Introduction & Panel
The evening opened with an introduction by Christian Fleck, Managing Director for LexisNexis UK & Ireland. He stated that we are at the forefront of a new tech trend which faces exponential growth, with devices amassing vast amounts of personal data. This immediately has implications for privacy, and HLE is interested in generating discussion around this cutting-edge topic.
Chair Joshua Rozenberg immediately quizzed the panel for a definition of wearable technology. On the panel were:
Andrew Caldecott QC, One Brick Court
Jessica Bland, Senior Researcher in Technology Futures at Nesta
Sally Annereau, Data Protection Analyst at Taylor Wessing LLP
James Castro Edwards, PwC Legal LLP
Eduardo Ustaran, Hogan Lovells
The most basic wrist watch is technology that you can wear. The ubiquitous smartphone is clearly smarter than a watch and once you've got headphones, Bluetooth attachments, etc., it becomes 'wearable'. The general woolliness about a definition demonstrates how difficult it is to pin down. Does it mean 'hands free', as Sally Annereau suggested? Is it complicated further by the collection of individuals' data, as suggested by James Castro Edwards? Rozenberg cited the recent US Supreme Court judgment in Riley v California, where the judge said:
'These cases require us to decide how the search incident to arrest doctrine applies to modern cell phones, which are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.'
In his opinion Chief Justice John Roberts concluded that warrants would be required to search a mobile phone.
Rozenberg split the types of data being collected into two: information about you, and information that you are collecting about someone else. The two are very different. The consensus regarding the collection of your own data was that, unless someone gains unauthorised access, it is not a problem. You are entitled to release it how and when you like, for instance, data about a run you've just completed on a purchased fitness app. But when there is surreptitious collecting and storing of information about the wearer, the individual is no longer in control. As James said, 'if an app is free, you are the product. Information about you may go somewhere you don't expect'.
Relying on user consent is becoming a fallacy. It appears that the individual is shifting the responsibility to developers and users of data to judge whether it's intrusive. The volume and variety of information being collected is vast, and as yet the vendor may not know what they will use it for. This obviously makes it difficult to assess whether the information will be exploited fairly and lawfully.
So where's the harm?
Given the recent explosion in health wearables from all the major data giants, people remain happy to share their private information with Apple, Google and Microsoft; clearly the benefits outweigh any reservations. To be fair we have been sharing information with supermarket loyalty cards so that they can target advertising at us, and as Andrew Caldecott pointed out, 'the mere collection of data rarely leads to litigation'. It is the disclosure and its unpreventable gathering that leads to legal proceedings.
There are positive aspects of data collection and monitoring, especially in the health sector. Jessica Bland quoted the US FCC figures, '[remote] monitoring can save up to $12,000 per patient, and that a monitored patient has a 48% chance of surviving cardiac arrest, as compared with 6% for a non-monitored patient'. It also means that people don't have to come into germ-ridden waiting rooms, etc., to have the doctor take readings. Obvious objections arise regarding the announcement of bad news and the impersonality of interacting with a machine, and the security of sensitive data would be paramount.
It was recently announced that workplace wearable technologies can boost employee productivity by up to 8.5%. e leave Goldsmiths said, 'using data generated from the devices, organisations can learn how human behaviours impact productivity, performance, well-being, and job satisfaction. Employees can demand work environments and hours be optimised to maximise their productivity and health and well-being'. Clearly the privacy implications of this are staggering. There would have to be very clear guidelines as to what could and could not be done with the data collected.
Finally, there are the benefits of smart fridges, heating systems and baby monitors, all of which amass huge quantities of data for the supposed benefit of the consumer. The internet of things is threatening to become one of those overused, meaningless phrases which promise great changes and may yet turn out to be a damp squib. I mean, who would want their fridge to speak with their health professional? Still, who knows, with insurers monitoring driving and gym attendance, the potential is there if the consumer wants to give their information to those who will exploit it. What if your data is sold, or is used in a way you disagree with? What if your home system is hacked, what then?
Surprisingly OFCOM reported that only a minority of people know a lot about glasses and smart watches, so perhaps integrated supermarket/insurer/fridges will take a while to go mainstream?
One set of data from one device is useful, yet the real value comes from the aggregation of data from various devices, social media, and other apps. The law is sensitive to profiling because it can be intrusive. For instance, construction workers were blacklisted for whistle-blowing and trade union activities.
Google Glass was discussed and the panel were asked whether it posed a privacy risk. Given the capacity for video, cameras and sound recording, it certainly could. However, the advantage of Google Glass over a hidden recording device is that you can tell it is being worn. Is there, therefore, presumed consent when third parties are captured? Once the data has been sent to Google, what are they doing with the data? Is it secure in the cloud?
Is the law adequate?
At the end of Dec 2000, there were 360,985,492 internet users globally. By the end of Dec 2013, there were 2,802,478,934. Even if these figures are wildly out, that is an incredible increase. Further figures from Cisco conservatively estimate that the 10 billion things connected in 2013 could increase to 50 billion by 2020.
A 1995 EU directive therefore offers a woefully inadequate data protection framework for a world so information heavy. The EU are currently in the middle of replacing this directive. Major differences include: more obligations and responsibilities placed upon the data controller; and a wider definition of personal data - for instance, should IP addresses be classed as personal data?!
Andrew Caldecott made reference to Campbell v MGN Ltd (HL) which stated that the data controller could not process the information in a way which would cause harm to the data subject. By publishing photos of her outside an addiction clinic, this risked causing a significant setback to her recovery. He stressed that each case was fact specific - so really, the law will have to develop in line with how judges interpret the statutory framework.
We were left with a number of scenarios and models.
- Some companies are working to ensure that data is stored locally. The panel had no idea whether this would work.
- Certain vulnerable groups were being given their own network so that they could share data with trusted partners.
- Another option was setting up jamming technology so that information is prevented from being uploaded...
- Some companies are making a virtue out of the fact that they protect your privacy.
- T&Cs are far, far too long and people just don't read them. As devices become more complicated, this problem is not going to go away.
- How are smart garments going to manage when they are in the washing machine?
- Education for the young - ensuring they know what they are signing up for / signing away / third party expectation of privacy
With thanks to various tweeters under #hledebate