www.pdpjournals.com
Challenges with workplace wearables in the EU and US
Ann Bevitt, Partner, Colleen Hannigan, Associate, and Harriet Swan, at Cooley (UK) LLP, examine compliance challenges with the use of wearable technology in EU and US workplaces
PRIVACY & DATA PROTECTION
With the potential to
transform the workplace
and become as ubiquitous as the smartphone,
wearable technologies are rapidly increasing in popularity and provide attractive opportunities to both employers and employees.
According to PricewaterhouseCoopers,
70 percent of consumers say they
would wear employer-provided wearables streaming anonymous data to
a pool in exchange for a reduction
in their health insurance premiums.
For employers, wearable technologies
allow for great efficiencies by tracking
employee productivity, improving security and even improving the accuracy
of healthcare.
Inevitably, the existence of these
wearable products with the ability to
collect and process data is resulting in
an increase in the amount of personal
data being processed by the employers that provide them. However, employees may be unaware of just how
much data are being processed and
forgetful of the fact that their devices
are constantly collecting and, in some
cases, sharing information about
where they live, where they travel to
and from, and their state of health.
Employers need to be mindful of avoiding the many pitfalls of having access
to such a vast archive of information,
particularly in anticipation of the proposed reforms to the EU data protection regime.
This article looks at the issues
associated with collecting data from
wearable technologies for corporate
use, and in particular the type of
employee consent required, the risks
associated with profiling individual employees, and the differences between
how this area of law is regulated in the
EU and the US.
VOLUME 16, ISSUE 1
Opportunities and pitfalls of workplace wearables
Many employees value the benefits that wearable technology, such as Apple’s smartwatch, can bring to their working lives. The possibility of being alerted to a drop in energy levels, or being able to record productivity at different times of the day and manage workload accordingly, is an attractive one. In addition, these technologies
have the potential to identify health
concerns before they can cause
long-term damage. By providing
their employees with these devices,
employers are able to empower their
workforce with these opportunities.
However, they must also be wary of
the responsibilities that run alongside
them.
One of the main complications
with the mass use of wearable
technologies is the impact on privacy,
and some employees are reluctant
to get on board as a result. Lack of
understanding forms part of this
reluctance for employees to embrace
wearables, so businesses need to consult with their staff and be completely
transparent about what data are being
collected and exactly how they are
being used. At the same time, as
participation increases, it raises the
‘tipping point’ question: at what stage
may refusal to participate have a
negative impact on those who choose
to opt-out of the wellness revolution?
Another pitfall is the potential
alienation of, and discrimination
against, some parts of the workforce
based on the data gathered by wearables. This may happen even when an
employer adopts wearables with the
best of intentions, e.g. to encourage
an active lifestyle for its employees,
and in turn a more productive workforce. Employees know that they
should be active, but may either
deliberately choose not to be, or find it
very difficult (due to personal or family
circumstances) to be so. Highlighting
their lack of activity to colleagues may
not help with team bonding.
Alternatively, employees may view
wearables as just another metric
against which they will be measured
and learn how to ‘game the system’
and come out on top, reducing the
quality of the data collected.
Current EU and US legal framework
In the EU, the data collected by
employer-provided wearables is
subject to the Data Protection Principles contained in the Data Protection
Directive 95/46/EC (the ‘Directive’).
(A previous article has provided an overview of the application of these principles to data generated by wearables in the EU — ‘Wearable technology and the corporate wellness strategy’, Volume 15, Issue 7, pages 9-10).

In addition to local legislation implementing the Directive, employers may be subject to additional requirements arising out of the monitoring. One example of this is in Germany where, prior to introducing a new means of monitoring employees, employers must consult with works councils.

In the US, data privacy generally is governed by a patchwork of state laws, sector and industry specific federal and state laws and regulations, and the Federal Trade Commission’s authority to prevent unfair and deceptive trade practices.

Wearable technology in the workplace engages several of these laws.

For example, many states require that all parties to a conversation consent to it being recorded. Wearable devices with recording capabilities, such as most smartwatches, give employees the means easily and discreetly to violate these wiretapping and surveillance laws.

In addition, the use of health-related wearables such as pedometers and other activity trackers in connection with corporate wellness programmes engages both the Health Insurance Portability and Accountability Act (‘HIPAA’) and the Americans with Disabilities Act (‘the ADA’).

HIPAA imposes rules governing privacy, security, and breach notification on the collection, use, storage, and disclosure of individuals’ protected health information. While HIPAA generally does not apply to employers, it does apply to employer-sponsored group health plans, many of which provide rewards such as discounted insurance premiums to employees based on their participation in workplace wellness programmes.

Many such programmes that incorporate wearables are deemed ‘health contingent wellness programmes’ under HIPAA, as they reward employees for meeting particular health standards, such as taking a certain number of steps per day.

Health contingent wellness programmes are subject to several requirements, including that they be reasonably designed to prevent disease or promote health, and that employers offer a reasonable alternative standard to individuals for whom it is unreasonably difficult, impossible, or medically inadvisable to meet or attempt to meet the reward standard.

