The fitness tech market is booming with revenues estimated to exceed $3 billion by 2022. Fitness trackers, bodytech, wearables and associated apps, also known as “Wearables”, range in sophistication from basic recording of activity levels like step counts, to more advanced physiological indicators like heart rate and blood pressure. No matter the type of information recorded, the legal risks are largely the same for all players in this market.

Is it a ‘medical device’?

The first question to ask is whether the Wearable is a medical device. Put simply, is the device intended to be used for medical purposes i.e. diagnosis, treatment, etc.? If it falls within the definition of a medical device^[1], it will be subject to the Medical Devices Directive^[2], or the Medical Devices Regulation^[3] from May 2020. If subject to this medical devices framework, compliance with numerous requirements will be required, including in relation to:

• Clinical investigations
• Conformity assessments
• CE marking
• Post market surveillance

Answering this question is vital as the consequences of selling or promoting a Wearable, which is actually a medical device, without regulatory compliance or approval could be significant. Monetary fines or even imprisonment could be imposed depending on what legislation enforcement action is brought under.

Determining whether a Wearable is a medical device is not solely concerned with the hardware product itself. Associated software, including related apps or algorithms, requires careful consideration as these aspects may be considered software medical devices or in some circumstances, accessories to the hardware product. If so, they will also be subject to certain requirements under the medical devices framework.

What marketing claims are being made about the product?

The claims being made about the Wearable are just as important in assessing whether it is a medical device. Making particular health claims about the product can inadvertently trigger the application of the medical devices framework.

Marketing claims, promotional materials and instructions for use should be carefully reviewed against the Medical Devices Directives/Regulation to ensure that the “intended purpose” of the Wearable is not bringing it within scope of the medical devices framework.

These claims also cannot be misleading and must be supported by evidence under EU consumer and unfair commercial practices rules^[4].

How safe is the hardware and the software?

A number of Wearables have already been subject to product liability litigation for safety reasons. Instances cited predominantly relate to burns and/or rashes. Wearables cannot be placed on the market if they are not considered ‘safe’ according to EU and Irish product safety rules. This will apply to a watch, bracelet or wrist device (as ‘products’) but could also apply to accompanying software too. Whether software is capable of being subject to the product safety and liability framework is currently under consideration as part of the issues the European Commission’s Expert Working Group on New Technologies is looking at. Manufacturers should be aware of their potential obligations and liabilities under the product safety legislative framework, particularly given the strict liability regime provided for by the General Product Safety Directive^[5].

What about reliability?

How Wearables are used and relied on also creates legal risks. For example, complex liability issues arise if persons are using the wearable app to assist with managing a disease or illness when this is not the manufacturer’s intended use. For instance, tracking sugar intake on the nutritional component of the app by a diabetic or tracking heart rates or monitoring heart rates during exercise.

If a manufacturer knows their Wearables are being used for these purposes, even though this was not their intention, they will need to consider their obligations and duties to users, including appropriate disclaimers and warnings. Reliability and accuracy of the data generated by Wearables comes into sharp focus when the Wearable is being used for health reasons and the manufacturer knows this. If the Wearable is unreliable in how it records data, the question arises as to whether that makes it unsafe under EU product safety rules when used for these purposes.

This question of reliability also comes into focus in the context of litigation. There have been a number of cases in Canada where fitness tracker data has been subpoenaed and used in personal injury litigation to go towards proving or undermining evidence of the impact an injury has had on a person’s activity levels. Whether this is a trend that will develop in EU based litigation remains to be seen.

What about data?

Wearables collect significant amounts of data about their users and compliance with GDPR will be a significant challenge for manufacturers. Issues to consider include:

• Being transparent with users about data being collected and generating from their use of the Wearable and how that data will be used. This is challenging when the Wearable is constantly evolving as technology and business plans change. Maintaining user transparency is vital.
• Understanding whether they are collecting ‘health data’ as defined under GDPR. Use of this data is subject to additional and more restrictive rules. Answering this question will depend on the picture the data paints about the user. Simple step count data likely won’t qualify as ‘health data’ but step count, diet, heart rate, blood pressure combined might. Manufacturers need to be alive to the risks this poses.
• Ensuring appropriate security measures are in place to protect the data and ensuring the Wearable has been developed in accordance with GDPR’s rules on privacy-by-design and default. These rules mean that privacy cannot be an “add-on” consideration at the end of the product development process but something that needs to be baked in from the outset.

Failure to comply with GDPR can lead not only to significant sanctions but also damage user trust.

Conclusion