**5. Discussion**

#### I. Wearable technologies and data protection norms

The General Data Protection Regulation (GDPR) is having a very strong impact on the world of fashion and on its commercial practices (Allday 2018).

The theme of data protection has become central and involves, today, both personal and particular (or "sensitive") data: types of data that, in the fashion world, are very common.

Data is instrumental in marketing, as Allday correctly states: "allowing retailers to bridge the gap between online/offline and digital/physical stores (where applicable), so retailers may struggle to maintain this without as much consumer information. Currently, the online shopping experience is often a 24/7 engagement, with emails landing throughout the night offering similar items to your shopping/browsing history. Without this constant presence, online fashion retailers will have to find less intrusive ways of keeping high levels of engagement with their consumers. Although companies will still be able to see what their customers are purchasing, there will be less scope for them to track closely their browsing habits and histories. The consumer's 'right to be forgotten' must be addressed within one month, and customers will also have the right to have their personal data erased. Although thousands of fashion products sold online are inspired by luxury catwalk items, trends are equally driven by consumer shopping habits and patterns. If customers request that they be erased from retailers' systems, it could limit insights into what their customers are looking for next" (Allday 2018).

As Allday says: "online fashion companies will have to change the way they interact with their customers and use their personal information. For pure play retailers like Amazon, ASOS, Boohoo and Missguided, all of whom have benefited from the ambiguity of the EU's existing data laws, the General Data Protection Regulation has the potential to drastically, perhaps catastrophically, alter how they operate" (Allday 2018).

The social media presence of the most important brands in the fashion industry will also change: "Lax data laws have allowed fashion retailers to leverage social media even more by offering personalised shopping links that lead to clicks and therefore sales. Online fashion brands are faced with the momentous task of overhauling not just their business strategy, but ensuring that their brand identity is not watered down by GDPR" (Allday 2018).

First of all, as Arthur correctly writes (Arthur 2016), from a data processing point of view, some of these wearable devices and smart clothes "even stretch what the term 'wearables' might mean – stepping beyond connected textiles into deeper fibre science, which is the area looking the most likely to shape the future of our wardrobes" (Arthur 2016).

The author cites, for example and among others: Levi's and Google Project Jacquard ("a piece of wearable technology designed for urban cyclists. Conductive yarn is weaved into the left cuff enabling touch interactivity so users can tap, swipe or hold to fulfill simple tasks like changing music tracks, blocking or answering calls or accessing navigation information delivered by voice"); The Unseen for Selfridges ("a start-up that has captured the simple idea of colors that alter based on user interaction or the environment they're placed in. The resulting line of luxury accessories for Selfridges [ ... ] included a backpack, scarf, phone case and more, which responded to things like air pressure, body temperature, touch, wind and sunlight. An Italian alligator-skin shoulder bag for instance saw environmentally-responsive ink shifting from black in the winter, to red in the spring, blue in the summer and green fading to red in the autumn"); and Emel+Aris (a smart coat with hidden intelligent heating technology inside: "Made from a lightweight polymer, rather than a load of wires, it produces FIR (far infrared) heat energy from various panels across the garment that is then absorbed by the skin to heat the muscles and increase blood flow") (Arthur 2016).

In 2017, in another example, University of Manchester's National Graphene Institute "produced a dress in collaboration with wearable tech company Cute Circuit. The dress is made with a fabric that has 'wonder material' graphene which causes the dress to change color according to the wearer's breathing patterns" (Draper 2018).

We are therefore in the presence of technologies that are not just wearable objects but real tools for the transmission of data, and that are particularly complex in their functions (to the point of intruding on individuals' privacy). In other words, we are in the presence of technologies that are potentially dangerous for human beings.

So, the first necessary point, when discussing the (cyber) security of wearable devices and smart clothes, is to understand the need for the diffusion of a "culture" of data protection that, in many cases and due to security costs, has not been implemented.

This must be done even before designing such tools, and must become an essential part of the production process itself of these products.

In a period of market crisis, investments in information security have been minimal: they are often the first budget items to be cut. At the same time, however, there is a commercial rush to collect data, and this rush is raising new legal challenges (Mathys 2014).

The GDPR, first of all, demands, with a particular attention to the idea of accountability, that the security must be placed "inside" the device itself, and the accountability must be "inside" the company itself. Also, this approach must be demonstrable at any time.

This entails the need for large-scale training of all operators, from the top to the subjects who process the data, to ensure a safe and secure data environment. This can happen with ad hoc training and with the writing of policies, regulations, and best practices.

This first, general point is clearly described in the text of Article 32 of the GDPR: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymization and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing."

The big news of the GDPR is that it leaves the company free to decide how to implement security measures in its specific reality. There are no longer any lists of mandatory measures, but it is up to the data controller to decide which measures to implement. This is a completely new approach that will be tested in the coming years.

The description of the risks strictly connected to data processing is in the second paragraph of Article 32: "In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed."

This means that anyone who produces wearable devices and smart clothes, or whoever resells them, must, before starting to make use of these tools and give them to their customers, evaluate the possible risks and prepare safety measures that protect the processed data.
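Article 32(1)(a) names pseudonymization as one of the measures a producer or reseller of wearable devices can prepare before handing the devices to customers. The following is an added illustration, not code from the paper or from any of the companies it cites: it pseudonymizes constructed smart-garment telemetry with a keyed hash (HMAC-SHA256), so that analytics can run on tokens while the table linking tokens back to customers is held separately. The record layout, field names, key and sample rows are all assumptions made for the example.

```python
"""Pseudonymization of wearable-device records in the sense of GDPR Art. 32(1)(a).

Added example, not the paper's own code. The record layout, the keyed-hash
scheme and the sample rows below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample telemetry, as a retailer might receive it from a smart garment.
SAMPLE_RECORDS: List[Dict] = [
    {"customer_id": "C1001", "device_id": "GARMENT-77", "steps": 8200, "heart_rate": 72},
    {"customer_id": "C1002", "device_id": "GARMENT-12", "steps": 3100, "heart_rate": 88},
    {"customer_id": "C1001", "device_id": "GARMENT-77", "steps": 9400, "heart_rate": 70},
]

# Fields that identify a person or a device directly; these are replaced by tokens.
DIRECT_IDENTIFIERS = ("customer_id", "device_id")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of an identifier.

    The same input always yields the same token, so records of one customer stay
    linkable for analysis. Without the key the token cannot be recomputed, unlike a
    plain SHA-256 of the id, which anyone holding a customer list could brute-force.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (pseudonymized rows, re-identification table).

    The table maps tokens back to the original identifiers. It is what Art. 4(5)
    calls the 'additional information' that must be kept separately from the
    pseudonymized data set, so it is returned as a distinct object rather than
    stored alongside the rows.
    """
    rows: List[Dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        row = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(row[field], key)
            lookup[token] = row[field]
            row[field] = token
        rows.append(row)
    return rows, lookup


def steps_per_customer(pseudonymized_rows: List[Dict]) -> Dict[str, int]:
    """Analytics that needs only the tokens: total steps per pseudonymous customer."""
    totals: Dict[str, int] = {}
    for row in pseudonymized_rows:
        totals[row["customer_id"]] = totals.get(row["customer_id"], 0) + row["steps"]
    return totals


def reidentify(token: str, lookup: Dict[str, str]) -> str:
    """Controlled re-identification, possible only for whoever holds the lookup table."""
    return lookup.get(token, "unknown")


if __name__ == "__main__":
    # Constructed key; in production it would come from a key management system.
    key = secrets.token_bytes(32)
    rows, lookup = pseudonymize(SAMPLE_RECORDS, key)
    for token, total in steps_per_customer(rows).items():
        print(f"{token} -> {total} steps (re-identifies to {reidentify(token, lookup)})")
```

The analytics copy of the data (`rows`) carries no customer or device identifier, and the lookup table is the only path back to a person; encrypting that table or holding it in a separate system is what makes the exemption in Article 34(3)(a) defensible if the analytics copy is later breached.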

Concerning, finally, the diffusion of a "culture" of data protection, paragraph 4 of Article 32 of the GDPR is clear: "The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he/she is required to do so by Union or Member State law."

This is a central aspect: all data processors must first be trained on data protection issues. This becomes particularly important when smart devices communicate, for example, with a store and not directly with the factory. All the subjects who process the data, even those with less important or temporary job positions, must be aware of the existence of the legislation on data protection and on the best ways of protecting customer data.

The second crucial point, data breach management, involves the most important threat connected to the collection of data using wearable devices today. Understanding how to recognize a data breach, how to manage it (to avoid fines running into millions), how to report it to the supervisory authority and also to customers, and how to manage data breaches that may take place not on site but in shops, stores, or companies connected to the main factory is linked to the ability to assess the risks to image and reputation, and of discrimination, possible identity theft, and economic losses.

The norms related to data breach are included in Articles 33 and 34 of the GDPR. Article 33 states that "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 h after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 h, it shall be accompanied by reasons for the delay."

Article 34 indicates that "When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay." However, "The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: (a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach; in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption; (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize; (c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner."

Then, there is the fundamental aspect of transparency, along with information and collection of consent, which have always been central to the European data protection system. This directly involves targeted marketing and profiling but also spam, newsletters, apps, and websites.

Finally, there is the aspect of the exercise of rights, especially with the request to delete and update the databases.

At the center of all these four aspects, there is the general idea of accountability, i.e., the entire system must be framed around the idea of protecting the data by design and by default, and all this must be demonstrable.

#### *Laws* **2020**, *9*, 12

Privacy and security, in conclusion, are at the heart of wearable technologies, and they are two different aspects. The main risk is obviously the direct collection of sensitive data that these devices make, such as precise geolocalization, credit card numbers for possible payments, information on health status, and collection of habits and physical condition for a long period of time.

#### II. The specific accountability issues of wearable devices and smart clothes

The starting point, even in the context of wearable devices and smart clothes, is the understanding of 'accountability,' the new security approach required by the GDPR to set up corporate and productive activities and personal data handling from a correct data protection perspective.

The idea of accountability consists in doing and demonstrating (in other words, in "creating"), an environment aimed at data protection, and being able to document and prove it anytime.

The first step is usually considered that of training: training all operators so that their behavior is correct and aimed at protecting the data while not hindering its circulation. Particular attention, also in the fashion world, should be paid to three areas: (i) marketing and sales, (ii) human resources, and (iii) information technology staff. These are the three most vulnerable sectors.

Marketing and sales will have to pay particular attention to information, especially for TV spot, web, and app activities and highly targeted campaigns, including campaigns based on the physical characteristics of customers and the management of large databases. Human resources will have to pay particular attention to the protection of employee data, especially if wearable devices are given also to the staff. The IT department controls the whole data system and the processing and protection of the information.

In practice, in all three areas, accountability is achieved through a list of obligations: information and consent, the appointment of a Data Protection Officer, the keeping of a record of processing activities, the assessment of risk and impact in the case of particular processing operations, the contractual regulation of relations with external processors, and a framework of security measures that also includes training and policy plans for managing data breaches, phishing attacks, and payment systems fraud.

Companies should ensure that all of their employees' practices are aimed at promoting data security and, above all, human resources staff must establish policies, business operations, and contracts with employees that take into consideration the use of wearable technologies in the workplace. The essential problem, in this case, is the privacy of the worker, especially the violation of privacy and the risk of spreading sensitive information about the worker. They must be able to choose whether or not to wear the device, and the functioning must be transparent and well illustrated. Furthermore, the devices must not function beyond working hours.

#### III. Wearable Technologies and Data Breach Issues

The data breach, or data loss following a violation, is the most feared threat. It can happen in many ways: an external attack, but also a ransomware virus, loss or theft of a computer or tablet, access to a peripheral system that allows access to the central archive. In this case, transparency towards the supervisory authority and the users has become essential, especially if customers' rights are at risk.

The management of a data breach therefore entails an initial assessment of the risk, in order to classify the event either as a minor incident, which is recorded in an incident log, or as a serious event that must be reported. The first party to be addressed is the supervisory authority, which must be notified within 72 h in specific ways. The second is the users, who must be informed, and here the company's reputation is the most important issue. The preparation of a policy with both internal purposes (keeping track of all incidents) and external purposes (specific methods for managing and communicating data breaches) is essential.
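The triage just described (incident log for every event, supervisory authority within 72 h of awareness, data subjects only when the risk is high and none of the Article 34(3) exemptions applies) can be written down as a small decision procedure. The block below is an added example, not code from the paper: the `Incident` fields, the three-level risk scale and the four sample incidents are assumptions made for the illustration, and the legal assessment of "risk" versus "high risk" is an input to the procedure, not something it computes.

```python
"""Data breach triage following the decision points of GDPR Articles 33 and 34.

Added example, not the paper's own code. The incident model and the sample
incidents are constructed; the risk level is the outcome of a human assessment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # Art. 33(1): 72 h from becoming aware


@dataclass
class Incident:
    description: str
    became_aware: datetime                 # the 72-hour clock starts here
    risk: str                              # "unlikely", "risk" or "high"
    data_unintelligible: bool = False      # e.g. encrypted, key not exposed (Art. 34(3)(a))
    risk_removed_since: bool = False       # subsequent measures taken (Art. 34(3)(b))
    disproportionate_effort: bool = False  # individual contact not feasible (Art. 34(3)(c))


@dataclass
class TriageResult:
    log_entry: str                         # every incident is logged, whatever follows
    notify_authority: bool
    authority_deadline: Optional[datetime]
    delay_reasons_required: bool           # notification after the deadline needs reasons
    notify_data_subjects: bool
    public_communication_instead: bool


def triage(incident: Incident, now: datetime) -> TriageResult:
    """Classify an incident as log-only, authority-reportable, or subject-communicable."""
    if incident.risk not in ("unlikely", "risk", "high"):
        raise ValueError("risk must be 'unlikely', 'risk' or 'high'")

    # Internal purpose of the policy: keep track of all incidents, including minor ones.
    log_entry = f"{incident.became_aware.isoformat()} | {incident.risk} | {incident.description}"

    # Art. 33(1): notify the supervisory authority unless the breach is unlikely to
    # result in a risk; a notification made after 72 h must state the reasons for delay.
    notify_authority = incident.risk != "unlikely"
    deadline = incident.became_aware + NOTIFICATION_WINDOW if notify_authority else None
    delay_reasons = bool(notify_authority and deadline is not None and now > deadline)

    # Art. 34(1): communicate to the data subjects when the risk is high ...
    notify_subjects = incident.risk == "high"
    public_instead = False
    if notify_subjects:
        # ... unless an Art. 34(3) exemption applies. (a) and (b) remove the duty;
        # (c) replaces individual contact with a public communication.
        if incident.data_unintelligible or incident.risk_removed_since:
            notify_subjects = False
        elif incident.disproportionate_effort:
            notify_subjects = False
            public_instead = True

    return TriageResult(log_entry, notify_authority, deadline, delay_reasons,
                        notify_subjects, public_instead)


if __name__ == "__main__":
    t0 = datetime(2020, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed awareness time
    samples = [
        Incident("tablet with unencrypted customer health data stolen from a store", t0, "high"),
        Incident("laptop lost, full-disk encrypted, key not on the device", t0, "high",
                 data_unintelligible=True),
        Incident("newsletter sent to a wrong internal mailbox and recalled", t0, "unlikely"),
    ]
    for inc in samples:
        print(triage(inc, t0 + timedelta(hours=10)))
```

The point of keeping `risk` as an input is that the regulation asks for a judgement about the rights and freedoms of the people affected; what the procedure adds is the part that is easy to get wrong under pressure: the deadline arithmetic from the moment of awareness and the order in which the exemptions are tested.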

Given the great risks, companies that develop wearable technologies should implement appropriate cybersecurity measures. There is no standard checklist, but measures must be adapted to the situation (for example: the volume and nature of the data collected, and the cost of a potential data breach as an impact on people's rights). Certainly, the protection should already be incorporated when thinking about the product and developing it ("privacy by design"), and the subject should have full control of his/her device.

As Allday correctly notes, GDPR will also "expose brands whose security systems are not as sophisticated as they should be, as retailers will be required to notify regulators of any data breach within 72 h and in some cases, they will be legally obliged to notify their customers too. Before, some retailers lacked transparency, urgency and in some cases, honesty, when dealing with data breaches. Forcing retailers to be transparent when it comes to security breaches will expose certain websites' shortcomings, which challenges brand safety, reliability and credibility" (Allday 2018).

Another key point will involve exactly how retailers remove their consumers' data, particularly when information is stored on several distinct databases: "For some companies, a complete redesign of internal IT systems will be required; for others, it will be a matter of whether a customer's data is anonymized or completely deleted, and whether it will be possible to mix the two actions within one database" (Allday 2018).

The new regulations also "make clear that it is not just the IT departments of retailers who should be clued up on data breaches and their prevention, but all members of the corporation, no matter what level, as well as third party affiliate companies, such as PRs, freelancers, insurance companies and recruiters" (Allday 2018).

#### IV. Transparency and consumers' attention

In the GDPR system, the principle of transparency is closely connected to the idea of information and consent. The disclosure/information notice is an essential requirement that allows the controller to inform the user about how the data will be processed. The contacts, purposes, legal basis, data retention period, and transfer (or not) abroad are the most important points, to which are added the recipients and the possibility of exercising one's rights.

Consent is now given in electronic format and poses the problem both of verifying the age and the will of the subject, and of filing it to verify possible revocations.

Most of the data concern health and fitness, the steps taken every day, sleep cycle, calories burned, and these are all data that, if exposed, would make the subject very vulnerable.

The sheer volume of such data allows those who have access to it to carry out analyses that would not be possible with smaller datasets. Furthermore, data relating to habits could be used for other purposes, such as insurance or employee monitoring. Transparency, with such types of data, means knowing who the data owner is, where the data are stored, whether they are encrypted, how they can be used and whether they can be resold.

It is therefore essential to draft terms of services and privacy policies that highlight which data are collected, how they are stored, their use, if third parties are involved in management, and security measures. The collection and storage of data should then be limited, and the encryption of information should be the standard.

Attention to the consumer must also be connected to the liability profiles linked to the product and its functioning. The brand is exposed to possible liability, both for physical damage and for the possibility of the user being distracted while driving or walking, or for damage to third parties.

The rights of data subjects are the central part of the European system: the possibility of exercising rights not as simple consumers but with reference to the data concerning one's person. The right to be forgotten, but also the rights to rectification and of access to the processing, are central.

As Allday states, online retailers "must therefore find ways of leveraging their loyalty schemes and other forms of advertising without creating a retail space in which legal consent is required from the consumer. The success of data-driven advertising has been, in part, down to the fact that so many consumers are unaware of it. When presented with a box on the screen asking if you want to give away your personal details, many people would say no. 'Consent' is often built into the cookies that the average Internet user accepts without reading the T&Cs. The new limitations will require more traditional, less intrusive forms of targeted advertising, which will involve looking to more authentic advertising used in physical stores. Euromonitor figures show that online fashion retailing now accounts for 20% of all apparel and footwear sales in the UK and 15% in the whole of Western Europe, but GDPR will drastically alter the landscape of fast fashion if the key players do not address and adapt to the new, more private shopping landscape online" (Allday 2018).

In our opinion, even if the issues of transparency and consent are not strictly related to the technological aspect of the topic we are dealing with (i.e., the hardware that collects the data), they remain central in view of a broad spectrum of protection. The fashion industry, too, has long based its activity on data processing, and correct information, linked to a clear manifestation of will, assumes central importance in the more general framework of data protection.
