The Legal Ramifications Of Body Scanning On Fitness Companies And Athletes


The EU has adopted a new privacy regulation, the General Data Protection Regulation (GDPR). It is innovative, but also strict. New 'data-driven' products and services from non-EU countries will therefore likely need to be revised before they can successfully enter the EU market.

For example, this seems to apply to the 3D body scan of the Australian company mPort, which is aimed at online retail for clothing and fashion and at the fitness space. A body scan produces biometric data and body measurements. Under the GDPR, biometric data processed to uniquely identify a person and data concerning health are both 'special categories' of personal data (Article 9), which are subject to much stricter rules than ordinary personal data. Therefore, both mPort and any company operating an mPort body scanner will need to take additional measures to ensure that security and privacy fully comply with EU regulation. mPort also hints that a health claim could be made based on one or more body scans. If the product or service is presented as having a medical purpose, it is likely to be considered a 'medical device' under EU law. In that case, even more measures are required: a clinical evaluation and CE marking become mandatory.


Body scanning is still an experimental technology, which implies considerable operational and financial risk. Apparently, this doesn't stop mPort or other companies from undertaking R&D activities on a large scale. For example, Evolv Technology (whose scanners are aimed at security screening rather than fitness) is planning large-scale pilot projects at Union Station in Washington DC, at Los Angeles's Union Station metro and at Denver International Airport.

Operating an mPort body scanner in the EU requires the user's explicit, informed consent, given through an individual agreement. That agreement needs to cover several aspects, such as the right to have personal data erased (or not stored at all). The targeted personal profiling is risky, because the customer can always review and contest it: data subjects have the right to object to profiling and not to be subject to decisions based solely on automated processing. It also doesn't matter if the name of a person has been removed from the dataset: pseudonymised data is still personal data, and a set of body measurements is probably enough on its own to single out a unique individual. Profiling on the basis of health data is prohibited unless one of the Article 9 exceptions applies, and the exception for medical or health-service purposes is not available in an informal (non-medical, non-health-service) fitness context, so explicit consent is the only realistic basis.

Storing and sharing 'identity' data is only allowed in a few cases, and it's unlikely to be allowed in this case. Finally, collecting and storing such measurement data is a 'high risk, high impact' operation, because current security measures cannot fully mitigate the operational risk of 'data leaks'. Processing special-category data on a large scale also requires a data protection impact assessment (DPIA) before the processing starts. Data breaches must be reported to the supervisory authority within 72 hours of becoming aware of them, and to the affected individuals without undue delay when the breach is likely to result in a high risk to them. Unfortunately, data breaches are quite common nowadays, and they are often detected late, frequently by the affected individuals themselves. Failing to report a breach is itself a fineable infringement, with fines of up to 2% of annual worldwide turnover or 10 million euros; infringements of the basic processing principles, such as processing special-category data without a valid legal basis, fall in the top tier of 4% of annual worldwide turnover or 20 million euros. This is serious business.

However, Europe is and will remain an interesting playground and stepping-stone for testing and scaling up Sport & Health Tech innovations. The EU privacy laws encourage products and services that are both sustainable and sensible, for both the consumer and the company. In the short term, this seems like collateral damage for leading innovators, but in the long term it will bring 'privacy-by-design' and 'security-by-design' products and services that also produce healthy cash flows and customer loyalty.

In other words: if you're compliant in the EU, you are probably compliant anywhere else, which could significantly reduce the investment needed to bring the product to other countries and regulatory regimes. Global companies that want to succeed in the EU will make GDPR compliance a goal and will include the activities the GDPR requires in their product development process and their budget.

What applies to a fitness product and service like mPort basically applies to all data-driven sport and health technologies aimed at the EU. Recently, for example, Runkeeper, Nike and Fitbit faced similar challenges after regulatory reviews in Norway and the Netherlands (additional regulatory feedback in Dutch).

These are global challenges for all companies that are planning to launch or scale up sport and health technologies. The US Office of the National Coordinator for Health Information Technology (ONC) has recently flagged the same issues with respect to US rules such as HIPAA and FDA regulation. Addressing these challenges will help to make better products that can help athletes and teams improve technique and performance without running unnecessary personal risks.


This was a contributed story by Marcel van der Kuil. Marcel is quite serious about running and mountain biking. Alongside that, he is active in Sports & Health Tech as an entrepreneur, trainer/coach and blogger. Marcel has a background in Computer Science, Data Science and Regulatory (MSc). Data plays a major role in Marcel's international ventures, as do science and R&D.