What did the Swiss Federal Court's water-meter ruling establish for IoT data collection?
Even with encryption, data collection must be proportionate: there was no legal basis for transmitting readings by radio every 30 seconds and storing 252 days of hourly values — data security alone cannot justify processing more personal data than necessary.
A Swiss Federal Court (Bundesgericht) ruling addressed electronic water meters that transmit data by radio, finding serious data-protection violations.
Core holdings:
- No legal basis: the court found no legal basis for sending data by radio every 30 seconds and storing hourly values on the device for 252 days.
- Proportionality violation: "Data security alone cannot outweigh the fact that more personal data is being processed than necessary."
Significance for IoT devices:
- Even when data is transmitted encrypted, data collection must be proportionate.
- A clear legal basis must exist for collecting and storing data.
- Data minimisation is a central principle — only necessary data may be collected.
- Long retention periods must be justified and proportionate.
- Technical protection (encryption) does not replace legal requirements.
Tip: The headline principle — "encryption doesn't excuse over-collection" — applies to every always-on IoT device: securing data you shouldn't have collected in the first place doesn't make collecting it lawful.