Channel: Centre For Disability Studies And Health Laws

Impact of the Digital Information Security in Healthcare Act, 2018 on m-Health with special emphasis on the Personal Data Protection Bill, 2019


By Jahnvi Sharma

In this age of digitization, the world is witnessing remarkable growth in information technology. However, the current legal regime has been unable to cope with the rapid dynamism of technology. To catch up with this unprecedented growth, governments around the world continue to revamp and modernize their existing data privacy structures. Following this, the Government of India introduced the draft of the Digital Information Security in Healthcare Act, 2018 (DISHA) with the prime objective of protecting the digital health data of citizens. However, DISHA’s stringent provisions banning the commercialization of health data, and its contradictions with the Personal Data Protection Bill, 2019, have led to a dilemma which should be analysed.

Understanding the present status
Mobile health, abbreviated as m-Health, refers to the practice of accessing healthcare services through mobile technologies. These services range from analysing health data through complex technologies to receiving information regarding healthcare services. However, what remains a matter of concern is the collection of health data in digital form, known as Digital Health Data, by such platforms or companies. Such collection is very likely to result in the violation of the privacy of an individual availing of these services. Moreover, this area remains ungoverned due to the laxity of law. At present, the Information Technology Act, 2000 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 govern data protection by body corporates[i]; however, these provisions are considered inept for the growing challenges of digital health data protection.

The Conundrum: DISHA 2018 versus Personal Data Protection Bill, 2019
DISHA has been drafted with the primary objective of protecting Digital Health Data. Under the Act, a user of any m-Health service is empowered to control access to their data at every stage of data storage, collection, transmission and processing. Users have the power to refuse their consent for the collection of data at any stage[ii].

The Government drafted the Personal Data Protection Bill, 2019 after the right to privacy was upheld as a fundamental right under Article 21 in the landmark judgement of Justice K.S. Puttaswamy v. Union of India[iii]. The Bill covers health data under sensitive personal data[iv] and provides that the user may provide their explicit consent at just one stage, after which the data shall be used by the entity if consent is provided[v].

However, on analysis of DISHA, m-Health service providers are covered under the definition of ‘other entity’[vi] and consequently shall be subject to the stringent data collection provisions under DISHA, wherein they shall require consent at each stage for the collection of data.

Since both laws have overriding provisions, i.e. Section 52 of DISHA and Section 98 of the Personal Data Protection Bill, 2019, and contradictory requirements, it is essential to ascertain which law shall be applicable to the m-Health sector. Following the precedent set in R. S. Raghunath v. State of Karnataka[vii], wherein it was held that where there exists a special law, it shall prevail over general law, the special law, DISHA, shall prevail over the Personal Data Protection Bill, 2019.

Impact of DISHA on the m-Health sector
Besides subjecting m-Health service providers to stringent data protection provisions, DISHA also impacts the m-Health industry through its provision expressly banning the commercialisation of digital health data.

m-Health service providers derive their profitability from targeted advertisement. Targeted advertisement, in the m-Health industry, uses a person’s digital health data to advertise specific products and services tailored and selected for the user. It is one of the most important components for m-Health service providers who provide their services for free. However, DISHA restricts the use of Digital Health Data by an ‘other entity’ to limited purposes, which include facilitation of medical and clinical research, improvement of public health activities, and promotion of early detection and treatment of chronic diseases. Section 29(5) of the Act prohibits the use of digital health data for commercial purposes. The provision also prohibits the access and use of digital health data in anonymized form for any commercial purposes.

To understand the repercussions of this provision, one must understand the word ‘commercial’. The Supreme Court explored the scope of the word ‘commercial’ in Laxmi Engineering Works v. PSG Industrial Institute[viii] and defined it as something “connected with, or engaged in commerce; mercantile; having profit as the main aim”. The use of data to select and tailor an advertisement to target a specific user in order to receive revenue can be covered under ‘commercial purpose’.

With the prohibition on the usage of Digital Health Data for commercial purposes, m-Health apps and service providers shall be unable to use the data for tailored or targeted advertisement and will consequently lose their main source of profits. This would further hamper the development, growth and broadening of the m-Health industry.

Conclusion

m-Health service providers generally do not process or collect sensitive personal health data for commercial purposes. They limit their access to the collection of only generic data like heart rate, Body Mass Index, calories burnt etc. These parameters can’t be held to be under the ambit of sensitive personal data. Consequently, the inclusion of m-Health services under DISHA can adversely impact the development of the m-Health sector. DISHA’s applicability and extent of coverage can be limited to health information exchanges and clinical establishments, since these entities handle sensitive Digital Health Data, as compared to m-Health service providers. Further, in order to achieve the twin objectives of reducing the friction between DISHA and the Personal Data Protection Bill as well as promoting and developing the m-Health sector, m-Health service providers can be covered under the Personal Data Protection Bill, 2019, which shall be beneficial for the legal regime and for innovation in healthcare services.


[i] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, Rules 4, 5, 7, 8, The Gazette of India, part II sec 3(i) (April 11, 2011).

[ii] Ministry of Health and Family Welfare, F.No Z-18015/23l2017-eGov, Digital Information Security in Healthcare Act, 2018, §28 (Notified on March 21, 2018) https://www.nhp.gov.in/NHPfiles/R_4179_1521627488625_0.pdf

[iii] J. K.S. Puttaswamy & Anr v. Union of India WRIT PETITION (CIVIL) NO 494 OF 2012

[iv] Personal Data Protection Bill, 2019, Bill No. 373 of 2019, §3(36) (December 11, 2019)

[v] Personal Data Protection Bill, 2019, Bill No. 373 of 2019, §11 (December 11, 2019)

[vi] Ministry of Health and Family Welfare, F.No Z-18015/23l2017-eGov, Digital Information Security in Healthcare Act, 2018, §29(2) (Notified on March 21, 2018) https://www.nhp.gov.in/NHPfiles/R_4179_1521627488625_0.pdf

[vii] R. S. Raghunath v. State of Karnataka & Anr 1992 AIR 81

[viii] Laxmi Engineering Works v. P.S.G. Industrial Institute 1995 AIR 1428

Author:

Jahnvi Sharma
4th Year Student of B.A. LL.B at Vivekananda Institute of Professional Studies

