The Use of Wearable Technology Among Athletes and its Potential Privacy Concerns
Professional sport has officially arrived in Halifax. The Halifax Hurricanes have been competing in the National Basketball League of Canada since late-2015; the HFX Wanderers almost won the Canadian Premier League in its second season; rumours of a Canadian Football League team coming to Halifax continue to swirl; and the Halifax Thunderbirds were at the top of the National Lacrosse League standings until their season was also put on hold. What issues might these young sports franchises face, particularly in light of elevated health concerns related to COVID-19? One might be the privacy concerns of their players through the ever-increasing use of wearable technology.
Wearable technology, sometimes referred to as “wearables”, is a growing range of products and associated software that have the ability to collect and monitor fitness and health information. Wearable tech has become prevalent in modern athletics, both amateur and professional. The introduction of wearables in sports opens up a new concern for athlete privacy, as wearables are becoming more sophisticated in their ability to accurately collect sensitive health information, which is no longer solely accessible by the individual and/or their healthcare provider.
What is wearable tech and what does it do?
Wearable technology has extended far beyond what the average Apple Watch or Fitbit user might come to expect. As an example, the MLB Collective Agreement defines wearable tech as “any equipment, program, software, device or attire which is designed to collect and/or analyze information or data related to a Player’s health or performance at any location”. Such tech may be able to measure heart rate, breathing rate, speed, reaction time, power, sleep quality, distance, and more. Once collected, data is analyzed to evaluate a wearer’s performance and recovery.
It doesn’t stop there. Wearables have been increasingly used in healthcare fields in order to assist with the treatment of patients. Future versions of wearable technology in sports will likely use some of the same features as the healthcare versions, such as monitoring blood oxygen levels. Future playbacks on sports broadcasting television could include data collected by wearables to show viewers in real time the speed, force, and impact of any individual athlete.
What’s the Big Deal?
Simply put, from a privacy law standpoint, an employee’s personal health information is considered among the most sensitive information an employer can possess. In general, the greater the sensitivity of the information in the employer’s possession, the greater the expectation on that employer to keep the information safe. As internet-enabled devices with the ability to record and transmit personal information become more widespread, there is a concern regarding how securely the information collected by wearable technology is protected. A study of common fitness trackers conducted in 2016 by Canadian not-for-profit Open Effect demonstrated that many companies, including Fitbit, Garmin, and Jawbone, had significant privacy weaknesses when it came to transmission security and data integrity. The study also found that the ability of the individual companies to share the information collected by their devices and corresponding apps varied widely, and nearly all of them included in their privacy policies the ability to disclose or sell information to third parties.
Canadian privacy laws have tried to keep pace with the widespread collection of personal information. A former justice of the Supreme Court of Canada defined the right to privacy as the “right of the individual to determine for himself when, how, and to what extent he will release personal information about himself”. Nova Scotia courts have since recognized that damages could be awarded for invasion of privacy in the right circumstances. Very recently, the Supreme Court of Nova Scotia recognized the tort of public disclosure of private facts, which imposes liability on a person who communicates publicly the private information of another, causing harm. Ontario courts have largely led the way in recognizing a common law right to privacy.
With respect to employee health information, the Nova Scotia Labour Board has said that such information is highly sensitive, and accessing and using it can only be done on consent and for the purpose the information was given. An Ontario Labour Arbitration Board found that “An employer only has a right to an employee’s confidential medical information to the extent that legislation or a collective agreement or other contract of employment specifically so provides, or that is demonstrably required and permitted by law for the particular purpose”. The Supreme Court of Canada has recognized a general right for employees to refuse to comply with demands by employers that they submit their personal information, unless the collection of personal information is reasonably necessary to carrying on business.
Legislators have also tried to keep pace with the growing hordes of data collected with ease these days. Alberta, British Columbia, and Québec have enacted privacy legislation which governs the collection, use, and disclosure of personal information between private individuals and private organizations. Where such legislation does not exist, as is the case in Nova Scotia, any personal information that a private-sector organization collects, uses, and discloses in the course of for-profit, commercial activities will fall under the federal Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA. In the world of professional sports, this means that any personal information that is collected from wearable tech and disclosed as part of a commercial transaction, including trade negotiations between teams involving cash payments (which is rare in North American pro sports), falls under PIPEDA. PIPEDA and similar provincial legislation generally require a person’s consent before collecting, using, or disclosing that person’s personal information. Obtaining one’s consent requires disclosing the intended use of the information collected. The judicial decisions noted above generally require the same.
In sum, widespread data collection has resulted in a legal response, placing the onus on the entity collecting the data to explain why the data is being collected, to obtain consent, and to take adequate measures to protect it. A failure to do so may have legal consequences.
How are Some of the Bigger Sports Leagues Addressing Wearable Tech?
Professional sports teams frequently obtain consent to collect data through collective bargaining. Under the MLB Collective Agreement, “any use of a wearable technology by a Player … shall be wholly voluntary” and “there will be no consequences to a player if he declines to use any wearable technology…” Before the player agrees, the club must provide written information on how the technology will be used, who will have access to the data collected by the wearable tech, and how the player will personally be able to access their data. “Wearable Data” is considered highly confidential, and the protection of such data carries on beyond the termination of the Agreement itself. The NBA has similarly been using wearables during practice in order to measure player acceleration and deceleration, heartbeat, and workload. Like the MLB, the NBA’s Collective Bargaining Agreement works on a voluntary basis and requires that all wearable devices be approved by a Committee made up of equal parts players and league representatives. The NBA Agreement also expressly prohibits the use of Player data in negotiations or contracts involving the Player.
