M2M/IoT becomes more important, the light-touch regulation that dominated in the past may not be deemed appropriate. The issue of disrupted services is a particularly challenging one. By their nature many M2M deployments are distributed and have a disproportionately high cost associated with swapping out SIM cards.

Of the 68 countries we have studied, only two had explicit rules prohibiting the practice. In another 11 it was permitted. In the remaining 55 the regulation was unclear, albeit that we would categorise the vast majority (52) as being generally accepting of permanent roaming.

But in more than 80% of countries there is significant uncertainty about the regulatory situation. Even where the regulator has laid out explicitly that it is prohibited, such as in Brazil, permanent roaming continues to be used and the regulatory situation is the subject of much discussion. This uncertainty leads to additional costs, as connectivity providers seek to ensure that their offerings are future-proofed against prohibition.

And there is the looming prospect of additional restrictions. In Europe, in particular, the topic of permanent roaming is being discussed openly within regulators. We attended a special forum hosted by the European Conference of Postal and Telecommunications Administrations (CEPT, a European regulatory organisation) on exactly this subject in January this year. The conclusion from the event was hopeful – that M2M should generally be considered an exception to the rules on permanent roaming.

DATA PROTECTION

The other major area of interest is data protection. The rules changed quite significantly recently. Within the European Union, rules about data protection are based on Article 7 of the EU Data Protection Directive 95/46/EC, which is worth reading in full given its impact: “Member States shall provide that personal data may be processed only if:

1. the data subject has unambiguously given his consent, or
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or
3. processing is necessary for compliance with a legal obligation to which the controller is subject, or
4. processing is necessary in order to protect the vital interests of the data subject, or
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed, or
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).”

As with all EU directives, this is not directly effective as legislation in member states. It must be enshrined as national legislation. All the EU member states surveyed had completed that between 1997 and 2003, for instance in Austria’s data protection act, or the Czech Republic’s personal data protection act.

In January 2012 the European Commission released a proposal to introduce a general data protection regulation (GDPR) to standardise regulation across the EU. The regulation was enshrined in EU law in March 2014 and will come into effect soon. This regulation includes the much heralded ‘right to be forgotten’ as well as (more relevantly to M2M/IoT) greater restrictions over how data can be managed: organisations will need to be aware that users may request the transfer of their data, or request that data on them be ‘forgotten’, as well as putting in place a data officer, although small and medium sized companies are exempt. There will also be an obligation to carry out risk assessments related to data.

The immediate question for anyone in the M2M and IoT space is: how much of this new regulation applies to our sector? The regulation relates to personal data, which it defines as “any information relating to a data subject”, and defines a data subject as “an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”. The protection therefore relates only to a “natural person”.

Of course it will be a matter of debate what constitutes ownership by a natural person, for instance in the case of an employee being tracked. The regulation seems to imply that any device that can be used to monitor an individual is covered.

OTHER TOPICS

The two subjects, roaming and data protection, are where we expect some interesting developments in 2015. But there are a number of other areas where regulation affects M2M and IoT. National roaming for mobile operators is one: allowing devices to use whichever network is available, rather than being limited to a single network, is appealing for remote M2M devices. Many regulators have also been looking closely at the requirement for a dedicated number range for M2M devices. Spectrum allocation is also in the spotlight, with regulators such as Ofcom in the UK looking carefully at whether there is a need for dedicated spectrum for IoT.

More generally, regulators, and government more widely, are looking at ways they can help to nurture the growth of IoT. In the UK, as well as the work undertaken by Ofcom, the chief scientific adviser, Mark Walport, has made some constructive contributions to the debate and flagged up significant areas where policy might be adapted.

Funds have even been forthcoming, although the amounts are a drop in the ocean. Singapore has been in the vanguard of regulator- and governmentled efforts. The most recent of these has been the deployment of the Smart Nation Platform, aimed at supporting numerous public sector applications.