We recently advised a leading global car manufacturer on the laws and regulations applicable to Vehicle Connectivity Services in Pakistan. Our comprehensive advice covered several regulations and policies on vehicle tracking, telecommunications, cyber security, import/export policies, and the proposed legislation on data protection.
What is Vehicle Connectivity Services?
Vehicle Connectivity Services allow users to remotely monitor and access their cars using the vehicle manufacturer’s mobile app. This allows users the ability to access information about their vehicle, including its current location, mileage, security status, and even the option to remotely operate certain features of the vehicle. These services are made possible through the installation of specialized equipment within the vehicle that transmits such data.
Licensing
It is pertinent to note according to the Pakistan Telecommunication Authority Act 1996 any service provider that intends to establish Vehicle connectivity services is essentially establishing a telecommunication system and is offering telecommunication services. Therefore, that service provider must comply with the regulations set out pursuant to the Authority.
Pakistan Telecommunication Authority (PTA) further requires that the service provider obtain the requisite licenses in order to establish and offer Vehicle Connectivity Services in Pakistan. Additionally, it is essential to emphasize that, given the inclusion of location tracking services, a distinct Class Value Added Services License is mandatory. These include the following:
Regulations Applicable on the Device
Pursuant to the PTA Act 1996, the Terminal Equipment Standard Regulation 2021 sets out a comprehensive framework applicable to the device pertaining to car-connected services in Pakistan. Since the device responsible for the transmission of data from the vehicle to the designated servers falls under the definition of both a mobile device (assuming it is SIM-based) and terminal equipment, these regulations are applicable to Vehicle Connectivity Services.
This regulation’s overall framework is to ensure that terminal equipment being used in Pakistan aligns with internationally recognized benchmarks for quality, safety, and performance. Consequently, the issuance of a Type Approval Certificate is exclusively granted to devices that demonstrate full compliance with these established standards.
Further, in the event that the service provider intends to import terminal equipment, obtaining a Certificate of Compliance (COC) becomes necessary.
Since such devices fall under the category of mobile devices, it becomes crucial that they further comply with Mobile Device Identification, Registration, and Blocking Regulations, 2017 which aims to enhance the control and management of mobile devices in Pakistan. Therefore, the devices for Vehicle Connectivity Services must be registered and must have a valid and unique IMEI issued by GSMA.
In the situation where the said device is to be manufactured in Pakistan, the Mobile Device Manufacturing (MDM) Regulations, 2021 applies to the overall framework of mobile manufacturing. The Authority shall consider a range of factors regarding the service provider intending to manufacture these devices and further, standards have been introduced to which these devices must comply, including the procedure of localization of parts.
Consumer Rights and Data Protection
National Cyber Security Framework for Telecom - Assessment Criteria & Guidelines provides a comprehensive framework of cybersecurity measures within the telecommunications sector. This framework provides a structured approach for evaluating the cybersecurity structure of telecom operators and service providers. This framework provides detailed criteria and guidelines for assessing various aspects of cybersecurity, including network security, incident response, data protection, and compliance with cybersecurity regulations.
Critical Telecom Data and Infrastructure Security Regulations 2020 requires Vehicle Connectivity Service providers to take measures and formulate protocols aimed at protecting telecommunications infrastructure and critical data from cyberattacks or any other risks.
The proposed Personal Data Protection Bill 2023 would be crucial to Vehicle Connectivity Services, as these services collect, process, and store personal data. The Bill broadly defines personal data as any information that identifies a person, thus any processing of the user's data collected from the Vehicle Connectivity Services shall be subject to their consent. Further, the Bill imposes restrictions on the cross-border transfer of data which would present a challenge to services that have servers outside of Pakistan.
In essence, these comprehensive regulations extend their scope well beyond just the service provider that intends to offer Vehicle Connectivity Services. They encompass a broader spectrum of stakeholders involved in the provision of these services, including mobile but not limited to; network operators, vendors, and any third-party entities that are part of the ecosystem for Vehicle Connectivity Services, who must also conform to these regulations.
Additionally, the service provider must recognize that, in light of these regulations, it is imperative to revise and adapt its existing contracts and agreements to align with the prescribed legal standards.
