IEEE Digital Privacy Podcast: Episode 15
Health Tech or Data Trap? A Legal Look at Wearables
A Conversation with Puja Modha
Partner, Aria Grace Law CIC
Listen to Episode 15 (MP3, 27 MB)
Part of the IEEE Digital Privacy Podcast Series
Episode Transcript:
Puja Modha: Let me tell you about my client called Your Stride, who’ve created a smartwatch which connects their elderly users to a 24-7 emergency monitoring team wherever they are in the UK. Now, their smartwatch has front-facing SOS buttons for easy activation. And when the SOS button is triggered, responders are immediately notified of the user’s location, so they know exactly where to go.
There’s also a built-in speaker and microphone for two-way emergency calls. And importantly, their smartwatch also has automatic fall detection. So if the user falls down and can’t call for help, the watch does it for them. So, all of this combined gives elderly users the confidence to live independently and exercise. Now, Your Stride got in touch with me when they wanted to onboard a new monitoring partner, as they wanted to conduct a proper and full legal review before signing any contractual terms.
Now, through this process, I learned that Your Stride really does care about data privacy and building safeguards into its service. What’s also remarkable is that Your Stride has received over 1,000 positive reviews, not just from elderly users themselves, but also from family members who purchased a smartwatch for their loved ones.
These reviews highlight how their product brings peace of mind, safety and independence to families across the UK. And for me, their product is a story of technology serving people with care, accountability and of course, privacy by design at its core.
Nick Napp: That sounds precisely like the kind of device my kids keep threatening me with, but we heard those words from Puja Modha, who is a commercial data protection and AI solicitor in England. And she’s joining us to explore some of the data privacy concerns that naturally form around wearable fitness trackers. These small devices are used by millions of people worldwide to monitor physical activity, sleep, heart rate, and stress levels, and many other biometric markers, but how do we ensure that the data stored on those devices doesn’t compromise our personal or our digital privacy? So we’re going to dive into the world of wearables, looking not just at the risks, but also some of the rewards. I’m Nicholas Napp. I’m the chair of the IEEE Digital Privacy Framework and Foundation subgroup, and I’m the host of this episode of the IEEE Digital Privacy Podcast. So I’d like to welcome Puja to the episode.
And building on the story of your client that you just shared with us and from some of your broader work, what are the key concerns about how wearables collect, store and share user data? What should we really be concerned about?
Puja Modha: So, first of all, thanks so much, Nick, for having me on the podcast. I’m really delighted to be here. I would say that there are four key concerns that come to mind around how wearables collect, store and share user data.
So the first concern is that wearables capture highly sensitive information such as height, weight, step count, calories burned, heart rate, and even sleep pattern. In addition, these wearables often use AI to analyze data and generate inferences, predicting things like health risks or stress levels. So this introduces additional legal and ethical challenges.
The second concern that comes to mind is that users don’t actually realize how much data is collected. Privacy notices are long and technical, so people tend to skip them instead of reading them and understanding how their data is really being used. The third key concern is to do with how much data is being shared with third parties. Many wearable devices are part of a broader ecosystem that includes companion apps, cloud services, and integrations with third-party platforms. So while users may assume that their data stays within the device or the app, in reality, it often flows to insurers, advertisers, analytical firms, and research institutions. And sometimes it does so without clear or even informed consent. The final key concern, I would say, is to do with security and potential data breaches. So…
I recently read a report by the German Federal Office for Information Security. Now they’ve done a study on wearables with medical functionalities and found that many devices that they had tested were surprisingly open to attack. This is because of vulnerabilities in encryption, inadequately secured communication channels and inadequate authentication mechanisms, all of which can really enable criminals to intercept or manipulate sensitive information. So while wearables offer powerful insights into our health, they also raise serious concerns about how much data is collected, who sees it, and how securely it’s protected.
Nick Napp: Yeah, certainly within our work at the digital privacy group, we have found a lot of times it’s an accidental issue as well. I won’t name the app’s name, but there was a running tracking app that had a lot of problems because they were basically showing the routes that people had taken when they were running. And so, you know, if you were female going for a jog in the evening, other users of the app could see precisely where your run started and finished if they happened to cross paths with you, which was a very inadvertent exposure of highly personal data, but precisely the kind of thing that I think you’re pointing at as saying we need to be cautious.
So, there must be some benefits to these devices because obviously millions of people are using them and looking at some numbers according to straight research, the global wearable tech market was valued at about 75, almost 76 billion in 2025. And that’s expected to scale to a whopping 352 billion by 2033. So clearly there’s some growth there. But in your opinion, what’s really driving that?
