Policy Recommendations: Wearable Sensors

Gadgets on the move and in stasis

Consumer and medical electronics, what's the difference?

Our policy recommendations are based on the findings of a three-year-long case study on wearable sensors. We have assessed state-of-the-art developments, using evaluation and analytic methods that correspond with the expertise and experience available on our study team and among our associates in industry and innovation, medicine, policy, grass roots activism, STS and ELSI study traditions. We provide recommendations for ongoing innovation in this field, considering the necessity of mutual recognition and reflexive knowledge exchange among innovators and industrial actors, medical expertise, scholarly and technical assessments, patient organisations and grass roots activists, policy developers and regulators.

Summary of findings and key concerns

Wearable sensors for health and self care, fitness and well-being, are gadgets on the move and in stasis. They blur the boundaries between healthcare and the self-administration of care when patients begin to actively self-monitor using wearables and biosensors as part of ongoing care. They shift these boundaries when consumer electronics are marketed and put to use for medical purposes—devices which then sit in a policy vacuum since there is no adequate legal framework with binding rules to cover consumer gadgets in medical settings (Green Paper on mHealth, 2014). Yet, the boundaries are drawn quite clearly when wearable sensors are marketed for quasi-medical purposes, for which the HTA frameworks and the European medical devices directive do not apply. Moreover, wearable sensors, whether or not they classify as mHealth technology, are not indiscriminately on the move. In fact, their flexibility is confined to prescription: that of structured activity, of locality, stasis and types of measure and monitoring built into them, including standards on data capture and data processing.

Policy-relevant considerations

  • Reform in healthcare delivery across Europe comes with great emphasis on more personalised care, patient choice, private insurance and personal responsibility.
  • Personalised care is shifting roles, relations and responsibilities in care-giving.
  • Mass marketing of smartphone-enabled apps and accessories is blurring the boundaries between healthcare, self care, fitness and well-being applications.
  • New service 'hubs' for mobile data gathering and the processing of health-related and potentially sensitive information are a challenge to the protection of privacy and personal data.

We learn from our explorations that policy and research programmes are promising flexible and more personalised care, patient involvement and greater citizen responsibility in managing disease and staying healthy. Alongside that is a very positive media environment, accommodating media commentaries which are almost entirely based on promotional materials that endorse the new gadgets and services. It is not clear, however, how ICT-based and mobile technologies will impact in the long run on publicly or privately provided care and public health targets. Wearable sensors fit into grander visions of a healthcare revolution—of an evolving ecosystem of objects, functions, services and growing incentives to take charge of one's life. But there is an implied bias here toward prediction and control, which reduces care to control measures and over-simplifies care relations and communication on care.

During the early stages of the case study, the future of care and the future of the informational embodied person were two topical areas identified on the basis of a changing politics of care and the influx of gadget use-data, behaviour-data, location-data and other incidental data in the mix with data on people's physiological states and medical conditions. The responsibility for providing care is shifting from public institutions to private enterprise, toward more personalised care, patient choice and individuals being themselves in charge of their care needs. It follows that increased use of wearable computing and sensor technology to support the new care practices necessitates collection, processing and dissemination of data on persons and bodies in ways that can be hard to reconcile with directives on the protection of such data. It can also be argued that predominant visions of 'measure and monitor' to support health and self care are reductionist in their orientation to care as data practice.

Policy recommendations – Innovation policy development

These recommendations are directed at scientific and innovation policy advisory bodies to the ESF, the Digital Agenda, the Commission's DG-Research, DG-Health, and other relevant innovation and research funds/agendas/programmes in matters of health and social care, ICT-driven innovations in healthcare (eHealth / mHealth) and Public Health initiatives.

Navigating the future of healthcare, patient activism and the self-administration of care, concerns all Europeans. Care is woven into the fabric of everyday life and everyone is at one point or other facing the consequences of change. This reminds us that EC and EU policy-makers are not the only, or necessarily the most important policy actors in developing an innovation policy with claims upon the future politics of care and what the priorities need to be to ensure sustainable quality care—what should be the institutional (re)structuring, the technological and socio-cultural innovations, and the reimbursement and funding schemes to provide care or to otherwise support it.

In the case of wearable sensors as part of the eHealth and mHealth programmes, there are questions to debate and deliberate across a wide range of expertise, professional and other relevant experience to shape and cultivate an epistemic network. Such a network is necessarily dynamic and fluid, an emergent network of a rather different constitution than the narrow aggregates of policy actors who – so far – appear to have exclusive access to policy development and decision-making procedures.

