Smart glasses - tech dream, data protection nightmare?

The wearable tech industry has made huge strides since the early days (everyone's favourite: calculator watches) and has been on the cusp of exploding for almost a decade. Smart watches are ever more popular for social, entertainment and sports purposes. After a shaky start in the consumer market smart glasses are now predicted to become part of many of our lives in a personal or professional capacity.

How could smart glasses impact our privacy?

Smart glasses are treated as a particular class of the "Internet of Things" (IoT) for two reasons. They have a relatively high number of sensors and they are worn as ordinary glasses. As a result, they can record much more data from the physical world than most other IoT devices. Sensors such as Wi-Fi, Bluetooth, GPS tracker, accelerometer, microphone and camera allow collection of personal data such as activity and health profiles of both users and nearby non-users. And the information gathered goes beyond direct user inputs. It also encompasses information from the device environment from which personal data may be derived indirectly without an individual's knowledge and consent.

One of the main concerns regarding smart glasses is their capacity to record video and audio in a discreet way so that the people being recorded are not aware of it. The dystopian future portrayed in the Black Mirror episode ‘The Entire History of You', where everyone's field of vision is continuously recorded, may be an extreme scenario. But gathering personal information without the subject's consent is clearly a relevant issue for developers.

With the popularity of smart glasses on the rise, the European Data Protection Supervisor (EDPS) has produced a report exploring the privacy and data protection implications. It highlights the following concerns:

• videos of people in public places (use of CCTV that included coverage of public areas was found to be the processing of personal data in the 2014 Ryneš case);
• localisation and audio recordings;
• processing of Wi-Fi or Bluetooth radio signals of others' devices;
• non-users watching the smart glass display (potentially containing personal information); and
• security loopholes allowing others to gain access to personal information.

What do manufacturers need to do?

Europe's new privacy law, the GDPR, includes comprehensive and detailed obligations on the collection and use of personal data. Obligations require developers to design in privacy from the outset. Organisations collecting and processing data generated in this way will have to comply with the GDPR's requirements on fair and lawful processing, transparency, data minimisation and retention, data subjects' rights and data security.

Smart glasses are already used by law enforcement in several countries using face recognition technology to identify individuals in crowds and could be used to scan vehicle licence plates and process biometric information. Google, in response to privacy concerns in relation to Google Glass, has explained how they took privacy into consideration during design, for example by using sounds and lights to notify those nearby that video or audio recording were taking place. 

Are new laws needed?

The EDPS's position is that, at this stage, new legislation initiatives addressing smart glasses' impact on privacy are not required, although the report notes that the adoption of a new ePrivacy Regulation remains outstanding. This update to the ePrivacy Directive is currently held up in the legislative process. But manufacturers will need to be attentive to privacy risks in their product design and development phases. Smart glasses are likely to attract greater scrutiny as their popularity grows.