
With a growing population and growing demand, the Indian wearables market has expanded rapidly. According to the International Data Corporation's (IDC) Worldwide Quarterly Wearable Device Tracker, the India wearables market grew 170.3 per cent year-over-year in Q1 2021 (January to March), shipping 11.4 million units. On the strength of this adoption, India was reported in 2019 to be the third largest wearables market after China and the US. Wearable technology is thus used by the young and the old alike, for personal, social and professional reasons, and has become part of people's daily lives.

Health wearable devices (smartwatches, fitness bands, smart glasses, smart bags, smart jackets etc.) have become increasingly pervasive and have access to vast amounts of users' private data. As much as this technology promises to improve lives, it raises legal and ethical issues that need to be addressed. The objective of this post is to assess and analyse the state of the legislation and regulation meant to ensure adequate data protection for health wearables in India. In doing so, the protections and remedies available are discussed, alongside the lacunae that need the immediate attention of policymakers and stakeholders.

At the outset, it is useful to understand how wearable technology interoperates with other devices: wearables work through an interface with smartphones, tablets or computers and perform the particular function they have been designed to execute. Wearable technology enables real-time communication between the user and the device, facilitating the access, assimilation, storage and profiling of information. This is because wearable technologies are not built around the individual as such but around the collection of data and its processing, interpretation and the decisions consequently taken on it.

DEFINITION

According to the Cambridge Dictionary, wearable technology consists of "things that can be worn, such as clothing or glasses, that contain computer technology or can connect to the internet". Fitness trackers are wearable devices that can help you move more, sleep better and improve your overall health; wearable technology such as "smart clothes" can be used to monitor heart rate.

HOW DO THE WEARABLES WORK?

Wearables are electronic technology embedded into a device that an individual can wear on a day-to-day basis. Technically, wearables fall into two types:

  1. Operating Systems (OSs) - Specialised devices like smartwatches run an embedded OS, which lets them connect to third-party applications and behave much like smartphones.
  2. Software - Simpler devices with specific features, such as smart bands that count steps or track sleep cycles, run embedded software written to perform only those functions.

Wearable devices rely on sensors:

  • In wearable medical devices, sensors embedded in the device let the individual monitor heart rate, ECG activity etc.; and
  • Some smartwatches carry miniature computers (much as mobile phones contain small processors) that record day-to-day activity and sync the information to a laptop or computer.

The idea of looking after one's own health appealed to the tech-savvy generation, so that demand has grown not only for wearables like smartwatches but also for wearable medical devices such as heart rate sensors, oximeters and wearable ECG monitors, which keep track of a patient's health and alert the treating doctors to the risks the patient faces.

Before such devices reached the consumer market, they were used to monitor the health and medical condition of military personnel. Devices like smart T-shirts, wearable motherboards and wrist watches tracked health and, through real-time connectivity, the wearer's whereabouts.

ANALYSING THE LEGAL ISSUES AT HAND

Wearables serve two main purposes: To track a specific condition, and to help users maintain good health. Wearables can collect a host of data to execute these roles. Some of the collectable data include steps taken, food and water intake, calories burned, sleep movement, and breathing. Wearable technology can also collect biometric data such as heart rate (ECG and HRV), brainwave (EEG), and muscle bio-signals (EMG) from the human body to provide valuable information in the field of health care and wellness.

This is the starting point for the myriad legal issues that arise in the use of this technology. Two scenarios emerge: i) while a wearable device is in use there is a great deal of data exchanged between the user and the device, which raises questions about the ownership of that data; and ii) whether the data collected by a wearable device belongs to the device manufacturer or to the service provider that operates and maintains the device. Data protection is the crucial aspect to be considered for wearable technology and devices, and it covers the collection and processing of data in the device as well as the sharing of sensitive personal data between the device, the user and several third parties.

Deciding the jurisdiction that governs the processing and storage of a wearable device's data is a further issue. Factors such as i) the location of data storage; ii) the location of data processing and sharing; and iii) the recipient of the information are integral in determining which jurisdiction's laws the data is subject to.

In the upcoming portions of this article, we shall address i) the privacy aspects of wearable technologies vis-a-vis data protection and existing laws in India; and ii) issues with respect to assigning liability in the case of defaults.

CHALLENGES ARISING FROM WEARABLE DEVICES

When you purchase a wearable device you enter a great deal of personal information into it, and whether the stored data is protected becomes an issue, as does whether that data is controlled by the manufacturer of the device or by the service provider. These questions are crucial in determining the risks to the right to privacy of individuals who store their data in such devices.

