Connected health and personal data: the CNIL investigates

At the end of May 2014, the French data protection authority (CNIL) published an IP Report (Cahier IP) on the human body as a new connected object, focusing on personal health data resulting from “quantified self” apps and connected objects.

In its publication, the CNIL has defined this phenomenon of “quantified self”: “This somewhat confusing expression covers various practices which all tend to measure and compare with others the variables related to our lifestyle: nutrition, physical exercise, sleep and even mood, etc.”

The data automatically captured by the connected objects is then mass processed. The development of this practice calls for user attention vis-à-vis the future of their data. As such data relates to the health of individuals, it is sensitive in nature. There is no definition of “sensitive data”, but such data are listed extensively.

The Commission highlights the gap between professed privacy policies and actual practices. This often goes unnoticed due to the lack of attention and knowledge of users regarding personal data.

A “client empowerment” movement giving more power and control to the client would allow a rebalancing of the user/data collector relationship. As a matter of fact, the voice of the clients is often neglected by companies. This “empowerment” may also allow the commercialisation of the data with the client’s direct consent, which would be beneficial to data brokers.

Another solution for the protection of user data would be to impose the concept of “privacy by design” as soon as the connected object is conceived, although the CNIL makes no mention of this in its report. The aim is to make the protection of users’ privacy the primary characteristic of the object. Thus, by default, the collected data will not be extensively shared or re-sold.

As French and European laws are very protective of personal data, particularly sensitive data, one must remain vigilant when collecting such data.

 

Dreyfus will assist you in auditing your data and will help you to implement privacy policies compliant with French and European regulations.