June 24, 2022 witnessed perhaps one of the single-most momentous blowbacks to the notion of privacy, the consequence of which would certainly send ripples across the globe both on an ideological and a judicial-legal plane. On this day, the Supreme Court of the United States of America on this day overturned the watershed case of legal and feminist jurisprudence, Roe v. Wade of 1973 (“Wade”), effectively disrobing women in the country from exercising the erstwhile right to abort. The ramification of this ruling underlines a particularly interesting conundrum – in the wake of Big Tech collecting, storing, and processing personal data and information incessantly and sharing the same with law enforcement agencies (“LEAs”) as and when mandated, how can the most vulnerable and sensitive aspects of a person’s personal life be afforded protection to in the absence of adequate safeguards?
It is common knowledge that the tracking and storage of personal data and information accompany with it a saddening saga of squander and abuse – history is witness to this. With the over-ruling of Wade, it is now open season, wild-wild-west – the LEAs theoretically have a free hand to collect location data, forage through text messages and SMSes, dig through web-browser histories, online purchases, and personal e-mails, and use period-tracking apps surreptitiously to prosecute not only the users but also the intermediaries who may provision the said services.
The logical, unfortunate conclusion to the series of events that may potentially transpire hereon would be an absolute nightmare for all the people and families who were promised significant reproductive autonomy in the US for the past five decades. To chill reproductive freedoms, we may now even notice medical and health services providers track pregnant patients and LEAs exploit tools of surveillance to enforce existing abortion laws.1
Calm before the Storm?
If a report from Vice News were to be believed, accessing data troves in the US is an absolute breeze – for as meager as $160, one could access a week’s worth of data of the credentials and the geo-indicators of people who visited Planned Parenthood facilities (an American NGO which provides for sexual healthcare services). One possible reason why such a glaring infraction of personal privacy exists in the US in broad daylight is because of a ‘gray area of the law’. This gray area pertains to the Health Insurance Portability and Accountability Act, 1996 (“HIPPA”) which covers such data or information that is shared by the individual with a doctor. However, HIPPA does not secure any such data or information which is shared with a third-party. Hence, taking into consideration the possibility that third-party apps may share such data or information with yet another third party, the risk of abuse is glaring, to say the least.
There are two consequential takeaways for policymakers closer to home in India here. First and foremost, the guardrails for the protection and preservation of personal data and information in India are starkly lacking. And, second, in the absence of an omnibus privacy legislation, individuals and their data are at the mercy of private parties and the government to be exploited and be capitalized on.
Certainly, the Supreme Court of India did affirm that the Right to Privacy forms an integral part of the Right to Life and Liberty guaranteed by Law under Article 21 of the Indian Constitution – certainly no two thoughts about it. However, because of its delicate nature, the degree of safety and consideration that protection of medical data warrants is a notch above the safety standards mandated by the protection of general data. Taking into consideration the rapid growth of the Indian telemedicine market, the onus falls upon the Government to ensure that the prospective economic benefits of the proliferating market segment do not imperil the tenets of the Right to Privacy, especially that of health data. A nuanced and considered approach is the call of the day.
Falls and flaws in the Indian medical data policy framework
Perhaps the most pertinent issue in the framework as it stands today is the ambiguity in the understanding of ‘health data’ or ‘medical data’ and what it constitutes. Case in point, the Information Technology Act, 2000 (“IT Act 2000”), along with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”), accords the status of sensitive personal data or information (“SPDI”) merely on such data which are either related to the physical, physiological, or mental health of an individual. However, the current legal framework does not require such data to be anonymized – hence, it is quite feasible for any entity (government or third-party) which is in possession of such un-anonymized data to ascertain who it pertains to and mine such data, thereby risking misuse.
