Messages

The Swiss Federal Court declared water meters that transmit consumption values every 30 seconds via radio as impermissible in a municipality. The judge found an interference with the right for self-determination with regard to personal information.

#more#

The highest Swiss court pronounced judgement regarding electronic water meters that collect data over a long period of time and transmit this data regularly via radio. In the published judgement made by the Federal court last week, the judge ruled that the personal rights of the plaintiff were violated. In principle, electronic water meters are however intended to report usage.

A resident of the municipality Auenstein brought the case to federal court after the administrative court in Aargau dismissed his charges in the previous year. In October 2017, the municipality installed a radio water meter in the plaintiff’s building of residence. Municipal workers can use a device to perform annual readings of the recorded values without entering the building — for example, from a car.

In its decision, the Federal Court has found an interference with the right for self-determination with regard to personal information because the installed model collects too much data. The iPerl device, manufactured by GWF, saves values for alarm status, the current counter reading as well as the maximum and minimal measured flow rate in hourly intervals for a period of 252 days. The meter transmitted this encrypted data every 30 seconds via radio. According to the court, in this scenario it’s possible at any point in time to trace back the hourly value for the past eight months.

Even though the municipality only wanted to read the current usage and not the hourly values, it “did not change anything”. There is no legal basis for saving the data and transmitting it every 30 seconds. “This data processing proves itself unnecessary and is therefore excessive”, according to the judgement.

Municipalities must uphold the principle of data economy

The plaintiff argued that a consumer profile could be created from the collected data of which, under circumstances, could be accessed by third parties. The Aargauer administrative court countered in the first instance that the data is well protected and that access from unauthorised parties could be ruled out. However, the Federal Court also decided that “data security alone cannot outweigh that more personal data is being processed than necessary”. The purpose of data avoidance principles and data economy is that only necessary data will be collected and nothing more. “In this regard, it’s also more ensured for your protection: non-existent data cannot be misused”, according to the Federal court.

Indeed the Federal Court did not generally prohibit the implementation of electronic water meters: the public interest of these devices stems from the greater efficiency in being able to read meters from a distance. However, this did not apply for the 252 days of collected water amounts.

With its judgement, the Federal Court reversed the previous ruling of the administrative court. The municipal council of Auenstein now must investigate how it can reduce the collection of data.

The plaintiff originally requested that the municipality install an alternative meter and informed the Aargauer data protection officer of the case. The data protection officer confirmed in her investigative report from September 2018 that consumer behaviour can be determined from the collected information — such as how often the shower is used or at which times no water is used and if occupants are likely not at home. She recommended deactivating wireless modules or adjusting programming accordingly for meters that have already been installed without consent for data processing. The water meters should only collect data required for invoicing and only do this once or at a maximum of twice a year when requested by a reading device.

Smart meters for electricity metering

Also in Germany some water companies have already implemented digital meters. The Hessian data protection officer, Michael Ronellenfitsch issued a statement regarding radio water meters on properties in March 2020: accordingly the values recorded for properties “with one or two residential units at most” are personally related data. Already in 2018 the Bavarian data protection officer, Thomas Petri warned that data that can be read at any time from digital water devices could be used to create a profile of every day behaviours of residents. Bavaria introduced rules for using electronic water meters in 2019 that include a right to object.

Whereas in the energy sector, there is already an obligation for digital meters: the 2016 law on the digitization of energy transition calls for the nationwide installation of digital electricity meters by 2032. A legal constraint for so-called “smart meters” exists for households with an annual use of over 6000 kilowatt hours. Since 2020, these meters have been gradually included with devices. They transmit collected values to energy providers and network providers — for example, via mobile networks. Smart meters remain optional for households with low energy usage. In such cases, meter operators decide whether they will install a digital electricity meter without a wireless module or a radio electricity meter. Customers must be informed three months in advance about the planned installation and be notified that they have the possibility to change to another provider.

The German Federal Consumer Protection Board writes the following regarding this: “As with every device that sends data via radio or cable, an intelligent reading system is also generally vulnerable to people and companies with criminal intents. They could gain knowledge about everyday life and habits of residents from the stored measured values.” The communication module must be certified by the German Federal Office for Information Security.

Intelligence agencies can no longer rely on ‘general warrants’ for certain forms of property interference like hacking, court says

#more#

The UK’s High Court ruled that UK security and intelligence services can no longer rely on ‘general warrants’ to conduct searches of property, including computers.

