Healthcare and Data Privacy Law

Overview

Spice Route Legal’s Data Protection and Healthcare & Life Sciences practice is positioned as Tier 1 in India. As a leading global, industry-focused data privacy law firm, we routinely operate at the intersection of healthcare and technology, developing unparalleled expertise in understanding the potential of the healthtech sector along with the challenges that plague the industry. As a result, we are routinely sought after by domestic and international businesses for expert counsel.

Our team comprises highly experienced and seasoned experts who understand the complexity of data privacy in the healthcare industry. We frequently advise both global and domestic healthcare, life sciences, and pharmaceutical behemoths, as well as innovative startups. From navigating regulatory challenges to licensing and intellectual property, our team has done it all! Liaising with global law firms, we have assisted global giants with cross-border health data transfers, genome data for vaccine development, and localising sensitive health data of Indian citizens. We have been recognised as one of the best data privacy law firms in the country by reputable legal directories. Additionally, we have aided numerous health-tech startups in fundraising and structuring their data storage and sharing arrangements in line with the compliance requirements.

Legal Framework of Data Protection Law and Healthcare in India


The healthcare industry is experiencing a notable convergence of technology and data, resulting in a widespread connection to data privacy laws. Currently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, issued under the Information Technology Act, 2000 (“SPDI Rules”), operate as the legal framework for data protection, by extension governing the collection and protection of sensitive health data collected by the healthcare industry. Additionally, the Indian Computer Emergency Response Team (“CERT-In”), established under the Act, has issued specific directions (“CERT-In Directions”) concerning best security practices, procedures, prevention, response, and reporting of cyber incidents.

India's legislative landscape surrounding data protection underwent a significant change in 2023 with the introduction of the Digital Personal Data Protection Act, 2023 (“the Act”). The legislation is expected to be enforced in 2024 once the government notifies the Digital Personal Data Protection Act Rules, which will include the procedural part of the law. The Act imposes stringent obligations on entities involved in the processing of personal data.

The enactment of the Act, as separate legislation to govern data and data processing, is aimed at bringing India on par with Western countries and implementing robust data protection practices. The healthcare industry is no exception, as it handles the most sensitive data. The legislation applies to both data acquired digitally and physical data that is eventually digitised. The Act defines "personal data" expansively to encompass any information identifying an individual, the data principal. It mandates data fiduciaries, who determine the purpose and means of processing personal data, to either obtain explicit consent from the data principals or process data only for certain legitimate purposes outlined in the legislation. Therefore, in the healthcare industry, the data principal will be the patient and the data fiduciary will be the entity that determines the purpose and means of processing the patient data. A “data processor,” who processes data on behalf of the data fiduciary, on the other hand is not directly obligated by the Act.

The obtained consent must be freely given, informed, and unambiguous. Moreover, businesses are required to provide transparent notices detailing the purpose of data collection and processing, along with the grievance redressal mechanisms. The data privacy law firms in India predict that the processing of patient data by the healthcare industry is likely to fall under the specific legitimate purposes outlined in the legislation. In addition to the outlined obligations, selected sectors or companies will be notified as the “Significant Data Fiduciary,” who will adhere to more stringent obligations. Notably, existing laws such as the SPDI Rules already impose rigorous compliance obligations.

Whether businesses in the healthcare industry will be defined as significant data fiduciaries is yet to be determined during the enforcement phase. Businesses in the healthcare industry must audit and determine their role in data sharing and processing arrangements with the assistance of data privacy law firms, to avoid the substantial penalties imposed by the Act in case of a breach.

Navigating the Intersection of Health and Technology: Our Expertise in Data Privacy Law

Cross-Border Data Sharing Requirements

With the rapidly increasing global interest in the Indian healthcare industry, we have assisted global players in navigating the complexities of cross-border data transfers, aligning with both global and local practices.

Data Localisation Requirements

As a leading data privacy law firm, we have assisted several health-tech companies with structuring their products in line with data localisation requirements.

Structuring Data Processing Agreements & Terms and Conditions

Our data team is adept at helping clients structure their data processing arrangements and draft terms and conditions for users that comply with regulatory requirements.

Data Breach Disclosure Requirements (CERT-In)

We have assisted several companies in fulfilling disclosure requirements in cases of data breaches and ransomware attacks, closely working with the nodal agency to provide required information and cooperate with any investigations.

DPO as a Service (Data Protection Officer)

Several multinational health-tech giants have appointed us as their Data Protection Officer.

Our Work Highlights

Advised an AI/ML-powered telesurgery solutions provider on the classification of its product as 'software as a medical device' under Indian data protection laws.

Advised a subsidiary of an Indian conglomerate on the export of genome data processed in connection with clinical trials and R&D initiatives.

Advised an American multinational health-tech company on data protection regulatory issues.

Assisted a prominent health-tech company in identifying and implementing global data compliance measures across various countries.

Assisted a leading AI-powered health-tech company with a global data review, including an analysis of US health and data regulations.

Assisted an American health-focused non-profit with data collection practices related to its AI-enabled disease identification algorithm.

Advised an American healthcare solutions player on data transfer in alignment with Indian regulations.

Assisted a global pharmaceutical company with a transfer impact assessment on cross-border data transfers from the EU to India.

Acted as an outsourced Data Protection Officer for an American manufacturer of biomedical equipment for their India operations.

Recognised by: Asia Pacific Legal 500 | Indian Business Law Journal | asialaw 2023-24

Key Contacts

Mathew Chacko
Praveen Raju
Renuka Abraham
Aadya Misra