Puja Modha: Really good question. So I would say there are probably four key drivers. And the first one is that people are more focused than ever on wellbeing now.
So wearables make it so much easier to track activity. They turn health into something that is measurable and actionable. The appeal lies in the simplicity. So you don’t need to be a health expert to understand your progress. And with AI-powered insight and nudges, wearables really do help users to build better habits, like walking more, sleeping earlier, or breathing more deeply. And this has really caused a shift towards preventative data-driven wellness. And I think that’s a major force that’s helping and causing the market growth. And I actually see that with those around me. So for example, both of my parents who are in their late 60s have become more conscious about their health and they ensure that they move every hour and hit their steps because of their Fitbit targets and they like to compete with each other. So I’d say that’s the first key driver.
The second key driver would be wearables are also so much more fashionable now. They’re stylish. People actually want to wear them. So for example, instead of giving my maid of honor a traditional gift before my wedding, like a silver bracelet, I actually gave her a Fitbit. And that went down a complete treat, especially as she is a fitness instructor herself.
Now, the third key driver. Well, I think it’s about being part of a community. Wearables really allow people to do that, to be in a group with other people. And there’s a wonderful gamification element involved in it. So you can get step challenges and compete with people. You can get badges and you can share your results with your friends. So that makes fitness actually quite fun. Out of seven days in the week, I go to workout classes in four of the seven days. And I love sharing with my friends after workout how many calories I’ve burned or what I was aspiring to achieve. This is all because wearables allow me to do that easily. And they also create a sense of accountability for myself and for others that are involved.
Now, I would say the final key driver is that wearables are now becoming part of a bigger ecosystem. And once you’re in that ecosystem, it’s hard to leave. So for example, many companies who are employers, they run wellness programs that offer free or discounted fitness trackers to employees. And they hope that will help their employees to improve health and of course, for their benefit, productivity. Likewise, you’ve got health insurance providers. They offer perks or lower premiums if you use a tracker and meet certain activity goals. So all of these things combined, these are incentives that are really accelerating the adoption of wearables.
Nick Napp: Yeah, that makes perfect sense. So let’s move on and talk a little about legal protections. Do the current laws currently address the privacy risks that are posed by wearable technology or is regulation very much still catching up?
Puja Modha: So it’s a really good question. I’m gonna, if it’s all right with you, I’m gonna break it down a little bit. So to look at what are the current laws first. Of course.
In the EU, we’ve got several key frameworks. So I’m just going to give you a high level overview of four of them that are the most relevant. So we’ve got the e-Privacy Directive. Now this applies to any technology that stores or accesses information on a user’s device, including wearables. And before the provider of a wearable can access or store information on a device, it must inform the user what the wearable does and obtain consent in advance.
The second, the one that most people know about, is the EU’s General Data Protection Regulation, which is the cornerstone of data protection and privacy. It is deliberately technology neutral, and it requires a lawful basis for processing. It requires transparency, user rights, and strong security measures. It treats the health data from wearables as special category data, which means it requires explicit user consent and stronger safeguards.
Now, companies must ensure in this case that they are transparent and accountable. The next that we’ve got is the EU Data Act. Now, this gives users the right to access and share the raw data that their devices generate, and it forces manufacturers to design for interoperability. So the EU Data Act very much complements the EU GDPR, but goes a bit further with user rights on data portability.
The final one that we have in the EU, also very popular and quite well known now, is the EU AI Act. Now here, if a wearable uses AI to infer or predict health conditions, it falls under this act. If wearables have certain features, such as emotion or stress detection, it is likely to be classified as a high-risk system, and therefore the provider of the wearable faces strict requirements and obligations.
If on the other hand, the wearable focuses only on step counting or calorie tracking, it’s likely to be classified as low risk. So it’s different obligations. So this is everything that we’ve got in the EU. If we glance over to the UK where I’m from, we’ve got very similar protections too, just with other names for the laws and regulations. So these are the current things we have in place. Now, my view is I actually believe they do provide a good foundation, but there is some duplication.
There are some gaps and a lack of clarity. So there is no single law or regulation that is solely dedicated to wearables. And during our chat here, I’ve talked about data laws, but there are so many other laws that are relevant. You’ve got medical device laws, consumer laws. There is so much. But overall, there is no one single law that covers this very popular area and consolidates in one place. So this can make it actually quite complicated for companies that are producing these devices and for the public who are using them to know how the device should be and what rights they actually have. So in light of everything I’ve said, I would probably conclude that we do have a strong foundation, but there is more work to be done. Technology is moving very fast and wearables are becoming very popular. We really do need a law, some sort of resource that is more…and user-friendly for companies that need to adopt it and for users who will benefit from these wearables.