Recommendation: In navigating the future of healthcare for European citizens, we strongly recommend rethinking how the policy environment is shaped:

  • Is the policy action mindful of the sensitive nature of future-making on behalf of European citizens?
  • Is the policy action mindful of the limits of prediction and know-how?
  • Is the policy action an exploratory action? Is it experimental, a fact finding mission across knowledge sectors, occupations and ideologies?
  • Is the policy action a work-in-progress, aiming toward discovery – on an ongoing basis – of the kinds of things that can be imagined and stated about an innovation domain?

Are politics and innovation policy pulling the medical establishment on the future of eHealth and mHealth, being pushed by it, or both? The policy literature and funding programmes tell a mixed story which indicates to us a lack of clarity in the innovation and policy rationale.

Recommendation: We strongly recommend achieving clarity on the following points:

  • Are the innovation narratives on eHealth and mHealth mindful of potential bias of prediction and control, of reducing care to control?
  • Are there, among the policy actors, also those who are inclined to question faith in technological fixes? What alternatives do their insights have to offer?
  • Are the innovation narratives over-simplifying communication and interrelations, for example, between patients and doctors, policy-makers and innovators, and people's experiences of their lived bodily selves?
  • Are the innovation narratives reducing medical consultation to data collection and information gathering, to substitute for in-depth communication that necessitates taking into account cultural, environmental and physiological specificities of a medically-relevant case?
  • Does the emphasis on individual empowerment adequately take into account which care provisions are actually available and the full range of personal circumstance affecting motivations and abilities, including economic hardship or any form of exclusion from access to high tech solutions?

We observe a disconnect between top-down thinking in policy development aiming at personalised healthcare and mHealth, and the kinds of grass-roots developments that show what people actually do when left to their own devices, and how lead markets take shape. The policy discourse takes little if any notice of self-generating trends in managing health-related conditions with the support of devices and online services, self-help and peer-communication portals. The industry is often well aware of such trends and capitalises on them, but the institutional structuring for devices regulation is disconnected.

Recommendation: We strongly recommend achieving clarity on the following points:

  • Is the policy discourse on eHealth and mHealth making irresponsible promises of healthcare revolutions, suggesting that electronic devices and services (including wearable sensors) are key to improved care delivery, increased efficacy and cost savings?
  • What can be done to better identify the uncertainties (social, ethical, legal, technological and political) in shifting responsibilities for care into the hands of individuals themselves?
  • Are there, among the policy actors, also those who are knowledgeable and involved in DIY design and development—those who observe first hand the implications for healthcare policy?
  • How can lessons from grass roots action be incorporated into the established practices, e.g., on criteria for data protection by-design, on issues of inclusion/exclusion, and other relevant concerns?

Policy recommendations – Regulatory and legal uncertainties

These recommendations are listed for immediate consideration and action in response to devices and services already in use and widely available on the market. They are directed at authorities of medicines and health products across Europe and the associated Health Technology Assessment (HTA) bodies, the Commission's DG-Connect, the EDPS and the Article 29 Working Party, as well as the country-based DPAs.

Consumer electronics and apps are used by patients as part of ongoing care, and consumer electronics and apps are marketed and put to use for medical purposes. These mHealth practices both push and blur the boundaries between healthcare, patient participation, and the self-administration of care; between consumer rights and law and the EU Council Directive concerning medical devices. The 2012 ESF forward look on personalised medicine recommends that healthcare professionals work with ICT experts to define, for example, how smartphone-paired and smartphone-enabled sensors and apps can function as decision-support tools for citizens. It recommends a flexible health technology assessment (HTA) framework to support the adoption of new technologies of added value to conventional care. But, if the new gadgets and services are not strictly classified as medical, and regulated as such, they effectively sit in a policy vacuum. There is no clear legal framework yet, with binding rules, to ensure that developments, uptake and use are sound, as the green paper on mHealth puts it (2014, 3.3, pp.10-11).

Recommendation: We strongly recommend deliberation for action in response to mHealth developments:

  • What can be done to establish an adequate legal framework, with binding rules, to cover safety and performance requirements of quasi-medical devices?
  • How can legal ramifications be adequately (re)drawn between consumer and medical wearables?
  • Is there need to strengthen the enforcement of EU legislation applicable to mHealth, by competent authorities and courts; if yes, why and how?

