This Article is written by Rugved Mahamuni, Law student of Vidya Pratishthan’s Vasantrao Pawar Law College, Baramati.
Editor Lester Vinal Lasrado
Introduction
Have you ever considered what happens to the health data you generate daily through wearable devices such as smartwatches, fitness trackers, and rings? This question is addressed in the digital contracts that we often hastily agree to by clicking the “I agree” button.[1] Each company producing such wearable technology must mandatorily have a privacy policy detailing the use of our data.[2] The European Union’s high standard of data protection, as embodied in the General Data Protection Regulation (GDPR), is an exemplary piece of legislation.[3] Similarly, the Indian government’s initiative in creating the Data Protection Bill, 2023, a comprehensive data protection act, is a commendable step in the right direction. The emphasis on health data, or data in general, reflects how a country respects its citizens’ right to privacy. In India, the right to privacy has been established as a fundamental right under Article 21 of the Constitution, as recognised in the Justice Puttaswamy case.[4]
This essay will explore the significance of health data and how various domestic and international entities manage it. It will also consider the potential repercussions of the unethical commercialisation of health data on fundamental rights, particularly Article 21 of the Indian Constitution, which guarantees the right to privacy to all individuals, regardless of citizenship.
LEGISLATIVE INITIATIVE FOR PROTECTION OF HEALTH DATA & PRIVACY POLICIES
Specifically, concerning the protection of health data, and similar to the Health Insurance Portability and Accountability Act (HIPAA)[5] in the US, India introduced the Digital Information Security in Healthcare Act (DISHA). This Act aimed to establish National and State eHealth Authorities, regulate digital health data processes, and ensure data reliability, privacy, confidentiality, and security. But DISHA never materialised; it was forwarded to MeitY to be integrated into the broader data protection framework, which evolved into the 2019 Personal Data Protection Bill.[6]
The Indian data protection journey began with the introduction of the IT Act, 2000. The 2008 amendment, specifically Section 43A,[7] addressed instances where entities handling data failed to protect it adequately. Subsequently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) were introduced to regulate sensitive personal data[8] such as medical records. Section 72A[9] of the Act was also enacted to penalise the unauthorised disclosure of data without the consent of the individual concerned. The Electronic Health Record Standards for India, 2016 (EHR Standards) outline principles for protecting, disclosing, and preserving Protected Health Information (PHI) and Electronic Protected Health Information (ePHI), emphasising consent. The Data Security Council of India (DSCI) has also crafted the DSCI Privacy Guide for Healthcare,[10] which categorises data as Personal Health Data or Information (PHDI), covering demographic, administrative, health risk, and current health status information.
Following these developments, the awaited Digital Personal Data Protection Act (DPDPA), 2023[11], was introduced as a dedicated legislation aimed at regulating the processing of data in India. This legislation came into effect six years after the recognition of the Right to Privacy as a fundamental right.[12]
In Mr. X vs. Hospital Z,[13] the Supreme Court observed:
“The Right of Privacy may, apart from contract, also arise out of a particular specific relationship which may be commercial, matrimonial, or even political…. Doctor-patient relationship, though basically commercial, is, professionally, a matter of confidence and, therefore doctors are morally and ethically bound to maintain confidentiality. In such a situation, public disclosure of even true private facts may amount to an invasion of the Right of Privacy.”
Within the context of this article, the contractual arrangement between the manufacturer of wearable devices and the user imposes a legal obligation on the company to safeguard the individual’s health data, in accordance with Rule 4 of the SPDI Rules. Any deviation from the privacy policy may lead to penalties under Section 72A of the IT Act.
Illustration: A, using a smartwatch manufactured by company B to track her menstrual cycle and ovulation,[14] discovers she has Polycystic Ovary Syndrome (PCOS) through analysis of her watch’s health data. However, a significant data breach occurs at company B, resulting in the loss of A’s health data and that of millions of other customers, which is subsequently posted on a deep web forum. This breach exposes A’s private health condition of PCOS to the public domain, violating her right to privacy.
