Every morning, before most of us have had our first cup of coffee, our wrist is already at work. Smartwatches and fitness bands silently record how we slept, how fast our hearts are beating, whether our blood oxygen levels dipped overnight, and the precise routes we travel throughout the day. By nightfall, these devices may possess a more detailed and continuous account of our physical condition than even our personal physicians. From heart rate variability and menstrual cycles to sleep architecture and stress response patterns, wearable devices generate a relentless stream of intimate biological information. This is not a distant technological possibility; it is the lived reality of millions of Indians today.[1]
The global wearable device market was valued at approximately USD 116 billion in 2021 and is projected to approach USD 265 billion by 2026.[2] Yet the scale of adoption has dramatically outpaced the law. India lacks a legislative framework that specifically recognises wearable health data as a distinct, high-risk category of personal information deserving heightened protection. The digital health data generated by a smartwatch shares the same degree of intimate physiological revelatory power as clinical records maintained by a hospital. Despite this equivalence, the two categories receive profoundly unequal legal treatment. The consequence is a structural regulatory vacuum, one that enables continuous, real-time biometric surveillance by corporations and potentially by the State, while individual data principals remain largely without meaningful redress.
This article critically examines India’s existing data protection framework in the context of wearable health data. It argues that the current regime, even as updated by the Digital Personal Data Protection Act, 2023 (“DPDPA”), fails to adequately protect the informational autonomy of individuals. Three structural reforms are proposed as urgent legislative imperatives.
I. INDIA’S REGULATORY FRAMEWORK AND ITS INADEQUACIES
A. The IT SPDI Rules, 2011: A Legacy of Static Assumptions
India’s first serious attempt at regulating sensitive personal data arrived with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), enacted under Section 43A of the Information Technology Act, 2000. The Rules classified health data and biometric information as sensitive personal data, imposing obligations of informed consent, purpose limitation, and reasonable security practices upon bodies corporate. However, the SPDI Rules were designed for a fundamentally different technological environment: one of static medical records, structured databases, and formal institutional disclosures. They presuppose a discrete disclosure event (a patient sharing records with a hospital) rather than the continuous, ambient, passive transmission of biological signals from a wrist-worn device to overseas cloud servers.
B. The DPDPA, 2023: Meaningful Progress with a Critical Blind Spot
The DPDPA, together with the Digital Personal Data Protection Rules, 2025, represents the most substantive attempt thus far to modernise India’s data privacy architecture. The Act introduces consent-based processing, establishes the Data Protection Board of India, mandates purpose limitation, grants data principals rights of access, correction, and erasure, and provides for penalties of up to INR 250 crore for serious violations.[3] These are meaningful improvements. However, a critical structural deficiency persists: the DPDPA treats all personal data uniformly, without distinguishing between routine commercial metadata and the deeply intimate biological stream generated by wearable devices.
This contrasts sharply with the approach adopted by the European Union’s General Data Protection Regulation (“GDPR”), whose Article 9 designates health and biometric data as “special categories of personal data,” subject to a default prohibition on processing and permissible only under strictly prescribed conditions including explicit consent, medical necessity, or substantial public interest.[4] Under the GDPR framework, health data from smartwatches, encompassing heart rate measurements, sleep quality scores, stress indicators, and continuous biometric tracking, qualifies as special category data requiring the highest tier of legal protection. India’s current framework makes no equivalent distinction, leaving an ECG reading and an email address within the same undifferentiated legal category of “personal data.”
The Expert Committee on a Data Protection Framework for India, chaired by Justice B.N. Srikrishna and reporting in 2018, had specifically recommended that health and biometric data be treated as sensitive personal data attracting enhanced protections.[5] While the DPDPA’s implementing rules identify “Significant Data Fiduciaries” processing health data on a large scale as meriting additional compliance obligations, this falls considerably short of the statutory recognition of wearable biometric data as a categorically distinct and high-risk class of information.
II. THE CONSENT CRISIS: ARCHITECTURE, AUTONOMY, AND CONSTITUTIONAL STANDARDS
Central to the operation of the DPDPA is the principle of consent-based data processing. But meaningful consent presupposes genuine choice. The commercial architecture of wearable devices routinely presents users with a single bundled consent at the point of onboarding: an all-or-nothing agreement covering step counting, sleep monitoring, stress analytics, menstrual cycle tracking, and location data simultaneously. A user cannot typically consent to heart rate monitoring while declining the harvesting of reproductive health data. The architecture structurally forecloses granular, purpose-specific choice.
