IoT is the infrastructure of physical or virtual connection between objects, mediated by devices, based on information and communication technologies. This network allows the collection, processing, treatment, and sharing of data referent to physical and/or virtual objects.1
This article presents the challenges for regulating this matter in Brazil, stressing the public consultation held by Anatel in September 2018 on IoT-related issues.
Such public consultation dealt with issues related to the rating of IoT applications, licensing and award rules, use of the spectrum frequencies, taxation, and others, to be examined further on.
There are IoT applications in houses and buildings. IoT products for smart homes – controlling temperature, lights, security, and energy consumption, such as Alexa, a virtual assistant sold by Amazon2. In buildings, IoT applications are used for security, such as biometric control of entrance, as well as vehicle control in the garage.
In the industry, there are IoT projects for digitalization and robotization of factories, manufacturing of self-driving cars, etc. The so-called 4.0 Industry uses sensors with wireless networks to improve productivity in factories, control inventory conditions, monitor product transportation, as well as the environmental conditions of factories.
In the trade sector, IoT applications are used to monitor vehicle fleets, track containers in ports and ships, among others, control inventory in logistics distribution center, among other uses.
In agriculture, it is present in smart irrigation, controlling agricultural equipment, tracking plantations with drones, and monitoring climate conditions. IoT is also used to monitor cattle grazing.
IoT is present in the health sector allowing for remote monitoring of chronic patients, tracking high-cost medication, sensors can control the temperature of equipment such as surgical drills used in hip-replacement surgery, among other applications.
In the public sector, with have IoT projects for smart cities: public lighting networks with smart sensors, traffic-based traffic lights, etc.
In the financial industry, one of the applications of the Internet of Things is machine to machine communication. For example, electronic payment companies, through mobile apps, on small devices.
New business models for IoT applications that perform financial services through machine to machine communication require knowledge of the sectoral regulation adopted by Anatel (the Brazilian Telecommunications Regulatory Agency). This is because the business may rely on a virtual network of a mobile communications operator, or not. The IoT application’s business model may or may not use frequencies of the spectrum.
In other words, IoT applications rely on the telecommunications infrastructure network. Hence the need to examine the IoT business model to know if it may require a permit as an added-value service of the telecommunications network or authorization to the frequencies of the spectrum. Hence the regulatory role by Anatel in clarifying the regulatory framework applicable to IoT applications.
IoT: Security and Privacy Risks
The Internet of Things has the potential to collect the personal data of millions of people. There are possible risks to the security of personal data and privacy, with the remote monitoring of people’s consumption patterns, their location, behavior, preferences, and others by the technological devices.
Society must be aware of the hypervigilance risks caused by IoT networks, as well as the possible risks to digital freedom. Then, legislators can define in the proper laws the limits to IoT applications.
IoT Applications and the Demand for Connectivity Using the Telecommunications Infrastructure Network.
The Internet of Things requires digital communications networks infrastructure. It needs high-speed data transportation networks and access networks.
The 5G internet network, a high-speed network (the average speed is 10 Gbps, in comparison to the current 100 Mbps) is vital for IoT. This 5G network requires mobile telephony antennas and fiber optics, and cloud-based software solutions.
Challenges to the Regulation of IoT Applications.
In Brazil, IoT is not yet regulated.
The law must regulate the matter, through laws and decrees, along with self-regulatory measures by the companies that offer IoT devices.
In addition to regulation, the government must also provide incentives for the private sector to make investments in IoT network infrastructures.3
In Brazil, the Internet of Things is only mentioned in Decree No. 9.319/2018, that institutes the national digital transformation system.
This Decree deals with matters such as internet access and data transportation networks by mobile and landline broadband, the digital transformation of the economy, professional education and training, data-based economy, new business models.
Decree No. 9.319/2018 only mentions the following: “by recognizing the transformative potential of the Internet of Things applications, actions and incentives must be set to allow for the continuous evolution and dissemination of such devices and the associated technologies.
Anatel: Public Consultation on the Regulation of IoT Applications
Anatel recently opened Public Consultation No. 31, of September 2018, to reexamine the regulation to expand IoT applications.
The regulatory agency presented the following themes for assessment of regulatory impact: a) granting of IoT services based on new business models; b) rules for providing IoT services; c) the matter of taxation and licensing of IoT services; d) numbering to meet the demand of IoT devices (used to address and identify these devices in any network in the world); e) the cyber security of IoT devices (certification and approval of IoT devices); f) the spectrum band available for IoT (and, also, non-monetary bids for new frequencies; g) broadband infrastructure to support IoT services; h) domestic roaming agreements, given the offering of IoT services based on global connectivity providers.
Anatel mentions the National IoT Plan, and the IoT Chamber, established in the form of Decree No. 8.234/2014, as one of the grounds used to open the matter to public consultation. This Decree regulates Article 38 of Law No. 12.715/2012, which deals with the taxation of machine to machine communications. According to that norm, the Ministry of Communications (currently, the Ministry of Science, Technology, innovation, and Communication) will create a chamber to manage and monitor the development of machine to machine communication systems. Under this Decree, Anatel will regulate and monitor compliance with its provisions.
