We will cover herein the topic wearable technologies that will have a considerable potential impact on our approach to technologies in the next years. With the huge amount of personal data relating to users as well as images/sounds on the people/events around him collected by means of such devices and the possibility to very easily share them on the Internet, the impact on privacy rights of these technologies will require a careful review.
This post is not meant to cover all the privacy-related legal issues relevant for wearable technologies but to shortly outline some of the most relevant.
1. Collection of user’s health-related and even biometric data
Especially in the case of usage of health and fitness Apps, a number of health-related sensitive data concerning their users will be collected and this will require to comply with stringent privacy obligations. Indeed, as already prescribed with reference to smartphone Apps, the company managing the App used through the wearable technology will be subject to the privacy law of the country where the device/user is located even in the case of non-European entities and it will not be sufficient to merely ask for a privacy consent, but it will be necessary to provide a data protection notice listing all the information requested by the relevant privacy law. Therefore the pop-up message that is displayed following the download of most Apps would not be sufficient.
The matter is even more complex in countries like Italy that require a written privacy consent for the processing of sensitive data and allow the data processing only within the limits of a so called “general authorization” issued by the Data Protection Authority. In such cases, it shall be checked whether such regulatory restriction might limit the exploitation of these technologies (that might be considerable also in the medical sector) or a solution might be adopted to ensure privacy compliance without hampering the functioning of the App.
Additionally, under Italian law the usage of such technologies in the medical sector might require to perform a notification to the Data Protection Authority and the same requirement would apply if such technologies are used to either crate a profile of the users which might include a profile of his physical features or to collect biometric data.
In particular, biometric data include any data obtained from physical or behavioural features of a person e.g. fingerprint, facial characteristics, hand geometry, retina and iris, but according to someone also the signature or the voice. The Italian Data Protection Authority issued in relation to biometric data very stringent requirements as to the modalities of collection, the security measures to be implemented for their storage and the maximum term of storage. Also, if the new EU Privacy Regulations are adopted, it will be necessary not only for ISPs, but also for any data controller to notify data breach (i.e. losses or corruption of collected data) to the data protection authority within 24 hours.
The above obligations are even more relevant if it is considered that Italian law recently extended to privacy-related crimes, the criminal corporate liability for companies. In this respect it is worth it to mention that data identifiable even indirectly (e.g. through a code) or by means of third parties (i.e. the recipient does not have the names connected to the codes) are deemed personal data rather than anonymous data and therefore are subject to privacy related obligations.
2. Misuse of confidential information and monitoring of employees
The usage of wearable technologies can allow to record confidential information and easily disclose it to third parties. Indeed, an employee might just take a video or a picture of a document and in a few seconds send it via email to a third party or even share it on social media. At the same time by means of wearable technologies, employees might by-pass company’s restrictions on the usage of the Internet, emails or social media.
This risk might require employers to review their privacy policy on the usage of email, Internet and social media by their employees. These policies are strongly recommended by the Italian Data Protection Authority which though provides stringent restrictions on their scope. Indeed they represent a fundamental tool when employers need to get access to the data embedded in wearable technologies if they believe that the employee has performed some illegal activities through them (e.g. the disclosure of confidential information). The absence of such policy might prevent employers from getting access to these data even if they suspect that the device has been used to perform illegal conducts.
At the same time the usage of such technologies to monitor employees is prohibited but subject to exceptions identified by the Italian Data Protection Authority.
3. Collection of sounds/images of third parties
The usage of wearable technologies can make much easier the collection of sounds/images relating to events both involving its user and the people around him which can then very easily be shared on social media and in general on the Internet.
Some of the technologies on the market at the moment are equipped with some signals (e.g. a light) in order to inform people around the user that the device is actually recording. This might be considered a tool aimed at replacing the CCTV privacy billboard that we find in a number of shops as required by the competent data protection regulators, but such notice itself would not make the usage of third parties images, sounds and in general personal data legal without implementing the other requirements necessary under applicable data protection law.
Privacy and intellectual property related legal issues are both relevant on such matter and it will be interesting to see whether the competent data protection authorities will issue any guidelines or obligations as to the usage of these technologies. Indeed, unless a different position is taken by the competent authorities, the recording of images/sounds will require not only the provision of a data protection notice, but also the collection of the privacy related consent and of a copyright waiver.
@GiulioCoraggio