E-Pharmacies and operations thereof have been a contentious issue for long. While the issue remains static largely due to the delay in the notification of the E-Pharmacy Rules that were drafted in 2018, there is significant litigation that has ensued as well. The Government is contemplating whether e-pharmacies should be allowed to sell medicines online and, in this vein, the Drugs Controller General of India (“DCGI”) has issued show-cause notices to over 20 e-pharmacies to give them an opportunity to explain their operations and compliance with the regulations. As litigation ensues and rival contentions are presented before the courts[1], the Indian Government is currently seeking proper legal opinion on the regulation of e-pharmacies.
One of the main concerns raised by the Government is the risk associated with customer data and privacy thereof, pertaining to collection of personal health data by e-pharmacies. The Government fears that such sensitive data could be leaked or misused. The e-pharmacies have time and again assured the Government that data protection is a top priority for them. The Ministry of Electronics and Information Technology has already released a draft of the Digital Personal Data Protection Bill, 2022 (“DPDP Bill”), which incorporates the recommendations tabled by a Joint Parliamentary Committee vide its report published in December 2021. The promulgation of the DPDP Bill will bring about a significant overhaul in the Indian personal data protection regulatory regime. However, until that time, the current data protection regulatory regime in India will continue to be governed by the Information Technology Act, 2000 (“IT Act”) and the rules framed thereunder – specifically the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal or Information) Rules, 2011 (“SPDI Rules”). The SPDI Rules generally apply to body corporates (or any person on their behalf) that process and/ or store any ‘sensitive personal data or information’, including physical, physiological, and mental health conditions; and medical records and history.
Additionally, under the SPDI Rules, consent is to be obtained when any sensitive or personal data is collected for a lawful purpose, connected with a function or activity of a body corporate and is considered necessary for that purpose. However, given that the nature of such consent is not clearly defined under the SPDI Rules, e-pharmacies generally rely on established principles of contract law and standard e-commerce practices to obtain consent from their customers. Furthermore, customers have the option to not provide the data or information that the e-pharmacies seek. Customers are also usually provided with a mechanism to withdraw consent, which they may have given earlier.
Furthermore, the Electronic Health Record Standards for India, 2016 (“EHR Standards”)[2], a set of standards, as notified by the Ministry of Health and Family Welfare, Government of India, on December 30, 2016, inter alia, lay down principles in relation to protection, privacy, disclosure, and preservation of Protected Health Information (“PHI”) and Electronic Protected Health Information (“ePHI”). According to the EHR Standards, physical or electronic records generated by a healthcare provider are held in trust by them on behalf of patients. The EHR Standards also provide that patients have the privilege to restrict access to, and disclosure of individually identifiable health information and need to provide explicit consent, which will be audited, to allow access and/ or disclosure. Further, specific consent must be obtained for fair use of such personal information for non-routine and non-healthcare purposes. However, in certain cases, the EHR Standards permit the use and disclosure of protected/ sensitive information without the authorisation of a patient, if such data is completely anonymised and involves the complete removal of all information that identify a patient as provided under the standards itself. E-pharmacies must ensure that all patient data and information sought to be collected by them are compliant with the provisions of the applicable data protection regulatory regime in India.
Additionally, a majority of e-pharmacies being Marketplace E-commerce entities, also qualify as an “Intermediary” under Section 2(1)(w) of the IT Act. Therefore, in view of Section 79(1) of the IT Act, which exempts an intermediary, in this case – e-pharmacies, from being liable for any third party information, data, or communication link made available or hosted by it, which could be any information provided by the individual sellers or transactions undertaken by the sellers on such platform. Interestingly, the distinction between the role played by a marketplace platform and an actual seller of goods has previously been discussed before the Hon’ble High Court of Karnataka in Kunal Bahl vs. State of Karnataka and Snapdeal Private Limited vs. State of Karnataka[3]. The matter pertains to a challenge mounted by Snapdeal promoters against criminal proceedings initiated pursuant to an alleged violation of Section 18(c) of the Drugs and Cosmetics Act, 1940 for exhibiting drugs for sale on their platform without a license. The Hon’ble High Court quashed the proceedings in view of safe harbour for intermediaries under Section 79 of the IT Act, and thereby observed that although Snapdeal owned and operated the platform, it was actually the sellers, who had exhibited and offered its products for sale on Snapdeal’s platform. The Court also held that Snapdeal (including its directors) being an intermediary ought to be exempted from criminal prosecution.
Undoubtedly, e-pharmacies need to comply with the existing data protection regime operative in India, but given the exemption of liabilities that intermediaries enjoy, the Government’s contemplation of restricting the operations of e-pharmacies, citing data protection non-compliances and data misuse concerns, appear unfounded. Sale of medicines through intermediaries such as E-pharmacies is governed largely using standard operating procedures as other e-commerce marketplaces who have access to customers’ sensitive personal data and are required to be in complete compliance with the IT Act read with the SPDI Rules.
It is crucial to note that the sale of medicines and drugs from e-pharmacies has benefitted the public at large, especially patients based in remote locations and Tier-II/ Tier-III cities where access to authentic and affordable medicines remains limited. Through e-pharmacies, a consumer can also find out about the availability of a medicine, especially drugs for rare medical conditions, at the click of a button, instead of physically reaching out to multiple brick and mortar pharmacies spread across a large area. With increased internet coverage, e-pharmacies have begun servicing an increasingly larger section of the population, which is benefitting from access to quality medicines. E-pharmacies proved their mettle during the COVID-19 lockdown when access to medicines, medical devices and drugs were severely impacted and home delivery of medicines to patients assumed greater significance. The Government has repeatedly spoken about the need to ensure that essential drugs and medical devices reach the remotest of locations. It has constantly stressed on the need to go digital.. Whilst some may argue that this regime is not ideal, at the very least, it ensures that entities dealing with personal data do not get a free hand and there is some degree of regulation. In fact, as a rule, e-pharmacies currently operating in India appear to be cognizant of, and in compliance with the same.
If the current Government exercise provides clarity on regulation of e-pharmacies, that would be a welcome step. However, the Government must also be mindful of the fact that any attempt to overregulate and/ or restrict the sale of medicines through online channels may not bode well for establishing a widespread public health system. The need of the hour is a balanced regulation that would eventually put all concerns to rest.
For further information, please contact:
Ashwin Sapra, Partner, Cyril Amarchand Mangaldas
ashwin.sapra@cyrilshroff.com
[1] https://www.cnbctv18.com/healthcare/government-regulate-epharmacies-tata-1mg-16243211.htm
[2] https://www.nhp.gov.in/NHPfiles/EHR-Standards-2016-MoHFW.pdf
[3] Criminal Petition No. 4676 of 2020 and Criminal Petition No. 4712 of 2020
