www.pdpjournals.com
Data Protection Ireland, Volume 8, Issue 5

Do my data look good in this? The challenges with workplace wearables in the EU and US

Ann Bevitt, Partner at Cooley (UK) LLP, examines compliance challenges with the use of wearable technology in EU and US workplaces
With the potential to transform the workplace and become as ubiquitous as the smartphone, wearable technologies are rapidly increasing in popularity and provide attractive opportunities to both employers and employees. According to PricewaterhouseCoopers, 70 percent of consumers say they would wear employer-provided wearables streaming anonymous data to a pool in exchange for a reduction in their health insurance premiums. For employers, wearable technologies allow for great efficiencies by tracking employee productivity, improving security and even improving the accuracy of healthcare.

Inevitably, the existence of these wearable products with the ability to collect and process data is resulting in an increase in the amount of personal data being processed by the employers that provide them. However, employees may be unaware of just how much data are being processed and forgetful of the fact that their devices are constantly collecting and, in some cases, sharing information about where they live, where they travel to and from, and their state of health.

Employers need to be mindful of avoiding the many pitfalls of having access to such a vast archive of information, particularly in anticipation of the proposed reforms to the EU data protection regime.

This article looks at the issues associated with collecting data from wearable technologies for corporate use, and in particular the type of employee consent required, the risks associated with profiling individual employees, and the differences between how this area of law is regulated in the EU and the US.
Opportunities and pitfalls of workplace wearables
Many employees value the benefits that wearable technology, such as Apple's smartwatch, can bring to their working lives. The possibility of being alerted to a drop in energy levels, or being able to record productivity at different times of the day and manage workload accordingly, is an attractive one. In addition, these technologies have the potential to identify health concerns before they can cause long-term damage. By providing their employees with these devices, employers are able to empower their workforce with these opportunities. However, they must also be wary of the responsibilities that run alongside them.
One of the main complications with the mass use of wearable technologies is the impact on privacy, and some employees are reluctant to get on board as a result. Lack of understanding forms part of this reluctance for employees to embrace wearables, so businesses need to consult with their staff and be completely transparent about what data are being collected and exactly how they are being used. At the same time, as participation increases, it raises the 'tipping point' question: at what stage may refusal to participate have a negative impact on those who choose to opt out of the wellness revolution?
Another pitfall is the potential alienation of, and discrimination against, some parts of the workforce based on the data gathered by wearables. This may happen even when an employer adopts wearables with the best of intentions, e.g. to encourage an active lifestyle for its employees, and in turn a more productive workforce. Employees know that they should be active, but may either deliberately choose not to be, or find it very difficult (due to personal or family circumstances) to be so. Highlighting their lack of activity to colleagues may not help with team bonding. Alternatively, employees may view wearables as just another metric against which they will be measured and learn how to 'game the system' and come out on top, reducing the quality of the data collected.
Current EU and US legal framework

In the EU, the data collected by employer-provided wearables are subject to the Data Protection Principles contained in the Data Protection Directive 95/46/EC (the 'Directive').
(A previous article has provided an overview of the application of these principles to data generated by wearables in the EU: 'Wearable technology and the corporate wellness strategy', Volume 8, Issue 4, pages 12-13.)

In addition to local legislation implementing the Directive, employers may be subject to additional requirements arising out of the monitoring. One example of this is in Germany where, prior to introducing a new means of monitoring employees, employers must consult with works councils.

In the US, data privacy generally is governed by a patchwork of state laws, sector and industry specific federal and state laws and regulations, and the Federal Trade Commission's authority to prevent unfair and deceptive trade practices.

Wearable technology in the workplace engages several of these laws. For example, many states require that all parties to a conversation consent to it being recorded. Wearable devices with recording capabilities, such as most smartwatches, give employees the means easily and discreetly to violate these wiretapping and surveillance laws.

In addition, the use of health-related wearables such as pedometers and other activity trackers in connection with corporate wellness programmes engages both the Health Insurance Portability and Accountability Act ('HIPAA') and the Americans with Disabilities Act ('the ADA').

HIPAA imposes rules governing privacy, security, and breach notification on the collection, use, storage, and disclosure of individuals' protected health information. While HIPAA generally does not apply to employers, it does apply to employer-sponsored group health plans, many of which provide rewards such as discounted insurance premiums to employees based on their participation in workplace wellness programmes. Many such programmes that incorporate wearables are deemed 'health contingent wellness programmes' under HIPAA, as they reward employees for meeting particular health standards, such as taking a certain number of steps per day.

Health contingent wellness programmes are subject to several requirements, including that they be reasonably designed to prevent disease or promote health, and that employers offer a reasonable alternative standard to individuals for whom it is unreasonably difficult, impossible, or medically inadvisable to meet or attempt to meet the reward standard.

