Question:
You work for a small but exciting Internet of Things start-up company that develops fitness- and health-themed products for consumers. One of the latest products will be released sometime in the next year, tentatively named the Health Ring.
The Health Ring looks like a piece of jewelry. It is worn on a finger, just like any other ring. Embedded in the material is an innovative set of tiny, non-invasive sensors that can measure information about the person who wears it. This includes their heart rate, blood pressure, blood-oxygen levels, temperature, and number of steps taken. The Health Ring also senses its geolocation. Users also provide additional biographical information through an app when they register for service, including height, weight, gender, and age, as well as an email address.
Through the companion app, which will be available on smart phones and tablets, the Health Ring compiles all of the information it collects into a fitness and well-being report, which provides the user with a proprietary score of their overall health. The app can also be used to display workout histories on a map, such as running and biking routes. All of this information is stored in a cloud computing environment that is managed by the company, and the app pulls the information down to the user's phone or tablet when they log in. In order to provide the fitness report, the company partners with another startup company that specializes in data analytics. The analytics startup designs and maintains the algorithms and manages the data storage on the backend for your company.
The company projects that the primary revenue streams will come from sales of the Health Ring and a subscription service that unlocks premium features in the app. In addition, the company thinks that the data could be sold or licensed to members of the medical community who conduct research on the impact of fitness on personal health. Although the company is based in the U.S., it plans to sell the Health Ring within E.U. member states.
Your assignment: The company is already familiar with the U.S. Federal Trade Commission's approach to consumer privacy, and it estimates its practices are compliant (based on the FTC's unfair and deceptive trade practices authorities). However, it knows little about the E.U.'s approach to consumer privacy.
To help the company prepare to enter the European market, you are tasked with developing a brief slide deck (approximately nine slides, with accompanying notes explaining your rationale) to introduce the company to the GDPR. Conduct internet research as needed, and take note of any relevant guidance issued by the European Data Protection Board. Pay special attention to GDPR Articles 2, 4, 5, 6, 7, 9, 24, 25, 26, 28, and 30. Note that some of these articles were not assigned as part of the readings; you can find them online.
Use your judgment to focus on the aspects of the GDPR that are most important at this stage for the company. At a minimum, your slides should address the following questions:
1. How does the GDPR differ from what the U.S. FTC requires under its UDAP authorities? Is meeting the FTC's privacy "standards" sufficient to meet the GDPR's requirements? How would you describe the similarities and differences?
2. Would the Health Ring be subject to the GDPR? What specific characteristics of the product inform your reasoning?
3. Based on the information provided about the Health Ring, what kinds of transparency disclosures are needed? How specific do they need to be?
4. What basis for lawful processing should the company rely upon? Roughly speaking, how would you recommend the company go about this?
5. What requirements, if any, does the company's partnership with the startup analytics company trigger under the GDPR?
6. If the company decides to sell or license information to medical researchers, what, if anything, might that require under the GDPR?
7. What changes, if any, might the GDPR require for the company's internal operations, in terms of documentation and oversight?
8. Is there any additional advice you would offer to the company about how to approach GDPR compliance?
N.B. - For purposes of this assignment, you can assume that no data from the Health Ring devices sold in Europe will be transmitted or processed outside of E.U. member states.
References:
1. Adam Satariano, "GDPR, a New Privacy Law, Makes Europe World's Leading Tech Watchdog," The New York Times, May 24, 2018.
2. General Data Protection Regulation (EU) 2016/679, Art. 3, 4, 5, 6, 15, 30, 32, 33, 34, 82, 83.
3. Stephen P. Mulligan and Chris D. Linebaugh, "Data Protection Law: An Overview," Congressional Research Service Report R45631.
4. Example GDPR enforcement actions:
   - United Kingdom Information Commissioner's Office press release, "ICO fines Marriott International, Inc. £18.4 million for failing to keep customers' information secure," October 30, 2020.
   - Commission Nationale de l'Informatique et des Libertés press release, "The CNIL's restricted committee imposes a financial penalty of 50 million euros against Google LLC," January 21, 2019.
   - "French Highest Administrative Court Upholds 50 Million Euro Fine against Google for Alleged GDPR Violations," June 23, 2020.
5. Catherine Barrett, "Emerging Trends from the First Year of EU GDPR Enforcement," American Bar Association SciTech Lawyer, February 28, 2020.