Lack Of A Data Protection Law Puts Indian Abortion Seekers At Risk

India’s draft legislation for personal data protection (the Personal Data Protection Bill 2021), was recently withdrawn in Parliament. The government has stated that it intends to replace it with a ‘comprehensive framework’ and ‘contemporary digital privacy laws’. India’s landmark 2017 privacy judgement, Justice K.S. Puttaswamy (Retd) vs Union Of India (2017), holds that the right to privacy is protected as a fundamental and inalienable right under the Constitution. It states that the right to make reproductive choices, which includes the right to an abortion, is a part of women’s right to privacy. Importantly, it also provides a jurisprudential analysis of various constitutional values such as bodily integrity, liberty and dignity. However, one of the thorny areas regarding this right is the lack of an established or working definition of privacy within the Indian medical context and that of remedies for the violation of personal or medical privacy. It is important to look at the personal data protection rules from the perspective of abortion and reproductive health.

Sexual and reproductive health and rights (SRHR) and privacy: Layers beneath layers

There is still limited social acceptability in India for consensual sexual relationships outside marriage and pregnancies that may result from them. There have been instances of blackmail by service providers who threatened unmarried persons with informing their parents or other family members about their pregnancy. Abortion clinic personnel such as ultrasound technicians, who may not be not involved with the abortion procedure itself, have tended to blackmail unmarried abortion-seekers for money, sexual favours etc. Unmarried abortion seekers, especially those who are young, living with parents, or in clandestine relationships, often fear the consequencies of their families discovering their unwanted pregnancy, and by extension, their sexual encounter(s). Such incidents have far-reaching negative repercussions on their lives and their physical and mental health and well-being. 

A 2013 report by Neha Dixit shines a light on the experiences of some such women. Unmarried women, cohabiting couples, persons from marginalised communities, queer persons, gender-diverse persons, polyamourists, and practitioners of other forms of ethical non-monogamy often struggle to seek abortion service, because service providers tend to discriminate against them for being sexually active outside traditional roles in families. Persons who do not make traditional choices in their sex lives and sexual and romantic relationships have no legal protection against discrimination in seeking abortion in India. A 2019 study by research centre CEHAT showed that the majority of the survivors of rape they studied were denied a safe abortion. Married abortion seekers have been known to be denied an abortion on bases such as the lack of explicit consent by the abortion-seeker’s spouse, which is especially problematic for those living in a situation of domestic abuse, violence, or facing pressure from their families and communities to have children against their will. Where there is no blackmail, the presence of written and digitised records leads to a perpetual fear of being ‘outed’, at some point in time, shamed in private or public, and discriminated against for getting pregnant outside marriage, or having sexual relationships outside marriage. This fear is a source of mental distress or even trauma, based on the Hidden Pocket Collective’s observations as practitioners in the SRHR space. It is also a factor behind abortion-seekers considering life-threatening, medically unsafe abortions as their only viable option.

Thus, the right to privacy protects persons seeking an abortion who are married, unmarried and/or in non-conventional relationship arrangements, such as polyamoury. Confidentiality is often their first priority while seeking abortion services, even before they have seen a doctor in a clinical setting.

Several laws in India provide for access to sexual and reproductive health services, but they do not include or acknowledge the aspect of privacy. The Hidden Pockets Collective (HPC) conducted mapping studies of Primary Health Centres (PHCs), the term for government-owned healthcare facilities, in north India in 2020. HPC observed that doctors insisted that abortion service seekers furnish a copy of their Aadhaar number (also called the UID number, India’s national biometric ID) as a proof of their identity, for the steps preceding the abortion procedure. Many people who were a part of the study were not enrolled for an Aadhaar number, and thus were denied safe abortion.

The Medical Termination of Pregnancy (Amendment) Act 2021 [PDF], which is an amendment to the 1971 law, does accord privacy in writing for persons who visit a PHC or a hospital to get an abortion, by recording in a confidential manner and in a clinical settling that they accessed the service. According to regulation 5 of the Medical Termination of Pregnancy Regulations issued in 2003 [PDF], these records are to be maintained in a safe custody and sealed condition for five years from the date of the last entry, whereas regulation 4(5) states that information pertaining to the abortion can be disclosed to only the Chief Medical Officer of the State by a state directive. The 2021 Amendment brought some progressive changes to the law. 

A September 2022 judgement of the Supreme Court of India [PDF] stated that all women including unmarried women, victims of marital rape, non-cis-gender women, and those living in “non-traditional family structures” have equal rights for abortion under the MTP (Amendment) Act 2021. It also noted that they do not need the consent or authorisation of their spouses, families or any third-party for the abortion procedure. However, in practice, the fact remains that abortion in India is closely regulated by the State. The medical practitioner is tasked with making the decision about whether or not an abortion will be carried out, and a pregnant woman cannot, as a matter of right, ask for it. Owing to the social stigma attached to abortion, persons seeking an abortion are extremely wary of their personal details and those of the abortion being recorded. In practice, many layers of discrimination continue to affect persons seeking an abortion. Issues around sexual and reproductive health are taboo, which makes it very tough for abortion service seekers to articulate their needs. A breach of the confidentiality of their information could thus have severe, wide-ranging and adverse repercussions on them, a reality that we hope the data protection law/ framework takes into account.