Workplace wellness programmes incorporating wearables must comply with more than just HIPAA. Such programmes must also comply with the ADA, which prohibits discrimination based on disability and generally prohibits employers from making disability-related inquiries or requiring medical examinations. For example, programmes involving wearable activity trackers may run afoul of the latter prohibition by prompting an employee to reveal a disability.

The agency responsible for implementing the ADA, the Equal Employment Opportunity Commission ('the EEOC'), has stated that medical examinations and disability-related inquiries are permissible if done as part of a voluntary employee health program. However, as we discuss below, the ADA's requirements of wellness programmes are about to change.

Proposals for reform of current EU and US legal framework

The draft General Data Protection Regulation ('the draft Regulation') is set to replace the Directive and harmonise data protection procedures and enforcement across the EU.
Although the final text of the Regulation has yet to be agreed, there are two issues which are particularly relevant to the use of employer-provided wearables.

Firstly, the requirements for consent under the draft Regulation are stricter than under the Directive. Under the latest draft of the Regulation, consent must be freely given, informed, specific and explicit in all circumstances. To satisfy these requirements in the context of employer-provided wearables, employers will be required to provide full disclosure of what data are being collected and for what purposes, and in response some clear, affirmative consenting action will be required from employees.

Secondly, one particular objective of the proposed Regulation is to further limit the extent to which individuals may be subjected to decisions based on automated personal profiling (making assumptions and predictions about individuals on the basis of automatically processed data). Under the existing Directive, employees have the right not to be subject to a decision based solely on the automated processing of data intended to evaluate certain personal matters, such as the employee's performance at work, creditworthiness, reliability, conduct and so on.

The draft Regulation goes much further and prohibits profiling except in limited circumstances. This will be a particularly important consideration for businesses in relation to developing a corporate wellness strategy that meets the new standards, or welcoming wearable technology more generally.
In the US, the EEOC has issued proposed rules governing workplace wellness programmes, including those that incorporate wearable technology, under the ADA. Among various other requirements, the proposed rules make it clear that a wellness program will only be deemed 'voluntary' if employees are given notice clearly explaining what medical information will be obtained through the program and by whom, how the medical information will be used, and how the employer will safeguard against its improper disclosure.

The proposed rule would also require that employers only receive information collected as part of a wellness program in aggregate form that does not disclose the identity of specific employees, except to the extent such identification is necessary to administer the plan. The EEOC notes that, as best practice, individuals who handle employee medical information in administering a wellness program should not also be responsible for making employment decisions, such as termination or discipline, to reduce the potential for disability-related discrimination. US employers that administer or offer wellness programmes should take care to ensure their programmes' compliance with the new rules, which are expected to be finalised in the near future.
Safeguarding — practical steps for businesses

To comply with the current EU regime and to prepare for the draft Regulation and the finalisation of the EEOC's proposed rules under the ADA, businesses should focus on putting adequate safeguards in place now, in order to ensure a seamless and transparent approach for their employees.

Given the amount of data collected by wearable technologies, an obvious danger lies in the temptation for employers to use them for purposes other than those previously disclosed to employees. Employers should, at the very least, consider the following:

Consent: Do current consents satisfy the more onerous requirements of the draft Regulation? If not, what changes need to be made to the consent process to address the new requirements?
Profiling: What activities will be caught by the prohibition on profiling in the draft Regulation? Are any of the exemptions from the prohibition applicable?

Data minimisation: i.e. ensuring that only data that are strictly necessary for the intended purpose(s) are collected. As we have seen, wearable technology is capable of collecting vast amounts of data. To take an obvious and ubiquitous example, activity trackers track employees' steps both in and outside of work; whilst an employer wishing to encourage employees to take more regular breaks from their screens may be justified in reviewing the former, it should be wary of collecting detailed data relating to activity outside working hours.

Anonymisation or aggregation of data where appropriate: e.g. where pooled data are shared in exchange for a reduction in the business' insurance premium.

Ensure that workplace wellness programmes incorporating wearables comply with HIPAA's and the ADA's requirements: Perhaps most critical to achieving this is providing adequate training to employees responsible for administering wellness programmes or otherwise handling medical information.

The key to the success of all of these measures is communicating with employees and ensuring proper regulation and internal enforcement of applicable requirements.

Getting — and staying — ahead

As ever, the law is playing catch-up to developments in wearable technologies, which are happening so fast that legislation and data protection authorities are struggling to keep pace. However, with the appropriate safeguards in place, there is no reason why both employers and employees should not reap the benefits of introducing wearable technologies into the working environment. To do this, potential pitfalls must be identified and conquered so that they do not outweigh the positive benefits of embracing innovation, technological growth and increased productivity in the workplace afforded by wearable technologies.
Ann Bevitt
Partner
Cooley (UK) LLP
abevitt@cooley.com