Emma Fox provides practical tips on how wearable providers can stay within DP law in Privacy Laws and Business
Not too long ago, the idea of wearing a computer that tracks your every movement and sends data about you to other devices and applications would have been seen as futuristic and inaccessible. Nowadays, smart watches and fitness trackers are abundant and it seems that wearable technology is becoming increasingly commonplace.
Wearable tech is an area of immense potential and can carry significant benefits for users. Fitness trackers can help users to live a healthier lifestyle by tracking their activity, health and weight. But wearables can go much further than this; take, for example, UK company MediWiSe, which has developed a device that can be worn on the ear to continuously monitor blood glucose levels for diabetics. Open Bionics, a Bristol-based company, is creating 3D-printed prosthetic hands which operate via sensors on the skin to pick up muscle movements. There are an increasing number of UK start-ups seeking to take advantage of the ease and benefits brought about by wearable tech.
However, these benefits inevitably involve the collection and use of a huge volume of personal data about users, often including sensitive data. The UK Information Commissioner’s Office (ICO), in conjunction with several other privacy regulators worldwide, has recently highlighted shortcomings in data protection compliance across Internet of Things (IoT) devices, which wearable device providers will need to steer clear of (wearables being, after all, a subset of the IoT). The study, coordinated by the Global Privacy Enforcement Network (GPEN), demonstrates that whilst wearable devices can make life easier and more enjoyable, providers and other stakeholders must be careful not to let their data protection obligations fall by the wayside. In the UK, this means ensuring that the processing of personal data complies with the Data Protection Act 1998 (DP Act) and, from 25 May 2018, the EU General Data Protection Regulation 2016/679 (GDPR).
The DP Act and the GDPR require organisations to be transparent with individuals about how their personal data is being used. This means that comprehensive, accessible privacy notices must be provided at the point of data collection. The GDPR in particular requires data controllers to provide extensive information to users about the protection of their personal data, but in a “concise, transparent, intelligible and easily accessible form”. The GPEN study found that a large proportion of the IoT devices surveyed (overall around 60%) failed to communicate adequate data processing information to their users.
Transparency presents a practical challenge in the context of wearables: user interfaces are generally small or non-existent, and nowadays it may not be reasonable to expect users to read full privacy notices provided in physical or online user manuals. To ensure compliance, wearable providers should:
Many of the benefits of wearable devices involve the collection of sensitive personal data, most commonly health information. It is likely that explicit consent will be needed to process that data, but wearable providers will also need to consider whether consent will be required to process other, non-sensitive, personal data. Wearable providers must rely on a lawful processing condition to justify the collection and use of all personal data and sensitive personal data. Whilst consent is not necessarily required, the Article 29 Working Party’s (WP29) Opinion on the IoT certainly suggests that other relevant conditions, such as contractual necessity and legitimate interests, may be difficult to fulfil given the privacy implications of IoT devices and the nature of the data collected and processed.
If consent is required, that consent will need to be valid. This means that consent must be “freely-given, specific and informed” under the DP Act, with the additional requirement that it is “unambiguous” under the GDPR. For sensitive personal data, consent must be “explicit”. Consent is unlikely to be valid if it is a condition of using the device, and implying consent simply through using the device will not be sufficient. This presents practical challenges for wearable providers, where the inherent objective of a wearable device requires personal data to be collected; in effect, if users want the benefit of the device, they have to agree to some personal data being used. Wearable providers will also need to bear in mind that consent can be withdrawn at any time, and the GDPR puts a positive obligation on data controllers to tell users that they can do this.
Wearable providers should therefore:
Another key principle of the DP Act and the GDPR is that personal data used must not be excessive in relation to the purposes for which it is collected. This means that organisations must only collect and use the minimum amount of personal data necessary to enable them to carry out the purposes for which personal data is intended to be used. Under the GDPR, providers will also be obliged to comply with the “data protection by default” principle.
This means that, by default, only the minimum amount of personal data must be collected and used. Accordingly, wearable providers will need to:
Many of the concerns around the use of wearables stem from uncertainties around the third parties with which personal data may be shared. Wearable technology often involves a complex network of data controllers all sharing personal data with each other and third parties. For example, device providers may share information they collect with social media platforms, users’ insurance providers or doctors, or employers which provide employees with wearable devices to monitor workplace activity. It is important that users have knowledge of, and consent to, this sharing.
As such, wearable providers will need to:
Security is also key in the wearables sphere. The GPEN study revealed concerns around medical reports being sent from wearable devices to GPs via unencrypted email. On a much wider level, the inherent interconnectivity of wearables and the IoT presents heightened risks of systems being hacked and personal data being compromised. As wearable technology develops further, we may see specific security standards being introduced for the industry. But in the meantime, wearable providers will need to be conscious of their obligations to take appropriate technical and organisational security measures to protect data. Examples of steps wearable providers can take to comply include:
Under the GDPR, the right to data portability (i.e. to extract a copy of personal data you have provided in a common, electronic format and to transfer it to another organisation) is a fundamental privacy right. Although the benefit of wearable devices usually comes from the interpreted data, rather than the raw data uploaded or generated, wearable providers will need to bear in mind that users will have a right to access that raw data. The right of data portability doesn’t just cover personal data that a user has physically input him or herself; personal data “provided” by an individual also includes data generated by his or her activity. This is likely to capture a great deal of the personal data collected by wearable devices. The WP29’s recent Opinion on data portability suggests that data controllers will need to offer individuals an option to download their personal data directly themselves, without having to make a specific request to the data controller.
Both the DP Act and the GDPR also prohibit personal data from being kept for longer than is necessary. Steps that wearable providers can take to comply with these obligations include:
The concept of Privacy by Design and by default is recommended as current best practice and is codified in the GDPR. It means that privacy considerations must be taken into account at the outset of a project, and that by default, the minimum amount of personal data necessary must be collected and processed. Data protection impact assessments (DPIAs) form a key part of privacy by design. These are risk assessments that enable organisations to assess and mitigate the privacy risks of a particular project at an early stage. DPIAs will be mandatory under GDPR, and are currently strongly recommended as best practice.
Wearable providers should take the following steps to comply with these obligations:
Following the GPEN study, the data protection authorities involved are considering action against IoT devices they consider to have breached data protection laws. This means we may see further developments in this arena in the not-too-distant future. In the meantime, device providers and other stakeholders in wearable technology networks should make sure they do not allow privacy to become an afterthought and that they are clear with users about how personal data is used, to avoid falling foul of the DP Act and the GDPR.
Originally published in Privacy Laws and Business in March 2017