The NFL’s collective agreement stands in contrast to the NBA’s and the MLB’s. Under the NFL’s 2020 Collective Bargaining Agreement, the NFL “may require all NFL players to wear during games equipment that contains” wearable tech, and it goes on to permit the NFL to use the data commercially “including but not limited to, with broadcast partners, subject to providing advance notice to the NFLPA of such use.” There is a “Joint Sensors Committee” established under the NFL’s Collective Agreement, which is made up of equal parts players and owners representatives and whose purpose is to review and approve what sensors may be used. But, unlike in the NBA and MLB, the NFL can require any player to use any approved sensor and to share that data with any commercial partner by providing “notice” (i.e., with or without consent). This is a much more restrictive approach to wearables and, depending on what was done with the information collected, the lack of individual consent would likely be problematic in Canada despite the fact that collection was agreed to through collective bargaining.
What Does This All Mean for Nova Scotia Professional and Amateur Sports?
Developments in wearable technology occur at a much faster rate than advancements in the law. Yet there are sufficient legal precedents, principles, and legislation currently in place to provide the following guidance to Halifax’s fledgling professional sports teams:
1. If your players are part of a players’ association, review your collective agreement obligations thoroughly. Where the players have agreed to particular uses of wearable tech in a collective agreement, it is unlikely a sports franchise will run afoul of the law if it observes that agreement. However, whether or not this is stated in the collective agreement, seeking and obtaining informed consent will provide an added layer of protection.
2. Advise players of the information any wearable device will collect. To obtain proper consent, a player must know what information will be collected about him or her.
3. Advise players on the intended use of the information. While players will likely be willing to provide medical data to help them recover faster and train better, they will likely be unwilling for medical data to be used against them in contract negotiations, or to be disclosed to other teams as part of trade negotiations.
4. Review your IT security to ensure reasonable measures are taken to protect player health data. As mentioned, employers are not only liable for willfully disclosing personal health information without consent, they are also liable for not taking appropriate measures to protect such information when obtained with consent.
5. Understand your software provider’s and wearable tech provider’s terms of service, if any. It is not uncommon for these third parties to want access to the data their devices collect. Their reason for doing so may be merely to continue improving their product. But, their purpose may be to share that data with others, which may be an issue from a privacy perspective.*
* The author would like to acknowledge and thank Erin Mitchell for her very helpful work on this paper. Erin is an Articled Clerk at Cox & Palmer.
 CFL stadium for Halifax could be another casualty of COVID-19, Bruce Frisko, CTV News: https://atlantic.ctvnews.ca/cfl-stadium-for-halifax-could-be-another-casualty-of-covid-19-1.4938555.
 Forbes, “How Are Wearables Changing Athlete Performance Monitoring?” <online: https://www.forbes.com/sites/shourjyasanyal/2018/11/30/how-are-wearables-changing-athlete-performance-monitoring/#5a0f945dae09>.
 Dylan Roskams-Edris, “The Eye Inside: Remote Biosensing Technologies in Healthcare and the Law”, 2018 27 Dalhousie J Leg Studies 59, 2018, at 60. <online: https://commentary.canlii.org/w/canlii/2018CanLIIDocs309>
 Shourjya Sanyal, “How Are Wearables Changing Athlete Performance Monitoring?”, Forbes, March 30, 2018, <online: https://www.forbes.com/sites/shourjyasanyal/2018/11/30/how-are-wearables-changing-athlete-performance-monitoring/#5a0f945dae09>.
 Lorenzo Reyes, “As NFL teams make sense of data, next wave of technological revolution awaits”, USA Today March 9 2018 <online: https://www.usatoday.com/story/sports/nfl/49ers/2018/03/09/zebra-technologies-nfl-next-gen-stats/409063002/>
 Open Effect, “Every Step You Fake” 2016 online: https://openeffect.ca/reports/Every_Step_You_Fake.pdf at 18, 36.
 Ibid at 45-46.
 See Trout Point Lodge Ltd. v. Handshoe, 2012 NSSC 245, 320 NSR (2d) 22 at para 55, Doucette v. Nova Scotia, 2016 NSSC 25 at para 172. See also VonMaltzahn v Koppernaes, 2018 NSSC 192 at para 66 where the court awarded damages on the basis of invasion of privacy.
 Racki v. Racki, 2021 NSSC 46
 See Jones v Tsige, 2012 ONCA 32.
 Irving Pulp & Paper Ltd. v. CEP, Local 30, 2013 SCC 34.
 Barbara McIsaac, Kris Klein & Shaun Brown, The Law of Privacy in Canada (Thomson Reuters Canada Limited: 2000) at 2127. Also see Personal Health Information Act, SNS 2010, c 41, s 6(1)(a) (PHIA). In Nova Scotia, the PHIA has been deemed “substantially similar” to PIPEDA, but it expressly does not apply to employers who collect, use or disclose “personal health information for purposes other than health care and the planning and management of the health system”,
 PIPEDA in brief, Office of the Privacy Commissioner in Canada, online: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/#_h1-2.
 Tim Reynolds, “Is NBA’s wearable technology too invasive for players?” The Star October 13, 2018 <online: https://www.thestar.com/sports/basketball/2018/10/13/is-nbas-wearable-technology-too-invasive-for-players.html>
 Ibid at 361.
 NFL-NFLPA Collective Bargaining Agreement, 2020, Section 14 at page 291, online: https://nflpaweb.blob.core.windows.net/media/Default/NFLPA/CBA2020/NFL-NFLPA_CBA_March_5_2020.pdf .