In recent years, the Health & Wellness movement has grown alongside a broader shift in how people approach their health. What was once largely limited to an annual check-up has increasingly become part of everyday life. More and more people now actively monitor their physical activity, heart rate, sleep quality, and even stress levels through data that is easy to access and can be used to adjust behavior in real time. At the center of this shift is a device most people now know well: the smart watch.
This trend closely aligns with the concept of Digital Health, which the World Health Organization (WHO) describes as the use of information and communication technologies (ICT) to support decision-making, strengthen health service delivery, and promote well-being on a broader scale.
In this context, smart watches and other wearable devices have moved beyond being mere accessories to become genuine personal health technologies. People are not only familiar with them, but are increasingly integrating them into their daily routines. These devices enable real-time, continuous health monitoring in a way that occasional medical check-ups cannot. At the same time, the WHO has also emphasized that while digital health creates significant new opportunities for care, it must be developed and deployed with due regard for privacy, cybersecurity, system reliability, and data integrity, especially where sensitive health information can be linked to identifiable individuals.
Behind the convenience of tracking health through a smart watch, however, lies the collection, use, and interconnection of large volumes of personal data. This makes data protection a central issue in the use of such technology. The data collected by smart watches may include activity records, health metrics, location information, and identifiers that, whether alone or in combination, may fall within the definition of personal data under Thailand’s Personal Data Protection Act B.E. 2562 (PDPA).
Put simply, the data typically collected by a smart watch can be grouped into four broad categories.
The first category is activity data, such as step counts, distance traveled, calories burned, exercise duration, and the types of physical activity performed each day. This is the foundation of most fitness-related features on wearable devices.
The second category is health data, including heart rate, sleep patterns, respiratory rate, and other indicators of physical well-being. This type of data is more detailed than general activity data and can provide a relatively clear picture of a user’s physical condition and health-related behavior.
The third category is location data, especially when route tracking or GPS connectivity is enabled. This data may reveal where a user goes, when they exercise, and how they move throughout the day. When combined with health data, it can offer an even more detailed picture of an individual’s daily life.
The final category is usage and device data, such as account information, device identifiers, app connections, system settings, and usage history. This information may not appear to be personal data at first glance, but when combined with other categories of data, it can make identification of a particular individual easier.
Under the PDPA, data that can identify an individual, whether directly or indirectly, may constitute personal data. Where health-related data is involved, it may also qualify as sensitive personal data, which is subject to stricter legal requirements, particularly in relation to the legal basis for processing and the need for explicit consent where required by law.
1) The Granularity of Health Data
What distinguishes data from a smart watch from ordinary personal data is its granularity and continuity. Wearable devices do not collect information only once; they collect it daily, hourly, and sometimes almost minute by minute. As a result, they can reveal detailed patterns in a person’s life, such as sleep and wake cycles, exercise habits, and bodily conditions at different times of day.
As data becomes more granular, privacy risks also increase. Even information that appears harmless in isolation can, when combined with other data points, reveal a much fuller picture of a person’s health, behavior, or personal circumstances than the user may reasonably expect.
From a PDPA perspective, the issue is not only what type of data is collected, but also how detailed that data is and what it may reveal about the data subject. Where such data reflects a person’s physical condition or health status, it may come closer to the nature of sensitive personal data.
The PDPA does not define “health data” in the same level of detail as the GDPR. The GDPR adopts a relatively broad concept of “data concerning health”: personal data relating to a person’s physical or mental health, including data that reveals information about that person’s health status. It may also include information about disease, disease risk, medical history, or physiological condition, regardless of the source of the data. Accordingly, where data collected through a smart watch can genuinely reveal an individual’s health status, it warrants particularly careful consideration from a personal data protection standpoint.
2) Data Linkage Across Apps and Platforms
Smart watches do not generally function on a stand-alone basis. They operate as part of a wider ecosystem that includes the device itself, a mobile app, cloud infrastructure, and other connected services. Data captured on the user’s wrist is often transmitted to an app, stored or processed in the cloud, and in some cases linked to health services, research initiatives, or commercial partners.
This is where data sharing becomes an unavoidable issue. Users should know where their data is sent, who acts as the data controller, who acts as the data processor, and who ultimately receives the data. In addition, where some recipients are located outside Thailand, the cross-border transfer provisions under the PDPA may also become relevant, requiring consideration of whether the destination country provides an adequate standard of personal data protection or whether an applicable exception under Section 28 is available.
3) The Use of Data for Analytics and Technology Development
Another important issue in the Digital Health era is that data from wearable devices is not used solely to display results to the user. It may also be used to analyze health trends, develop new features, conduct health analytics, or support AI development.
From a policy perspective, this creates both opportunities and risks. On the one hand, large volumes of data can support more accurate and effective health innovation. On the other hand, users may not clearly understand whether their data is being used beyond the core service they signed up for, or for what specific purposes.
This issue is closely linked to the principle of transparency. If a company intends to use wearable data to develop systems, analyze user behavior, or train models, it should clearly define those purposes, explain the scope of the data use in terms users can understand, and ensure that the chosen legal basis for processing is appropriate and supported by adequate security safeguards.
To better illustrate that smart watch data is not merely personal health information but also raises broader legal and privacy concerns, it is helpful to look at a number of international case studies. These include court cases in which wearable data was used as evidence, regulatory responses to health data practices, and examples of unintended data exposure. Together, they show that data from wearable devices can have implications far beyond everyday consumer use.
1) Court Decisions: When Wearable Data Becomes Evidence
In recent years, data from wearable devices has increasingly been introduced as evidence in legal proceedings. One example is State v. Bowman (2022), a criminal case in Ohio in which the court relied in part on data from the victim’s smart watch. Movement and heart-rate data were used to help establish the timeline of events and to challenge aspects of the defendant’s account.
Another example is Hollins v. Biomet, a civil case involving claims related to a hip implant manufactured by Biomet. In that case, a U.S. court ordered the plaintiff, who wore a Fitbit, to disclose certain data, such as step-count information, because it was relevant to claims about pain and bodily movement. At the same time, the court allowed more private and unrelated information, such as heart-rate and sleep data, to remain protected.
These cases demonstrate that data from wearable devices is not just personal health data; it can quickly take on a different legal character and become evidence in litigation or the basis of legal disputes.
2) Regulatory Case Studies: When Oversight Expands to Everyday Health Data
From a regulatory perspective, authorities around the world have begun paying closer attention to health data generated through technology. A key example is the Google/Fitbit merger, which was closely scrutinized by the European Union because of concerns that Google could gain greater access to Fitbit users’ health and fitness data and potentially use that data for commercial advantage. In the end, the merger was approved subject to several conditions intended to restrict the use of the data and reduce the impact on market competition.
At the same time, in the United States, the FTC Health Breach Notification Rule has been applied to certain health apps and connected health devices that do not fall under HIPAA, the U.S. law that generally applies to hospitals, health insurers, and healthcare providers. The rule requires providers to notify users when health data is leaked or disclosed without authorization. These developments show that the regulation of health data is no longer confined to traditional healthcare settings, but increasingly extends to health data generated in everyday life through apps and digital devices.
3) Strava Heatmap: When Activity Data Leads to Unintended Disclosure
Another widely discussed example is the Strava Heatmap. This feature used GPS activity data from users, such as running and cycling routes, to generate a global heatmap of exercise activity. It was originally designed to help users see patterns in fitness activity and popular routes. However, it was later found that the heatmap could reveal movement patterns and locations in sensitive geographic areas, including military bases and operational zones in some countries.
This became a classic example of unintended data exposure: a situation in which large amounts of data were analyzed and made public without a sufficiently thorough assessment of the risks. The case highlights that the problem is not limited to the collection of data itself, but also includes how data is used, analyzed, and disclosed afterward.
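The following is an added illustration, not code from the article or from Strava, of one safeguard against the kind of exposure described above: publishing a heatmap cell only when a minimum number of distinct users contributed to it, so that a single person's regular route around an isolated site never appears on the public map. The grid cell size, the threshold of three users, and all coordinates are constructed assumptions.

```python
# Added example: a minimum-distinct-contributor threshold for an aggregate
# activity heatmap. Each grid cell is released only if at least MIN_USERS
# different users contributed GPS fixes to it; otherwise it is suppressed.
import math
from collections import defaultdict

CELL_DEG = 0.01   # grid cell size in degrees (roughly 1 km); an assumption
MIN_USERS = 3     # release a cell only if this many distinct users hit it

def cell_of(lat, lon):
    """Snap a GPS fix to its grid cell (floor of lat/lon in CELL_DEG units)."""
    return (math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG))

def build_heatmap(activities, min_users=MIN_USERS):
    """activities: list of (user_id, [(lat, lon), ...]).
    Returns (published, suppressed): published maps cell -> number of GPS
    fixes for cells meeting the contributor threshold; suppressed is the set
    of cells withheld because too few distinct users contributed."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for user_id, points in activities:
        for lat, lon in points:
            c = cell_of(lat, lon)
            counts[c] += 1
            users[c].add(user_id)
    published = {c: n for c, n in counts.items() if len(users[c]) >= min_users}
    suppressed = {c for c in counts if c not in published}
    return published, suppressed

# Constructed sample data: a popular city park loop run by five users, and a
# single user's repeated loop around an isolated, hypothetical facility.
PARK_LOOP = [(13.7350 + i * 0.0005, 100.5450) for i in range(5)]
ACTIVITIES = [(f"user{u}", PARK_LOOP) for u in range(1, 6)]
ACTIVITIES.append(("lone_user", [(15.2050 + i * 0.0002, 101.8050) for i in range(20)]))

def demo():
    """Compare a naive release (every cell) with the thresholded release.
    Returns (naive_cells, published_cells, suppressed_cells)."""
    published, suppressed = build_heatmap(ACTIVITIES)
    naive, _ = build_heatmap(ACTIVITIES, min_users=1)
    return len(naive), len(published), len(suppressed)

if __name__ == "__main__":
    print(demo())  # the lone user's cell is withheld under the threshold
```

A naive release shows both cells, including the lone user's 20-fix loop; with the threshold, only the park cell (five users, 25 fixes) is published.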
As smart watches become more deeply embedded in everyday life, the key question is no longer simply whether these devices are useful, but how the data they generate should be governed.
The first question is: At what level should data from smart watches be regulated? Even if such data does not amount to formal medical records, it can still reveal highly detailed information about a person’s health and behavior.
The second question is: What limits should apply to the use of wearable data for technology development? As data analytics and AI become increasingly central to health innovation, it is essential to define clear boundaries around purpose, transparency, and control.
The third question is: How much should users be told about how their personal data is used? In practice, effective data protection should not stop at the minimum disclosure required by law. Users should be able to understand clearly how their data will be used, for what purposes, and within what scope.
These questions reflect a broader point: that as smart watches become more embedded in daily life, the conversation must shift from whether to use them to how to use them responsibly.
Data Protection Approaches for Smart Watches
At the same time, focusing only on the risks may create an overly negative picture of smart watches. In reality, smart watches and wearable devices can provide significant benefits for day-to-day health management. The real issue, therefore, is not whether such technologies should be avoided, but how they should be designed and used in accordance with appropriate personal data protection principles.
First, users should be given clear and understandable information. They should be told what categories of personal data the device collects, why the data is collected, how long it is retained, and with whom it is shared. This is especially important where health data is involved, given its sensitivity. Transparent communication is therefore a core element of PDPA compliance.
Second, privacy by design should be applied throughout the lifecycle of the technology. This includes collecting only the data that is necessary, giving users meaningful control over features that involve more detailed data, and seeking consent separately for different purposes. Where processing is likely to pose a high risk to data subjects, for example where AI is used, where large volumes of sensitive personal data are processed, or where users include children or vulnerable individuals, a Data Protection Impact Assessment (DPIA) should also be carried out. This helps assess what risks may arise from the collection, use, or disclosure of data and what measures should be put in place to reduce those risks. This approach makes personal data protection more effective because it is built into the technology from the outset.
Third, appropriate data security measures are essential. Even where there is a valid legal basis and proper disclosures have been made, risks remain if the system lacks adequate security. Data controllers should therefore implement appropriate organizational, technical, and physical safeguards, along with a response plan for personal data breaches.
Smart watches are among the technologies shaping the Digital Health era by making health monitoring more continuous, accessible, and integrated into everyday life. At the same time, they raise important questions about personal data protection, especially where the data collected can be linked to identifiable individuals and may include health-related information that qualifies as sensitive personal data under the PDPA.
The challenge, therefore, is not to reject the technology, but to ensure that the development and use of smart watches proceed in a way that is consistent with sound personal data protection principles. If that can be achieved, smart watches can serve not only as useful health tools, but also as technologies that respect and protect the rights of the individuals who use them.