Workplace wellness programmes incorporating wearables must comply with more than just HIPAA. Such programmes must also comply with the ADA, which prohibits discrimination based on disability and generally prohibits employers from making disability-related inquiries or requiring medical examinations.

For example, programmes involving wearable activity trackers may run afoul of the latter prohibition by prompting an employee to reveal a disability.

The agency responsible for implementing the ADA, the Equal Employment Opportunity Commission (‘the EEOC’), has stated that medical examinations and disability-related inquiries are permissible if done as part of a voluntary employee health program. However, as we discuss below, the ADA’s requirements of wellness programmes are about to change.
Proposals for reform of current EU and US legal framework
The draft General Data Protection
Regulation (‘the draft Regulation’)
is set to replace the Directive and
harmonise data protection procedures
and enforcement across the EU.
Although the final text of the draft
Regulation has yet to be agreed, there
are two issues which are particularly
relevant to the use of employer-provided wearables.
Firstly, the requirements for consent
under the draft Regulation are stricter
than under the Directive. Under the
latest draft of the Regulation, consent
must be freely given, informed, specific and explicit in all circumstances.
To satisfy these requirements in the
context of employer-provided wearables, employers will be required to
provide full disclosure of what data
are being collected and for what purposes, and in response some clear,
affirmative consenting action will be
required from employees.
One particular objective of the draft
Regulation is to further limit the extent
to which individuals may be subjected
to decisions based on automated personal profiling (making assumptions
and predictions about individuals on
the basis of automatically processed
data).
Under the existing Directive,
employees have the right not to be
subject to a decision based solely
on the automated processing of data
intended to evaluate certain personal
matters, such as the employee’s performance at work, creditworthiness,
reliability, conduct and so on.
The draft Regulation goes much
further and prohibits profiling except
in limited circumstances. This will be
a particularly important consideration
for businesses in relation to developing a corporate wellness strategy that
meets the new standards, or welcoming wearable technology more generally.
In the US, the EEOC has issued
proposed rules governing workplace
wellness programmes, including
those that incorporate wearable
technology, under the ADA. Among
various other requirements, the
proposed rules make it clear that
a wellness program will only be
deemed ‘voluntary’ if employees are
given notice clearly explaining what
medical information will be obtained
through the program and by whom,
how the medical information will
be used, and how the employer
will safeguard against its improper
disclosure.
The proposed rule would also
require that employers only receive
information collected as part of a
wellness program in aggregate form
that does not disclose the identity
of specific employees, except to
the extent such identification is
necessary to administer the plan.
The EEOC notes that, as best
practice, individuals who handle
employee medical information in
administering a wellness program
should not also be responsible for
making employment decisions,
such as termination or discipline,
to reduce the potential for disability-related discrimination. US employers
that administer or offer wellness programmes should take care to ensure
their programmes’ compliance with
the new rules, which are expected to
be finalized in the near future.
Safeguarding — practical steps for businesses
To comply with the current EU
regime and to prepare for the draft
Regulation and the finalisation of
the EEOC’s proposed rules under
the ADA, businesses should focus on
putting adequate safeguards in place
now, in order to ensure a seamless
and transparent approach for their
employees.
Given the amount of data collected
by wearable technologies, an obvious
danger lies in the temptation for
employers to use them for purposes
other than those previously disclosed
to employees. Employers should, at
the very least, consider the following:

Consent: Do current consents satisfy the more onerous requirements of the draft Regulation? If not, what changes need to be made to the consent process to address the new requirements?

Profiling: What activities will be caught by the prohibition on profiling in the draft Regulation? Are any of the exemptions from the prohibition applicable?

Data minimisation: i.e. ensuring that only data that are strictly necessary for the intended purpose(s) are collected. As we have seen, wearable technology is capable of collecting vast amounts of data. To take an obvious and ubiquitous example, activity trackers track employees’ steps both in and outside of work; whilst an employer wishing to encourage employees to take more regular breaks from their screens may be justified in reviewing the former, it should be wary of collecting detailed data relating to activity outside working hours.

Anonymisation or aggregation of data where appropriate: e.g. in exchange for a reduction in the business’ insurance premium.

Ensure that workplace wellness programmes incorporating wearables comply with HIPAA and the ADA’s requirements: Perhaps most critical to achieving this is providing adequate training to employees responsible for administering wellness programmes or otherwise handling medical information.

The key to the success of all of these measures is communicating with employees and ensuring proper regulation and internal enforcement of applicable requirements.

Getting — and staying — ahead

As ever, the law is playing catch up to developments in wearable technologies, which are happening so fast that legislation and data protection authorities are struggling to keep pace.

However, with the appropriate safeguards in place, there is no reason why both employers and employees should not reap the benefits of introducing wearable technologies into the working environment.

To do this, potential pitfalls must be identified and conquered so that they do not outweigh the positive benefits of embracing innovation, technological growth and increased productivity in the workplace afforded by wearable technologies.

Ann Bevitt
Partner
Cooley (UK) LLP
abevitt@cooley.com