Ryan Black

“I’m wearing a Fitbit right now, so I’m kind of a hypocrite,” joked Jason Chung, JD, before he raised a series of grave data privacy concerns surrounding wearables.

Chung, a senior research scholar at New York University’s School of Professional Studies, used sports leagues to illustrate why the United States needs better privacy regulations for health data collected by wearable devices. The NFL players' union reached an agreement to distribute a biometric fitness tracker to all players in advance of the current season. The MLB and a few college teams now request that some athletes wear the devices. As a result, Chung said at the Data Privacy in the Digital Age symposium, one player described feeling like a “lab rat.”

Biometric data, Chung went on, can paint a comprehensive picture of one’s habits and proclivities. When an employer collects that data and stores it on a third-party cloud service, it raises important questions of ownership and privacy.

While the NBA players' union has held in its collective bargaining agreement that athletes can opt out of wearing any device that the league may someday embrace, and that hypothetical data collected by wearables be forbidden from use in contract negotiations, most American workers are not represented by a robust union the way professional athletes are.

That becomes an issue to Chung because he believes the government and insurance agencies incentivize the use of wearables in non-sports workplaces to gather employee health information, thus lowering insurance costs. Large companies like BP, he said, use voluntary programs for this purpose, while CVS has fined employees for not sharing health metrics.

Beyond being a bargaining chip for group insurance plans, “Health data can also be used for more invasive employee monitoring, evaluation, and discrimination,” he said.

All of this amounts to an ethical quandary: “What will happen if an employee doesn’t want to share their data or wear a Fitbit?” he asked. Sports leagues have a massive investment in their workers’ physical fitness, but “How can Oracle ask a systems analyst to do the same thing?”

Apologizing to his hosts (the Department of Health and Human Services held the event), Chung said US regulatory infrastructure was not adequately set up to ensure that biometric data can be accurately collected from wearables, stored securely, and used transparently.

HIPAA itself, he noted, even contains an exemption of mHealth technologies from its domain, which then pushes the regulation off to 2 other agencies: the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC). Although the FTC has provided some guidance on the collection and use of biometric data, and the FCC has a Connect2Health task force to review how wearables should be regulated, Chung thinks these efforts are insufficient.

“While [the FCC and FTC’s] commitment may be admirable, the US is betraying a historically siloed approach to modern problems,” he said, calling the current approach, “frankly, a mess.”

Solutions he proposed require looking at how the European Union or Canada approach the issue. Even Hong Kong, often considered the “freest economy in the world,” has a single federal regulator, the Office of the Privacy Commissioner, overseeing the matter. Canada, where Chung is from, has a body of the same name.

He stressed an imperative that the US follow suit in consolidating regulation of biometric data policy, to eliminate inefficiency and give citizens a clear resource to turn to with their concerns. The presence of wearables in the workplace is only going to spread in the coming years, he said.

“Such battles will soon pass from the sports and technology pages to the front page, and Americans will begin rightly asking who is responsible for this data, and who should be,” he said.

When asked why he was speaking on the issue given that breaches and misuse of athlete biometric data were, at this point, hypothetical, he responded: “They’re only hypothetical in the sense that we haven’t had a catastrophic event yet. But we will.”