Wearable tech and the privacy issue

In fitness, gaming, smartwatches and a host of other areas, wearable technology has found a place in consumers’ hearts. For the product manufacturers, however, it is often described as a regulatory minefield: wearables are increasingly faced with myriad legal challenges, the most difficult of which revolve around data privacy.

Collecting data from wearable technology gives companies valuable information about their products, especially when, where, and how often customers are using them. This allows manufacturers to keep developing their products in a direction that complements the way consumers actually use them, and to innovate effectively with new or upgraded technology. The benefits for the company are clear, but does this actually deliver better, more carefully targeted products for consumers in return?

While the vast amount of data collected from wearable devices has the potential to do many great things (such as tackling obesity or monitoring a baby's heartbeat in the womb), the collection and use of such data is not without controversy. The manufacturer is required to ensure that whatever data it collects and stores does not violate any laws or adversely affect its brand.

Like many things in life, it is a question of balance. In this article, we take a look at some of the key data privacy issues facing the wearables market today.

  • GDPR – the General Data Protection Regulation is a new EU-wide regulation that will, from May 2018, replace Europe's current data protection legislation (which pre-dates the Internet, one might add…). The GDPR aims to bring data protection legislation up to speed with evolving technology, clarifying data subjects' rights and increasing the obligations on data controllers and data processors handling EU residents' personal data.
  • Big data – there are also new, stricter obligations surrounding big data, particularly on profiling, an activity that could account for a significant slice of the wearables business.
  • Global domination – the scope of the GDPR will reach beyond the EU; any organisation that offers goods or services to EU residents or monitors the behaviour of data subjects in the EU for example will be caught by the regulation. This increased global scope is intended to protect EU personal data in whatever jurisdiction it ends up. Further, organisations wanting to transfer EU personal data outside the EEA will have to make sure that they legitimise such a transfer with one of the European Commission-approved mechanisms such as the EU-US Privacy Shield (in the case of transfers to the US), Model Clauses, Binding Corporate Rules or one of the listed derogations (consent being one of them for example).
  • Privacy and security by design – regulation meets innovation: the new law will oblige manufacturers to put privacy first, at the inception of a product, and to ensure that the default settings always provide the maximum possible level of privacy.
  • Consent – under existing law, everyone sporting a wearable already has to give clear, affirmative consent to the use and sharing of their personal data, and the new rules go even further, requiring organisations to tell users as much as possible about what will happen to their data.
  • Breach – a concern for companies and users alike is the risk of a data breach: not only will stricter security requirements help to limit the risk of such breaches, but should one occur, data controllers will have increased obligations on how to handle it, including notifying the supervisory authority without undue delay (and, where feasible, within 72 hours) and informing affected individuals where the breach is likely to pose a high risk to them.
  • Brexit – although not uniquely a data privacy issue, it is hard to ignore the elephant in the room. London is very much open for business, and the Mayor of London's campaign has a strong focus on keeping the city's doors open as a hub of growth for the wearables market. The Information Commissioner has said that Britain will continue to follow the GDPR line of increased regulation; it will of course have to pass new legislation to reflect the new rules, but it is clear that the data landscape post-Brexit will continue to change in the ways discussed in this article.

How to strike the right balance

  • First things first – develop a privacy policy and ensure that the transfer and storage of any personal data complies with EU law. A clearly visible and easily accessible privacy policy will help reassure consumers that their personal data is protected and "safe". This is particularly significant in the world of wearables, where the sensitivity and sheer volume of the data collected mean that a breach, should one occur, could be extensive.
  • Mind the gap – establishing whether you comply with the current law is always a good first step. You can then work on filling any gaps in both current and future legal and technical compliance, in terms of data privacy and data security alike.
  • Knowledge is power – step up training, and consider tailoring it by business line and/or geography.
  • Quality over quantity – don't process and store data that you don't need (the GDPR's data minimisation principle); act reasonably and responsibly.


It is no secret that the technology sector is evolving at great speed, particularly the growing wearables sector. Not only does the law often have blind spots when it comes to protecting consumers, but it is difficult to think about and prioritise compliance when innovation is moving so quickly.

The new EU data protection law aims to bridge this gap through its stricter requirements on profiling and by forcing the hand of manufacturers to consider privacy at the start of a new product's life.

Organisations should therefore take advantage of the changes and act now: conduct gap analyses and get the results and proposed solutions in front of key management as soon as possible, before it is too late and the law catches up with you.

Sarah Pearce, Partner in Cooley LLP’s Technology and Transactions Group

Image Credit: Franklin Heijnen / Flickr