Nike Health App Changes End Dutch Privacy Office Action

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Nov. 9 — European Union privacy regulators appear to be taking a more inclusive approach to classifying consumer information as sensitive health data, a privacy attorney told Bloomberg BNA Nov. 9.

An enforcement proceeding in the Netherlands concerning the processing of data generated by a Nike Inc. fitness app demonstrates how privacy regulators are “stretching to the max” the interpretation of what should be classified as health data, Wanne Pemmelaar, a senior privacy associate with De Brauw Blackstone Westbroek in Amsterdam, said.

Nike ran afoul of the Dutch privacy office over its Nike+ Run Club app that collected user information, including height, body weight, gender, frequency of exercise and running distances and speeds. An investigation showed Nike hadn't obtained “required explicit consent from the app users,” and had not specified retention periods for the data, the Dutch data privacy office said.

But the office Nov. 8 said that Nike had remedied violations of the Dutch Data Protection Act.

Violations of the Dutch Data Protection Act were brought to an end when Nike tightened up its consent procedures and specified a maximum data retention period of four years, with data being encrypted after 13 months, the Dutch privacy office said.

Health Data?

The Dutch privacy office said in a statement that the data collected by the Nike app was “sensitive data that gives an indication of your state of health; there is a relationship between how often and intensively you exercise and your life expectancy.”

Pemmelaar questioned whether such data covering exercise habits should be considered sensitive health data.

There was a risk that “more and more information will be qualified as health data”—including perhaps data on food habits and consumption—and this could lead to data that isn't really health information being classified as sensitive, he said.

A strict interpretation by national privacy offices of what is health data “fits their vision” of encouraging the minimization of data collection, he said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.