Ainode Privacy Glossary

8 terms · Maintained by Tomás Maria Vaz de Noronha · CC-BY-4.0

What this is. Plain-English explainers for the concepts that show up in our wearable privacy audits — GDPR articles, network forensics, EU adequacy decisions, and the methodology terms we use in audit reports.

Data Minimisation (GDPR Principle)
Data minimisation, codified in GDPR Article 5(1)(c), requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." For wearables, this means a fitness tracker …
Forensic Network Audit
A forensic network audit is the network-engineering equivalent of an independent financial audit. Where an accounting audit verifies that a company's reported numbers match the underlying transactions, a forensic network audit verifies that…
GDPR Article 44
GDPR Article 44 says that any transfer of personal data outside the EU/EEA — including via a wearable that uploads health metrics to a cloud — must meet specific safeguards. If the destination country is not on the European Commission's "ad…
Non-Adequate Country (GDPR)
Under GDPR, the European Commission publishes a list of "adequate" countries that provide essentially equivalent data protection to the EU. Transfers to those countries are largely unrestricted. Transfers to all other ("non-adequate") count…
PCAP (Packet Capture) — Consumer Explainer
A PCAP — short for "packet capture" — is a forensically detailed recording of every data packet a device sends or receives over the network during a defined time window. It is the gold standard for verifying what a wearable, smartphone app,…
Privacy Tier (Ainode Scoring)
Ainode's privacy-tier system grades each audited wearable into one of four bands based on the actual network flows we observe during forensic capture, plus a 6-dimension score. Tier A devices contact zero non-EU servers. Tier B contact only…
Schrems II
Schrems II is the 2020 ruling by the European Court of Justice (Case C-311/18) that invalidated the EU-US Privacy Shield framework. The court held that US surveillance laws (notably FISA section 702 and Executive Order 12333) provided insuf…
Third-Country Transfer (GDPR)
A "third-country transfer" under the GDPR is the act of sending personal data from the EU/EEA to any country outside it — including by uploading it from a wearable to a cloud server. Whether the transfer is lawful depends on the destination…