According to Anatel, the purpose of the IoT Chamber is manage and monitor the development of machine to machine communication, to apply Article 38 of Law No 12.715/2012, which deals with the taxation of machine to machine applications. Note that the law refers solely to the issue of taxation of IoT applications.
Still, according to Anatel, some Iot/M2M (machine to machine communication) business models do not fit the typical features of telecommunications services, as per the current regulations. Hence the need to adjust the regulation of IoT/M2M services.
The regulatory agency also points out the lack of flexibility of the regulation for personal mobile services (SMP), through virtual networks for IoT applications.
According to Anatel, some IoT applications use as support personal mobile telecommunication services.
Telecommunication services are regulated based on the obligation burden of providing communication between people, hence the requirements of consumer protection and quality.
However, such consumer and quality obligations from telecom regulations do not make sense for IoT applications. Thus, one of the possible paths is establishing a differentiated scheme for IoT applications, with the possibility of the matter being defined in contract.
Also, the Mobile Network Operator (MNO) registration model requires being bound to a provider at the origin. However, this requirement does not make sense for IoT applications. Amongst the alternatives is establishing a differentiated scheme for IoT applications, through virtual networks, based on personal mobile services.4
Discussion on the Legal Qualification of IoT Applications
There is a discussion on the legal qualification of the Internet of Things.
The tendency is to qualify it as an added-value service of the telecommunications network. The concept of added-value service is in Article 61 of the General Telecommunications Act. However, it is distinguished from the concept of telecommunications services, which traditionally comprehends landline and personal mobile telephony services.
So, if the Internet of Things is qualified as an added-value service, it may be subject to the ISS municipal service tax.
However, if IoT is qualified as a telecommunications service, it will be subject to the ICMS State sales tax.
Bills for Tax Exemption of Machine to Machine Communication to Promote the Development of IoT and Application Business Models
There are some bills to remove taxation from IoT stations.5 Such is the case of Bill No. 7.656/2017.
The bill grants to Anatel the power to define the concept of machine to machine communication to apply the rule of tax exemption of the Contribution to Promote Public Radio Broadcasting and Contribution for Development of the Cinema Industry.6
It’s hard delegating to the regulatory agency the definition of the concept of machine to machine communication for taxation purposes. The law must define this concept. This is required under the principle of strict legality. Otherwise, this leads to legal uncertainty in the practical application of the concept within the regulation of the Internet of Things, with the risk of judicialization of the matter.
The public consultation held by Anatel registers the issue of the application of the licensing fees for stations (TF1 – fee for inspection of installation and TFF – fee for inspection of Operations) that may make the IoT/M2M business models unfeasible.
There is a discussion regarding the alternatives, in the sense of exempting or applying zero rates to the licensing fee of IoT/M2M terminals, waiving the licensing of such terminals or taxation based on a percentage of the revenue of the business and not by device.
The Issue of Net Neutrality
Another regulatory challenge is the issue of Net Neutrality, stated in the Internet Regulatory Framework. With the implementation of IoT networks, there will probably be a demand for flexibility of net neutrality. For example, the Internet of Things related to communication between vehicles, giving priority to ambulance services, is cited as one such demand for flexibility of net neutrality.
For example, in the United States, given the legal ambiguity of the Communication Act, there is a controversy regarding Internet neutrality. Initially, the Federal Communication Commission, during the Obama administration, qualified internet connection services as telecommunication services to guarantee the obligations regarding net neutrality. Later, in the Trump administration, the regulatory agency removed net neutrality.
In Brazil, however, the concept of net neutrality is defined in the Internet Regulatory Framework.
Frequencies of the Spectrum
Another issue related to the regulation of IoT applications is defining the range of the frequencies of the spectrum to be used, the licensed and unlicensed range, to be decided by Anatel. For example, the Internet of Things depends on wireless communication networks.
Privacy and Security Standards of IoT Applications
Another regulatory challenge of IoT is defining the privacy and security standards of the data collected through landline and mobile devices. Regulation is also vital to protect the personal data of users of IoT application.
In this regard, it must be highlighted that Brazil recently passed Law 13.709/2018 that deals with the protection of personal data, with rules for private companies and the public sector. There are also rules on the international transfer of personal data between companies.
If the IoT network’s architecture is not built correctly, there are severe risks to the security and privacy of the data transported by the networks. For security reasons, the digital identification of physical and virtual objects is essential.
International Scenario on Cyber Security and IoT
The matter of the Internet of Things is directly associated with the issue of cyber security.
In this regard, Anatel’s public consultation opened to the discussion on the issues of certification and approval of the IoT devices.
For example, the United States passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2017.
This North American legislation holds the standards for IoT devices purchased by federal agencies. Thus, the suppliers and operators of IoT equipment (such as the design of the microchips used in machines and networks) for the USA government and its agencies must adjust to the cyber security guidelines.
Also, recently, California passed Senate Bill – SB 327 to protect the privacy of information in connected devices (IoT).
