2019-02-01

Personal (medical?) data

I am having a bit of an issue with a company called Withings!

I purchased a sleep monitoring gizmo, it goes under the mattress. It is actually pretty cool as it tracks sleep, and heart rate, and snoring. Working out what to do with the data is another matter, but is interesting, and could be quite helpful.


Obviously this device needs a way to present the data to me, and that is via an app on my phone. The ideal way would be to, say, bluetooth it to the app. Simple, and it has bluetooth.

But no, it seems to be set up so it uses my wifi to send data to Withings over the internet, and then the app on my phone gets it from them and displays it. This is not ideal, and it annoys me a little that people make devices work like that, but, in theory, GDPR comes to the rescue.

My sleep is not always good
Once upon a time companies could probably do what they like as part of T&Cs of some service they offered (though, bear in mind, I have not bought a "service", I bought a "device"). However, these days, they cannot simply use my data, they need to have a legal basis, and perhaps even consent.

Also, arguably, this is sensitive personal data (medical data), so subject to even tighter controls.

So, in theory, I should be able to use the device with the data being conveyed to them and back too my phone, and no more. Data being deleted when no longer needed, and not used for any other purpose. Or so you would hope.

The first clue of a problem was that the installation not only required me to agree their T&Cs (annoying) but "consent" to their privacy policy (here). This immediately rang alarm bells as "consent" is meant to be "freely given" under GDPR. Insisting I consent as part of installation is wrong.

So, I consented on the basis I want to use the device, and immediately emailed withdrawing my consent, as is my right. To be clear, I explained I accepted that there would be some data processing to provide the core functionality of monitoring my sleep and displaying that on the phone app, but I withdrew consent for any other purposes - specifically (as per their privacy policy): Developing and managing Products and Services, Conducting data studies, and Marketing, advertising and making recommendations. The last one being my main concern.

It is worth noting, had they had a number of entirely optional consent settings such as "share data with our developers to help improve the product" and so on, I may well have clicked on some. Making it mandatory to consent to usage as per their privacy policy was what kicked this all off!

They basically have no clue, seriously. Many emails back and forth. They kept telling me where their privacy policy was and asking if there was anything else they could help with. They totally failed to understand their obligations or what I was asking. Finally I have an email saying if I don't consent then that is not compatible with use of the product and they offer a refund. Well, no, I want to use the product, but my data only be used for that usage and nothing more. That is my right!

We'll see what happens next - I have written to them now as well.

However, there is a big gotcha here, and this is the same with T&Cs for installing a smart TV and a lot of other internet of shit stuff.

EVEN IF I CONSENT, what of other people?

This is not entirely hypothetical now. I was away for the weekend, and my sleep tracker says I slept one of those nights I (someone that does not snore!). Now, I happen to know who did sleep in my bed, he is 5, and not only did he not consent to Withings having his data, but he legally is too young to have done so.

(I believe my having his data probably comes under personal/domestic use in much the same way as if I marked his high on a door post).

But Withings will presumably want to use the data for Developing and managing Products and Services, Conducting data studies, and Marketing, advertising and making recommendations.

If the basis of this use is "consent", which they seem to suggest, then when and how did they get his consent exactly? I have asked them this. We will see what they say.

Basically, they cannot assume they have consent for any sleep data they collect to be used in such a way, at all, ever, as even if the installer or owner of the device consents, they do not know the person sleeping in the bed has consented.

As I say, this is much the same as smart TVs that could be recording you viewing patterns. Even if the installer has agreed terms and consented to such data processing, the people viewing the TV may not have.

This is a legal issue that needs sorting. I wonder if the sensitive nature of medical data in the case of the Withings sleep monitoring device will help get this to a test case? ICO have been told.

P.S. I checked, and it is at least talking over https.

12 comments:

  1. 𓂺 (Cockburn - pronounced "Coburn")Friday, 1 February 2019 at 12:58:00 GMT

    I guess they could/should rely on "performance of a contract" as the lawful basis but do they nonetheless need explicit consent if it is a special category of data (such as health data). Definitely wrong in any event to bundle that type of consent with consent for marketing and suchlike too, if that is what's being done too.

    It looks like a really good device though, I'd love to know how well I'm sleeping so that I can improve my health!

    ReplyDelete
    Replies
    1. The contract one is fun - I bought a device from a seller on Amazon - not a service from Withings. But even so, they only *need* to pass the data from device to phone, not any of the rest, as you say.

      As for the device - I am interested to see if having something to eat before bed will help me sleep - as I have managed to wake up hypo lately, and this will give me some more concrete data to go on.

      Delete
  2. Just an idle, and probably wrong thought, but for your TV tracking example I wonder if it's _you_ that is responsible for seeking consent from people viewing it. After all it's _your TV_, you are the one who controls who can watch it, and you arranged for people watching it to be tracked (even if you didn't really want to).

    I don't know if the fact that you allowed a 3rd party to do the actual physical tracking, and you have no access to the data they collected absolves you from seeking consent as it's your TV and you control who can watch it...

    Perhaps it's the person providing the service that needs to seek consent even if they engage a 3rd party to do the tracking.


    * I realize that the GDPR requirement mostly apply to companies not individuals so might not matter so much anyway.

