Anirudh Sen, Country Lead, India, Asia Pacific Medical Technology Association (APACMed), highlights the medical technology industry’s perspective on the Personal Data Protection (PDP) Bill and suggests that all stakeholders need to deliberate collectively on the best way to handle personal health data in a world of targeted and aggressive breaches while reassuring the beliefs of the industry.
In an era where ‘Right to Privacy’ is a fundamental right and it is imperative to protect personal data as an essential facet of “Informational Privacy”, the Personal Data Protection (PDP) Bill, 2019, is India’s first and most significant attempt to domestically legislate on the issues of data protection.
Globally, over 132 out of 194 countries (which is 66 per cent of the globe) have put in place legislation to secure the protection of data and privacy. Asia shows a similar level of adoption, with 55 per cent of countries having adopted such legislation, of which 23 are least developed countries.
The India PDP Bill explicitly advocates protection of the autonomy of individuals concerning their personal data, and it upholds the enforcement of “Data Sovereignty” in the country. The medical technology industry, which plays a vital role in the entire healthcare value chain, commends the government’s initiative in this regard in the form of legislative action and is keen to contribute towards making this the best piece of legislation.
The PDP Bill was eagerly awaited as it will bring about a new dawn for privacy in India that empowers the citizens of the country. The Bill consists of six Rights offered to the general populace, ranging from the Right to Correction or Deletion (with certain exceptions) to the Right to be Forgotten, along with segregation of “data” into three broad subheads (constituting the Personal Data, the Critical Personal Data and the Sensitive Personal Data).
Data localisation, another attribute provided by the Bill, will help not only government and policy makers but also law-enforcement agencies access data for investigations and enforcement, as the private sector has access to enormous data sets which would be immensely useful even if the personal details of individuals are anonymised.
In healthcare, unified data on patients can help identify patterns and analyse trends at regional, national, or disease-specific levels in a population which would be immensely beneficial to the government and the healthcare sector, MedTech being no exception. Industry can leverage the data for developing products, procedures and systems for better diagnosis and treatment, while the government can use it for developing health policies and programmes for specific demographics and also make them better prepared to respond to healthcare emergencies.
Such datasets would also be key to developing the next generation of artificial intelligence for the healthcare industry and will be a necessary raw material for public-funded research institutes working in this area. Also, much of the cross-border data transfer is now governed by individual bilateral “mutual legal assistance treaties” which in a way will greatly prevent data thefts.
The healthcare sector is an important stakeholder, as it is an industry that people mostly trust with their personal data. With PDP setting out stringent policies for collecting, processing, and securing personal data, it makes the industry’s compliance levels far greater. This also presents an opportunity for healthcare organisations (HCOs) to ramp up their systems, policies, and overall IT infrastructure. For individuals, it puts the ownership of their data in their hands and also ensures the right to data portability, all of which would eventually take our country’s overall healthcare system to a new dawn of digitalisation. There is, therefore, a strong rationale to discuss the impact of the PDP Bill in healthcare.
Like any other legislative change, especially one of this scale, once PDP becomes an Act, implementation of the framework would pose its own challenges, which are in a way anticipated. Some of the challenges that HCOs should be cognizant of would be a rise in operational costs as well as an increase in the prices of foreign cloud computing services as a result of a domino effect.
Also, predictions have been made that a few young start-ups in India might face challenges relating to storage and processing of sensitive data, although many indigenous technology companies, which store most of their data exclusively in India, support localisation. For example, PayTM has consistently supported localisation (without mirroring), and Reliance Jio has strongly argued that data regulation for privacy and security will have little teeth without localisation, calling upon other global regimes.
It is thus also important to study the various global privacy regimes, such as that of the EU with the successful implementation of GDPR (with which the PDP Bill bears many similarities), and align the provisions relating to cross-border flow of data while addressing the Indian environment, culture, and sovereignty of the country. There is a need to look at how GDPR defines several roles that are responsible for ensuring compliance (Data Controller, Data Processor, and Data Protection Officer) and how it holds processors liable for breaches or non-compliance.
Also, while accepting the fact that compliance will cause some concerns and new expectations of security teams, the GDPR takes a wide view of what constitutes personal identification information. It also leaves much to interpretation, saying that companies must provide a “reasonable” level of protection for personal data but not defining what constitutes “reasonable.” This gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance. Alongside this, it has also been found that businesses are developing a compliance culture over time and increasingly use strong data protection as a competitive advantage, so such learnings can be taken from various global regimes and selectively incorporated to make this Bill holistic.
Hence, considering the enormity of the task and the impact the Bill would have on healthcare, and the medical technology sector specifically, it is imperative that industry collaborates and partners with the government to help shape the various contours of the Bill through joint consultations, recommendations and by providing insights on some practical, on-ground realities that may have long-term ramifications.
Even in the face of the most unprecedented global pandemic, much has been said about this Bill, which undoubtedly presents a great opportunity for India to turn privacy to its competitive advantage and make it an enabler of digital disruption. The Act would be a landmark legislation that would revolutionise the Indian industry, as it brings India into the same league as other progressive countries such as the US, Canada, and the UK that expressly guarantee privacy as a fundamental right. APACMed thus applauds the action of the government, and the way the Bill was developed and tabled in the lower house of the Parliament in record time. However, the question remains: what would be the best way to handle data in the world of targeted and aggressive breaches while reassuring the beliefs of the industry? In such a scenario, stakeholders like government bodies and industry associations (like APACMed for medical devices) need to come together and have due deliberation to suggest the best workable plan forward, ensuring that the PDP Act becomes all-encompassing in the true sense.