Wearable technologies and the Internet of Things are one of the most discussed at the moment with a considerable potential impact on our approach to technologies in the next years. But, with the huge amount of personal data relating to users as well as images/sounds on the people/events around him collected by means of such devices and the possibility to very easily share them on the Internet, the impact on privacy rights of these technologies will require a careful review.
This post is not meant to cover all the privacy-related legal issues relevant for wearable technologies but to shortly outline some of the most relevant.
1. Collection of user’s health-related and even biometric data
Especially in the case of usage of health and fitness Apps, a number of health-related sensitive data concerning their users will be collected and this will require to comply with stringent privacy obligations. Indeed, as already prescribed with reference to smartphone Apps, the company managing the App used through the wearable technology will be subject to the privacy law of the country where the device/user is located even in the case of non-European entities and it will not be sufficient to merely ask for a privacy consent, but it will be necessary to provide a data protection notice listing all the information requested by the relevant privacy law. Therefore the pop-up message that is displayed following the download of most Apps would not be sufficient.
The matter is even more complex in countries like Italy that require a written privacy consent for the processing of sensitive data and allow the data processing only within the limits of a so called “general authorization” issued by the Data Protection Authority. In such cases, it shall be checked whether such regulatory restriction might limit the exploitation of these technologies (that might be considerable also in the medical sector) or a solution might be adopted to ensure privacy compliance without hampering the functioning of the App.
Additionally, under Italian law the usage of such technologies in the medical sector might require to perform a notification to the Data Protection Authority and the same requirement would apply if such technologies are used to either crate a profile of the users which might include a profile of his physical features or to collect biometric data.
In particular, biometric data include any data obtained from physical or behavioural features of a person e.g. fingerprint, facial characteristics, hand geometry, retina and iris, but according to someone also the signature or the voice. The Italian Data Protection Authority issued in relation to biometric data very stringent requirements as to the modalities of collection, the security measures to be implemented for their storage and the maximum term of storage. Also, if the new EU Privacy Regulations are adopted, it will be necessary not only for ISPs, but also for any data controller to notify data breach (i.e. losses or corruption of collected data) to the data protection authority within 24 hours.
2. Misuse of confidential information and monitoring of employees
The usage of wearable technologies can allow to record confidential information and easily disclose it to third parties. Indeed, an employee might just take a video or a picture of a document and in a few seconds send it via email to a third party or even share it on social media. At the same time by means of wearable technologies, employees might by-pass company’s restrictions on the usage of the Internet, emails or social media.
At the same time the usage of such technologies to monitor employees is prohibited but subject to exceptions identified by the Italian Data Protection Authority.
3. Collection of sounds/images of third parties
The usage of wearable technologies can make much easier the collection of sounds/images relating to events both involving its user and the people around him which can then very easily be shared on social media and in general on the Internet.
Some of the technologies on the market at the moment are equipped with some signals (e.g. a light) in order to inform people around the user that the device is actually recording. This might be considered a tool aimed at replacing the CCTV privacy billboard that we find in a number of shops as required by the competent data protection regulators, but such notice itself would not make the usage of third parties images, sounds and in general personal data legal without implementing the other requirements necessary under applicable data protection law.
Privacy and intellectual property related legal issues are both relevant on such matter and it will be interesting to see whether the competent data protection authorities will issue any guidelines or obligations as to the usage of these technologies. Indeed, unless a different position is taken by the competent authorities, the recording of images/sounds will require not only the provision of a data protection notice, but also the collection of the privacy related consent and of a copyright waiver.
Following this post, I ran a webinar on the topic whose slides are available here. The above is a very short outline of the privacy-related issues connected to the usage of wearable technologies, the development of such technologies will better tailor the attention to the most relevant issues. The scenario above might be considerably impacted by the consultation on the Internet of Things launched by the privacy regulator addressed in this blog post.