The regulation of IoT in Canada is nascent, fragmented and complex. Determining what rules and requirements apply to IoT device manufacturers / suppliers, service providers and enterprise customers requires navigating various regulatory regimes, from telecommunications and radiocommunications legislation to privacy laws and municipal access regimes.
IoT architecture is generally composed of three layers: the endpoint layer, data/application layer and network layer. Each of these layers raises various regulatory considerations.
- Endpoint layer: The endpoint layer comprises connected devices and short-range IoT gateway and router devices that collect and aggregate vast amounts of data. This includes connected vehicles, security cameras, wearable devices and sensors that detect and measure things like temperature, light, noise and movement.
- Data / Application layer: The data collected in the endpoint layer is in turn sent to data centers / cloud networks and managed service providers, which store/process the data and host IoT applications and services (e.g., fleet tracking).
- Network layer: The network layer provides connectivity to IoT devices and applications using wireline and wireless network technologies (e.g., LTE, 5G, LPWAN, satellite, WiFi and Bluetooth).
The following is an overview of the regulatory landscape for IoT in Canada:
- Device certification: IoT devices, such as connected sensors, gateways and routers, that utilize radio spectrum to communicate and transmit data must meet specified regulatory requirements and technical standards established by Innovation, Science and Economic Development Canada (ISED) and obtain certification from ISED or a recognized certification body.
- Radio or spectrum licensing: IoT service providers that operate in certain radio frequency bands may need to obtain a radio or spectrum licence from ISED.
- Telecommunications registration: IoT service providers that offer / bundle network connectivity (wireless or wireline) as part of their IoT products and services, including on a resale basis, may need to register with the Canadian Radio-television and Telecommunications Commission (CRTC) as a telecommunications service provider (TSP) and comply with various obligations established by the CRTC. Certain TSPs may be exempt from registration (e.g., pure M2M resellers).
- Infrastructure access: There are regulatory processes to attach IoT equipment to municipal-owned street-level infrastructure (streetlights, transit shelters, etc.) and rights-of-way, utility-owned support structures, carrier-owned support structures and multi-dwelling units.
- Privacy: The sensors in IoT devices frequently collect information that is related to an identifiable individual. This information constitutes personal information, and its collection, use and disclosure are regulated by federal and provincial privacy legislation. The requirements to provide notice to and seek consent from individuals in certain situations pose significant challenges when their information is automatically collected by objects that involve no human interaction.
- Cybersecurity: Although Canada does not currently have a dedicated IoT cybersecurity law that, among other things, requires manufacturers to equip IoT devices with security features, Canadian privacy laws generally require device manufacturers and IoT service providers that process personal information to have systems in place to address known vulnerabilities. This would include addressing vulnerabilities at the device layer (e.g., default passwords, software and firmware vulnerabilities and supply chain risks), network layer and data / application layer.
- HealthTech licensing: IoT devices used in medical diagnosis, health monitoring and/or treatment decisions may be regulated as medical devices under Canada’s health regulatory regime and may require a medical device licence issued by Health Canada.
- Consumer protection: Consumer protection legislation in Canada regulates various aspects of the commercial relationship between companies and their customers, including protecting consumers from unfair business practices, such as false, misleading or deceptive representations, providing consumers with certain rights and warranties and imposing disclosure obligations in consumer agreements. Companies that develop and sell IoT technologies and services must take care not to make false or misleading representations regarding the functionality or effectiveness of their products – performance claims cannot be made without adequate and proper testing to back them up.
Dentons Canada’s regulatory team has the multidisciplinary knowledge and experience to bring your IoT devices and/or solutions to market in Canada and globally. If you are an enterprise customer seeking to implement IoT solutions into your business, we can help you consider (and limit) the regulatory risks and ensure vendor compliance. Please feel free to reach out to any of our key contacts if you have any questions.