
Beginning in the second half of the 20th century, the adoption of digital technologies grew exponentially; cheaper digital tools and easy access made adoption simpler still. The data age has transformed many industries, with aerospace and healthcare among the biggest gainers. As businesses and individuals went digital, the world also saw new types of crime, and because these crimes were unprecedented, countermeasures took time to appear. Cybercrimes [1] range from the relatively benign, such as coupon-code generators, to the outright malicious, such as cyberterrorism. Cybersecurity has only been taken seriously in recent years, and organizations now take many proactive measures against cyber-attacks. Large corporations spend large sums on cyber protection, yet recent malware outbreaks such as WannaCry and NotPetya show how vulnerable digital systems remain. Beyond protecting their own IP and organizational data, companies should not take customer data lightly either. Customer data has proved immensely valuable to organizations; in many cases, insights drawn from it have changed an organization's strategy. Data that powerful can, when misused, create chaos: election manipulation, religious unrest and the like. Enter data protection and other privacy laws, which aim to prevent such mishaps and provide guidelines on how customer data should be handled.

Data Ownership

In our previous article, The Tale of Data Pile in the Healthcare Industry [2], we gave a brief overview of the multiple regulations governing data ownership and handling procedures.
There are multiple such regulations worldwide; key ones include the GDPR, HIPAA, the EU Data Protection Directive (EUDPD) and the CCPA. Some of these date back decades (HIPAA was enacted in 1996 and the EUDPD in 1995), the GDPR has applied since May 2018, and the CCPA (California Consumer Privacy Act) came into effect only recently, on January 1, 2020. In the Indian context, India has no dedicated law on data protection and privacy, nor has it adopted any international instrument on the subject. The Information Technology Act, 2000 provides a few provisions, but it does not cover all facets of protection and privacy. The Personal Data Protection Bill, which is yet to be passed by Parliament, has a few provisions addressing these issues. The bill mentions fines of ₹2 to 3 lakh and jail terms of 3 to 5 years where mishandling of data is identified (these are the criminal penalties for individuals in the draft; it also proposes civil penalties on companies scaled to global turnover). A fine of just ₹3 lakh, however, is peanuts against the magnitude of the data crimes being committed. For the healthcare industry in India, the EHR Standards [3] state that the patient is the owner of the data (health records) and has control over it; the healthcare service provider handles and secures the data on the patient's behalf.

Data Handling

Here is the catch. Indian law reaches only as far as Indian jurisdiction, and many companies bypass it by transferring the data of Indians outside India, where they can process it for insights, pass it on to other companies and even monetize it. The Personal Data Protection Bill, still in draft, states that data can be transferred to other countries only with the approval of the central government after consultation with the Authority. Moreover, India does not yet have a Data Protection Authority at all; by comparison, even the Philippines and Thailand have one. This shows how far behind we are in taking data seriously.
There are multiple instances where the data of individuals has been transferred out of India; a notable one involves Xiaomi [4]. Xiaomi's privacy policy states explicitly that, depending on the laws of the region, it will transfer data to its data centres in other locations, including China [5]. This is not so easy when the customer is European: the GDPR restricts transfers of personal data outside the EU to destinations covered by an adequacy decision or by safeguards such as standard contractual clauses. Technology giants like Google and Facebook, on the other hand, do not sell their users' personal information; they process it in-house. If a company wants to target a customer or a customer segment, all it has to do is pay a fee and the targeting is done through Google's advertising platform (Google Ads). This is possible because they run their own heavily populated application ecosystems alongside their advertising businesses.

What does it mean for Indians?

The Ministry of Health and Family Welfare has released the Digital Information Security in Healthcare Act ("DISHA", a draft bill) [6] to create national and state health authorities, regulate and standardize how data is collected, stored and used, and ensure the reliability and confidentiality of digital health data. The draft bill clearly sets out the rights of owners and the conditions under which data can be collected and stored. It also states clearly that the data collected must not be used for commercial purposes or disclosed to insurance companies, human resource consultants or pharmaceutical companies. Unfortunately, the bill has not been passed, which leaves companies in India free to collect, process, handle and transmit the data without hindrance. The main point to note is that extensive data of this kind about Indian customers is in the hands of foreign corporates.
If those corporates do not follow the GDPR or HIPAA, there is no power to compel deletion of personal data, and even SPI (sensitive personal information) can be transmitted out of India.
Unless the Indian Government takes the necessary steps at the earliest, this collection and mishandling of data will go on indefinitely, and it can be called only unethical, not illegal. Until then, the biggest gainers will be the corporates reaping the benefits of unethical data-handling practices.

Realities Around the System

Since wearable devices provide a great deal of insight into an individual's physiology, companies are harvesting individual data from them. The existing regulation of healthcare data in India applies only to healthcare service providers (HSPs), and the EHR Standards are a standard rather than a statute, so they cannot be enforced. Wearable vendors are not HSPs, and by using this gap some popular wearables collect user data and store it on their own servers. Most wearable companies state that data will be shared with their partners, affiliates and so on, and even their privacy policies are not clear about who owns the data. With these realities, we can only hope that India catches up in the coming years with a regulation as powerful as the GDPR.

References:
[1] https://en.wikipedia.org/wiki/Cybercrime
[2] https://www.urufit.com/post/the-tale-of-data-pile-in-healthcare-industry
[3] https://www.nhp.gov.in/NHPfiles/EHR-Standards-2016-MoHFW.pdf
[4] https://www.deccanchronicle.com/technology/in-other-news/250419/xiaomi-sends-users-data-beyond-indias-jurisdiction.html
[5] https://privacy.mi.com/all/en_IN/
[6] http://www.mondaq.com/india/x/729484/Data+Protection+Privacy/DISHA+Data+Ownership+Security+Consent+for+health+data