To Track or not to Track? Employees’ Privacy in the Age of Corporate Wellness, Mobile Health, and GDPR

Research output: Contribution to conference / Conference abstract for conference / Research

The latest digital health developments have allowed for better tracking of individuals’ health through wearable devices and health apps, also known as ‘mobile health’ (mHealth). mHealth companies target not only individual consumers but also businesses, as they see a market in corporate health and wellness programs. As such, some employers now offer employees fitness wristbands or smartwatches so that employees can monitor their health at work and beyond. These devices and apps enable users to track their exercise, number of steps, sleep patterns, eating habits and a myriad of other health-related activities, which are often not work-related. Employers present mHealth devices and apps as company ‘perks’ for employees. However, mHealth may come at a price for employees, who may unwillingly share their most personal information (health information) with their employer and third parties, such as mHealth developers and/or insurance companies. Therefore, this article investigates the lawfulness of the use of mHealth devices and apps in the context of corporate wellness programs, in particular in light of employees’ rights to privacy, data protection, and non-discrimination under European Union (EU) law and under the European Convention on Human Rights (ECHR) and related case law. First, the article analyzes the conditions for valid consent given by an employee to the processing of her health data, as set under the EU General Data Protection Regulation (GDPR) and related interpretative guidelines and opinions. The current regime seems very protective of employees’ privacy: in an advisory opinion on data processing at work issued in 2017, the European Data Protection Working Party stated that employees’ free consent to the processing of mHealth data is highly unlikely because of the sensitive nature of health data and the unequal relationship between employers and employees.
The article argues that this highly protective regime is not only a way to protect employees’ right to privacy, but also a way to protect them against any potential discrimination on prohibited grounds, such as pregnancy, disability or health status, as such discrimination in the workplace is often indirect and difficult to prove. Therefore, measures which are less intrusive of employees’ privacy, namely those which do not track employees’ health information, may be deemed more proportionate under EU law and under the ECHR. Secondly, in the event that an employee’s consent to use mHealth technology is found valid in the employer-employee relationship, the article analyzes how third parties developing mHealth apps and devices also need to respect employees’ privacy. This question is answered in light of the recent Draft Code of Conduct on privacy for mobile health applications, as well as EU and ECHR law. The article concludes that although the European privacy regime may seem overly protective of employees’ privacy and data, this may benefit mHealth developers in the long run by fostering a culture of trust among users of these technologies, who will know that their data cannot be used against them.
Original language: English
Publication date: 2019
Publication status: Published - 2019
Event: 8th Annual Cambridge International Law Conference: ‘New Technologies: New Challenges for Democracy and International Law’ - Cambridge University
Duration: 20 Mar 2019 to 21 Mar 2019

Conference: 8th Annual Cambridge International Law Conference
Location: Cambridge University

ID: 216788209