The European Data Protection Supervisor has published a technology report on smart glasses and data protection. The report aims to clarify the state of play relating to smart glasses and related privacy and data protection issues. The report’s conclusion is that there is currently no need for new legislation to address issues arising from the use of smart glasses. The GDPR has set out a harmonised set of principles and tools for developers of smart glasses to assess privacy impacts. However, it includes recommendations to establish a new framework for privacy and electronic communications, as proposed with the ePrivacy regulation.
In summary, smart glasses are wearable computers with a mobile internet connection which you wear like glasses. They may display information in the user’s view field and may capture information from the physical world using eg camera, microphone and GPS receiver for augmented-reality (AR) applications. The target audience was initially the business market but there are now cheaper models aimed at a younger and wider audience. They have a wide variety of uses including technical maintenance, education, construction, etc.
Smart glasses can also be used for law enforcement purposes (eg a police officer could wear them and use facial recognition to put a name to a face in a crowd). The report states that legislators must consider necessity and proportionality when discussing legislative initiatives aimed at using connected devices such as smart glasses for law enforcement purposes.
Smart glasses have many uses but according to the report, have a high potential to undermine the privacy of individuals and may suffer from security loopholes. Although they are not widely used at present, their significance will increase and some issues were considered in the Article 29 Working Party report on the Internet of Things. The potential for harm comes from the following areas:
- lack of data control by users and especially by non-users
- inference derived from data and repurposing
- intrusive analysis of behaviour and profiling
- limitations on the possibility to remain anonymous for the user
- lack of anonymity because of high identifiability of information being processed, eg facial pictures
- processing of special categories of data which requires special safeguards
- the security risks attached to mass market products.
Most of the data protection recommendations for Internet of Things devices also apply here:
- apply data minimisation eg do not collect localisation data unless really needed
- perform a data protection impact assessment
- embed data protection by design and default in the development process
- provide application information to users and non-users, develop new and creative ways to inform, and obtain consent from, non-users
- specific user control before publication on social networks
- security and vulnerabilities notifications and security updates.