I purchased a sleep monitoring gizmo; it goes under the mattress. It is actually pretty cool as it tracks sleep, and heart rate, and snoring. Working out what to do with the data is another matter, but is interesting, and could be quite helpful.
Obviously this device needs a way to present the data to me, and that is via an app on my phone. The ideal way would be to, say, Bluetooth it to the app. Simple, and it has Bluetooth.
But no, it seems to be set up so it uses my wifi to send data to Withings over the internet, and then the app on my phone gets it from them and displays it. This is not ideal, and it annoys me a little that people make devices work like that, but, in theory, GDPR comes to the rescue.
[Image caption: My sleep is not always good]
Also, arguably, this is sensitive personal data (medical data), so subject to even tighter controls.
So, in theory, I should be able to use the device with the data being conveyed to them and back to my phone, and no more. Data being deleted when no longer needed, and not used for any other purpose. Or so you would hope.
We'll see what happens next - I have written to them now as well.
However, there is a big gotcha here, and this is the same with T&Cs for installing a smart TV and a lot of other internet of shit stuff.
EVEN IF I CONSENT, what of other people?
This is not entirely hypothetical now. I was away for the weekend, and my sleep tracker says I slept one of those nights (someone that does not snore!). Now, I happen to know who did sleep in my bed, he is 5, and not only did he not consent to Withings having his data, but he legally is too young to have done so.
(I believe my having his data probably comes under personal/domestic use in much the same way as if I marked his height on a door post).
But Withings will presumably want to use the data for Developing and managing Products and Services, Conducting data studies, and Marketing, advertising and making recommendations.
If the basis of this use is "consent", which they seem to suggest, then when and how did they get his consent exactly? I have asked them this. We will see what they say.
Basically, they cannot assume they have consent for any sleep data they collect to be used in such a way, at all, ever, as even if the installer or owner of the device consents, they do not know the person sleeping in the bed has consented.
As I say, this is much the same as smart TVs that could be recording your viewing patterns. Even if the installer has agreed terms and consented to such data processing, the people viewing the TV may not have.
This is a legal issue that needs sorting. I wonder if the sensitive nature of medical data in the case of the Withings sleep monitoring device will help get this to a test case? ICO have been told.
P.S. I checked, and it is at least talking over https.