As per a recent report, the global market for fitness devices will reach 464 million units by 2027. As per another report by Greenbone Sustainable Resilience, a German cybersecurity firm, the health data of nearly 120 million Indian patients is freely available online. Given the privacy risks posed by these wearable devices, especially in a medico-legal landscape where there is a constant tussle between the right to privacy and health, it becomes important to discuss the utility and risks of wearable devices and the legal framework governing them.
Usage of various micro-controlled devices that are worn on the body for the purposes of collecting health related information is ever-increasing. Examples include smart helmets, headphones, glasses, Smart clothing and smart footwear. Wearables essentially help in prevention and more effective cure.
First, they help users in maintaining good health and avoiding diseases. Second, they held in better monitoring of the disease by the physicians thereby enabling them to give better advice in order to stop the health issue from aggravating. In the pursuit of achieving these two purposes, they collect various data like steps taken in a given time, intake of food and water, sleep cycles and breathing. This shows that big data accumulated through the means of wearables has immense potential in reducing the burden on the health systems in many ways. This assumes special significance in India where the doctor patient ratio is already abysmal. Even more so, in the backdrop of the programs like E-health and National Health Policy 2017 that have been launched by the government in the recent years, it is more likely that there might be a burgeoning of wearable devices in the near future.
As much as the potential of big data to transform the public health system is unquestionable, it has also created a dangerous market of information that can be used to the detriment of the user. These devices collect information like sex, age, health status, location and more intimate information like blood pressure, heart beat and steps taken. This information can lead to the violation of the right to privacy through identity invasion, location tracking and data mining.
Firstly, many a times, these devices have poor encryption practices. If the data is not encrypted properly, hackers can use their personal details to clone their identity thereby subjecting them to risks like identity theft. They could be falsely implicated in financial frauds and criminal activities via the cloned identity. Secondly, these wearables also emit Bluetooth signals which can monitor the location of the user. This can be useful in determining the places they visit for shopping, eating and other leisure activities. This in turn can be used to deduce their interests. There is a huge market for such information and thus, it is vulnerable to being traded for a price. Thirdly, there is a problem of data mining. It is a process wherein the companies use various software’s to process huge batch of raw data into useful information by observing various patterns. Since, the data collected by these devices is stored on the hard drive for most of the times, it becomes more vulnerable to data mining.
Lacunas in Law
The absence of oversight mechanisms to check the privacy violations by these companies is deeply worrisome.
Firstly, there is no oversight mechanism to regulate wearables as they classify as fitness devices as opposed to medical devices. Medical devices are monitored by the Central Drugs Standards Control Organization. However, fitness devices do not fall within the purview of this organization. Secondly, the provisions of the Information Technology act 2000 and Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011, are applicable to fitness wearables. However, these antiquated laws have not been able to keep up with the pace of the technological developments of wearables.
Law in Pipeline
Pursuant to the verdict of the Supreme Court in KS Puttaswamy vs Union of India, as per which the right to privacy was declared to be a fundamental right, there were attempts to grant statutory protection to this right. In furtherance of this aim, the Personal Data Protection (PDP) bill has been drafted and is being reviewed by a joint parliamentary committee. While on the other hand, another bill called the Digital Information Security in Healthcare Act (DISHA) has been drafted by the ministry of family and health for the purposes of protecting digital health data (DHD). If both these bills gain presidential assent, DISHA will govern DHD over PDP. This is because DISHA is a special law and as per the ruling in General Manager, Telecom vs M. Krishnan, a special law overrides a general law.
DISHA provides for a concrete mechanism to protect the violation of privacy. Section 29 (2) provides that wearable companies need to obtain explicit consent of the user at every stage of collecting data. This is a welcome step and it adheres to the principles of decisional and informational privacy as set out in Puttaswamy. If this right is utilized by users carefully, they will be able to avoid risks like identity invasion, locational tracking and datamining. But it is to be noted that mere declaration of rights is not enough unless, the law is able to empower the right holders to assert their rights and access remedies in the cases of breach. This can only happen when the government facilitates awareness programs to educate the consumers regarding safe practices while using these devices and other health related apps.
On the flip side, section 29 (5) of DISHA imposes a blanket restriction on any sort of commercialization of data. But, anonymizing data which includes an analysis of huge batch of data to collate useful information by observing patterns through software’s, can be very useful in developing the product to meet the ever-changing needs of the users and the market. A blanket ban on usage of anonymized data for commercial purposes can hamper research, development and innovation. Thus, the usage of data for limited commercial purposes should be allowed, till the time the data is properly anonymized and the privacy of the user is not violated.
Given the immense utility of wearable devices and the privacy risks associated with them, there is a need to strike a balance between the developers’spotential to grow and innovate and the user’s right to privacy. Striking off this balance becomes particularly important because the potential of big data to transform our public health system is ever-growing. While, at the same time, it puts extremely sensitive information of the users at great risk.