The toll of a privacy violation

The 2021 Amendment to the Medical Termination of Pregnancy Act, was for the first time that unmarried persons in India were provided the same legal status as married persons in the context of access to abortion. This was a significant step, because previously service providers tended to deny abortion services to unmarried persons on account of the legal grey area, as well as criminal liabilities involved under two other laws (one against child sexual abuse and another meant to prevent female foeticide). There are no negative consequences for service providers who deny an abortion. Doctors and service providers often did not adequately inform unmarried persons who sought an abortion about how their confidentiality would be maintained. On the other hand, such persons ended up assuming that it is illegal for them for get an abortion.

However, having a right to privacy does not translate to practical utility, if “informational privacy” itself is not defined within our communities and our digital and physical infrastructures for persons who are unmarried and/ or in non-traditional relationship arrangements.

The Code of Medical Ethics of the American Medical Association (AMA) states that, “Patient privacy encompasses a number of aspects, including personal space (physical privacy), personal data (informational privacy), personal choices including cultural and religious affiliations (decisional privacy), and personal relationships with family members and other intimates (associational privacy).”

There is no unified, established definition of privacy like the AMA in the Indian medical establishment. In the context of doctor-patient confidentiality, the Medical Council of India (MCI) Code of Ethics Regulations [PDF] state that a physician “shall not disclose the secrets of a patient that have been learnt in the exercise of his/her profession except – i) in a court of law under orders of the Presiding Judge; ii) in circumstances where there is a serious and identified risk to a specific person and/or community; and iii) notifiable diseases.” They also say that the confidential information learnt from a patient regarding their individual and domestic lives should not be revealed unless required by law.

For abortion-seekers, the consequences of a breach of confidentiality of an abortion may range from slut-shaming, social injury, forced marriages, violence or even death. Pregnancy outside wedlock is considered an act of bringing shame to the family or community, and thus, grounds for honour killings in some places. Social and religious beliefs about pregnancy and abortion held by the family or community may also cause abortion-seekers to face stigma or violence. Young persons who are discovered to have had pre-marital sex are sometimes forced to marry because of taboo over pre-marital sex. The cost to the mental health and well-being of abortion-seekers is thus high, a topic that has not been adequately studied yet in the Indian context.

Increased digitisation and lack of privacy

The bare minimum requirement for protecting the privacy of persons seeking an abortion, that is, storing sealed paper records of the information about abortion services is inadequate. Under the Digital Health Mission, all individuals are set to receive a Health ID number (Ayushman Bharat Health Account or ABHA number), which is linked to their Aadhaar number. The ABHA number is currently a voluntary opt-out system, which means that the number will be generated for everyone by default. Those who do not wish to have an ABHA number assigned to them are required to explicitly opt-out of the system, which is a challenge due to a lack of awareness and digital literacy. The Aadhaar number itself is linked to an individual’s name, mobile number, biometric information which includes (iris scan and fingerprints), home address, date of birth and other identifying details. Additionally, all medical records, of all individuals, including those of abortion services they availed, are set to be digitised and stored in a centralised database. This includes the digitisation of paper records that are to be stored sealed and in safe custody and disclosed only under a state directive, as mentioned previously.

The increased digitisation of abortion data discounts the fact that cyber attacks on India’s digital health infrastructure are among the highest in the world, as a result of which data is leaked and/or stolen, which leads to a violation of privacy. Major breaches of the Aadhaar database – the world’s largest biometric ID database – have repeatedly occurred over the years putting the data of over a billion people on sale and at risk of being abused and misused. All of these concerns only aggravate the previously-stated apprehensions about breach of confidentiality and privacy unless the forthcoming data protection legislation/framework can reasonably assure abortion service seekers.

There are some laws, such as the Information Technology (Amendment) Act, 2008 , and the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 [PDF], that require companies to protect sensitive data of its customers by way of securing it. However, in the absence of penalties, it is extremely challenging at present to hold violators accountable, nor are companies motivated to adopt robust security standards.

Values stemming from a right to privacy such as confidentiality of medical records, doctor-patient confidentiality, non-insistence on spousal consent can all potentially contribute to more effective access to safe abortion. A clearer definition of privacy may encourage more people to access services meant for them, without the fear of their privacy being breached, and its negative ramifications. The now-withdrawn Personal Data Protection Bill 2021 and its previous versions defined “health data”, classified it as “sensitive personal data”, and provided a consent framework. There is no clarity yet about safeguarding non-personal and anonymised data from being deanonymised or otherwise being used in ways that sensitive personal information can and will be breached.

We hope to see the new draft framework for personal data protection:

1. Clearly identify the necessary and proportionate conditions for collecting, accessing, and storing data related to healthcare, that is, there needs to be a clear link between purpose and public interest. This is especially relevant in light of the real and perceived tensions between the law that prohibits the determination of the sex of a foetus (which is meant to prevent sex-selective abortions of the female foetus) and the right to get an abortion.

   • Define the conditions for which sensitive health data, such as abortion records, may be summoned by the state, along with its necessity, purpose, and scope, the entities who may be authorised to access such data, the duration for which such records may be kept, the duration after which they shall be deleted, and the penalities for violations of these norms. 

2. Clearly identify, in consultation with civil society, concerns about privacy and confidentiality, the need and purpose of linking Aadhaar to the ABHA number, as well as having a centralised database to collect, link and store all health records in a centralised database.

3. Identify and provide safeguards, both technical and non-technical for the above.

We believe that these steps would bring about trust and confidence of individuals in the rules, laws and framework meant to protect their privacy and the confidentiality of their personal decisions such as getting an abortion.