The case – brought by Privacy International against the UK Investigatory Powers Tribunal – sought to narrow the use of general warrants in investigations that might result in computer network exploitation (CNE) – or hacking.

The court agreed with Privacy International that section 5 of the UK Intelligence Services Act (ISA) of 1994 does not permit the security and intelligence services to rely on non-specific warrants – otherwise known as general warrants – to authorize their wide-ranging hacking and property interference powers.

“The aversion to general warrants is one of the basic principles on which the law of the United Kingdom is founded,” the court said in its judgement. “As such, it may not be overridden by statute unless the wording of the statute makes clear that Parliament intended to do so.”

Thematic warrants are general warrants covering an entire class of property, persons or conduct, such as mobile phones used by a member of a criminal gang. These warrants may cover large groups of people without specifying the names or locations of the members. And that, PI argued, could allow governments to surveil millions of citizens unlawfully.

Older laws now apply to tech searches

The court decision in PI’s favor will essentially apply 250-year-old legal principles to modern government hacking and property interference in the UK. In agreeing with PI, the UK’s high court signaled to law enforcement that fundamental constitutional principles still need to be applied in the context of surveillance – and that government agencies do not have the right to circumvent traditional protections afforded by the common law.

“The Court referred to cases dating back to the 18th century, which demonstrate the common law’s insistence that the Government cannot search private premises without lawful authority even in the national security context,” Privacy International said in a press release. “In the digital age, where a general warrant could easily enable spying on hundreds, thousands or even millions of people, this is a major victory.”

The court found that a government policy of allowing the UK Secretary of State to grant general warrants to officers and agents to carry out searches amounted to an “unlawful delegation of authority” because general warrants violate individuals’ right not to have property searched other than by the authority of the law.

NGO litigated the case for five years

Privacy International began its legal challenge in December 2015. It questioned various aspects of the arrangements under which the UK spy agencies were believed to make use of computer searches via thematic warrants.

In October 2019, PI sought judicial review of whether the use of hacking by GCHQ prior to publication of the draft Equipment Interference Code in February 2015 had been in contravention of Article 8 and/or Article 10 of the European Convention on Human Rights.

In January 2020, the court approved a consent order under that combined the two cases, ultimately resulting in this most recent ruling.

Legal challenge found government support in some quarters

PI’s legal challenge found support in some parts of the UK government.

In a report issued before the Investigatory Powers Act 2016 went into force, Sir Mark Waller, a former Lord Justice of Appeal, expressed his concerns to government agencies about the use of warrants in a way which seemed, he felt, too broad or “thematic.”

The UK government at the time rebutted that due to the time-sensitive nature of national security investigations, they needed a warrant regime which “specifies” property under threat by a group of terror suspects in advance of actually knowing suspects’ identities. At some point in the future, the UK government argued, terror suspects could be identified more specifically, after CNE allowed under the warrant had taken place. (Posteo News)

Starting January 1, electrical equipment will be required to display a “repairability index”

#more#

France will require repairability ratings for gadgets starting this year, becoming one of the first countries to implement a circular economy labeling system to help cut environmental waste.

Starting January 1 2021, sellers in France of electrical and electronic equipment including online sellers will be required to display a “repairability index” on their products.

The French government decree provides for gradual implementation, starting with the following categories of products: washing machines, smartphones, laptops, televisions, electric lawn mowers (battery, corded, robot), according to a French government Notification Detail sent to the European Commission.

The index is designed to help consumers know if a product is repairable or not. Various criteria have been put in place, such as the price of spare parts necessary for the correct functioning of the product. Whenever relevant, the product should also offer a usage meter, similar to an odometer. The index will be displayed as a label, poster or any other appropriate form.

“This index aims to inform the consumer regarding how easy it is to repair the product concerned,” the French government said. “This measure thus aims on the one hand to compensate for the asymmetry of information between consumers and manufacturers or distributors concerning the repairability of products and, on the other hand, to encourage manufacturers to integrate repairability criteria into the design of their products, thus tending towards products that are more durable because they are more robust because they are ‘eco-designed’.”

Consumer groups praised the initiative, but said there were missed opportunities on several topics, including design, advertising and software obsolescence.

