Indian Privacy Law: What HealthTech Companies Should Know

DarshanTalks Podcast - A podcast by Darshan Kulkarni

Darshan: Everyone's been recently talking about GDPR. People have been talking about CCPA. Those are the people in the know, right? Everyone's talked a lot about HIPAA, but if you are a health tech company that is working at a global level, what you really need to recognize, and what you really need to understand, is that this is going to be complicated. That you are subject to laws and privacy considerations that you haven't even thought of. The most recent one of these is the proposed Indian Data Protection Bill.

Narrator: This is the DarshanTalks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @darshantalks or the show's website at darshantalks.com.

Darshan: So in 2017 the Supreme Court of India ruled that privacy is a constitutional right of an Indian citizen. Great. That sounds great. This data protection bill intends to protect and safeguard citizens' privacy rights, and they intend to do that by controlling the collection, security, storage, sale and exploitation of this data. What this bill goes out and does, and this is kind of interesting to me, is they now try to make these digital companies data fiduciaries instead of mere data collectors. And that means that they're responsible for obtaining user permission, and therefore, they need to get the permission for initial collection, and for subsequent processing of that user data.

Darshan: It goes out, and unlike GDPR, even CCPA, I believe, they go out and propose the data provider is the owner of their own data, but, and this is kind of interesting, the data provider, which in this case is the individual, has the right to access this locally stored data. And that's kind of interesting to me. This kind of changes the cost-benefit analysis for a lot of digital companies: obviously you lose money in the provision of free services, but theoretically you could earn the money from the sale and exploitation of the actual personal data itself.
Darshan: So that takes us to the next piece, right? And the next piece is what is consent and what do you need consent for? So what you need under this new proposed law is you need to get explicit consent from the user, and it must be obtained at each stage of subsequent data processing. So think about collection, and then when again, you need collection. So companies often collect the personal data, and then you'll often be modifying that and using that, updating that to create new information that may not belong to the original user. So do you have to go back to the user each time and go, well, what does it mean now?

Darshan: The next thing is not just the processing of the consent, but the data classes. And this is kind of interesting as well. Under this new proposed law, they create three categories of information. The first is the general category. They don't really define it, and there are no limitations on where the data must be either processed or stored. Then there's sensitive data. Sensitive data refers to financial data, health data, sexual orientation, genetics, transgender status, caste, and religious belief. The data must be stored in servers in India, but it can be processed out of India. So you can do the processing outside, bring it back in.

Darshan: So if you are a health tech company, this becomes extremely important for you. If you are a pharmaceutical company that's doing research, that becomes extremely important for you. Where is your data going to be stored? The data has to be stored in India. And then there's critical data, that typically refers to things like military or national security data, and it must be stored in servers in India and cannot be taken out of India.

Darshan: So how is this different from HIPAA?