They Can Do That?! Children’s Smartwatch Recalled over Privacy Concerns
The European Commission has recalled a German-made smartwatch for children due to privacy concerns. The recall from the European market was made through the Safety Gate Rapid Alert System (“RAPEX”), which was created to facilitate the exchange of information between European countries and the European Commission concerning dangerous non-food products posing a risk to the health and safety of consumers.
The smartwatch, marketed as a “high tech SIM/GPS Safety and Surveillance Smart Watch for Kids,” is intended to enable parents to monitor the location of their children. The smartwatch is equipped with an integrated GPS tracker, microphone, speaker, calling, and SMS text functions. The RAPEX alert explains that the smartwatch’s accompanying mobile application, which is usually used by parents, poses a serious risk to end users because it does not encrypt communications with its back-end servers. The lack of security in the data transmission allows for unauthenticated and unauthorized access to data by malicious actors. Hackers could potentially take control of the app, thus gaining access to children’s real-time and historical locations and personal details as well as directly contacting the users wearing the device.
The European Commission was initially alerted to the privacy concerns by officials in Iceland, and consequently concluded that the product does not comply with the Radio Equipment Directive, a European law that regulates the placing of radio-electronic equipment on the market.
Even though there haven’t been any reports of hacked watches, regulators and advocacy groups around the world have continuously monitored smart toys and other connected devices directed towards kids, as data concerning children is particularly sensitive. While this is the first RAPEX alert and recall of EU products based on data protection concerns, we expect to see more of these alerts due to heightened privacy concerns and the strict requirements of the General Data Protection Regulation.