It isn’t difficult to imagine a future where wearables will monitor everything from blood glucose to blood alcohol.
Health Data Considerations
Of course, wearable technology relies on the processing of individual users’ personal data, including health data in the case of med tech wearables. Health data falls under “special category data” for the purposes of the General Data Protection Regulation 2016/679 (GDPR) and consequently requires more protection because of its sensitive nature. In order to lawfully process special category data, a lawful basis under both Article 6 and Article 9 of the GDPR must be identified, and the processing must be fair and transparent.
When processing health data through a wearable device it is likely that the explicit consent of the user will be required to process that data. Consent may also be required to process non-sensitive user personal data. Under the GDPR, consent must be freely given, specific, informed and an unambiguous indication of the user’s wishes. Explicit consent (for the processing of special category data) must be expressly confirmed in words. Implying consent through use of a wearable device isn’t sufficient.
Technology providers should therefore consider the following points with regard to their wearable products:
- If consent is required from the user in order for the provider to carry out its processing activities
- Where consent is required, the user must be provided with clear information (usually in the form of a privacy notice) regarding how their personal data will be used so the user is fully informed before making any decision
- That users can easily withdraw consent and ensure that their personal data is not further processed
- That, if explicit consent is required (for processing special category data), any written statement provided allows a user to clearly indicate that they agree to the processing.
Complying with other GDPR Principles
In addition to the lawful basis of processing personal data, other principles set out in the GDPR should be considered such as:
- Data minimisation (only the minimum relevant amount of personal data necessary for processing must be collected and used)
- Data security (personal data must be processed in a manner that ensures appropriate security of the personal data)
- Limitation on the use of data (personal data is only processed for the purpose the personal data was collected for)
- Retention of data (personal data should not be stored for longer than necessary)
- Accuracy of data (personal data must be kept up to date)
and the technology provider must be able to demonstrate compliance with the principles set out in the GDPR.
International Transfers of Personal Data
For those technology providers who transfer personal data outside of the EEA, making the personal data anonymous means the restrictions on international transfers of personal data set out in the GDPR will not apply. When anonymisation isn't possible, the technology provider should consider whether the non-EEA country has a legal framework in place that the EU Commission has deemed "adequate" in protecting individuals’ rights and freedoms in respect of their personal data. If no adequacy decision has been made in respect of such a non-EEA country, then the technology provider may have to engage the party importing the data using standard data protection clauses adopted by the EU Commission. The standard contractual clauses must be used in their entirety and without amendment.
Following BREXIT, transfers of personal data from the UK to countries outside of the UK will be subject to transfer rules under the UK regime, which shouldn't be dissimilar to the rules set out in the GDPR. Transfers from the UK to the EEA shouldn't be restricted. If the UK leaves the EU without a deal, organisations can't assume that an adequacy decision will be in place for the UK immediately following exit day. As such organisations with EEA customers may also need to adopt the standard data protection clauses into their agreements. Following BREXIT, UK organisations which process the personal data of EEA data subjects will need to comply with both the GDPR and the UK data protection regime.