Should “Rays” be banned? Data privacy and security implications of Smart Glasses in the workplace

Smart glasses have been around for a decade, but the technology was clunky and the glasses' design overbearing. Now, with the introduction of undetectable designs such as Ray-Ban Meta glasses, it is almost impossible to tell if someone is wearing them.

As some early adopters on Reddit report:

"nobody has a clue they are smart glasses", 

"I wear mine at work. Most people I’ve talked to aren’t even aware the tech exists"

"I use mine at work all the time, no issues or complaints, most people don't notice, and honestly, I use the camera for little functions and events, and no one notices then either."

As smart glasses become more discreet and widely adopted, are businesses prepared for the privacy and security risks they bring into the workplace?

The hidden risks of smart glasses in the workplace  

There is a level of user innocence about what data is being collected and what happens to it. If the smart glasses are being used in a work environment, this user innocence could potentially lead to harm if employers have not thought through the implications of their use.

An employee could be routinely collecting personal data about customers or fellow employees using the smart glasses. It's difficult to know what data an employee is collecting when wearing them - and the ability to take photos and capture video (including live-streaming to social media) is privacy-intrusive and could make customers or fellow employees feel uncomfortable.

If the smart glasses are in record-mode, a small LED light will appear on the glasses frame, but Ireland's Data Protection Commission has commented on how small and potentially ineffective the indicator light is for alerting people.

The Irish DPC and the Italian Data Protection Regulator both flagged concerns about whether the individuals captured in the videos and photos would receive notice they were being recorded. They compared smart glasses unfavourably to smart phones and similar devices. Their reasoning was that a smart phone is generally visible and it is usually clear, from the actions of the user, that the device is recording, which puts those captured in the recordings on notice. This is not the case for smart glasses.

If the employee is planning to use the smart glasses for work purposes, there is also a danger that confidential business information could be at risk. Data that is collected using the smart glasses can often be shared with the providers and their partners. It could then be used for the third parties' own purposes, potentially in breach of privacy regulation and confidentiality requirements.

In some cases, AI features incorporated into smart glasses enable data collected by the glasses to be shared with third-party AI providers and other partners. The sort of data collected and potentially shared could include personal and confidential data, including media or text transcripts of the employee's interactions. In one example, in relation to voice commands, privacy policies provided that voice recordings could be stored for up to a year to improve the third-party AI, and the user was not allowed to disable storage for voice commands.

A new challenge for employers

Clearly, where a business is highly regulated and/or employees are dealing with confidential information, there is an obvious danger that unlawful disclosures may take place where employees are able to use smart glasses. These sorts of risk already exist where employees bring their own devices, and of course there is the ever-present issue of unauthorised or shadow IT being introduced into the workplace. Smart glasses are a particularly difficult variation on this problem: they have been designed to be unobtrusive, so they are inherently covert and difficult to detect. This makes it difficult for employers to meet their legal obligation to be transparent about the way in which their employees' data is collected and processed.

In light of the privacy and security issues, and depending on the business or job role, it may be appropriate to adopt a policy that prohibits the usage of smart glasses in the workplace. Alternatively, and depending on the risk, businesses might consider introducing or updating a 'bring your own device' to work policy which makes the wearing of smart glasses subject to safeguards, such as written authorisation given in return for the employee confirming in writing that they will not use the smart element of the glasses whilst on work premises, if indeed it is possible to configure the glasses in this way.

Get in touch

If you are struggling with the privacy and security issues around smart glasses or other wearable tech, bring your own device policies, and shadow IT more generally, get in touch with our expert data and tech team, who would be happy to help.