The United States entered the era of decriminalised abortion with Roe v. Wade (1973), in which the Supreme Court struck down a state law criminalising abortion as unconstitutional. This landmark judgment not only reshaped the reproductive rights of women but also heightened concerns around the privacy of women’s sensitive data.
In January 2021, the Federal Trade Commission (FTC) announced a settlement with a popular period tracker app (“the App”) over its sharing of users’ health data with third-party marketing and analytics services such as Google and Facebook. Under the settlement, the App had to notify affected users that their health data had been disclosed, obtain an independent review of its privacy practices, and obtain users’ affirmative consent before sharing any health information. Following the case, the App revised its privacy policy and now also offers an ‘Anonymous Mode’, which lets users keep a log of their health data without having to share personally identifiable data even with the App itself.
In 2022, in Dobbs v. Jackson Women’s Health Organization, the Supreme Court overturned Roe v. Wade, holding that the US Constitution confers no right to abortion and returning the regulation of abortion to the individual states.
This:
i. Impacted availability of abortion services in the U.S.
ii. Led to a sharp rise in the use of fertility-related technologies, such as period-tracking apps.
iii. Raised several concerns over the data collection practices of the various apps used to track reproductive health, menstrual cycles and fertility. The sensitivity of this data is underlined by the prospect of it being weaponised against women amid abortion restrictions in the States.
In the changing climate around the time Roe v. Wade was overturned, a Nebraska mother and daughter faced charges over an illegal abortion. Police had obtained, through a search warrant, private Facebook messages between the two which the authorities alleged showed evidence of an illegal self-managed medication abortion. Earlier, a woman from Indiana had become the first person in the US to be charged with and convicted of feticide for ending her own pregnancy (a conviction later overturned on appeal); the evidence included text messages exchanged with a friend in which she discussed her plans to take abortion-inducing pills.
The popularity of period apps has grown significantly over the past decade, with an estimated 55 million users globally in 2022. Flo, Clue, Period Calendar, and Stardust are among the leading period apps, and new ones are introduced to the market each year.
The reasons for their popularity are manifold. Among other things, the apps let users:
1. Track menstrual cycles;
2. Track fertility to plan conception;
3. Track moods, energy levels, sexual activity, sex drive, insomnia, flow, spotting, and other symptoms, before, during, and after menstruation;
4. Remind users to change pads/tampons;
5. Discuss menstruation with others who use the app in a discussion forum;
6. Reach out to medical practitioners to ask questions.
The privacy apprehensions around these apps are well founded given the type of sensitive data they collect, which includes:
1. Menstrual cycles data;
2. Fertility and ovulation data;
3. Pregnancy;
4. Sex life;
5. Location;
6. Moods;
7. Health records and underlying medical conditions.
A study by ORCHA examined 25 apps and found that:
1. Only one app stored data solely on the user’s own device; the rest transmitted it to the developer;
2. 84 per cent of the apps shared sensitive personal data with third parties beyond the developer’s own systems;
3. 68 per cent did so for marketing;
4. 40 per cent for research; and
5. 40 per cent to improve the developer’s own services or the app itself.
Given the volume and sensitivity of data collected by the period tracking apps, they become hoarders of extremely sensitive and intimate details of their users, posing the following risks:
1. A potential data breach or leak can compromise highly sensitive data of users.
2. Monitoring of users’ behaviour, preferences and health habits without their knowledge or consent.
3. Disclosure of such data to law enforcement agencies under ‘legal obligations’ – Imagine a public authority initiating prosecution against you based on health records that show a possible abortion!
4. Sharing personal data with third parties such as advertisers and insurers – for example, an insurance company using the app’s output or diagnosis to decide whether to offer health insurance.
5. Other privacy concerns, including non-compliance with applicable personal data collection and processing requirements.
It must be noted that the data collected by these apps, being extremely private and sensitive, needs special protection under the law.
The United States
In the US, health data is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA governs how covered entities, such as healthcare providers and insurers, and their business associates handle Protected Health Information (PHI). However, most period-tracking apps fall outside HIPAA’s purview because they are neither covered entities nor business associates of one; the health data they hold is therefore not PHI in the legal sense.
The US Food and Drug Administration (FDA) does not regulate general wellness apps such as menstrual trackers as medical devices unless they perform a diagnostic function. For example, an app intended to assist women in choosing a levonorgestrel-releasing intrauterine system could be classified as a medical device: it uses an artificial-intelligence-based bleeding pattern prediction algorithm to estimate a woman’s future bleeding pattern in terms of intensity and regularity. In contrast, an app that only provides tracking, without any such additional feature, would not qualify as a medical device.
