Vancouver Sun

SWEATING OVER PRIVACY BREACHES

Panel worries about firms sharing data from use of health monitors

- JEREMY KAHN

Startups hoping to sell health tracking devices and software to corporate customers are worried European regulators will torpedo their business model.

Employers should be banned from issuing workers with wearable fitness monitors, such as Fitbit, or other health tracking devices, even with the employees’ permission, a European Union advisory panel said in June. Employers should also be barred from accessing data from the devices their employees wear, even if it is only aggregate data for the entire workforce or anonymous data, the EU body said.

Since the ruling, concern has grown among both small startups and more established players who sell wearable devices and software to businesses, often on the prospect of improved employee health and lower medical insurance premiums.

Employees should be informed of how their data will be used and who would have access to it, and be given the choice of opting out of any data sharing without adverse consequences, Fitbit said.

That’s insufficient, said the EU advisory body, which is known as the Article 29 Working Party and is comprised of data regulators from each of the EU’s 28 member states.

“Given the unequal relationship between employers and employees,” the body said, workers were probably never able to give legally valid consent to have their data shared.

“Even if the employer uses a third party to collect the health data, which would only provide aggregated information about general health developments to the employer, the processing would still be unlawful.”

Fitbit has more than 1,300 organizations using its devices as part of corporate wellness programs, encompassing more than 2.6 million people, the company said in a statement. Among its customers are a number of large European employers such as SAP SE. Concerned about how much time its employees spent sitting, it provided workers with subsidized Fitbits to try to encourage them to get up more and move around.

Fitbit declined to comment directly on the EU data privacy group’s opinion but said it believes all corporate wellness programs should be voluntary and protect employees’ privacy.

Telecom company Nokia purchased French wearables maker Withings for US$190 million in 2015 and has since built a new division called Nokia Digital Health around it. It too has been targeting the corporate wellness market.

“We believe the responsible integration of connected health devices into the health care system, including through corporate wellness programs, has the potential to significantly improve the health and well-being of society, and are actively working with hospitals, research institutions, and health care providers to explore this promising field,” Alexis Normand, head of business to business sales for Nokia Digital Health, said in a statement.

Normand said Nokia would abide by all applicable laws and regulations in every market it sells in. The company is “committed to upholding the highest standards of privacy and security,” he said.

Movecoach, which counts Microsoft’s LinkedIn and Salesforce.com as customers, currently shares aggregate demographic data, such as the age of the participants in the program, and aggregate fitness levels, with the full knowledge of employees, said Tom McGlynn, the company’s chief executive officer.

“We are concerned that if a company is being transparent with their employees and wants to look at aggregate data, we might not be able to provide that service in Europe,” he said.

That’s also the view of Frank Palermo, head of digital solutions for Virtusa, a London-based firm that consults on business uses of connected devices, including wearables.

“Collecting data on worker activity and productivity to ensure their safety should be in the purview of the employer,” he said.

The Article 29 Working Party’s opinions are not binding. It is up to each national data regulator to formulate its own regulations to conform to the opinion — or not. “The reality is that regulators are citizens of their jurisdictions, and while there is an effort to achieve harmonization, if a regulator doesn’t see something as an issue, there will be some divergence between countries,” said Mark Thompson, the global leader of KPMG’s privacy advisory business.

The EU’s privacy rules are set to become somewhat more streamlined from May 2018, when the new General Data Protection Regulation goes into effect. The new regulation says that when considering any employee tracking, businesses should select “the most data privacy friendly solutions” available.

It also requires the business to carry out impact assessments before implementing technology or procedures that pose a high risk to individual privacy rights.

Not everyone disagrees with the European regulators’ conclusion. David Plans, the chief executive officer of BioBeats, a London-based company that uses wearable sensors and a mobile app to help employees better manage stress, said he welcomed it.

He said BioBeats had encountered potential customers who wanted to access the data BioBeats collects and that the company had always resisted on privacy grounds.

The EU opinion would mean BioBeats would not be at a disadvantage compared to competitors who were more willing to share data with employers.

“The only thing that should ever reach the employer is our analysis of the data,” Plans said. “Not the data itself.”


DAVE KOTINSKY/GETTY IMAGES FILES Companies selling wearable health devices are fretting about the European Union advisory panel’s ruling saying that even with the employees’ permission, employers should be banned from giving workers devices such as Fitbit. The panel highlighted...