    ReplyDelete
    Replies
    1. I can't see how I get all of that responsibility just by installing a TV. But bear in mind the "agreement" is done by the person that installed it, which may not be me, or the home owner, or the TV owner. In fact, for my TV, my son clicked on the agree button, but next time I think my 5 year old grandson may do it.

      Delete
    2. I'll bring up a real-world example that may apply here...

      We do online safety stuff for schools - filtering, logging, profiling the internet use of minors mostly. Staff and visitors are usually also covered too since this can be important for child protection purposes.

      The upshot of this is that anyone using the school network has personal data captured by the school's systems. And of course some of that could well be "special categories" of personal data (medical, political views, etc.)

      Of course, all this is under a support contract, so we can log into their systems for to help with trouble-shooting, etc. so we can access that data too. Some of our competitors basically say "you're responsible for making sure our support engineers can't access this data", which we think is a bit ridiculous, as it is an impossible task for a school who is asking for an engineer to log into their system and diagnose a problem - since the school can't possibly meet this requirement, it presumably makes the school liable. So we make the school sign a data processing agreement with us, that says we have access and defines what we can do with the data and any retention rules, etc that apply to us.

      Its up to the school, as the data controller, to decide what their "lawful basis" for collecting the data is, but if they are using "consent" they are basically responsible for collecting consent from all of their users, and that consent has to cover passing the data to us under the data processing agreement.

      So I guess the point I'm trying to make is that in this case, the school is similar to the "TV owner" in your example - they have an agreement to pass data to a vendor, and are in turn responsible for gathering consent from their users. Of course I realise there are some differences here:
      - A school is an incorporated entity, whereas an individual who owns the TV is not. This may make their legal responsibilities different.
      - The agreement between a TV owner and the vendor probably doesn't meet the legal requirements of a data processing agreement.

      As far as "freely given consent", this is a tricky one - if you say "you must give consent for your internet usage to be logged by the school" and the user refuses to consent, are you allowed to deny them access to the network as a result? IMHO that would not be "freely given" consent any more if you did that.

      Luckily, there are legal basses other than "consent" that can be used in our situation, so this isn't a big deal. But I can certainly envisage situations where the "freely given" terminology would cause significant problems if that meant that people who had given consent must be treated identically to those who haven't.

      (I'm a big fan of having strong data protection legislation, but certainly can't deny that this is a big can of worms!)

      Delete
    3. Oh yes, I was meaning to say that the same thing applies to stuff like EULAs - When you install Windows (for example), you're forced to agree to an EULA. There seems to be an assumption that anyone who uses the computer has implicitly agreed to it, but in reality only one person clicked "I agree" and that may even be "the local IT bloke" rather than any of the end users.

      And they don't have a signature on a contract, so if it came to enforcing the licence in court I'm not sure how they would demonstrate who agreed to it...

      These days EULAs probably also contain data sharing agreements and stuff too, so that seems very murky to me. Is it legal for Microsoft to collect usage data without the express permission of the exact person who is using the machine at that time? Can that person make a subject access request for the data? If so, how do MS know that the data requester is the data subject?

      Delete
  3. IANAL but... Doesn't a lot of your argument hinge on the definition of 'personal' in the context of GDPR? Personal in this context means that the subject is "identified or identifiable" so in the case of the 5 year old in your bed no consent is necessary as they cannot be identified?

    Of course the data recipient has a duty to make sure that data they hold is accurate of course, and seemingly they now hold date regarding a 5 year old's sleeping pattern that is recorded against you. They have an absolute duty to remove this as it is inaccurate...?

    Similarly with the TV viewing - The supplier has data that indicates that a TV set on IP address www.xxx.yyy.zzz was displaying certain programming. They don't know who was actually viewing and unless they have access to ISP records (or your using your own public IP address of course!) they can't link the record to an individual. Does that make it 'personal'? If you filled in owner details when the TV was installed they yes absolutely, but again the manufacturer has a duty to make sure the data the hold is accurate so if a 5 year old was watching the TV then it wasn't you!

    ReplyDelete
    Replies
    1. Even if the third party data is a red herring, GDPR wise, the main issue over my right to object to processing still stands, and they are handling it really badly.

      Delete
  4. In terms of whether an IP address is "personal data", see the CJEU's decision in Breyer. It's not a great decision, in my view, because I think they get overly eager about the chain of identification, and extend it too far, but, hey, they're the CJEU...

    http://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN

    (And that's a weird looking IP address pattern ;))

    ReplyDelete
  5. Also nothing to stop them from turning around and charging you a monthly or annual fee to continue using your device... Unfortunately that's the risk we're taking with all these "cloud" services.

    Own Intuition did this, although they were on the brink of going under!

    ReplyDelete
    Replies
    1. Indeed, and personally I think the interfaces should be published for stuff like this to avoid the problem.

      Delete
  6. > Its up to the school, as the data controller, to decide what their "lawful basis" for collecting the data

    An individual TV owner is unlikely to fall within the scope of the data protection framework at all, let alone be the person who decides the purpose and means of processing by the TV company.

    It is far, far more likely that it is the TV company which needs to ensure it has a lawful basis, for the processing in respect of which it is a controller.

    I suspect your example is so different that it is not really a parallel at all :)

    ReplyDelete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.