Wearable Data: The GDPR and its Gaps

-- By AmyTang - 23 Oct 2021

Introduction

The arrival of technologies that allowed us to track the most basic but vital information, such as our health and fitness data, and to access real-time monitoring and health care resources, was revolutionary for many. This technology, often presenting itself in the form of a wearable, gave us tools to quickly measure and qualify our physiological state and wellness without having to consult physicians or third parties. It is capable of measuring a myriad of parameters (see examples of different applications of wearable technology here). However, despite the benefits this revolutionary technology may bring, we cannot ignore the serious threats it poses to the privacy of our most intimate information. By purchasing the wearables, consumers are willingly signing away their privacy rights. For example, wearables store their collected data on a commercial and sometimes unsecured platform that is prone to breaches. The thought of finding stolen sensitive information about our health, lifestyle and habits in the hands of ill-intended individuals or on the black market is disconcerting, to say the least.

This paper discusses the application of one of the world’s strictest and most far-reaching privacy laws, the GDPR, and explains why it is ill-adapted to protect sensitive health data, akin to medical data, collected by the wearables. This paper suggests that there are ways to benefit from this new technology without stripping away our freedom and calls for systematic reform of the way we build analytical models of these wearables to avoid mass breaches of the company databases.

The GDPR

There is a lack of transparency with regard to how wearable technology companies gather and collect our personal information and what they do with the accumulated data, making it difficult to determine exactly what rights we are giving up. Researchers have warned against serious privacy problems in the field of mobile health applications, finding that numerous app data were being collected and shared in an unauthorised manner. However, this does not mean that wearable companies have carte blanche to do whatever they please with our data. The European Union’s General Data Protection Regulation (GDPR) controls how personal information is collected, stored and used by organizations. I outline below different protections offered by the GDPR that may be enforceable against wearable technology companies:

- Request for informed consent before gathering data (article 7);
- Notification of personal data breach (articles 33 and 34);
- Erasing data when the data subject withdraws consent (article 17);
- Taking measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (article 32);
- Limiting data usage to what is necessary and not processing such data in a manner that is incompatible with the purposes of the GDPR. Processes and products should be structured and developed in a way that collects only data that is required to perform a specific purpose; and
- Implementing appropriate technical and organisational measures by involving different levels of stakeholders, such as operating systems and device manufacturers, app stores, app developers and social media platforms that are all a part of the infrastructure (article 25).

More importantly, the GDPR strictly prohibits the processing of genetic data, biometric data and health data to uniquely identify a natural person (article 9) unless consent was provided or other conditions of article 9 were met. Biometric data is defined as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person” (article 4), which covers specifically data collected by wearable technology companies.

The Gaps

Although consumers have slightly more control over their data under the GDPR, certain loopholes allow wearable technology companies to continue getting away with privacy violations. The GDPR does not solve the issue of ownership of the collected data. When the data is anonymized to the extent that it can no longer uniquely identify a natural person, it is unclear under the GDPR what transactions wearable technology companies can make with such collected data because it comprises a mix of biometric, health and general personal data. For example, would Fitbit still be permitted to sell de-identified data that cannot reasonably be used to identify an individual? Further, users have no choice but to consent to the processing of their sensitive personal data when purchasing and using the wearable, which allows for the gathering of data under the GDPR. The notion of consent in this situation is a mere fallacy.

Even when data is anonymized, with enough aggregate information and geolocation data, it is possible to determine the identity of a person. For example, it was found that six days of “step count” data may be enough to identify an individual among 100 million others and may reveal other sensitive information such as a user’s address and routine. Additionally, even if these companies provide users with a privacy policy, the drafting and crafting of these documents are sometimes purposely elusive, vague and misleading and may be unilaterally changed at any time. Regardless, there are currently no easily available legal recourses or watchdogs to ensure that the policies are enforced.

The consequences of leaking and divulging data are often unpredictable. For example, Strava accidentally pinpointed the location and outline of secret US military bases, as military personnel were using fitness trackers. Aggregating and divulging such sensitive information becomes a gold mine for marketers, and even for the black market. Criminals will also have the possibility of accessing a person’s routine with a few clicks on the dark web.

Solutions to Explore and Conclusion

In order to avoid these risks, systematic reform of technology, its infrastructure, framework and software is necessary. The way we process and store data collected by wearables should be revisited and reworked. For example, analytic models can be run on user-controlled computers instead of the platform’s cloud. This would effectively shield all individual data from disclosure.

The benefits of wearables are plenty and could be entirely advantageous to society. For example, they can help save lives by measuring heart rate and blood pressure to indicate when medication or medical intervention is necessary. They allow for better decision-making with regard to one’s health, lifestyle habits and athletic performance by providing data and insight.

