The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “AP”) announced on March 8, 2016, that two companies agreed to stop processing employees’ personal health data after the AP initiated an investigation into the employers’ practices. The two companies provided their employees with wearable devices (or “wearables”), which allowed the companies to track their employees’ physical activity and sleep patterns. In addition to the two investigations, the AP issued guidance to employers emphasizing that employers are prohibited from engaging in these practices.
The AP explained that an employer’s processing of personal health data generated by wearables is a breach of the Dutch Data Protection Act (“DPA”), and that data on movements and sleeping patterns qualifies as “sensitive personal data,” which is subject to stringent requirements under the DPA.
As a basic principle, processing sensitive data is prohibited under the DPA. There are a number of exceptions to this prohibition, both specific exceptions for specific categories of sensitive personal data (e.g., personal health data) and general exceptions. For most employers, a specific exception for processing personal health data is not available. From the general exceptions, obtaining the explicit consent of the data subject is the most commonly used exception for processing sensitive data.
However, the AP explained that employers cannot rely on the explicit consent of their employees for the processing of their personal health data generated by wearables. For consent to be valid under the DPA, the consent must be freely given, explicit, and informed. According to the AP, an employee generally cannot provide “freely given” consent because of the employee’s financial dependence on the employer. Other exceptions (e.g., if the data has been made public by the data subject, or if required for use in legal proceedings) also would not likely apply.
The AP also explained that if an employer gives its employees a wearable that generates personal health data, the employer may not set conditions on the use of the wearable. In addition, neither the employer, the supplier of the wearable, nor any colleagues of the employee may have access to or process the personal health data generated by the wearable, even if the data is anonymized. Employees may decide to share certain data generated by the wearable with friends or colleagues voluntarily (e.g., on social media), but they should refrain from sharing such data with their employer.
This is not the first time that the AP has been distrustful of personal data generated by wearables. In November 2015, following an investigation into the Nike+ Running app, the AP published a report in which it concluded that Nike violated the DPA in a number of ways through this app. Amongst other things, the AP concluded that Nike processed personal health data through the app without obtaining the required explicit consent from the users. It will be interesting to see whether the AP will continue to scrutinize the processing of personal data generated by wearables.
Although the AP explained that employers “generally” cannot rely on the explicit consent of their employees – suggesting that there may be some cases where reliance is possible – it made clear that processing personal health data generated by wearables is not such a case. This appears to be a more stringent view than the Article 29 Data Protection Working Party’s view, as set out in its opinions addressing the processing of personal data in the employment context (see here, here, and here).