Nick Napp: Yeah, that also makes perfect sense. So moving to the sort of next part, you’ve talked about the users obviously, but, continuing with the legal theme, what responsibilities do companies have when it comes to protecting user data that’s collected through these wearable devices?
Puja Modha: So, well, wearables collect some of the most sensitive data. So, companies have serious legal obligations to protect it.
I would say that there are probably five key responsibilities that apply to all companies. So first, would be privacy by design is obviously necessary. This means building privacy into every stage of the wearable product development and therefore completing a data protection impact assessment at the beginning and for any feature changes. The second that I would say is that companies need to ensure that they obtain consent and put in place user controls.
So under laws like the EU and UK GDPR, consent really needs to be explicit and easy to manage. Users should be able to access, delete, or even port their data without having to jump through multiple hoops.
The next responsibility that companies have is to do with security. They need to have strong encryption, secure authentication, and regular software updates.
And then I’d also say that another responsibility is to do with transparency. Companies need to be crystal clear about what they collect, why, and who they share it with.
And finally, and most importantly, I think the key responsibility for companies is to actually ensure ongoing compliance. So laws evolve if we think, you know, there’s the EU GDPR. Now there is also the EU AI Act. If your wearable uses AI for health features and qualifies as high risk, as a company, you will now need to ensure that you have a risk management system, high quality training data, human oversight, all along with all the other obligations that are required under the EU AI Act. And this is even before you enter or continue to participate in the EU market. So I’d say they are all collectively the key responsibilities that companies need to be aware of; they are the obligations they need to fulfill. Because if they don’t, they certainly risk fines, reputational damage and losing consumer trust.
Nick Napp: So we’ve talked about the regulatory landscape a bit, and we’ve talked about the company’s obligations with these devices. Of course, the other big factor in here is the users of the wearables themselves. So what advice would you give to everyday users of wearables? How can people better understand what they’re agreeing to? And what steps can they take to actually protect their privacy adequately?
Puja Modha: A really good question.
My advice to the everyday user would be first to be very informed. Take a few minutes to check the privacy settings, notices and policies, however long and detailed they look. Know what data is actually being collected and who it’s being shared with. And if something feels unclear, that’s a red flag. Ask for clarification. More companies are open to addressing queries promptly and responsibly as they really do not want to receive complaints.
The second piece of advice that I give is really control your data. So adjust your device and app settings to limit sharing. Use strong passwords and always enable two factor authentication. It is a simple step that really can make a huge difference.
Third, I’d say be cautious with third party apps, however much you want to share data. Only connect to trusted services and regularly review and revoke permissions you no longer need. So, if you’re not using a third-party app with your wearable anymore, stop sharing. You don’t need to keep giving them your data. There are many breaches that can happen through weak links in the app ecosystem. So make things better for yourself and protect your data by sharing less when you don’t need to.
The fourth thing I would say, and this is a really necessary one, is to keep your software updated. Regularly update your smartwatch as updates can often include security patches that fix vulnerabilities. Delaying updates can really leave your device exposed to known threats. And if I’m honest, I see this happen. You know, I have a wonderful elderly aunt. Now, she never updates her smartwatch. And then she wonders why it’s not working properly. She’ll come to me very frustrated, but the issue is often just an outdated system. So make it a habit. Check for updates and enable automatic updates if available. Make it easier for yourself to protect yourself and your data.
I would say now my fifth and final step that I would recommend to the everyday user is exercise your rights. Depending on where you live, you can request copies of your data. You can ask for it to be deleted. You can withdraw your consent if you’re very uncomfortable with a certain feature. Do it. These rights exist for a reason, so use them.
And I think the final point I would say to the everyday user actually, so sorry, it’s another one point, is wearables are becoming part of our health infrastructure. They’re part of our workplace. They’re part of our social lives. So that really does mean that the stakes are higher than ever. So as a user, I would just really, really urge you to enjoy your wearable, but be curious how your data is used and be very cautious.
Nick Napp: Great. Well, thank you. That was a collection of really strong insights from Puja Modha. Thank you for joining us on this episode of the Digital Privacy Podcast. As wearables become more and more part of our daily lives, understanding how they use our data isn’t just smart. I think it’s pretty essential. So thank you all for listening. You can find more episodes and resources at digitalprivacy.ieee.org. Until next time, stay informed and try and stay private.