Wearables: Smartwatches, fitness trackers, smart glasses

Smart devices that are worn on the body can be used for a wide variety of purposes. Their sensors allow them to collect and analyse data on things like physical activity, sleep and heart rate. They can also be used for augmented reality applications as they are equipped with cameras, microphones and location functions and can connect to the internet either via a direct mobile communication connection or by communicating with other devices (e.g. smartphones) via Bluetooth. The data protection risks therefore depend heavily on what the devices are actually used for, and can affect the users themselves as well as third parties.

User data

Most users employ wearable devices to record their own physical or athletic activity. They also gain insights into their performance, health and well-being by using pre-installed software or apps they have installed themselves to analyse the data that is collected. This data is highly personal – after all, it is measured directly on the body. Health data is considered sensitive personal data, as the risks in the event of misuse are high. Since such devices can be worn for days on end, even at night, patterns such as movement profiles can also be identified, enabling conclusions to be drawn about users’ health, lifestyle habits and private lives. In short: devices like these often know more about their users than the users know about themselves.

What to consider before making a purchase

Before purchasing these devices – or, in the case of a self-installed app, before installing it – it is therefore advisable to check how the manufacturer or app developer handles the data collected. This information can be found in the terms of use and privacy policies. It is worth reading these carefully in order to make an informed decision about your right to informational self-determination. The following questions can help:

• Have the products been designed with data protection in mind?

  Care must be taken to ensure that wearable products meet strict data protection and security standards, as users consent to the processing of sensitive personal data – and the consequences of misuse can be serious. Products developed in Switzerland or Europe are subject to strict requirements under current data protection regulations. Manufacturers must also adhere to the privacy by design principle, which requires data protection regulations to be taken into account throughout the entire design process. Specifically, they must ensure that data flows are encrypted during data transmission. It is also important that they provide security updates over the long term, regularly check for vulnerabilities and rectify them quickly.

• Where is data stored?

  When data is processed locally, i.e. on the device itself, users retain complete control over their data at all times. However, most of a wearable’s functions require data to be processed in a public cloud, for example when users wish to synchronise data across multiple devices or when using AI functions that require large amounts of computing power. If the data is processed in a cloud belonging to the manufacturer or a third-party provider, careful consideration should be given to where this data is processed and under what conditions.

• Is there a detailed, comprehensible and transparent description of the data processing?

  The manufacturer’s privacy policy and terms and conditions must be read carefully before purchase. Users must check whether the manufacturer or provider will process the data exclusively for the purpose of providing the desired service, or whether it reserves the right to use the data for other purposes as well. As this concerns health data, Swiss law requires the explicit consent of the data subject for its use for marketing purposes or for the development of proprietary products (see also Cookie Guidelines). It may be worth comparing different products.

• How can users contact the manufacturer/provider or access support?

  It should be clearly indicated how users can access support services and/or assert their rights. It is also helpful to have the option of contacting a data protection officer from the manufacturer or provider. If the data controller is located abroad, it is advisable to check whether there is a representative in Switzerland who can serve as a point of contact for questions or support regarding data protection issues.

Tips for using the product

In addition to reviewing the terms of use and privacy policies, users can take certain steps to reduce privacy risks:

When installing third-party apps or before using certain functions on a device, users are often asked to grant access to certain data on the device or to grant permissions, such as access to photos, microphone, location or health data. It is advisable to check whether the permissions are necessary for the desired functions of the app. Unnecessary access should always be refused or revoked in the settings. A privacy-friendly app should operate according to the principle of data minimisation. If the user is forced to grant permissions that are difficult to understand in order to use an app or device, it is better to refrain from using it. Security vulnerabilities can be addressed through updates. Downloading updates and regularly updating apps and software on the devices themselves reduces these risks.

Data relating to a user’s children

Parents are increasingly using wearables’ GPS and Bluetooth tracking features to track their children. Children and minors cannot exercise their personal rights themselves due to their lack of legal capacity, but their legal representatives are obliged to act in their best interests and to protect them – while still respecting their privacy and personal space. Children cannot legally consent to the processing of their data for their own monitoring.

Third-party data

Wearables equipped with cameras or microphones also enable users to process data relating to third parties (family, colleagues, friends, customers, patients, etc.), e.g. by recording their voices or taking photos. However, given that wearables are far more discreet than smartphones, there is an increased risk that the data of third parties could be collected, processed or transmitted without their knowledge. In this context, users must be aware that they are not simply permitted to process images and voices of third parties. Covert data collection may violate criminal law (see below).

Special case of smart glasses

The most advanced smart glasses (such as Ray Ban and Oakley glasses) are particularly discreet. They are capable of recording images and sounds (photos and videos) without the knowledge of the people concerned and can share them quickly and immediately, for example by livestreaming on social media. They are integrated into Meta's products and artificial intelligence. These functions therefore pose an increased risk to third parties’ right to privacy.

Processing personal data in breach of the principle of transparency constitutes an infringement of privacy that is difficult to justify and is therefore unlawful. Users should therefore ensure that any third parties involved are informed of the recording and consent to the processing of their data.

Failure to comply with these principles may result in civil and criminal penalties (e.g. under Arts 179bis, 179ter and 179quater of the Swiss Criminal Code). Users are responsible for familiarising themselves with the applicable legal provisions in force at the location where they are using the product. For further information, please see the related information on "Photos and privacy".