The leading wearable vendors in India[15], BoAt[16], Noise[17], and Fire-Boltt[18], have explicitly outlined in their privacy policies that they collect health information but refrain from commercialising it, with certain exceptions related to third-party services.
WHAT IF HEALTH DATA WAS COMMERCIALISED?
As previously analysed, the majority of wearable technology firms, which are required to establish privacy policies,[19] affirm that they collect customers’ health data while pledging not to commercialise it. Yet, the possibility of commercialising this data may lead companies to develop behavioural advertising strategies that aim to influence individuals’ actions based on their health information, potentially infringing upon their fundamental right to decisional privacy.[20]
In the realm of health data commercialisation, pharmaceutical firms[21] can pinpoint users with specific health conditions identified through wearable devices. For instance, individuals flagged with elevated glucose levels or diabetes symptoms may receive targeted advertisements for diabetes medications and associated products such as glucose monitors[22]. This focused marketing could induce users to unnecessarily purchase and use medications or devices, potentially leading to excessive treatment, heightened healthcare expenditures, and adverse effects. Similarly, those identified with irregular heart rates or low physical activity levels might receive promotions for cholesterol-lowering drugs or heart health supplements, encouraging preventive use without adequate medical guidance. Additionally, users with disrupted sleep patterns may be exposed to advertisements for sleep aids, fostering dependence on medications instead of addressing root causes like stress or other clinical reasons.[23]
Illustration: If X, a wearable device company, commercialises health data obtained from users like A, who suffers from arrhythmia, pharmaceutical companies could perpetually advertise the risks of arrhythmias, including reduced heart function, blood clotting risks, heart failure, and sudden cardiac arrest, while simultaneously promoting their antiarrhythmic medications as the sole and optimal treatment, potentially manipulating A and violating their right to decisional privacy.
RECENT DATA BREACH
One of the essential considerations to think about is whether it is fair to treat data breaches differently depending on whether they happen in the Global South or the Global North. A case in point is BoAt, an audio and wearables brand whose devices accumulate both health and regular data, which experienced a significant data breach affecting 7.5 million customers. The breached data is now accessible on various dark web forums.[24] The critical question pertains to the repercussions faced by BoAt following this incident. As of April 5, 2024, authorities are investigating the breach, and if BoAt’s internal investigation confirms data compromise, the company could face severe penalties under the Digital Personal Data Protection Act (DPDPA). Non-compliance with security measures incurs a penalty of Rs. 250 crores, while breaching personal data protection mandates attracts a penalty of Rs. 200 crores.
Moreover, the breach has led to a loss of customer trust and a temporary disruption in operations. Hypothetically, had BoAt been an EU-registered company under the GDPR, it would have been obliged to adhere strictly to regulatory provisions. These include mandatory Data Protection by Design and by Default (Article 25), conducting Data Protection Impact Assessments (Article 35), and adhering to dedicated codes of conduct for comprehensive regulatory compliance (Article 40).
This, in turn, helps us understand the various fields in which India can ramp up its regulations and help protect precious private data. There should be an appropriate standard for the cybersecurity of wearables, as discussed in the World Economic Forum’s Council of the Connected World,[25] but such a standard cannot be made mandatory and legally binding due to the concern that it might inhibit innovation. Hence, we must find a balance between securing our personal data and not inhibiting innovation through strict standards of protection.
The BoAt data breach is a stark reminder in India’s wearable technology landscape that “with great power comes great responsibility,” echoing Spiderman’s timeless wisdom. As we embrace the connectivity and innovation offered by wearable devices, we must ensure that the power to collect and manage health data is wielded responsibly.