The terms of use of social networking sites (SNS) often specify that users grant the service provider 'perpetual, irrevocable' right to 'commercially exploit any text, photographs or other data and information' submitted to the online service. From a legal perspective, 'terms of use' in these environments present a strange hybrid of data protection law and something akin to copyright law. This is also the case for SNS processing wearable sensor data and associated information on the individual. By framing data and information as 'user-generated content' and defining their use according to terms seemingly taken from copyright licensing, the locus of regulation and control of private and potentially sensitive data is presented to the user under the legal regime of quasi-intellectual rights, not that of data protection. 'User-generated content', however, is not a widely accepted legal term. It can be said to resemble copyright to the extent that creating the content requires original input, although that is potentially misleading because it can be questioned whether the data exhibit the 'certain amount of creative effort' necessary to qualify as copyright user-generated content (OECD, 2007). It is also misleading to suggest that data protection is waived in this way. Rights and obligations concerning personal data cannot be so freely contracted away. For instance, consent is always revocable and never perpetual.

Recommendation: We strongly recommend clarifying the legal status of user-generated content in Europe, as well as the status of data protection law in relation to the creation, storing, processing and sharing of such content.

Adequately addressing issues of data protection is a pressing matter when the registration process onto online data platforms and SNS that accommodate wearable sensor data is visually designed in such a way that it nudges the user to ignore privacy policies and terms of service. The same argument applies to the visual design of the platforms themselves. They often nudge users to make the least privacy-friendly choices. The layout of privacy policies has also been criticised for being opaque, typically using small block text format creating impenetrable textures rather than readable text.

Recommendation: Several paths should be explored for deliberation and action:

  • Data controllers of online data platforms should be driven to take more consumer-centred approaches.
  • What kind of incentives can be put into effect to help deliver more consumer-centred approaches, e.g., should international self-regulatory codes or best practices be considered, or a facilitation of collective action through EU redress mechanisms?
  • Data controllers should incorporate relevant aspects of the General Data Protection Regulation (when legislated), or more precisely the obligation currently in the proposal, that data controllers should offer 'transparent and easily accessible policies' so that the data subjects can exercise their rights (Article 11.1 GDPR).
  • How can the creation of general tools that enhance awareness and understanding of data policies (like rating and labelling) be stimulated?

Similar arguments pertain to more general issues of data control and transparency in the operations and use of online data platforms and SNS:

  • Data controllers should establish procedures and mechanisms for the architecture of online data platforms and user interfaces, to enable data subjects to effectively exercise their rights (to object, access, modify or delete their data), and be provided with information about the nature of the data processing. This means also that system transparency and user empowerment – as the law requires – should be designed into the architecture to afford action, but that will also be an obligation of the data controller, i.e., to practice 'data protection by design' (Article 23.1 GDPR).
  • An important objective for establishing the need for these measures should be the degree to which they enable data subjects to effectively understand their own informational actions online and to exert control over their informational citizenship and person-hood.
  • A further consideration is whether the 'by design' framework will have to be expanded upon to cover issues like non-discrimination.

The DPIA Framework for Radio Frequency Identification (RFID) applications was established in response to the sudden ubiquity of RFID units and to the nature of their use in data handling operations. In light of a recent surge in wearable sensors for health, fitness and well-being purposes, and given the technical similarities between RFID units and wearable sensors, the RFID framework can be considered a relevant basis for DPIAs of the use and handling of wearable sensor data. Furthermore, since these devices will process personal data 'concerning health' and 'for the provision of healthcare', a DPIA will be mandatory under the proposed European GDPR regulation (art. 32a.2b&d GDPR).

Recommendation: We strongly recommend achieving clarity on the following points:

  • DPIAs for the handling of wearable sensor data will need to consider the limitations of risk assessment methods, by paying attention to risk framing and uncertainties, public engagement protocol and legal lessons on the substance of rights and procedures for dealing with them.
  • Preparing and organising DPIAs for the handling of wearable sensor data will need to consider a protocol for justifying the basis on which the considerations listed in the previous point are taken into account:
    • Is the rationale for the inclusion of risk assessment methods and risk framing mindful of user experiences, potential design complications and the risk of live system faults, including operational/administrator errors?
    • Is the DPIA covering and reflecting upon 'inconvenient' uncertainties?
    • Are public engagement plans going past the survey model, considering focus groups, scenario workshops, consensus conferences and science cafés, deliberative polls and citizen juries?
