By Daniel Tozer, Partner, and Don Mee, Associate, at law firm Harbottle & Lewis
If 2014 was the year of the fitness tracker, then 2015 seems destined to be the year of the smartwatch.
Whilst there is a range of potential legal consequences for CSPs in becoming involved in wearable tech, from consumer and product liability issues (if the CSP retails such products) to advertising and marketing issues (in relation to the promotion of such products and services), it is the data issues which are potentially of most interest.
Data protection is a key consideration for those seeking to exploit the data-related capabilities of wearable technology.
Wearables can offer unparalleled insights into an individual’s activity; in order to provide these insights, the device (or an app installed on the device) must collect information on the individual.
A CSP that partners with a device manufacturer or software developer in order to acquire information collected by wearables must be mindful of the obligations imposed by data protection legislation.
Further, if wearables use a SIM or are connected to a SIM-enabled device then CSPs may already be in possession of, or automatically acquire, certain categories of very valuable personal information as a result of usage, including location (or at least cell ID), billing history and the user’s key social circle (from call records).
Although data protection legislation in the EU differs from country to country, all national legislation seeks to implement the EU Data Protection Directive 95/46/EC (Directive), so the core principles remain the same across the EU.
The European Commission is currently in the latter stages of finalising a new “General Data Protection Regulation” (GDPR) in an attempt to update and harmonise data protection procedures and enforcement across the EU.
The GDPR will replace the Directive when it enters into force in late 2017 or early 2018 and apply uniformly across the EU.
Consider this example. An app on, or connected to, a wearable reports the heart rate readings and number of footsteps of its wearer to the app developer, who passes this information to its CSP partner in order for the CSP to target its advertising to the app’s users.
If the user registered in order to use the app (giving name, gender, address, etc.) and the heartbeats and footsteps are linked to this account, the account details and also the health information would be personal data in the possession of the CSP, because it can identify the individual from this data.
If the CSP only receives heartbeat and footstep statistics, and has no other information allowing it to identify the individual (such as billing or device data), the data protection regime would not apply to this collection of data.
The current legislation only applies when “personal data” is involved.
Personal data is any data from which it is possible to identify a living individual, whether through that data alone or in combination with other information to which the “data controller” (the entity who decides the purposes for which personal data is processed) has access.
“Processing” is defined so broadly by the legislation that almost any activity you could possibly think of (including just collecting or storing) will constitute processing.
The Directive focuses obligations on data controllers, although the GDPR will also place numerous regulatory obligations on data processors (the entities which process data under instruction from data controllers).
Data controllers must comply with the data protection principles set out in the relevant legislation.
The first (and arguably most important) principle provides that personal data must be processed “fairly and lawfully”.
To comply with this principle, data controllers must provide those whose personal data they process with certain information.
This information must tell the individual who the data controller is, what data is being collected and what this data will be used for.
Unless the processing is “necessary” for one of the limited reasons set out in the legislation, the data controller must gain the individual’s consent to the processing.
The consent given must be freely given, specific, informed and unambiguous and the individual must be given the option to “opt-out” of the processing.
Where “sensitive” personal data is processed (such as health data) the consent must be “explicit” (i.e. the individual must clearly “opt-in” to the processing through some positive action).
Wearables present a tricky challenge in getting this information across; screen space is limited or non-existent.
Unless there are appropriate other ways in which to get this information across (such as in the main terms of service provided by a CSP), efforts must be made to come up with innovative ways to draw users’ attention to data protection policies and secure appropriate consents.
CSPs may be reliant on device manufacturers or app developers to provide this information to users and should seek contractual assurances that the information has been gathered and may be used by the CSP lawfully.
CSPs that provide “public communications services” (e.g. telecoms or internet access) have an additional obligation in relation to data loss; they must notify the relevant national authority if any personal data which they process in connection with their service is lost, destroyed, altered or disclosed to an unauthorised person, whether this occurs accidentally or unlawfully.
The notification must take place within 24 hours of discovery of the breach, even if this is simply an initial notification while more information is gathered to provide a full notification.
Customers must also be notified if the breach is likely to adversely affect them.
It is debatable whether data collected from wearables would be data processed in connection with their service, but this is an additional regulatory burden for public communications services to consider.
The GDPR will widen such breach notification requirements beyond just “public communications services”.
In the UK, serious breaches of data protection legislation can attract fines of up to £500,000 (which will rise significantly under the GDPR and could reach five percent of global turnover), and of course serious brand damage can follow from disgruntled users going public with their complaints.
This is not something to be taken lightly.