“Advertising often pushes us to consume more than we need and is at the core of an unsustainable model,” Adèle Chasson of Repair.eu said. “Software obsolescence is the cause of growing frustration among consumers who cannot use their devices anymore because of incompatibility between hardware and software, or updates that cause the product to slow down. The French bill only partially tackles the issue.”

New rules for electrical gadgets, home furnishings and packaging

The rules will require manufacturers to make spare parts available to the seller or repairer within 15 working days. The repairer will also have the obligation to offer the customer spare parts from the circular economy.

France hopes the new measures will discourage manufacturers of phones and tablets from slowing down or deteriorating devices prematurely via the use of software updates.

The “anti-waste law for a circular economy” was promulgated on February 10, 2020, and several of the decrees will go into effect on a staggered schedule over the next few years.

It classifies 130 articles sold in stores and online that should be removed from stores or recycled or reused. It also aims to ban planned obsolescence and permit products to be repaired. France hopes the rules will transform its throw away economy into a circular economy.

In addition to the “repairability index” rule, another aspect of the law entered into force on January 1, 2021. It prohibits the free distribution of plastic bottles by government agencies, and limits their use of plastic bottles at sports events. It also bans plastic confetti, polystyrene boxes, and ends the manufacture and import of single-use plastic bags.

Starting January 1, 2022, plastic wrapping of fresh fruits and vegetables weighing less than 1.5 kilograms will be prohibited. Establishments open to the public will be required to be equipped with at least one drinking water fountain accessible to the public. Press publications and advertisements will be shipped without plastic packaging. Non-biodegradable plastic tea and herbal tea bags will be prohibited for sale. Plastic toys, offered free of charge to children as part of menus, will be prohibited. Sticking a label directly on fruits or vegetables will be prohibited, unless these labels are compostable and made in whole or in part from bio-based materials. The French state will no longer buy single-use plastics either for use in its workplaces or in events it organizes.

The law also plans to move towards the goal of 100% recycled plastic by January 1, 2025. Ultimately, the law provides for the end of the marketing of single-use plastic packaging by 2040. To achieve this, reduction, reuse and reuse and recycling objectives will be set by decree. These objectives are spread over four periods, allowing a gradual ban on single-use plastics.

France’s environmental rules build on EU Parliament resolution

The new repairability requirements adopted by France build on EU Commission requirements set in 2019.

In October 2019, the EU Commission adopted 10 ecodesign implementing regulations, setting out energy efficiency and other requirements for the Refrigerators, Washing machines, Dishwashers, Electronic displays (including televisions), Light sources and separate control gears, External power suppliers, Electric motors, Refrigerators with a direct sales function (e.g. fridges in supermarkets, vending machines for cold drinks), Power transformers, and Welding equipment.

The European Commission estimates that this package of measures will deliver 167 TWh of final energy savings per year by 2030. This is equivalent to the annual energy consumption of Denmark. These savings correspond to a reduction of over 46.million tonnes of CO2 equivalent, and could save European households on average €150 per year, the EC said in a press release.

But in November 2020, the EU Parliament adopted a resolution urging the European Commission to go farther — much in the direction France has just taken.

According to point 11 of the “Facilitating Repairs” chapter, the EU Parliament “Calls on the Commission to establish a consumers’ ‘right to repair’ with a view to making repairs systematic, cost efficient and attractive, taking into account the specificities of different product categories along the lines of the measures already taken for several household appliances under the Ecodesign Directive.”

The European Parliament (EP) also insisted on increasing support for second-hand goods markets. To that end, they called for measures to tackle practices that shorten the lifetime of a product, and endorsed sustainable production and common charging systems to reduce electronic waste.

Whether the rest of the EU’s 26 countries will act to match France’s ambitious new plan remains unclear.

Still, most Europeans want to see government action. In a survey by the EC, it was found that 77% of Europeans thought it was important to make an effort to have broken appliances repaired before buying new ones.

Though the EU ecodesign measures only apply to products placed on the Union market, it is likely that many other countries will adopt the EU standards given that the EU is the world’s second largest marketplace after the U.S. (Posteo News)

EU aims for broader sharing and analysis of health outcomes, greater flexibility when traveling

#more#

The European Commission and EU member state governments are proposing new rules to promote better exchange and access to different types of health data including electronic health records, genomics data and data from patient registries. The plan aims to support healthcare delivery using primary use of data, but would also support health research and health policy making purposes via the use of so-called secondary use of data, according to an outline of the plan on the European Commission’s website.