CONCLUSION
The goal of data protection laws in the Global South goes beyond just rules; it includes creating a culture where people are aware of privacy and how to protect their data. In this digital age, economic growth hinges on global data flows, presenting regulatory challenges in balancing economic priorities and national security. Despite having laws in place, data protection authorities (DPAs) face enforcement difficulties due to global data complexities and resource constraints. Countries in the Global South must devise distinct data protection approaches tailored to their specific needs, rather than adopting a one-size-fits-all approach from the Global North, as it is not practical. Hence, comparing GDPR and DPDPA implementation is not feasible due to their differing regulatory contexts.
Name – Rugved Mahamuni
Institution – Vidya Pratishthan’s Vasantrao Pawar Law College, Baramati
[1] Ivanfanta, 2021. Do we actually agree to these terms and conditions? Available at: <https://blogs.ischool.berkeley.edu/w231/2021/07/09/do-we-actually-agree-to-these-terms-and-conditions/> [Accessed 27 June 2024].
[2] Rule 4 (Body corporate to provide policy for privacy and disclosure of information) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”); and Rule 3(1) of the Information Technology (Intermediaries Guidelines) Rules, 2011.
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
[4] Justice K.S. Puttaswamy (Retd.) vs Union of India AIR 2018 SC (SUPP) 1841
[5] The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191
[6] Biplab Lenin, Priyam Rajkumar, and Shivansh Vishwakarma. 2024. “Mind Your Meds and Metrics: Navigating the Indian Health Data Protection Labyrinth.” Cyril Amarchand Mangaldas, June 11.
[7] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 § 43A (Compensation for failure to protect data)
[8] Personal information consisting of information relating to physical, physiological and mental health condition; and medical records and history.
[9] The Information Technology Act, 2000 § 72A (Punishment for disclosure of information in breach of lawful contract)
[10] DSCI Privacy Guide for Healthcare https://www.dsci.in/sectoral-privacy-project/wp-content/uploads/2021/08/DSCI_Sectoral-Privacy-Healthcare-Guide1136279132045723835.pdf
[11] Digital Personal Data Protection Act, Act No. 22 of 2023
[12] Supra Note 4 (2018)
[13] Mr. X vs. Hospital Z AIR 1999 SC 495, (1998) 8 SCC 296
[14] Goodale, B.M., Shilaih, M., Falco, L., Dammeier, F., Hamvas, G., and Leeners, B., 2019. Wearable Sensors Reveal Menses-Driven Changes in Physiology and Enable Prediction of the Fertile Window: Observational Study. *J Med Internet Res*, [online] 21(4), p.e13404. Available at: <https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6495289/> [Accessed 18 April 2019]. doi: 10.2196/13404.
[15] India’s Wearable Device Market Grew 34% in 2023 to 134 Million Units, IDC INDIA, February 16, 2024
[16] BoAt Privacy Policy – Wearables (3.2)
[17] NoiseFit: Health & Fitness Privacy Policy (12)
[18] Fire-Boltt Privacy Policy (Sharing your personal Information)
[19] Supra Note 2
[20] Suresh Kumar Koushal & Anr v. NAZ Foundation & Ors (2014) 1 SCC 1 Para 36, Mohinder Singh Gill v. Chief Election Commissioner (1978) 1 SCC 405
[21] Fisk, M., 2022. GPs, Patients and Health Data Commercialisation in England. Trends in Telemedicine & E-health, 3(4).
[22] Riso, B., Tupasela, A., Vears, D.F., Felzmann, H., Cockbain, J., Loi, M., Kongsholm, N.C., Zullo, S. and Rakic, V., 2017. Ethical sharing of health data in online platforms–which values should be considered?. Life sciences, society and policy, 13, pp.1-27.
[23] Id., p. 13
[24] The data is available on LeakBase, BreachForums, Exploitin (Forums on the Deepweb)
[25] “Joint Statement of Support on Consumer IoT Device Security” (Tech Accord, 15 February 2022) <https://cybertechaccord.org/industry-hackers-and-consumers-for-a-global-baseline-forconsumer-iot-security/> accessed 28 June 2024