L. Robert Batterman, Michael Cardozo, Robert E. Freeman, Howard L. Ganz, Wayne D. Katz, and Joseph M. Leccese of Proskauer Rose write that companies providing fitness apps need to comply with EU data protection laws concerning health data, as Nike is finding out:
In November, the Dutch Data Protection Authority (the “CBP”), a supervisory body engaged to enforce personal data protection laws, published a report outlining several alleged violations of Dutch data protection law following its investigation into Nike’s fitness app, the Nike+ Running app (“Nike+”). Nike+ is an app for a smartphone with capability to be synced with tracking sensors in running shoes or with other wearable devices.
The CBP asserted that Nike violated Dutch privacy law based on two premises: first, that the Nike+ app collected “data concerning health” of its users, thereby triggering stricter privacy protections; and second, that Nike did not sufficiently inform users in its privacy notices about the types of personal data it collects and processes and, as such, users of the Nike+ app had not given requisite consent to the specific ways in which Nike processed health data.
Read more on National Law Review.