Under the plan, public health systems in the EU’s 27 member countries would be encouraged to collect data in a standardized format. A core part of the plan known as the Data Governance Act would establish a horizontal framework for the use and reuse of sensitive and valuable data in areas such as health. To that end, the plan would allow access to health data “under a trusted governance and clear rules and support the free movement of digital health services,” Stella Kyriakides, Commissioner for Health and Food Safety, said in a statement. By 2025, patients from all Member States should be able to share their data with healthcare professionals of their choice when traveling abroad.

One of the driving impulses for regulation was the COVID pandemic, Commissioner for Internal Market Thierry Breton said in a statement. “Strengthening and extending the use and re-use of health data is critical for an innovative and competitive EU healthcare sector, and will help make Europe more resilient to weather challenges such as the current pandemic,” Breton said.

According to a draft proposal of the regulation, the EU aims to create a legal framework within which the Union can react rapidly and trigger the implementation of preparedness and response measures to cross-border threats to health across the EU in the form of a Regulation.

“The COVID-19 pandemic has shown that the EU’s mechanisms for managing health threats suffer from general shortcomings that require a more structured Union-level approach if we are to deal better with future health crises,” the EU proposal said. “Since the start of the outbreak, multiple discussions have taken place with Member States including at health ministers’ level, have seen calls for a more consistent and coordinated approach to preparing for and managing health crises in the EU.”

Last spring, EU governments began collaborating to create COVID-tracking apps that work seamlessly in Germany, Ireland, and Italy. Some 30 million people have downloaded the apps, the EU said in a statement. The Czech Republic, Denmark, Latvia, and Spain later joined the program, which was setup by T-Systems and SAP, and operated from the EU Commission’s data center in Luxembourg.

This was seen as a first step in making health information available for Europeans living or traveling outside their home borders. Ultimately, the goal is to enable the exchange of the electronic patient record summaries and electronic prescriptions by 2022 between the 27 member states under the eHealth Digital Service Infrastructure (eHDSI).

Some EU countries are already moving forward with cross-border healthcare cooperation. By the end of 2020, Finland, Estonia, Portugal, and Croatia will be able to exchange imaging data, laboratory results, and discharge reports to facilitate remote consultations, according to a report by the Finnish Innovation Fund Sitra.

But privacy concerns abound. Rights groups say citizens must be able to “opt-in” to the medical data sharing schemes and that any plan must adhere to the General Data Protection Regulation (GDPR).

EU to collect 10 million genomes

An additional part of the plan, known as the Pharmaceutical Strategy for Europe, would establish “the secure federated access to 10 million genomes across borders for research, innovation and clinical applications, including personalized medicine 2025”.

The genetic data might help prevent cancer and other non-communicable diseases like heart attacks, stroke, chronic respiratory diseases, and diabetes, according to an analysis by The Finnish Innovation Fund Sitra. The plan builds on work begun as part of the “European ‘1+ Million Genomes’ Initiative”.

In order to encourage EU countries to adopt the program, Europe’s pharmaceutical lobby, EFPIA, suggested in a policy paper that the European Commission (EC) and Members States “should consider providing a mix of financial and non-financial incentives for data holders to share their data, both with public and private market participants. Such incentives could potentially include traceability of the data, financial rewards/tokenization, reciprocity in access to data, giving credit to data providers, and curators in publications that are based on the data, as well as IP-based incentives.”

Industry wants to encourage data sharing

Public acceptance will be key to the success of the EU’s health plans. But some have voiced criticism of pharmaceutical industry lobbying attempts to equate sharing medical data with donating blood.

“Data altruism is a misleading concept which can lead to malpractice,” European consumer rights group BEUC wrote in a position paper. “If patients and consumers were to provide access to their data for health research under a public purpose research initiative, this should not be for commercial purposes.”

Pharma executives have flagged what they call “data parochialism” as a possible roadblock to gaining access to data. To create public acceptance, many in the industry have likened data sharing to blood donations – despite the fact, unlike donating blood, much of the public health data could end up in the hands of private corporations.

“Think for example about how people give blood or donate organs to help those whom they don’t know,” Padriac Ward of Roche told a panel in November. “That’s the same spirit we should foster around data.”

Pressure is also coming from European tech startups, whose executives say citizen data protections like the General Data Protection Regulation (GDPR) put European health-tech companies at a disadvantage compared to their counterparts in the U.S. and China.

