Sunday, November 7, 2021

THE ELECTRONIC DEVICES . . . SPYING ON OUR LIVES. DELEGATED ACT ADOPTED BY EUROPEAN COMMISSION

 Filenews 7 November 2021 - Theano Thiopoulou



Mobile phones, 'smart' watches, fitness monitors, childcare toys and equipment, cordless toys, all of which are part of the daily lives of Europeans, citizens of EU Member States, will now be controlled by new stricter rules, because cyber threats, which can be channelled by such wireless systems, pose an increasing risk to every consumer.

The delegated act, adopted by the European Commission last week, aims to ensure that all wireless devices are secure before they start being sold on the EU market. The Commission's act sets out new legal requirements for cybersecurity safeguards, which manufacturers will have to take into account when designing and producing the relevant products.

The protection of children's rights will be an essential element of this legislation. For example, manufacturers will have to implement new measures to prevent unauthorised access to or transfer of personal data.

Location violation

Unwanted notification of a user's location (via mobile devices and transport equipment) or radio equipment in a specific location (home, second home, workplace) may reveal the presence of a known or unknown person. Unauthorized access to information that could identify a lack of presence in a home or location is also a cause for concern (e.g. this information could be useful to those seeking to commit burglaries). For example, two-way communication information, pull-push, from a smart meter of electricity or water may reveal the absence of a homeowner for an extended period.

Fitness monitor

Smart devices, smart cameras and a host of other connected radio equipment, such as mobile phones, laptops, dongles, alarm systems and home automation systems, are also examples of equipment that is at risk of a security breach and exposed to privacy-related risks when connected to the internet. In addition, wearable radio equipment (e.g. rings, bracelets, pocket clips, headphones, fitness monitoring devices, etc.) can monitor and register a lot of sensitive user data over time (e.g. position, temperature, blood pressure, heart rate) and re-transmit them, not only via the internet, but also through unsafe short-range communication technologies.

Financial fraud

The package of measures promoted by the Commission also aims to reduce the risk of financial fraud. Wireless devices should include features to minimise the risk of fraud when making electronic payments. For example, they should ensure better authentication of the user's identity in order to avoid fraudulent payments.

When carrying out the conformity assessment procedures before placing their products on the EU market, manufacturers will have a choice between two possibilities: To carry out a self-assessment of whether their product has been designed according to harmonised standards, or to rely on a third-party assessment carried out by an independent inspection body, regardless of whether or not a harmonised standard has been used.

It is important to mention that the European Commission's delegated act applies not only to European industry, but also to any manufacturer who intends to place a product on the EU market.

For which equipment will the legislation apply

Devices capable of communicating over the Internet: Examples of such equipment include electronic devices, such as smartphones, tablets, electronic cameras. telecommunications equipment, as well as equipment that constitutes the "Internet of Things". Due to inadequate security, such devices pose a risk of improper access to and sharing of third-party personal data, including for the purposes of fraud, or damage to the network.

Children's care toys and equipment: Baby toys and devices can be vulnerable to cybersecurity threats that monitor or collect information about children. Therefore, the protection of the rights of the child is an essential element of this legislation.

Wearables: Devices such as smart watches and fitness trackers are increasingly present in our lives and collect biometric data.

The EU delegated act will enter into force after a two-month scrutiny period, if the Council and the Parliament do not object. After entry into force, manufacturers will have a transitional period of 30 months to start complying with the new legal requirements. This will give the industry sufficient time to adapt the relevant products before the new requirements come into effect, around mid-2024.

Where the new measures will help

Improving network resilience: Wireless devices and wireless products should incorporate certain features to avoid damage to communications networks and prevent devices from being used to disrupt the functionality of websites or other services.

Better protection of consumer privacy: Wireless devices and wireless products should have features that guarantee the protection of personal data. The protection of children's rights will be an essential element of this legislation. For example, manufacturers will have to implement new measures to prevent unauthorised access to or transfer of personal data.

Reduce the risk of financial fraud: Wireless devices and wireless products should include features to minimize the risk of fraud when making online payments. For example, they should ensure better authentication of the user's identity in order to avoid fraudulent payments.

What will be the role of the Member States?

The delegated act, which will take the form of a regulation, will apply immediately (when the process of its adoption is completed) in all Member States, without the need for transposition into national law.

Member States are responsible for market surveillance. In accordance with the Radio Equipment Directive, each Member State has created a national market surveillance authority, which ensures that only safe and compliant products are placed on the market. These national market surveillance authorities should also ensure that all these products comply with the new requirements. Market Surveillance Authorities may, for example, require information from economic operators, take restrictive measures such as sales bans or recalls or impose sanctions. Market surveillance authorities across the EU exchange information and cooperate in a dedicated network coordinated by the Commission.

What about old devices and what products are excluded

The Commission's delegated act will apply to all devices placed on the market once it enters into force. Old appliances, which have already been placed on the EU market, can continue to be used without the need for specific adjustments until the end of their life cycle.

Wireless devices have become a key element of citizens' lives. They have access to our personal information and use the communication networks. The COVID pandemic has dramatically increased the use of radio equipment for professional or personal purposes. In recent years, studies by the Commission and various national authorities have identified an increasing number of wireless devices posing cybersecurity risks. These studies have, for example, highlighted the risk of games spying on children's actions or conversations; of unencrypted personal data stored on our devices, including those related to payments, which are easily accessed even by equipment that may misuse network resources, and, therefore, reduce their ability.

The legislative act lists categories of products excluded from the application of some or all of the essential requirements. Motor vehicles, electronic tolling systems, equipment for remote control of drones as well as non-airborne special radio equipment that can be installed on board aircraft are exempted from the requirements on the protection of personal data and protection against fraud. In addition, none of the requirements shall apply to in vitro medical devices and medical devices. The cybersecurity of these product categories is ensured by existing specific EU legislation.