As per a recent report by Research and Markets, the global market for fitness devices will reach 464 million units by 2027. As per another report by Greenbone Sustainable Resilience, a German cybersecurity firm, the health data of nearly 120 million Indian patients is freely available online.
Given the privacy risks posed by these wearable devices, especially in a medico-legal landscape where there is a constant tussle between the right to privacy and health, it becomes important to discuss the utility and risks of wearable devices and the legal framework governing them.
Usage of various micro-controlled devices that are worn on the body for the purposes of collecting health-related information is ever-increasing. Examples include smart helmets, headphones, glasses, smart clothing and smart footwear.
Wearables essentially help in prevention and more effective cure. First, they help users in maintaining good health and avoiding diseases. Second, they help in better monitoring of diseases by physicians, thereby enabling them to give better advice. In the pursuit of achieving these two purposes, they collect various data, like steps taken in a given time, intake of food and water, sleep cycles and breathing.
This shows that big data accumulated through the means of wearables has immense potential in reducing the burden on the health systems in many ways. This assumes special significance in India where the doctor-to-patient ratio is already abysmal.
Even more so, against the backdrop of programs like E-health and the National Health Policy 2017 that have been launched by the Indian government in recent years, it is likely that there will be a burgeoning of wearable devices in the near future.
As much as the potential of big data to transform the public health system is unquestionable, it has also created a dangerous market of information that can be used to the detriment of the user.
These devices collect basic information like sex, age, health status and location alongside more intimate information like blood pressure, heartbeat and steps taken. This information can lead to the violation of the right to privacy through identity invasion, location tracking and data mining.
First, these devices often have poor encryption practices. If the data is not encrypted properly, hackers can use personal details to clone an individual’s identity and subject them to grave risks like identity theft. They could be falsely implicated in financial frauds and criminal activities through the cloned identity.
Second, these wearables also emit Bluetooth signals, which can be used to monitor the location of the user. This can be useful in determining the places they visit for shopping, eating and other leisure activities. This, in turn, can be used to deduce their interests. There is a huge market for such information and thus, it is vulnerable to being traded for a price.
Third, there is a problem of data mining. It is a process wherein companies use various software to process huge batches of raw data into useful information by observing various patterns. Since the data collected by these devices is stored on the hard drive most of the time, it becomes more vulnerable to data mining.
Lacunae in law
The absence of oversight mechanisms to check privacy violations by these companies is deeply worrisome.
First, there is no oversight mechanism to regulate wearables since they are classified as ‘fitness devices’ as opposed to ‘medical devices.’ Medical devices are monitored by the Central Drugs Standard Control Organisation (CDSCO). However, fitness devices do not fall within the purview of this organisation.
Second, provisions of the Information Technology Act, 2000, and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, are applicable to fitness wearables. However, these antiquated provisions have not been able to keep up with the pace of the technological developments of wearables.
Laws in the pipeline
Pursuant to the verdict of the Supreme Court in KS Puttaswamy v. Union of India, as per which the right to privacy was declared to be a fundamental right, there were attempts to grant statutory protection to this right.
In furtherance of this aim, the Personal Data Protection (PDP) Bill, 2019 has been drafted and is being reviewed by a joint parliamentary committee. On the other hand, another bill called the Digital Information Security in Healthcare Act (DISHA) has been drafted by the Ministry of Health and Family Welfare (MoHFW) for the purposes of protecting Digital Health Data (DHD).
If both these bills gain presidential assent, DISHA will govern DHD over PDP. This is because DISHA is a special law and as per the ruling in General Manager, Telecom v. M. Krishnan, a special law overrides a general law.
DISHA provides for a concrete mechanism to protect against the violation of privacy. Section 29 (2) provides that wearable companies need to obtain explicit consent of the user at every stage of collecting data. This is a welcome step and adheres to the principles of decisional and informational privacy as set out in Puttaswamy.
If this right is utilised by users carefully, they will be able to avoid risks like identity invasion, locational tracking and data mining. But it is to be noted that mere declaration of rights is not enough, unless the law is able to empower the right holders to assert their rights and access remedies in cases of breach. This can only happen when the government facilitates awareness programs to educate the consumers regarding safe practices while using these devices and other health-related apps.
On the flip side, Section 29 (5) of DISHA imposes a blanket restriction on any sort of commercialisation of data. But anonymising data, which includes analysing huge batches of data with software to collate useful information by observing patterns, can be very useful in developing the product to meet the ever-changing needs of the users and the market.
A blanket ban on usage of anonymised data for commercial purposes can hamper research, development and innovation. Thus, the usage of data for limited commercial purposes should be allowed, as long as the data is properly anonymised and the privacy of users is not violated.
Given the immense utility of wearable devices and the privacy risks associated with them, there is a need to strike a balance between the developers’ potential to grow and innovate, and the user’s right to privacy. Striking this balance becomes particularly important because the potential of big data to transform our public health system is ever-growing. At the same time, it puts extremely sensitive information of the users at great risk.
Views expressed are the author’s own.
The author is grateful to her friend and batchmate, Priyanka Vishnoi, for her comments and suggestions.
is a student of law at the National Law School of India University, Bengaluru.