United Kingdom
In 2023, the UK’s Information Commissioner’s Office (ICO) reviewed period and fertility apps and conducted a poll on data privacy concerns around their use. The poll results showed that around 54 per cent of people who use the apps believed they had noticed an increase in baby- or fertility-related adverts since signing up, with 17 per cent describing this as distressing.
In the UK, the UK General Data Protection Regulation (UK GDPR), read with the Data Protection Act 2018, provides a robust framework for data protection, including specific provisions for special category data such as health information.
The European Union
1. GDPR Framework – Classifies health data and data concerning a person’s sex life as special category data under Article 9. Processing such data is prohibited unless one of the Article 9(2) exceptions applies, the most relevant for these apps being the user’s explicit consent.
2. EU AI Act – AI systems embedded in period-tracking apps could fall into the high-risk category where they meet the Act’s criteria, for instance as a safety component of a product regulated as a medical device; the sensitivity of the data alone does not determine the classification.
3. As in the US, the EU Medical Devices Regulation (MDR) does not treat general wellness apps such as menstrual trackers as medical devices unless they have a medical purpose such as diagnosis. Note, however, that the MDR’s definition of a medical device expressly includes software intended for the control or support of conception, so a fertility app marketed for contraception may fall within it.
India
India has come a long way in promoting menstrual hygiene across cities with various government schemes such as Rashtriya Kishor Swasthya Karyakram, Scheme for Promotion of Menstrual Hygiene, and Jan Aushadhi Suvidha Sanitary Napkin.
However, there is little acknowledgement that women’s menstrual data needs protection in the current era of data privacy.
By virtue of the functions performed by period tracking apps and the sensitive health data they collect, there is a strong case for classifying them as medical devices. Medical devices in India are governed under the Drugs and Cosmetics Act, 1940 and the Medical Devices Rules, 2017. A medical device includes software intended by its manufacturer to be used specially for human beings which, among other purposes, may assist with:
(i) diagnosis, prevention, monitoring, treatment or alleviation of any disease or disorder, or
(ii) control of conception.
In India, the Central Drugs Standard Control Organisation (CDSCO), under the Directorate General of Health Services, is the national regulatory authority for medical devices and diagnostics. It must be noted that there are currently no privacy rules or regulations specific to digital medical devices or software.
In the absence of a dedicated regulatory mechanism, period tracking apps would be governed by the following laws:
1. The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) – Despite the absence of a special regulatory mechanism for period tracking apps, the IT Act and the SPDI Rules lay down a baseline framework for protecting sensitive personal data, which under the Rules expressly includes physical, physiological and mental health conditions, sexual orientation and medical records.
2. The Digital Personal Data Protection Act, 2023 (DPDP Act) – The DPDP Act holistically covers organisations and institutions collecting personal data in digital form and places obligations on them to ensure data privacy throughout the data lifecycle. Additionally, the DPDP Act provides for designating certain data fiduciaries as Significant Data Fiduciaries based on the sensitivity and volume of the data they process, and prescribes hefty penalties for non-compliance.
3. The Ministry of Health and Family Welfare has also suggested establishing a National Digital Health Authority, which would be responsible for developing India’s integrated Health Information System. The government has also developed a strategy document under the National Digital Health Mission for ‘Making India a Digital Health Nation enabling digital healthcare for all.’ Period tracking apps would, in addition, be subject to any such sectoral health laws.
The following measures are recommended:
1. Categorising period tracking apps on the basis of the sensitivity of the data they process and the potential risks and harms involved.
2. Classifying period tracking apps as medical devices, subjecting them to stringent safety standards and regulatory oversight similar to other medical devices. Such measures would enhance user safety and accountability among developers.
3. Enhancing transparency in privacy policies, which is essential for users’ understanding. Policies should be simplified and made more accessible, clearly outlining data-sharing practices and user rights in accordance with the applicable data protection laws.
4. Creating dedicated regulatory bodies focused on FemTech privacy to oversee compliance and protect user rights effectively. These bodies could work towards standardising practices across jurisdictions and ensuring that user data is handled responsibly.
These recommendations seek to strengthen the protection of women's health information and encourage user empowerment and well-informed decision-making.
About the authors: Vikrant Rana is the Managing Partner of SS Rana & Co. Anuradha Gandhi is a Managing Associate and Rachita Thakur is an Associate at the firm.
Shambhavi Pandey, Intern at SS Rana & Co. has assisted in the research of this article.
If you would like your Deals, Columns, Press Releases to be published on Bar & Bench, please fill in the form available here.