Dummy cameras are only permitted if they don't appear deceptively real and don't monitor unfamiliar areas. Doorbells with camera functionality are permitted if they only transmit images after the doorbell is pressed and if they are not permanently stored.

Recordings may not be stored for longer than 72 hours, and the storage technology used must comply with data protection requirements. Following these rules can help avoid legal problems and fines.

Read more about this in this Article.

Der Beitrag Überwachungskameras am Haus: Was ist erlaubt? erschien zuerst auf R&U.

Goal of the electronic patient record

The introduction of the ePA is being celebrated as a milestone in the digitalization of the German healthcare system. According to a report by "heise.de," Federal Health Minister Karl Lauterbach stated at Bitkom's Digital Health Conference: "After 20 years of sluggish development, we have successfully caught up. On January 15, the electronic patient record will be launched for 70 million insured persons. It is the centerpiece of digitalization in the healthcare system and will significantly improve patient care."

Lauterbach acknowledged that the ePA in its original form had significant weaknesses, but the delay made it possible to integrate state-of-the-art technological solutions that make the system more efficient.

A comprehensive treasure trove of data is created

In the future, all health data will be automatically stored in the ePA: from lab results and x-rays to medication information and hospital stays. "This data set is gigantic – there are one billion doctor-patient contacts in Germany every year," Lauterbach emphasized. The collected data will be combined at the Research Data Center for Health (FDZ) with additional information from over 400 medical registries and genome databases. Billing data from health insurance companies will also be part of the system, with all information linked via a pseudonymized health insurance number.

Use of artificial intelligence

A central element of the ePA is the use of artificial intelligence (AI). "This data set is made analyzable with the help of AI systems," Lauterbach explained. The structure of the ePA is already designed to be "AI-ready."

A central element of the ePA is the use of artificial intelligence (AI). "This data set is made analyzable with the help of AI systems," Lauterbach explained. The structure of the ePA is already designed to be "AI-ready."

Interest of international technology companies

Lauterbach indirectly confirmed this fear. "All major AI companies are interested in this treasure trove of data," the minister said. Meta, OpenAI, and Google, among others, are in discussion. The companies are interested in training their language models with German health data. Furthermore, the healthcare sector is a significant growth industry. "While many economic sectors are stagnating, we are experiencing dynamic growth here," Lauterbach said. With other data sources, pseudonymized health data could be attributed to a specific individual.

Opportunities and risks of the ePA

The advantages of the EHR are obvious: Important medical documents such as x-rays, reports, and doctor's letters are centrally accessible and can be accessed at any time. This can improve the quality of treatment and avoid duplicate examinations.

However, IT security experts have discovered serious security vulnerabilities in the ePA. This is particularly alarming given that it involves highly sensitive health data—perhaps the most vulnerable information a citizen has.

Poor data processing in healthcare?

Doubts about the professional processing of health data have existed since the coronavirus pandemic. The Paul Ehrlich Institute (PEI) was criticized for failing to provide reliable interfaces with health insurance companies and for publishing only incomplete data on side effects. While other countries such as the Netherlands, Denmark, and the USA created detailed side effect databases, the PEI merely provided an inaccurate Excel spreadsheet.

Data protection measures and their weaknesses

Lauterbach assured that Israeli experts had reviewed the data security of the ePA and that a balance had been struck between data protection and usability. A key point was the use of "confidential computing," in which data is processed within a protected environment without being encrypted. However, this statement raises questions: Wouldn't a truly confidential data set be precisely an encrypted data set?

Researchers can access health data upon request – the research purpose, not the identity of the requester, is crucial. The data should not leave the secure research environment. But how secure is this "trusted environment" really?

Lauterbach's vision: A world-leading health data set

The minister sees the ePA as the most important digital project in Germany and a breakthrough innovation. His goal: to build the largest and most comprehensive health dataset worldwide.

However, based on previous experiences with security deficiencies in the ePA and the ineffective data management of the PEI, there are legitimate concerns: Is the health data of 70 million insured persons really adequately protected?

