In the last #PrivacyofthePeople post we looked at whether there are any safeguards to protect a person from random phone checking by the Police. In this post, we look at how the information collected by period tracking applications may be misused and to what extent the Data Protection Bill, 2021 will address any of these issues.
Why should you care?
Are you a menstruating person who uses a period tracking application? Period tracking applications collect a variety of data from their users. However, in the absence of a data protection law to protect their interests, users are completely at the mercy of these applications when it comes to ensuring that their data is processed ethically.
If you get periods, you might be familiar with the constant headache of remembering when your last period was in order to calculate when your next period will be so that you can avoid any surprises. However, this can still sometimes result in surprises or mishaps because you might end up miscalculating or forgetting completely. Like most technological innovations which aim to fill a gap, period tracking applications such as Clue, Flo, and My Calendar among others aim to reduce this burden of remembering your last period date and calculating your next, by allowing you to input various categories of your period information into their systems. These period tracking applications then use algorithms to predict when your next cycle will be and some of them also allow you to track data categories related to getting pregnant and ongoing pregnancies. According to a report by Consumer Reports on period tracking applications, around 50 million women worldwide use these applications.
These applications collect a lot of personal data about their users, such as how heavy their flow is, which type of pain they are experiencing, their emotional state, how much they have slept, their sex drive, their energy levels, their food cravings, how their hair and skin are, what their mental state is, details about their stool, weight and temperature, how much they exercise, as well as what kind of birth control they are on. This is not an exhaustive list; different applications may also collect other types of data.
What happens if your period data is misused?
In 2019, Privacy International published a study showing that certain period tracking applications were sharing the data they collected with Facebook (as a result of Privacy International's research and advocacy on six popular menstruation apps, four of them made changes to their data sharing practices or launched internal investigations). In another study, Privacy International asked 5 period tracking applications to share the data held about them, in order to assess the applications' compliance with GDPR norms, including the right of access, and to understand how the data was being processed and shared. They found that only 2 applications responded to the requests for access to the data, and even then the data was in some cases being shared with third parties.
However, it is important to note here that India does not yet have a data protection law. In the absence of personal data protection laws, it is probable that your data might be misused in various ways. One of these is the sale of the data to third parties such as advertisers, who would then target you with specific advertisements based on the data they have accessed about you. For example, someone who has recorded in the application that they have commenced a pregnancy might be targeted with advertisements for baby products. According to a report by the Financial Times, the more intimate the information, the higher its value: information that a woman is expecting a baby and is in her second trimester of pregnancy is worth about 220 times more than the average person's data. Other frequent buyers of medical data are insurance companies. Data related to any period related medical condition, such as Polycystic ovary syndrome (PCOS) or any pregnancy complication, that a person has shared with the application could potentially end up affecting their ability to obtain insurance, how much they pay for coverage, or the rate of interest on a loan.
You may also have come across the recent abortion debate in the United States, which led some privacy experts to urge people to uninstall their period tracking applications, since the data they hold may affect abortion access.
Should users in India also be worried about whether their use of period tracking applications would affect their ability to access abortions? The short answer is no. India does not have the same level of pro-choice v. pro-life debate as the United States. Access to abortion in India is governed by the Medical Termination of Pregnancy Act, 1971, which allows for termination of pregnancy up to twenty weeks under prescribed conditions and circumstances. While the Act has its own issues, such as only allowing termination of pregnancy up to 20 weeks and being biased against "unmarried" women, the situation in India is relatively better than the ongoing debate in the United States, where abortion in many US states could end up being banned if Roe v. Wade is overturned by the United States Supreme Court.
Will the DPB, 2021 protect your period data?
Under Clause 3(21) of the DPB, 2021, ‘health data’ is the ‘data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services’. Further, under Clause 3(36) of DPB, 2021, ‘sensitive personal data’ refers to personal data that may reveal, be related to, or constitute health data, among others. All data collected by period tracking applications falls squarely within these definitions.
Under Clause 11 of the DPB, 2021, valid consent of the data principal is necessary in order for any data processor to process personal data. Therefore, if the DPB, 2021 is enacted in its present form, it will act as a safeguard against these period tracking applications processing or sharing their users' data without consent. However, the Bill fails to adequately safeguard data of any sort in the case of data breaches. Clause 25, which deals with the breach of personal data, states that in cases where a data breach may cause harm to the data principal, the data fiduciary must inform the Data Protection Authority. However, the clause does not require the data fiduciary to inform the data principal (in this case, the users whose health data has been exposed). It is instead left to the Authority to decide:
- whether the data fiduciary must inform the data principal,
- the remedial action the data fiduciary must undertake, and
- the details of the data breach that can be made public.
Moreover, no penalties are imposed on data fiduciaries in the event of a data breach.
Further, the DPB, 2021 has retained Clause 18(2) of the 2019 Bill, which allows data fiduciaries to reject requests for correction, completion, updation or erasure of personal data if they disagree with such requests (on the basis that the data is still necessary for the purpose for which it was processed).
To remedy some of the aforementioned issues, here are our recommendations:
- Strengthen the security framework: Companies must provide users with an explanation of the security practices and safeguards that their data will be subject to. Additionally, in case of a breach or hack, users must be informed about the incident and given details of the extent to which their data has been affected.
- User rights should not be curtailed: Data fiduciaries should not be given the power to reject the requests of users unilaterally.