In this article, co-authored by Jane Elphick, an associate at Cooley LLP, Sarah Pearce, a partner, looks into the issue of privacy around wearable tech.
Wearable technology is often described as a regulatory minefield as it is increasingly faced with legal challenges, some of the most challenging of which revolve around data privacy.
Collecting data from wearable technology allows companies to continue to develop their products in a direction that complements the way their consumers are utilising them. This benefits the company and enhances their products for consumers.
However, while the vast data collected from wearable devices has the potential to do great things (such as tackle obesity or monitor a baby’s heartbeat from the womb) there is also great controversy that surrounds the collection and usage of such data.
It often falls to ensuring that the data collected does not violate any laws, nor impact brands in a meaningful way. Like most things, it comes down to balance. In this article, we take a look at some of the key data privacy issues facing the wearables market today:
• GDPR – or rather, The General Data Protection Regulation, is a new EU-wide regulation that will, from May 2018, revamp Europe’s current data protection legislation (which pre-dates the internet by the way…).
The GDPR aims to bring data protection legislation up to speed with growing technology, clarifying data subjects’ rights and increasing the obligation on data controllers and data processors for handling EU residents’ personal data.
• Big data – There are also new, strict obligations on big data, particularly on profiling which can be a large slice of the wearables business.
• Global domination – GDPR will reach beyond the EU; any organisation that offers goods or services to EU residents or monitors the behavior of data subjects in the EU will be caught by the regulation. This increased global scope is intended to protect EU personal data wherever it ends up.
Further, organisations wanting to transfer EU personal data outside the EEA will have to make sure they legitimize such a transfer with one of the European Commission approved mechanisms such as the EU-US Privacy Shield (in the case of transfers to the US), Model Clauses, Binding Corporate Rules or a derogation (which is essentially an exception to the rule).
• Privacy and Security by design – Regulation meets innovation – the new law will mean that manufactures will be obliged to put privacy first (at inception of a product) and ensure that the default setting is always the maximum level of privacy.
• Consent– Everyone wearing a wearable needs to give his/her clear, affirmative consent to the use and sharing of their personal data and the new rules will make sure organisations tell users as much as possible about what will happen to their data.
• Breach – A concern for both, companies and users alike, is the risk of data breach: not only will stricter security requirement help to limit the risk of data breaches, but should data breaches occur, data controllers will have new obligations on how to handle them.
• Brexit – although not uniquely a data privacy issue, it’s hard to ignore the elephant in the room. The UK has contributed real leadership in the emerging Internet of Things market. Some think that a widespread loss of EU nationals could stunt the growth of the sector, BUT London is very much open for business and the Mayor of London’s campaign has a strong focus on keeping London’s doors open – a strong hub of growth for the wearables market.
On data, one thing for organisations to check ahead of Brexit itself is whether there are any contracts in place requiring data to be kept in the EU. If so, post-Brexit you may find yourself in breach if that data is in the UK.
Striking the right balance
- First things first: develop a privacy policy and ensure that the transfer and storage of any personal data is compliant with EU law: a clearly visible and easily accessible privacy policy will help reassure consumers that their personal data is protected and “safe”. This is particularly significant in the world of wearables where the potential sensitivity and extent of data at (albeit possible) risk means that a data breach would be like no other.
- Mind the gap: figuring out whether you are complying with the current law is a good first step. You can then work on filling any gaps for both current and future legal and technical compliance, both in terms of data privacy and data security.
Knowledge is power – up the ante on training, consider tailoring training by business line and / or geography.
Quantity over quality – don’t process and store data you don’t need, act reasonably and responsibly.
It’s no secret that the technology sector is evolving at great speed, particularly the growing wearables sector: not only does the law often have blind spots when it comes to protecting consumers, but it is difficult to think about and prioritise compliance when innovation is moving so quickly.
New EU data protection law hopes to bridge this gap, through its stricter requirements on profiling and forcing the hand of manufactures to consider privacy at the start of a new product’s life.
Organisations should take advantage of the changes and act now by conducting gap analyses and getting results/solutions in front of key management now – before it’s too late and the law catches up with you.