Political discussion: Merz wants to create financial incentives

Lauterbach isn't the only one pursuing ambitious plans for the ePA. CDU leader Friedrich Merz has floated the idea of financially rewarding insured individuals for entrusting their data to the ePA. This could make the healthcare system more efficient.

According to a report in the "Berliner Zeitung," IT specialists are warning of significant security risks. Organized crime could steal patient data on a large scale. Intelligence agencies are also interested in this sensitive information. The Chaos Computer Club recently demonstrated at a conference how easily security vulnerabilities can be exploited.

"Experts have repeatedly pointed out security risks," said IT specialist Manuel Atug. "Yet only minimal improvements have been made. The responsible ministry is resistant to advice."

The ePA will be implemented via an opt-out procedure – those who do not opt out will automatically receive a digital patient record. Privately insured individuals, however, must actively apply for the ePA.

This is problematic from a data protection perspective. The GDPR requires explicit consent for health data. However, this uses an objection mechanism that is hostile to data protection, which many insured persons are likely unaware of.

Experts see four main scenarios in which the ePA could be misused:

Decryption of pseudonymized data: With the appropriate key, data could be re-identified.

Incorrect anonymization: Names or other identifying features may be inadvertently retained in medical reports or X-ray images.

Data reconstruction: By combining extensive information, individuals could be identified.

Tracking via service providers: A particular doctor's visit could allow conclusions to be drawn about a person's identity.

If health data falls into the wrong hands, there is a risk of serious consequences, ranging from unwanted advertising for medications to job loss, rejection of loans or insurance, blackmail by third parties or social exclusion.

Those affected can object to the electronic personal data (ePA) or have stored data deleted. There are also legal options to prevent the transfer of data to foreign companies.

Der Beitrag FOCUS online – Elektronische Patientenakte birgt Datenschutz-Risiken erschien zuerst auf R&U.

The disclosure of location data and personal details such as email addresses and phone numbers highlights a worrying weakness in security measures. It is both legally and ethically imperative to protect such information, especially when it provides deep insights into individuals' private lives.

Support with data protection issues

We offer affected vehicle owners comprehensive support in enforcing their data protection rights. Our services include:

• Support in the deletion of personal data: We help with the claim to the “right to be forgotten” under Article 17 GDPR.
• Requests for information in accordance with Article 15 GDPR: We determine which personal data has been stored and how it has been used.
• Review of legal options: This includes examining the possibilities for a class action declaratory judgment or individual claims for damages.
• Assertion of claims for damages: In case of financial or immaterial damages caused by unprotected data publication.

Data breach at VW: Legal steps and increased security requirements

The data leak could give rise to claims against subsidiaries such as VW Financial Services and VW Bank. Volkswagen Bank GmbH is a wholly owned subsidiary of Volkswagen Financial Services AG.

The disclosure of customer data provides criminals with the opportunity to launch phishing emails or other fraudulent activities. Customers who suffer financial losses as a result may have the right to claim compensation.

The potential dangers of phishing attacks or identity theft associated with VW Financial Services and VW Bank data are serious. It is imperative that companies treat the security of customer data as a top priority.

Demand for stricter data protection standards It also calls on companies to improve data protection and IT security standards. The push toward electric vehicles and advanced connected technologies should not compromise user privacy. Manufacturers must ensure that personal data is not only collected legally but also comprehensively protected.

Need for action at the political level This incident highlights the need for strict enforcement of regulatory requirements such as the upcoming EU Data Act. Manufacturers should be expected to provide consumers with clear and secure data management. Data protection should be an integral part of modern mobility.

Free initial assessment

Those affected can contact specialist lawyers for a non-binding initial assessment of their legal options. The goal is to take the necessary steps under data protection and civil law together with the affected parties.

Der Beitrag Mögliche Datenschutzverstöße bei VW: Betroffene könnten Anspruch auf Schadenersatz haben erschien zuerst auf R&U.