Wearable technology is set to make a big impact in the UK in 2015, despite the recent withdrawal of Google Glass. This year will see the launch of the Apple Watch as well as a number of wearable devices from other technology giants, including Microsoft, Samsung and HTC.
With this in mind, it is worth looking at the following three important regulatory developments relating to wearable devices and considering their implications for both users and vendors.
The law may apply to your recordings
In July 2014, the UK Information Commissioner’s Office (ICO) published a report that discussed when the Data Protection Act 1998 (DPA) would apply to wearable devices. One section related directly to the doomed Google Glass, and particularly to the oft-discussed concern surrounding wearers filming other people. The report noted that if an individual is using a device purely for their own personal reasons, then this would be unlikely to breach the DPA, because of the exemption for the collection of personal information for domestic purposes (DPA Part I, Section 36). However, for businesses, the use of wearable devices will almost always be covered by the DPA.
Businesses considering using wearable devices to record people may therefore wish to confirm that they are in compliance with the DPA and, particularly, the ICO’s CCTV Code of Practice.
Individuals have a right to see their raw data
In September 2014, the Article 29 Working Party – the EU’s data protection legal advisory body – published an opinion on the threats to privacy posed by wearable technology, in the wider context of the Internet of Things (IoT), and how EU data protection law applies to the technology. One particular point of interest, noted by the body, is that the right for individuals to obtain their unprocessed data in an intelligible form and to receive information on the source of that data (DPA Part II, Section 7) is rarely observed by wearable device manufacturers. At the moment, manufacturers often only provide access to data after it has been interpreted by the devices (rather than the raw data itself).
This lack of clarity is something that manufacturers (and other businesses processing wearable device data) may wish to address by ensuring that they are capable of providing access to unprocessed data (if requested). That capability will be a fundamental part of adhering to the proposed “right to portability” of personal data under the EU’s new General Data Protection Regulation, currently due to be enacted in the next year or so.
Any wearable device data may be personal
In October 2014, a declaration was published by the International Privacy Conference (the annual conference of global privacy regulators) that stated that big data derived from the Internet of Things (including wearable technology) should be regarded and treated as personal data. The rationale for this was that “IoT sensor data is high in quantity, quality and sensitivity. This means the inferences that can be drawn are much bigger and more sensitive, and identifiability becomes more likely than not”. If applied, this conclusion has the potential to significantly widen the definition of personal data beyond how it is currently defined under EU/UK law. It removes the requirement for an individual to be identifiable for data protection law to apply. The burden of proof is shifted; if the data is collected via wearable tech sensors, there is an assumption that the law does apply.
While the declaration is not binding – it simply espouses the views of the privacy regulators (including the ICO) – it certainly gives an insight into policy direction. To this end, businesses may wish to ensure their processing of any wearable tech data, whether the data is anonymised or not, is in line with the DPA sooner rather than later.
Jonathan McDonald is an associate at law firm Travers Smith LLP