Wearables are facing massive growth, but they have to deal with major privacy issues that could hinder or at least delay the process.
Updated on 27 August 2016
The data of the wearable devices market
According to research from Gartner, 274.6 million wearable electronic devices will be sold worldwide in 2016, an increase of 18.4 percent from 232.0 million units in 2015. Sales of wearable electronic devices will generate revenue of $28.7 billion in 2016. Of that, $11.5 billion will be from smartwatches.
Commentators also estimate that the wearables market will become at least as big as the smartphone market. This is because sensors and chipsets are now cheaper than ever, making it easier for small companies to incorporate sophisticated hardware into wearable devices.
Wearables and eHealth: did you consider these additional privacy issues?
Wearable technologies will collect a very large amount of personal data that, in the case of eHealth devices, will then be stored in cloud platforms, monitored by medical practitioners who will also run studies and clinical trials on it, used to trigger notifications in case of unusual data, etc.
I have already briefly touched on the privacy issues relating to the usage of wearables and discussed the privacy issues of eHealth technologies, but a more detailed analysis is required for the usage of these technologies in the healthcare sector, also in the light of the recent investigations on eHealth and wellness apps and the privacy rules recently issued on electronic health records. These are some of the main legal issues:
1. Did you get written consent to the usage of data?
Since health related data collected by means of wearable technologies is considered sensitive personal data, in some countries like Italy not only will written consent from patients be required, but it shall also be assessed whether such practice needs to be notified to the competent Data Protection Authority and/or falls under its general authorisation.
With the EU Privacy Regulation, patients will be required to grant their “explicit” consent to the processing of their health related data. Indeed, the regulation requires a much higher threshold of transparency in the privacy information notice to be given to individuals and in the consent to be obtained: the modalities and purposes of the processing of personal data by data controllers shall be fully disclosed to individuals, which prevents reliance on the kinds of “blanket” consents that were often requested in the past.
Finally, the large-scale collection of special categories of data, which include health related data, biometric data and genetic data, will require the performance of a privacy impact assessment that I covered in this blog post.
2. How do you store data?
The technical measures to be put in place to protect health related data from data breaches have to be “appropriate to the risk” under the EU Privacy Regulation. This is one of the “weak” points of the regulation, since it leaves companies in a kind of limbo as to what has to be done: measures that were appropriate on day 1 might no longer be so just because a smart hacker identified a bug in the software.
I have already discussed the need to have approved standards of cybersecurity in order to ensure a better exploitation of Internet of Things technologies including wearables. But for the time being the adoption of a privacy by design approach and the running of a privacy impact assessment are the sole available tools, also considering the extremely high potential sanctions.
The matter is already quite complex when it comes to biometric data collected through wearables, on which the Italian data protection authority issued specific rules.
3. Are your data anonymous?
Anonymization is the solution most often recommended to sort out privacy issues. However, as covered in this blog post, the threshold currently required by the authorities to consider data “anonymous” is extremely high and would make data almost useless. Hopefully additional flexibility will be adopted by data protection authorities in the future.
4. How do you transfer data outside of the European Economic Area?
The transfer of collected patients’ data to different jurisdictions (e.g. in the case of usage of cloud databases) might face relevant restrictions that can currently be overcome through the implementation of instruments provided by European privacy regulations, such as the so-called standard contractual clauses and the binding corporate rules. However, the topic has now become much hotter for transfers to the United States following the approval of the so-called Privacy Shield.
I do not believe that the development of these technologies will eventually be hindered by privacy and medical devices regulations, but there is no doubt that regulators are concerned about the functionalities of these devices and in particular the massive amount of data that such devices can collect from individuals and, also in the light of the recent US scandals, companies located in any jurisdiction worldwide shall comply with strict standards in order to process personal data of European patients.