Despite several administrative attempts, the foul of conceptual legislative clarity remains. For instance, let us take into consideration three frameworks that pertain to or which touch upon personal health data, namely – the ‘Strategy Overview: Making India a Digital Health Nation Enabling Digital Healthcare for all’ document of the National Health Authority, dated July, 2020 (“NHA Strategy Overview”), the draft Digital Information Security in Healthcare Act, 2018 (“DISHA”), and the draft Data Protection Bill, 2021 (“DPB”). In the NHA Strategy Overview, “personal health data” encompasses information and data relating to the medical conditions and subsequent treatments undertaken by a party. In comparison to the standards of the NHA Strategy Overview – where on the one hand, the DPB covers only information regarding the physical or mental health of the individual, on the other, the DISHA goes a notch up and deals with data extracted from body-part donations and data derived from medical tests and bodily examinations as well. The discordance and dichotomy in the data protection frameworks indeed are glaring. Worse still, none of them reflect upon the surveillance misuse that can manifest from the status quo!
It indeed is well established that policy frameworks conceptualize data in general, and medical data in specific, as an incorporeal, intangible resource and an effective enabler for economic progress. Data is predominantly understood as a resource (like oil), available for human extraction, and exists independent of the bodies producing it. The present-day health data policy framework in India is inordinately concentrated on the data and information that is collated and collected by primary healthcare service providers (like hospitals and medical establishments) or secondary healthcare service providers or healthcare-related service providers (like insurance companies). We today have smartwatches and mobile apps which gather data on and monitor a person’s activity levels, heart rates, sleep cycles, and daily moods, and which also can track period-cycles. Hence, the draft DISHA-DPB framework presents a thought-provoking policy and legal lacuna – with the growing use of these smartwatches and third-party apps, can the law protect from exploitation the digital footprint of an individual that is left behind?
Yet another species of unease that arises is the difficulty in dealing with the unfettered access to medical data and information that the government (both at the Central and the State level) and LEAs can procure either from third-party apps or from IoT devices. To cite an instance, it is common knowledge that in the wake of the Covid-19 pandemic, both the Central as well as several State Governments used platforms and apps to track and contain the infection. What is perhaps not so commonly known is that for all the virtue and nobility that such contact tracing mechanisms may have brought about, they also institutionalized mass surveillance to a very large extent – one needs to understand that most of these apps often devolved into mechanisms of trickery by surveilling, monitoring and controlling the movement of individuals in the cloak of ‘lockdown enforcement’. Add to this, by way of the mandate provisioned in the proviso to Rule 6(1), and in Rule 6(2), of the SPDI Rules – sensitive personal data and information (including medical and health data) which is shared by an individual with third-party apps and platforms can legally be procured by LEAs without the explicit permission of the individual to whom such data belongs to. This gives rise to a certainly worrying trend, especially when you look at it from the privacy lens!
Where can we go from here: Steps for the times ahead
In no uncertain terms, the pressing priority of the day in the Indian data-landscape is for lawmakers to cogitate considerately upon a definition of ‘health data and information’. A good starting point to fortress individual rights over their personal health would be to place digital health data and information collected by third-party apps and platforms, as well as by IoT devices, under the ambit of the draft DPB-DISHA framework.
Subsequently, legislative intent must deliberate over the fact that a certain category of health data is more intimate and sensitive than others (like, mental health issues faced by an individual vis-à-vis the height of that person) and may necessitate a higher degree of care and protection. Hence, to ensure that the individual possesses absolute and unqualified autonomy over such data of such a delicate character, a graded approach to health data is necessary.
And lastly, lawmakers in India must take into account that in the wake of ‘data-sharing and interoperability’ practices, the policy-framework governing health data and information does not trade off privacy principles in the veneer of supposedly facilitating public welfare. Both healthcare service providers, medical insurance providers, and other healthcare-service providing third parties should enact protective policies which ought to be designed to keep a tight lid on sensitive personal health data and information and associated medical records and histories. Along these lines, to take a cue from the European General Data Protection Regulation (“GDPR”), wherein data subjects have the ‘right to erasure’ as protected under Article 17 and Recital 65, GDPR – in India as well, individuals should also have the right to ensure that their sensitive personal data and information is erased if and where the said individual objects to the collection or processing of her/his health data and information.
The United States’ decision of Dobbs v. Jackson Women’s Health Organization (the regressive U-turn precedent to Wade) did ensure for certain one thing – that the frigidity of the winters of 1973 would certainly chill the spine of women fifty odd years after, in the summer of 2022. Trust, accountability, and transparency – at a time we need them the most are indeed the absolute, dire necessity of the moment.