Legal: The laws and regulations of wearable devices

After being touted as “the next big thing” for some time, wearable technology has captured the attention of the consumer. The big question is – what should developers and marketers consider from a legal and regulatory perspective if they’re developing or using wearables?

While the ability to summon a taxi or order a pizza at the flick of the wrist may be a selling point for some, wearable tech is arguably at its most useful as a data gathering mechanism. Data protection is a key consideration for those developing for or manufacturing wearable technology as the devices can offer unparalleled insights into an individual’s activity. In order to provide these insights, the device (or an app installed on the device) must collect information on the individual. Those who control this information must be mindful of obligations imposed by data protection legislation.

The relevant legislation “kicks in” when personal data is involved. Personal data is anything through which it is possible to identify a living individual, whether through that data alone, or in combination with other information in possession of the “data controller” (the entity who decides the purposes for which personal data is processed).

“Processing” is defined so broadly by the legislation that almost any activity you could possibly think of (including just collecting or storing) will constitute processing. The current legislation only imposes obligations on data controllers; other entities who just process personal data in accordance with another’s instructions are “data processors” and won’t currently be subject to any obligations, although impending EU legislation is likely to change this.

Consider this example – A fitness tracker reports the heart rate readings and number of footsteps of its wearer to the device manufacturer, who stores this information in order to target its advertising to its customers. If the user registered in order to use the device (giving name, gender, address etc.) and the heartbeats and footsteps are linked to this account, the account details and also the health information would be personal data because the manufacturer can identify the individual from this data. If the manufacturer just receives heartbeat and footstep statistics, and has no other information allowing it to identify the individual, the data protection regime would not be applicable to this collection of data.

Data controllers must comply with eight data protection principles set out in the relevant legislation. The first principle requires that personal data must be processed “fairly and lawfully”. To comply with this principle, data controllers must provide those whose personal data they process with certain information. This information must tell the individual who the data controller is, what data is being collected, and what this data will be used for. Unless the processing is “necessary” for one of the limited reasons set out in the legislation, the data controller must gain the individual’s consent to the processing. The consent given must be freely-given, specific, informed, unambiguous, and the individual must be given the option to “opt-out” of the processing. Where “sensitive” personal data is processed (such as health data) the consent must be “explicit” (i.e. the individual must clearly “opt-in” to the processing through some positive action.)

Service providers must be clear with their users about how their personal data will be used. Wearables present a challenge in getting this information across due to limited or non-existent screen space. Effort must be made to come up with innovative ways to draw users’ attention to data protection policies and secure appropriate consents. Serious breaches of data protection legislation can attract fines of up to £500,000 – which could rise under proposed new legislation – and serious brand damage can follow from disgruntled users going public with their complaints.

Wearables can also give their users the ability to collect information of their own. Individuals could use the technology to record meetings and perhaps even copy sensitive information from secure corporate storage. Developers and marketers should be wary of potential abuse of their devices or software and consider setting out rules of use of the device/software in an end-user agreement or appropriate policy.

Competition law may also be a concern. Apps for wearables that display search results, for example, may only be able to display “sponsored” or “promoted” adverts due to limited screen space. If those who have paid to be top of the list are featured, those who cannot afford to promote themselves are put at a disadvantage. Competition regulators could take a keen interest.

As with any technology, device manufacturers should also be aware of their liability to consumers who are harmed by defective products or the negligence of the manufacturer. This covers physical issues with the wearable, but also (particularly for health-related wearables) being clear about the extent to which advice or recommendations generated as a result of the wearable are reliable.

Finally, wearable manufacturers and software developers who believe their product stands out from the rest must of course protect their intellectual property rights to avoid copies.

This article featured contributions from Donald Mee, a lawyer specializing in media and entertainment at Harbottle & Lewis.

For more information and advice on the legal implications of new technologies contact Daniel Tozer from law firm Harbottle & Lewis at, or Don Mee at on 020 7667 5000.