“While digital health startups are highly innovative and adaptable actors which seek to be compliant from day one, they are also smaller economic players,” Brussels-based trade group Allied For Startups said in a statement. “Navigating complex regulations, such as GDPR, the Medical Device Regulation and upcoming rules on Artificial Intelligence require additional resources which could otherwise be directed towards innovation.”

Much as happened with EU rules that eliminated cell phone roaming fees for travel within Europe, the proposed plan could reducing costs by making duplicate tests unnecessary.

Some 80% of health data in Europe remains unstructured and unused, according to a study by DigitalEurope. (Posteo News)

Development money facilitates deportations, expands intelligence gathering that could target journalists, NGO says

#more#

European Union development aid money is being used to create biometric ID cards that could facilitate the deportation of migrants, a report by Privacy International said.

Using documents obtained through FOIA requests, Privacy International (PI) also determined that the EU has used development funds to expand intelligence gathering operations that could target journalists and NGOs.

One program outfitted Niger with phone-tracking software, while another trained law enforcement in Algeria to monitor people on social media.

The aim of all of these programs, PI said, was for the EU to “outsource” to countries located south and east of the EU’s borders the task of stopping migration into Europe. EU officials have said previously that reducing illegal migration could remove a powerful rallying call for anti-immigrant and extremist political parties throughout the EU’s 27 member states.

Pervasive data sharing between EU, aid-recipient nations

One of the most alarming discoveries, the report’s authors said, was the provision of equipment used to establish biometric identity systems. EU officials and European contractors trained African and Middle Eastern officials in their use, and urged law changes so that these systems could be used to assist in deportations from Europe. Moreover, the EU created a framework to share non-citizen data collected within the scope of these programs with EU authorities.

In Cote d’Ivoire, for example, PI found that a 30 million euro biometric identity program’s explicit purpose was to facilitate the identification of people in Europe who are of Ivorian nationality and organize their return more easily.

Similar programs were created in Mali, Senegal, and the Balkans. In each case, the goal was to create data collection standards that are compatible with EU information systems on border and migration management such as the Eurodac database, a pan-European fingerprint database for asylum seekers, PI said.

“The Fund is being used to bankroll the development of mass-scale biometric identity systems […] and is awarding lucrative contracts to well-connected European security companies in the process,” PI said.

The report highlighted Civipol of France as a major recipients of the EU development monies. It received around 60 million euros from the EU Trust Fund for Africa, PI said.

Founded in 2001, Civipol is 40% owned by the French state. Its other main shareholders are French weapons makers Thales, Airbus DS, and Safran.

Europe teaches Africa to wiretap, surveil online

The EU has also helped countries with weak or non-existent democratic systems create surveillance infrastructures.

In Niger, for example, 11.5 million euros from the EU Trust Fund for Africa was earmarked to stem migration flows. To do this, the EU financed the purchase of surveillance drones, surveillance cameras, surveillance software, and wiretapping equipment. Moreover, the EU furnished Niger with an international mobile subscriber identity catcher (IMSI catcher). An IMSI catcher is a sophisticated surveillance device capable of carrying out indiscriminate monitoring of mobile phones in a given area.

In Bosnia and Herzegovina, a wiretapping system sold by Swedish tech giant Ericsson was provided to the State Investigation and Protection Agency (SIPA). SIPA, in turn, has a Memorandum of Understanding with other law enforcement agencies in the country allowing them to use the system, including the Border Police, creating the potential for human rights’ abuses.

“While people in many of these countries face serious security threats as well as under-resourced public services, they are also plagued by unaccountable security agencies that engage in the unlawful surveillance of civilians enabled by inadequate legal frameworks and human rights protections,” PI said. “In the absence of effective privacy and security safeguards and in contexts where security agencies arbitrarily target activists, journalists and others, surveillance techniques and tools pose a serious threat to people’s rights and their work.”

Privacy International and several other NGOs urged the European Commission to enact urgent reforms to stop the facilitation of surveillance and diversion of aid money.

“We’re calling on the European Commission to stop the diversion of aid funds, enact strict due diligence and risk assessment procedures, and to agree to transparency, parliamentary scrutiny and public oversight measures aimed at protecting human rights in non-member countries,” PI said in a statement.

The European Union is the world’s largest donor of development aid with an annual aid budget of 50 billion euros. (Posteo News)