Does Personal Data Protection Bill Protect Women's Intimate Data Shared By Menstruation Apps?

India is deliberating on its first-ever law that promises data protection, privacy, and digital empowerment to its citizens.

The Personal Data Protection Bill, 2019 (PDP) lays down provisions for combating the misuse of personal data in the country and makes it mandatory for the firms dealing with user data to ensure like data protection, storage and management. However, speculation is being raised about women's privacy which is under threat from menstruation apps.

It is alleged that the menstruation apps that collect information about women's health, sexual life, mood, etc. to tell them the most fertile day of the month during their next period are sharing users' data with social media giants like Facebook.

New research from UK-based advocacy group Privacy International has revealed that some period-tracking apps like MIA Fem and Maya were sharing sensitive data with Facebook. The apps shared information such as when the user logged contraception use, monthly periods, and menstruation symptoms, with the social network, the group said Monday.

Women who used these apps ended giving unprecedented access to the sensitive personal details about their sex life and frequency, what contraception they use, how their moods alter in a course of a cycle, the nature of the vaginal discharge and even whether we plan to have babies.

The Wall Street Journal in February 2019 found that Flo Period & Ovulation Tracker informed Facebook about when a user was menstruating or intending to get pregnant. However, Flo has stopped the practice.

"Consent is not just about a box to check," The Guardian quoted Eva Blum-Dumont, a researcher at Privacy International as saying. "It is about being able to understand what you consent to and being able to refuse," she added.

According to the Privacy International report, intimate details of the private lives of millions of users across the world are shared with Facebook and other third parties without those users' free, unambiguous and informed or explicit consent, in the case of special-category (sensitive) personal data, such as data relating to a user's health or sex life.

Provisions In Data Protection Bill

With 401.74 million smartphone users, 601 million internet users Indians are one of the largest data consumers in the world. In such a scenario, the privacy and safety of Indian women become an essential part of their fundamental rights. To get details about the provisions regarding the prevention of women's intimate data, The Logical Indian reached out to experts on the field.

We were told that there are two types of data, personal data and sensitive personal data, which includes financial data, health data, sexual orientation, biometric data, genetic data, gender status.

A certain degree of extra protection on what a business can and cannot do with respect to these type of data exists in the scheme of the Data Protection Bill. The type of data the menstruation apps collect should be categorised as sensitive personal data and may fall under the umbrella term of health data, but the ambiguity around it remains unanswered in the Bill.

The Bill has no provisions for the protection of sensitive personal data of women which are obtained by the menstruation apps. Such information should only be accessed after receiving the explicit permission of the user. Targeted advertisements should be restricted.

Under the new Bill, the central government can exempt any of its agencies from the provisions of the Act in the interest of the security of the state, public order, sovereignty, integrity of India and friendly relations with foreign states.

In a first, the bill proposes social media platforms to come up with a mechanism in which "for every user who registers their service from India or uses their service from India, a voluntary verifiable account mechanism has to be made."

The provision puts the burden of creating the mechanism on the company. Additionally, the companies will also be tasked with including security audits, appointing a data protection officer, and performing data protection assessments, based on the volume of data they collect from users. Social media platform providers will also be asked to enable customers to verify their accounts.

Justice Srikrishna said that giving the government the power to direct anyone to provide all their non-personal data is "a dangerous trend".

The responsibility should not be on users to worry about what they are sharing with the apps they have chosen. The responsibility should be on the companies to comply with their legal obligations and live up to the trust that users will have placed in them when deciding to use their service.

The Logical Indian with the support of Internet Freedom Foundation is running a campaign to make people aware of the Data Protection Bill and also we shall be drafting a response to the bill. You can strengthen the effort by signing the pledge here: https://bit.ly/38I7CQ0 and follow our #SaveOurPrivacy on Facebook.

Also Read: What Happens When the Personal Data Protection Bill Becomes A Law?