Wearable technologies continue to make news but it is unclear whether the concerns of regulators and media are symptomatic of a moral panic or a true regulatory challenge.
Certainly wearable technology involves the collection and use of personal information about the person wearing the technology. The data collected may include biometric data that is highly sensitive. However, this type of collection and use fits comfortably within the existing legislative schemes for the collection, use, processing and disclosure of personal information in the course of commercial activities.
Nevertheless, the issue of wearables appears to be on the minds of regulators this season. On July 3, the Office of the Privacy Commissioner of Canada (OPC) published a comprehensive research report (dated January 2014) entitled, Wearable Computing: challenges and opportunities, examining the issues raised by wearables. On June 26, the UK Information Commissioner’s Office (ICO) blog published a comment on Wearable technology - the future of privacy in which the ICO reminded organizations that wearables are subject to UK privacy laws. On June 16, Australian Privacy Commissioner Timothy Pilgrim encouraged companies to develop policies that address the use of wearables in the workplace, as reported in Australian news.
So what are the regulators saying about wearables? And, perhaps more importantly, what have they not addressed?
Amplification of Privacy Issues
Wearable technologies involve the integration of computing devices into clothing and accessories that are worn by a person. Some of the applications of these technologies were highlighted in the recent OPC research report. These include important medical applications such as continuous glucose monitors and vision aids as well as applications to produce augmented reality for entertainment purposes.
One socially intrusive aspect of wearables is that they may not just collect personal information of the user. They may contain cameras and sensors that collect images and sounds of identifiable individuals within the vicinity of the individual using the wearable. The use may be deliberately covert given that the technology is integrated with an individual’s clothing, jewellery, glasses or watch. More innocently, the device may simply be used in situations in which individuals in the vicinity of the user are unaware of and cannot provide meaningful consent or even tacit consent to the collection of personal information. The OPC research report commented on this issue, stating:
[...] some wearable devices can amplify privacy risks in the mobile environment by collecting images, audio and video in unobtrusive, or covert, ways and by creating the potential to gather this personal information in situations where a more obvious camera device would not be socially acceptable.
The potential of wearable technology to capture information about individuals without their knowledge or consent is perhaps a significant issue. However, there is an element of panic here that is reminiscent of concerns regarding pocket tape or digital recorders and the introduction of camera phones.
Limits of Data Protection Laws
In addressing wearables, regulators naturally focus on notice, consent and reasonableness. In the UK ICO blog post, Andrew Paterson, Senior Technology Officer, cautioned that organizations collecting information through wearables must:
- inform people how their data is being collected and used,
- only collect information that is relevant, adequate and not excessive,
- comply with the CCTV Code of Practice,
- keep the information secure, and
- delete it once it is no longer required.
Similarly, the Australian Privacy Commissioner encouraged organizations to develop policies for the use of wearable technologies at work.
However, these issues do not address one of the more socially disruptive aspects of wearable technologies. As the OPC stated in its research report, “[u]ser privacy is one issue but the privacy of those around the user is another, and perhaps more vexing, problem.”
Arguably, however, there are limitations on the ability of current data protection laws to address this privacy issue sufficiently. In his blog post, Paterson stressed that organizations that process personal information collected through wearables are subject to the UK Data Protection Act (DPA). However, Paterson also acknowledged that the same is not true for an individual who is using wearables solely for his or her own use. This is because, as Paterson wrote, the DPA does not apply to domestic use.
Section 36 of the DPA provides that “personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles.” Section 16 of the Australian Privacy Act, 1988, also provides that nothing in the Australian Privacy Principles applies to the collection, holding, use or disclosure of personal information by an individual “only for the purpose of, or in connection with his or her personal, family or household affairs.” The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) contains a similar exception in paragraph 4(2)(b). As the recent report by the OPC said, “PIPEDA may not have much to say” about “information collected by individual users about other individuals for personal purposes.”
Leaving aside the blunt instrument of criminal law, which in Canada may apply to the surreptitious interception of communications and, if Bill C-13 makes it through Parliament, the distribution of intimate images, the most immediate practical privacy issue is reconciling the use of wearables by one individual with the social and individual expectations by others of individual autonomy and practical obscurity in public spaces.
Perhaps in the most egregious of covert situations, this issue may be left to courts to regulate through developing private law systems, such as the common law tort of intrusion upon seclusion in Canada. However, the limitations of today’s data protection laws do not render those laws irrelevant. As Paterson warned in his blog post, individuals must be mindful that if they change their use of the personal information—such as to start a campaign or a business—the UK DPA would apply. This foreshadows a major tension that data protection authorities will need to address in coming years or sooner. When is a use no longer “only” personal?
A Search for Gatekeepers
For now, the approach of regulators appears to be to search for gatekeepers. The hook thus far has been the fact that wearables involve an application provider collecting or processing data for the user of the wearable device. The OPC stated that PIPEDA “could be engaged where personal information from the user’s device is sent to organizations that collect, use and disclose personal information in the course of commercial activities.” Similarly, the data protection laws of other jurisdictions, such as the UK and Australia, could be engaged based on similar logic.
The implications of this approach are that employers are expected to regulate the use of wearables in the work environment and, more broadly, consent may be required where the information collected is information about an identifiable individual. Consent will almost always be necessary for an organization collecting information about the wearer such as geolocation, heart rate, and other data about the user. In addition, in Canada, at least, images or voice recordings of other individuals captured by the device could be subject to PIPEDA if there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information. Theoretically, therefore, it may be possible for the OPC to suggest that the organization must take steps to ensure that the user obtains meaningful consent from those in the vicinity of the user of the device whose information might be captured or the organization must de-identify that data immediately or the organization must otherwise limit the collection of third-party information through the device.
However, this seems impractical. Moreover, there is an underlying tension in this approach between the attempt to impose obligations on the wearable application provider and the fact that the user (who is, after all, the conduit for collection) is exempt from similar obligations. Indeed, it is an open question whether an organization that simply stores and processes information for a person who is using a device solely for personal purposes should be viewed as a collector and user of personal information under PIPEDA or, if it is, should that organization be entitled to rely upon the personal use exception of the user in relation to the information collected about others. Should the printer inquire as to whether I had the consent of the subject of my photograph? Should the camera maker prevent me from taking pictures of other people in case they didn’t consent?
Conclusion
There is a strong possibility that the issues surrounding wearables are simply symptomatic of a moral panic with respect to disruptive technology, which will quickly be addressed through adaptive social conventions and existing privacy principles. However, the outward-facing, covert, always-on potential of wearables could turn us all into sensors gathering data for others, exposing the limitations of a consent-based model.
