Wearable technology and data protection in the European Union

Wearable technology seems to be the latest phrase on everyone’s lips.

From the Samsung watch that enables emails to be read and phone calls to be made on your wrist, to Nike’s FuelBand that tracks and analyses your fitness as you move, technology is becoming not just part of our daily lives but part of our physical selves. So, what of the privacy implications?

Companies that offer devices that collect, process and transfer personal data, such as health or financial data, must comply with data protection law.

In the European Union, the relevant laws have been implemented in each member state. Non-European companies with establishments or data-processing equipment in the EU that collect or process data from EU consumers also need to comply with these laws. The rules for complying with data protection law will become even stricter if the General Data Protection Regulation is adopted.

Data protection concerns affect all companies that process personal data collected via wearable technology, including companies selling the devices, any platforms where data is stored and third party app developers whose software is downloaded on top of existing services.

The potential benefits of this new technology are immense but there are important data protection and privacy concerns that need to be addressed in order for consumers to have confidence in the devices.

Wearable tech is already capable of tracking the location of its users and revealing calories burned, but it is predicted that soon the devices will be analysing employee productivity and monitoring patients’ vital health information, such as blood-glucose levels.

There is scope for the information that is collected to be shared via third party cloud services, with hospitals, employers, advertising agencies and even insurance companies. Therefore, one device may soon enable the transfer of highly sensitive data to the databases of several unrelated companies around the world, contributing to already unprecedented levels of data flows and raising the privacy stakes even higher.

The Article 29 Working Party is made up of the data protection authorities of all the EU member states. It provides guidance to entities who control or process personal data and has recently recommended privacy guidelines for wearable tech.

The guidance states that consumers should know, and be able to control, what data is being collected and used, by which companies and for what purposes, so that they can provide their fully informed, specific consent to certain uses and withdraw consent where they disagree.

The working party also considers issues of cyber security: preventing the loss or theft of sensitive data, especially during transfer across borders. To avoid such pitfalls, the establishment of robust technological security measures, such as encryption of personal data and deletion of non-essential raw data, is recommended.

The burden of protecting consumers in this new age of wearable tech will largely fall on the companies that control the information collected via the devices, but consumers will also have an important role to play in being sensible about how they share their information.

Implementing and utilising effective, privacy-friendly mechanisms should imbue consumers with trust in tech companies and enable all the advantages of wearable tech, such as increasing productivity, monitoring health information and communicating with loved ones, to be enjoyed.

Fredericka Argent is a technology and media associate at Covington & Burling