
Indian Privacy Law: What HealthTech Companies Should Know


Indian privacy law has many nuances that health technology companies should stay informed about. How does GDPR relate to HIPAA? What new regulations could change the way you do business? What if they criminalize your current practices? Join regulatory attorney Darshan Kulkarni as he discusses how privacy laws apply to health technology companies.

Darshan: Everyone's been recently talking about GDPR. People have been talking about CCPA. Those are the people in the know, right? Everyone's talked a lot about HIPAA, but if you are a health tech company that is working at a global level, what you really need to recognize, and what you really need to understand, is that this is going to be complicated. That you are subject to laws and privacy considerations that you haven't even thought of. The most recent one of these is the proposed Indian Data Protection Bill.

Narrator: This is the DarshanTalks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @darshawntalks or the show's website at

Darshan: So in 2017 the Supreme Court of India ruled that privacy is a constitutional right of an Indian citizen. Great. That sounds great. This data protection bill intends to protect and safeguard citizens' privacy rights, and they intend to do that by controlling the collection, security, storage, sale and exploitation of this data. What this bill goes out and does, and this is kind of interesting to me, is they now try to make these digital companies data fiduciaries instead of mere data collectors. And that means that they're responsible for obtaining user permission, and therefore they need to get the permission for initial collection, and for subsequent processing of that user data.

Darshan: It goes out, and unlike GDPR, even CCPA, I believe, they go out and propose that the data provider is the owner of their own data, but, and this is kind of interesting, the data provider, which in this case is the individual, has the right to access this locally stored data. And that's kind of interesting to me. This kind of changes the cost-benefit analysis for a lot of digital companies, where obviously you lose money in the provision of free services, but theoretically you could earn the money from the sale and exploitation of the actual personal data itself.

Darshan: So that takes us to the next piece, right? And the next piece is what is consent and what do you need consent for? So what you need under this new proposed law is to get explicit consent from the user, and it must be obtained at each stage of subsequent data processing. So think about collection, and then, when again, you need collection. So companies often collect the personal data, and then you'll often be modifying that and using that, updating that to create new information that may not belong to the original user. So do you have to go back to the user each time and go, well, what does it mean now?

Darshan: The next thing is not just the processing of the consent, but the data classes. And this is kind of interesting as well. Under this new proposed law, they create three categories of information. The first is the general category. They don't really define it, and there are no limitations on where the data must be either processed or stored. Then there's sensitive data. Sensitive data refers to financial data, health data, sexual orientation, genetics, transgender status, caste, and religious belief. That data must be stored on servers in India, but it can be processed out of India. So you can do the processing outside, bring it back in.

Darshan: So if you are a health tech company, this becomes extremely important for you. If you are a pharmaceutical company that's doing research, that becomes extremely important for you. Where is your data going to be stored? The data has to be stored in India. And then there's critical data, which typically refers to things like military or national security data, and it must be stored on servers in India and cannot be taken out of India.

Darshan: So how is this different from HIPAA? It's more comprehensive, and it includes health. So that's why it's sort of different. So HIPAA obviously includes health, but it's not as comprehensive as this law.

Darshan: So okay, this is fine. This is great. This is good for patients, good for consumers. Why should I care? Are there penalties? Maybe I'll just ignore it. So the penalties could reach $700,000, or 2% of global revenues, whichever is higher, and for major violations such as data shared without consent, the penalties would double. So that's actually based on a multinational company's global income, and that becomes hugely problematic. So, okay, so there are penalties, but I'm already following GDPR. Does that mean I'm okay then?

Darshan: So there are some differences between GDPR and this proposed law. The first difference is that the data generated by the citizens is basically considered to be a type of national asset. So it must be stored and guarded within national boundaries. Interestingly enough, India reserves the right to use that data to safeguard its defense and strategic interests. So what that means is you as a company may be deemed to hold data that you intend to commercialize, but that the country can get on its own by saying it's in our strategic interest, and they can just get that from you. So that might destroy a lot of companies that make their business out of selling to governments.

Darshan: Per the new law, the new bill, the government can ask any company to give it anonymized personal or non-personal data for policy formation or better delivery of services. Like I said, this becomes hugely problematic if your business model was selling to governments. Obviously, this also requires that you store sensitive data within the subcontinent itself.

Darshan: And the last thing, and I find this extremely different from everyone else, is they criminalize illegitimate re-identification of user data. So if you have a situation where someone's data has been de-identified, and you go back and re-identify them for marketing reasons, or for non-marketing reasons, you could be subject to criminal penalties, and that is extremely unusual. So stay tuned. We're expecting pushback. This is not a law yet, but this is developing and this is the initial salvo that people might be looking at. This could change the world the way we see it right now, especially for clinical trials, especially for health tech, especially for medical device companies. Stay tuned, listen in.

Narrator: This is the DarshanTalks Podcast, regulatory guy, irregular podcast with host Darshan Kulkarni. You can find the show on Twitter @darshawntalks or the show's website at