LAWS AND REGULATIONS

  1. Constitution of India - In K.S. Puttaswamy v. Union of India, the Supreme Court held that the right to privacy is a fundamental right protected under Articles 14, 19 and 21 of the Constitution of India. The Court observed that users of wearable devices and social media networks may not conceive of themselves as having volunteered data, but their activities of use and engagement result in the generation of vast amounts of data about individual lifestyles, choices and preferences, and that data such as medical information is a category to which a reasonable expectation of privacy attaches. The Court thus treats an individual's medical information as deserving protection, and an individual can reasonably expect that right to privacy to be upheld against violation by anyone.
  2. Personal Data Protection Bill - The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on 11 December 2019 and referred to a Joint Parliamentary Committee on the same day. Its main purpose is to address data privacy in the digital world. It applies in India and also outside India to foreign companies that process the personal data of individuals in India. The Bill enumerated the rights of an individual and the grounds for processing personal data, defined the steps a data protection authority would take to handle data protection issues, prescribed penalties for violations, and defined social media intermediaries. It also requires that data collected by a device be collected with consent and be processed fairly and reasonably, with transparency towards the customer.
  3. Digital Information Security in Healthcare Act (DISHA) - The Ministry of Health and Family Welfare released the draft Digital Information Security in Healthcare Act, 2018, known as DISHA. This legislation would cover the rights of data owners and restrict the collection and processing of health data. It would also establish digital health authorities, consisting of a National Authority and various State authorities. It is aimed principally at data collected at medical institutions on a consensual basis, but it also deals with the other ways in which medical data gets generated.
  4. Information Technology Act 2000 - The Information Technology Act, 2000 is the main legislation regulating data protection in India. It was the first legislation to address these issues and, in regard to privacy, it established a notice-and-consent model. It also prescribes penalties for offences relating to breaches of data privacy. Under the Act, it is the Central Government that decides what types of data count as sensitive personal data. In addition, the Government issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Section 87 of the IT Act, which lay down measures for data collectors as well as data processors. These rules play a major role because they bring medical records and history, physical, physiological and mental health conditions, and biometric information within the definition of sensitive personal data or information. The data collected by fitness trackers therefore falls within the scope of these rules.
  5. Electronic Health Record Standards 2016 - The Electronic Health Record Standards, 2016 are advisory and not enforceable by law, but many companies adopt them in their customer data protection policies. On the recommendations of these standards, they also apply to fitness trackers, which are recognised as self-care health devices. The standards follow a consent model under which a patient's consent is needed before his or her medical information can be disclosed to a third party. They also include recommendations on ownership of medical data and on data security standards, and prescribe adherence to ISO standards.

ASSESSING THE INDIAN LEGAL SCENARIO

The data exchanged between wearable devices and their users is ultimately nothing but information in electronic form, and can be considered an electronic record under the Information Technology Act, 2000. Further, because these devices collect data and provide a service in respect of that data, the devices (or rather the entities operating them) may be treated as ‘intermediaries’ under the IT Act (see Section 79). The Intermediary Guidelines, along with the cyber-law compliance envisaged under the IT Act and the rules and regulations made under it, would then apply to wearable devices and technology.

In the Indian context, with regard to the data stored and analysed by a wearable device, there are a few landmark judgments that uphold the individual's right to privacy, Puttaswamy and Puttaswamy II among others. However, there is no data protection legislation that would uphold users' rights as new technological initiatives and schemes are introduced; the Personal Data Protection Bill, 2019 is the first step in this direction. The need for such legislation is pressing because of the several concerns and controversies around the collection of personal data by the government (for instance the Aadhaar controversy, the collection of data under the National Digital Health Mission, the deployment of facial recognition technologies by law enforcement agencies, the Aarogya Setu application and the draft DISHA). A similar situation has been observed in the activities of private entities, and in the absence of adequate legislation they escape scrutiny for defaults and attract no punishment.

Given this, the privacy of an individual using wearable technology becomes essential because of the amount of information such devices take in and the potential for harm if it is breached. Companies will have to adopt focused strategies and policies for wearable devices: although there is a lacuna in the law, judicial precedent does not leave an individual or entity completely without recourse. Another pertinent point is that it is not only the privacy of the wearable device itself that needs to be considered; its interoperability with the associated mobile and computer applications also needs to be examined, since these devices are connected to such apps and share data with them. It should also be noted that wearable technology can be used for surveillance and monitoring by both state and non-state actors.

ASSESSING THE POSITION OF WEARABLE DEVICES UNDER THE GDPR

It is also instructive to see how wearable technology and devices are treated under the European Union's General Data Protection Regulation (‘GDPR’), as this gives a fair idea of how cross-border use of data by companies handling wearable technology should look. Whether the manufacturers and service providers behind wearable devices act as ‘data controllers’ or ‘data processors’ is likely to raise new questions. Privacy by design (‘PbD’) is a primary requirement of GDPR compliance (Article 25), so wearable devices will have to be built to adhere to it. Health data collected by such devices is also ‘data concerning health’, a special category of personal data under Article 9 of the GDPR, which may be processed only on one of the grounds listed there, such as the data subject's explicit consent. The processing of personal data under the GDPR would therefore have to be specifically addressed, and the handling of personal data and its sharing with third parties would need to be reviewed in light of the GDPR.

Further, since the ‘right to be forgotten’ (erasure) and the right not to be subject to automated profiling are data subject rights under the GDPR, consent will be required before personal data is processed to analyse behaviour, preferences, health and medical conditions or to predict work performance, fatigue and the like. Consent obtained through fine print will not do; specific, informed and clearly communicated consent is the message coming loud and clear from the GDPR.

WHAT IS THE WAY FORWARD?

In light of the above, it will be interesting to analyse the liability landscape for wearable technology providers and service providers from the Indian perspective. In the absence of national or international norms specific to wearable technology, it can be suggested that wearable technology and service providers should: maintain reasonable security practices and procedures to protect the user's sensitive personal data and personal information; take adequate measures to protect the user's privacy and safety; not infringe intellectual property rights; exercise care, caution and due diligence in discharging their obligations under the law; and be duty bound to disable access to illegal content. The responsibilities to be borne by wearable technology and service providers in such a scenario will have to be specifically addressed as time passes.