This article was published by Data Guidance.
As our uses for technology develop, new risks – and terminology – emerge. All of us are familiar with the Internet of Things; now we may have to grapple with the Internet of Bodies (‘IoB’) and its associated risks, as recently addressed by the Spanish data protection authority (‘AEPD’). Javier Arnaiz Vidella, Cybersecurity and Privacy Manager at ECIJA, analyses the evolution of IoB and the AEPD’s guidance on IoB risks [1].
The evolution of technology has changed the way we communicate and interact with each other, how we track our exercise, and even how we manage our personal health. In the case of health tech, the personal data processed is not only diverse, but also bears directly on our most intimate sphere. Some of these technologies, usually designed to improve or record the user’s health, such as connected implants, smart bracelets, or wearable heart monitors, seem like something out of a futuristic film. Nevertheless, devices that connect to the Internet to improve their usefulness are now commonplace and are distributed at scale by over-the-top (‘OTT’) operators, retailers, and major websites. Such connected devices are usually grouped under the Internet of Things (IoT). However, newer functionalities have increased their potential both to process sensitive and medical information about the data subject and to have real, physical consequences for that person, prompting a new term for these tools: the Internet of Bodies (IoB).
The evolution of IoB devices raises three distinct kinds of concern: the legal requirements that apply to the information being processed, the physical consequences of the device’s operation (e.g. a connected pacemaker or prosthesis), and the cybersecurity requirements (from national or international regulations or standards) needed to protect both that information and the device’s functionality.
IoB devices could be classified under the following groups:
- First generation: devices outside the body such as physical activity monitoring (e.g. wristbands, smart watches etc.);
- Second generation: devices internal to the body, including those that can be implanted, such as devices for medical purposes (e.g. pacemakers, cochlear implants, or organs developed through 3D printing); and
- Third generation: body-fused devices with a communication interface that allows interpreting and acting on the biological elements themselves.
With the rapid evolution of IoB (and with regulation advancing more slowly), regulatory bodies are issuing regulations and guidelines that either adjust or clarify the current rules in order to guarantee that these technologies are safe for users.
In particular, the AEPD recently issued a document on IoB risks. In it, the AEPD explains several risks to be considered when using these technologies and sets out a number of points to be addressed in order to secure IoB devices. Although brief, the AEPD’s guidance outlines the essential points to be considered when assessing IoB devices.