According to the California Bill, the manufacturer of connected devices must follow reasonable security standards, according to the following aspects: appropriate to the nature and function of the technological devices, appropriate to the information collected, stored, and transmitted; designed to protect the device and any information stored from unauthorized access, destruction, use, alteration or opening, among other rules. If the Governor of California sanctions the bill, it will come into effect in January 2020.
According to its critics, the bill is the first step, even if it contains superficial and incomplete definitions of security. The critics say that the bill does not indicate the security measures such as device certificate, code signature, and firmware safety audits, purchased from IoT suppliers that buy them from suppliers abroad. The bill also does not define liability in case of unauthorized access through coded encryption keys.7
Thus, the matter of the Internet of Things is directly associated with the issue of national cybersecurity in light of external threats. Cyber-attacks to public and private networks by hackers present challenges to national security.
Finally, in the United States, there are rules for IoT security set by the National Congress that must be followed by the industry. Over there, they are also debating whether there should be mandatory certification of IoT devices.
To better understand the context, the United States has adopted measures to prevent China from buying American technology companies (mobile phone and computer chip manufacturers). In addition to the issue of international competitiveness, there are allegations of risks to national security. The United States are concerned with the 5G network, specifically with it being dominated by foreign companies, overall Chinese companies. Hence the trade war between the United States and China in this cyber security realm.
The matter must be seen from the context of the big picture, as characterized by the trade war between the United States and China for technological leadership.
China has a program called Made in China 2025 with clear objectives to obtain its technological independence by manufacturing cell phone chips, robots, and the digitalization of its industry. Hence the international discussion around intellectual property, technology transfer, cyber security, etc.
Opportunities in IoT Applications
IoT holds tremendous opportunities for telecommunication companies, internet connection providers, and for the companies that explore this type of business. It creates demands for the creation of data centers and implementation for more networks of cellular antennas.8 There are even credit facilities for IoT startups through the Brazilian Development Bank – BNDES (via Finep).
IoT applications present challenges and opportunities for device manufacturers, network operators, and startups with new business models.
In sum, the regulation of the Internet of Things has significant repercussions in the present and near future.
1 According to the International Telecommunications Union, the internet of things is: “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies (ICT).
2 Problems have been reported regarding the security and privacy of people due to the use of technological devices that can record all conversations held close to the equipment. There are even cases of baby monitors that monitor children and homes being hacked. Hence, in the United States, consumers are demanding security and privacy measures for IoT products. The United States Senate, through its Committee on Commerce, Science, and Transportation, held a public hearing on the matter of guarantees to protect consumers’ privacy. It called representatives of the companies AT&T, Amazon, Google, Twitter, Apple, and Charter. In sum, the technology companies support a federal bill to protect the consumers’ right to privacy, to avoid having the North American States passing laws on the same matter. Amazon’s representative gave a statement on Alexa, a cloud-based voice service. According to him, when Alexa is activated, the consumer is informed that the cloud-based audio streaming service is in operation; also, that the device can be turned off through Echo/Alexa’s microphone button; and, finally, that the Echo hardware and Alexa’s service were designed to allow control by the consumer.
3 Google has announced that it will invest USD 140 million to expand its datacenter in Chile. It is the first Google datacenter in Latin America that will operate as infrastructure to offer cloud computing services. According to the press, Chile was chosen given the favorable environment for foreign investments, a clear regulatory framework, and renewable energy sources.
Brazil lost the opportunity to attract this type of investment from a global company, that would create jobs and generate income in the country. This fact attests to Brazil’s delay in establishing a policy to promote investments in datacenters in Brazilian territory and, accordingly, to compete in the international market.
India, in its turn, has recently passed a law requiring foreign technology companies to store their users’ personal data in Indian territory. The law has an impact on companies such as Facebook, PayPal, Mastercard, and others.
4 Anatel, in July 2018, authorized the company Safra Telecomunicações to operate as a Mobile Virtual Network Operator (MVNO).
5 Article 38. The value of the Fee for Inspection of the Installation of Mobile Stations of Personal Mobile Services, Cellular Mobile Services or any other telecommunication service, as per Law No. 5.070, as amended, that integrate machine to machine communication systems, as defined in the regulation to be issued by the Executive Branch, is set at BRL 5.68. (Regulation) Sole paragraph. The Fee for Inspection of Operations will be paid annually, by March 31st, and its value corresponds to thirty-three percent of the Fee for Inspection of the Installation.
6 In its turn, Decree No. 8.234/2014, which regulates Article 38, of Law No. 12.715/2012, defines the following: “Article. 1. For the purpose of the provided in Article 38, of Law No. 12.715, of September 17, 2012, machine to machine communication systems are deemed to be the devices that use telecommunication networks to transmit data to remote applications, without human intervention, with the purpose of monitoring, measuring, and controlling the device, the environment around it, or the data systems connected thereto through such networks”.
7 The press recently announced a security breach by Amazon that allegedly leaked the access code to the company’s system.
8 Thecountry was due to its political stability, the regulatory framework to attract private investments and economic stability press recently published that Google is expanding its data center in Chile. The choice to invest in that.