Navigating the IoB Frontier: Why Your Compliance Strategy Needs to Address Geopolitical Data Risks

The Internet of Bodies (IoB) is no longer a futuristic concept; it is here, connecting digital devices directly to our physical selves and rapidly transforming healthcare and daily convenience. From smartwatches tracking heart rate to medical implants transmitting vital signs, IoB devices collect an unprecedented volume of highly personal and sensitive information. While the benefits in personalized health and early disease detection are significant, this intimate level of data collection also introduces profound compliance and national security challenges that every organization must understand and address.

The Intimate Invasion: Unpacking IoB Data Privacy Risks

IoB devices delve deep into the most personal aspects of our lives, recording everything from physiological data like blood pressure and EEG readings to behavioral data like activity levels and purchasing habits. Future devices could even aim to read thoughts or record everything a user sees. This raises fundamental questions about data ownership and consent:

  • There is no clear consensus on who owns the data generated by an IoB device: is it the user, the manufacturer, or the healthcare provider?
  • Users are often unaware of precisely what data is being collected, how frequently it's gathered, or where it's ultimately going, making meaningful informed consent nearly impossible.
  • This sensitive data becomes a valuable asset, ripe for misuse by data brokers who can acquire and sell detailed profiles without the individual's knowledge, forming "identity shadows" or "data doubles" that can influence insurance, loans, or employment opportunities.
  • IoB data also poses risks in specific scenarios, from insurance companies denying coverage based on lifestyle data to law enforcement using fitness tracker data in criminal investigations, and the potential for surveillance states to enforce social control.

The Geopolitical Dimension: China's Biotech Ambitions and Data Dominance

Beyond individual privacy, the widespread collection of biometric and genomic data via IoB devices has critical national security implications, particularly concerning foreign adversaries. China's approach to biotechnology, for instance, highlights these risks:

  • Strategic National Champions: China views biotechnology as a "strategic emerging industry" and key to future economic development and national power, fostering "national champions" like BGI Group.
  • COVID-19 Testing and Data Collection: During the COVID-19 pandemic, BGI Group, formerly Beijing Genomics Institute and with close ties to the Chinese Communist Party (CCP), offered to build and run COVID testing labs in multiple U.S. states. This concerned top U.S. counterintelligence officials, who warned that "foreign powers can collect, store and exploit biometric information from COVID tests" as China seeks to "obtain and control the world’s biodata".
  • Prenatal Tests and Military Collaboration: BGI developed its NIFTY prenatal test, taken by millions globally, in collaboration with the Chinese military, storing genetic data from tests taken by women in Europe and Asia in the government-funded China National GeneBank. The test's privacy policy states that data can be shared when "directly relevant to national security or national defence security" in China.
  • Dual-Use Concerns: Lawmakers and experts, including the U.S. National Counterintelligence and Security Center, express concern that the CCP could use collected genetic data for "malign aggression," potentially "even to develop a bioweapon used to target the American people". There is also concern about the use of genomic data to study and control ethnic minority groups, such as the Uyghurs.
  • Military-Civil Fusion (MCF): The CCP's MCF strategy blurs the lines between private and public, and civilian and military entities, making companies like BGI tools of the state.
  • Compulsory Data Sharing Laws: China's legal framework, including the National Intelligence Law of 2017, the Data Security Law of 2021, and the Cryptography Law (in force since January 2020), compels Chinese organizations and citizens to "support, assist, and cooperate" with state intelligence work (National Intelligence Law, Article 7), a duty that can extend to turning over data or installing "backdoors" in equipment. This means any U.S. business using data services or equipment from PRC-linked firms, or storing data within China, is at heightened risk of compelled data disclosure.
  • Legislative Responses: In response, the U.S. has introduced the BIOSECURE Act, bipartisan legislation aimed at restricting federally funded medical providers from using services or equipment from foreign adversary biotech companies like BGI Group and WuXi AppTec. The UK has also raised concerns about BGI's access to its genomics sector.

Why IoB Data Ownership Remains Unclear

The ownership of data collected by IoB devices remains unclear primarily because there are no settled legal norms, and no consensus, on who holds the rights to this highly personal information.

Here are the key reasons why IoB data ownership is ambiguous:

  • Absence of Clear Consensus: As noted above, there is no clear consensus on who owns the data generated by an IoB device, whether it is the user, the manufacturer, or the healthcare provider. This fundamental lack of agreement is a major contributing factor to the uncertainty.
  • Bypassing of Informed Consent and Lack of Transparency: Users are often unaware of exactly what data is being collected, how frequently it is gathered, or where it is ultimately going. This lack of transparency makes it extremely difficult for individuals to provide meaningful consent for data usage, which in turn blurs the lines of ownership. If users do not know what data is being taken, they cannot effectively claim ownership over it or dictate its use.
  • Fragmented Regulatory Landscape: The regulatory environment for IoB devices is often described as a "Wild West," characterized by a patchwork of legislation and significant gaps. In the United States, for example, there is no comprehensive federal data privacy law, and much of the data collected by consumer IoB devices falls outside the purview of existing laws like HIPAA, which reaches only covered entities and their business associates. This regulatory void contributes directly to the uncertainty regarding data ownership and sharing practices.
  • Commodification of Personal Identity: The lack of clear legal norms regarding data ownership can lead to the "commodification of personal identity." Personal and health data, which is highly valuable, can be bought and sold by data brokers without the consumer's knowledge or consent, further complicating any concept of individual ownership.
  • Potential for Undermining Autonomy: The continuous collection and algorithmic analysis of IoB data can subtly influence and shape an individual's choices, potentially undermining human autonomy and free will. This erosion of self-determination implicitly challenges the idea that individuals retain full control or ownership over the data that is being used to influence them.

In essence, the intimate nature of IoB data, combined with a fragmented legal framework and practices that prioritize data collection and monetization over individual consent and ownership, leaves the question of "who owns the data" largely unanswered.

Compliance Imperatives for Your Organization

The complexities of IoB data and the aggressive data acquisition strategies of foreign adversaries necessitate a proactive and robust compliance approach. Here are key considerations for organizations:

  • Due Diligence is Paramount: Businesses must apply rigorous due diligence when considering data service providers and equipment, especially those with an ownership nexus in the PRC or with PRC citizens in key roles. Understand the full ownership of your data service providers and the location of your data infrastructure.
  • Scrutinize Data Relationships: Any business relationship that provides access to sensitive data—including trade secrets, intellectual property, customer Personally Identifiable Information (PII), genomic data, or geolocation data—requires intense scrutiny.
  • Explicit Contractual Agreements: Your Terms of Service and contractual agreements should explicitly state where data is stored, who has access to it, and how liability is allocated. Choose a trusted jurisdiction outside of the PRC for choice of law, forum selection, and arbitration clauses.
  • Strong Encryption: Where the path of data flow is uncertain, encrypt data before it leaves your control, using keys generated and held outside the PRC (for example in a KMS or HSM you operate, or one run by a provider that does not operate within the PRC). Encryption adds little if the provider that stores the ciphertext also holds the key.
  • Data Minimization and Segmentation: Minimize the amount of at-risk data stored or processed in the PRC or in locations accessible to PRC authorities, and strip or pseudonymize fields a vendor does not need before the data crosses that boundary. IT operators should segment network infrastructure so that external software and PRC-origin devices or management consoles sit in isolated zones with no direct path to sensitive data stores.
  • Regulatory Awareness: Be aware of the fragmented regulatory landscape in the U.S. HIPAA applies only to covered entities and their business associates, so the health and biometric information collected by most consumer IoB devices outside a clinical relationship falls outside it. Familiarize yourself with state-level laws (e.g., the CCPA and consumer-health-data statutes such as Washington's My Health My Data Act) that may provide broader protections.
  • Ethical Frameworks: Implement ethical AI frameworks emphasizing clear consent, limited data collection, avoidance of manipulation, fairness, and accountability.
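The encryption and minimization points above turn on two practical questions: what actually crosses the boundary, and where the keys live. The following Go program is an example added here, not code from the original page or from any product or vendor it mentions. It models a trust-boundary component in your own infrastructure: it drops the fields a downstream analytics vendor does not need, replaces the user identifier with an HMAC-SHA256 pseudonym, and seals the remainder with AES-256-GCM bound to the destination label, so a provider that only ever stores ciphertext holds nothing usable without keys that never leave the trusted zone. The telemetry record layout, field names, key values and destination label are all constructed assumptions for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Telemetry is a constructed record from a hypothetical wearable, not the
// output format of any real device. Email and GPS are collected by the device
// but are not needed by the downstream analytics vendor.
type Telemetry struct {
	UserID    string  `json:"user_id"`
	Email     string  `json:"email,omitempty"`
	GPSLat    float64 `json:"gps_lat,omitempty"`
	GPSLon    float64 `json:"gps_lon,omitempty"`
	HeartRate int     `json:"heart_rate"`
	Timestamp string  `json:"timestamp"`
}

// Minimized is the only shape allowed past the trust boundary: a keyed
// pseudonym instead of the user identifier, plus just the fields the vendor needs.
type Minimized struct {
	Pseudonym string `json:"pseudonym"`
	HeartRate int    `json:"heart_rate"`
	Timestamp string `json:"timestamp"`
}

// Boundary holds the two secrets that must never leave the trusted zone:
// the HMAC key that derives pseudonyms and the AES-256 key that seals payloads.
type Boundary struct {
	pseudoKey []byte
	aead      cipher.AEAD
}

// NewBoundary requires a 32-byte pseudonym key and a 32-byte AES-256 data key.
func NewBoundary(pseudoKey, dataKey []byte) (*Boundary, error) {
	if len(pseudoKey) < 32 {
		return nil, errors.New("pseudonym key must be at least 32 bytes")
	}
	block, err := aes.NewCipher(dataKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Boundary{pseudoKey: pseudoKey, aead: aead}, nil
}

// Minimize drops fields the vendor has no need for and replaces the user
// identifier with an HMAC-SHA256 pseudonym. Re-identification requires the
// pseudonym key, which stays inside the trusted zone.
func (b *Boundary) Minimize(t Telemetry) Minimized {
	mac := hmac.New(sha256.New, b.pseudoKey)
	mac.Write([]byte(t.UserID))
	return Minimized{
		Pseudonym: hex.EncodeToString(mac.Sum(nil)),
		HeartRate: t.HeartRate,
		Timestamp: t.Timestamp,
	}
}

// Seal encrypts a minimized record with AES-256-GCM. The destination label is
// bound as associated data, so a blob copied out of one vendor's store cannot be
// opened under another destination's label. Output is nonce || ciphertext || tag.
func (b *Boundary) Seal(m Minimized, destination string) ([]byte, error) {
	plain, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return b.aead.Seal(nonce, nonce, plain, []byte(destination)), nil
}

// Open reverses Seal; it fails on a wrong key, a wrong destination label, or
// any modification of the blob.
func (b *Boundary) Open(blob []byte, destination string) (Minimized, error) {
	var m Minimized
	ns := b.aead.NonceSize()
	if len(blob) < ns+b.aead.Overhead() {
		return m, errors.New("blob too short")
	}
	plain, err := b.aead.Open(nil, blob[:ns], blob[ns:], []byte(destination))
	if err != nil {
		return m, err
	}
	err = json.Unmarshal(plain, &m)
	return m, err
}

func main() {
	// Keys are hard-coded only so the example runs offline; in production they
	// come from a KMS or HSM located outside the jurisdiction of concern.
	b, err := NewBoundary([]byte("pseudonym-key-0123456789abcdef01"), []byte("data-key-0123456789abcdef0123456"))
	if err != nil {
		panic(err)
	}
	rec := Telemetry{UserID: "user-1001", Email: "a@example.com", GPSLat: 38.9, GPSLon: -77.0, HeartRate: 72, Timestamp: "2024-05-01T10:00:00Z"}
	blob, _ := b.Seal(b.Minimize(rec), "analytics-vendor")
	fmt.Printf("sending %d bytes to vendor; email and GPS never leave: %+v\n", len(blob), b.Minimize(rec))
}
```

The pseudonym is deterministic per user under a given key, so the vendor can still correlate readings over time for analytics, but cannot map them back to a person without the key held in your trusted zone. If the vendor or its jurisdiction becomes untrusted, rotating the two keys severs that link for all future records.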

The BIOSECURE Act

The BIOSECURE Act is bipartisan, bicameral legislation introduced in the U.S. Congress to address national security concerns related to foreign adversary biotech companies.

Here are the key aspects of the BIOSECURE Act:

  • Sponsorship and Support: The bill was introduced by Chairman Mike Gallagher (R-WI) and Ranking Member Raja Krishnamoorthi (D-IL) of the House Select Committee on the Strategic Competition between the United States and the Chinese Communist Party. It has co-leads in the House and corresponding legislation in the Senate.
  • Primary Objective: The core purpose of the BIOSECURE Act is to ensure that foreign adversary biotech companies, identified as U.S. national security concerns, do not gain access to U.S. taxpayer dollars.
  • Targeted Companies: If enacted, the legislation would restrict federally funded medical providers from using services or equipment from specific foreign adversary biotech companies. These include BGI Group and its subsidiaries, MGI and Complete Genomics, along with WuXi AppTec, which the bill's sponsors likewise describe as affiliated with the People's Liberation Army (PLA).
  • Underlying National Security Concerns:
    • Genetic Data Collection: A primary concern is that companies like BGI Group collect genetic data of Americans and use it for research, potentially in collaboration with the Chinese military.
    • Potential Misuse of Data: Lawmakers fear that the Chinese Communist Party (CCP) could use the collected genetic data to "further its malign aggression," and "potentially even to develop a bioweapon used to target the American people."
    • Economic and National Security Risk: Allowing these companies to accumulate and analyze large amounts of foreign genomic data risks "most sensitive information being used by our foreign adversaries against us," which endangers the "American bioeconomy and our national security".
  • Regulatory Framework: The act aims to establish a regulatory framework to prevent the flow of taxpayer dollars to these biotech entities of concern, thereby safeguarding sensitive genomic data.
  • Broader Strategic Context: The consideration of the BIOSECURE Act highlights the broader challenge for the U.S. government in dealing with China's "national champions" in biotechnology and genomics, which China views as crucial for future economic development and national power. It acknowledges that existing technology protection tools are currently insufficient to address the complexities of this emerging field. The U.S. aims to implement a mix of policies, including supporting U.S. companies and research infrastructure, in addition to traditional mitigation strategies.

To maximize the benefits of IoB while mitigating the profound risks, a human-centric approach emphasizing ethical design, robust legal frameworks, transparency, and continuous societal dialogue is essential. Your organization's compliance strategy must evolve to address not only privacy and cybersecurity but also the complex geopolitical landscape of data. Ignoring these "hidden costs of connection" could have disastrous consequences for your business, your customers, and national security.

By Compliance Hub