The constitutional standard against which this practice must be assessed is set by the Supreme Court of India’s landmark nine-judge bench judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1. The Court, unanimously recognising privacy as a fundamental right under Articles 14, 19, and 21 of the Constitution, held that informational self-determination, the capacity of an individual to control what information is shared, with whom, and for what purpose, is intrinsic to constitutional personhood and human dignity.[6] Take-it-or-leave-it consent architectures, which condition access to a product on the wholesale surrender of intimate biological data, sit in direct tension with this constitutional vision of meaningful individual autonomy. As wearable devices evolve from fitness trackers into continuous physiological monitoring systems, the law must evolve beyond checkbox formalities.
III. COMMERCIAL EXPLOITATION: INSURERS, EMPLOYERS, AND THE ANONYMISATION FALLACY
A. Insurance Discrimination and Workplace Surveillance
The commercial risks attendant upon unregulated wearable data are immediate and concrete. Professor Elizabeth A. Brown of Yale Law School has documented extensively how wearable health data enables employers and insurers to make predictive assessments of individual risk that would not be possible through traditional means.[7] A person’s resting heart rate, irregular sleep patterns, or low physical activity metrics could function as proxies for actuarial risk classification, enabling health insurers to effectively penalise individuals for physiological characteristics beyond their control. In India, no explicit sectoral regulation by the Insurance Regulatory and Development Authority of India currently prohibits such practices.
The risks in employment contexts are equally acute. Workplace wellness programmes increasingly incentivise employees to share wearable data. Where consent to such sharing is tied to employment benefits, it cannot meaningfully be regarded as freely given. The conceptual distance between a “wellness programme” and covert biometric workplace surveillance narrows considerably in the absence of independent, revocable, and granular consent protections.[8]
B. The Anonymisation Fallacy
Corporations frequently assert that health data, once anonymised or aggregated, ceases to attract privacy protection.[9] This claim is both empirically contestable and legally insufficient. A systematic review published in The Lancet Digital Health by researchers at Duke University concluded that de-identification of wearable biometric data routinely fails to prevent re-identification, particularly where multi-modal datasets, combining physiological signals such as heart rate and electrodermal activity with physical movement data, allow unique individual signatures to be reconstructed with alarming accuracy. A combination of resting heart rate patterns, sleep architecture, gait signature, and stress-response profiles can function as a reliable biological fingerprint. Removing a name does not render a person anonymous, and legal frameworks that presuppose otherwise risk enshrining a dangerous legal fiction at the expense of individuals whose most intimate data is commercially commodified.
IV. STATE SURVEILLANCE AND CONSTITUTIONAL LIMITS
The privacy risks inherent in wearable technology are not confined to corporate misuse; they extend equally to State access. Section 69 of the Information Technology Act, 2000 empowers designated government authorities to intercept, monitor, and decrypt information transmitted through any “computer resource” on broadly framed grounds including the sovereignty, integrity, and security of India, and the maintenance of public order.[10] A smartwatch, continuously transmitting biometric, locational, and health data through networked digital infrastructure, plainly constitutes such a computer resource. The potential for State access to intimate physiological data generated in real time is therefore neither speculative nor remote.
The constitutional framework established in Puttaswamy requires that any infringement of the right to privacy satisfy the tripartite test of legality (a law authorising the intrusion), necessity (the intrusion must serve a pressing social need), and proportionality (the means must be proportionate to the objective pursued).[11] In the specific context of wearable health data and continuous biometric surveillance, these tests have never been subjected to judicial scrutiny. As wearables become further embedded in daily life and intimate biological monitoring becomes commercially ubiquitous, the constitutional confrontation between State surveillance power and the individual’s right to bodily privacy appears not merely likely, but constitutionally inevitable.
V. THREE URGENT LEGISLATIVE IMPERATIVES
India’s data protection framework requires three structural reforms to adequately govern wearable health data.
First, wearable-generated biometric and health data must be expressly recognised in statute as a high-risk category of personal data, attracting heightened protection equivalent to, and informed by, the special categories framework under GDPR Article 9. This recognition should trigger mandatory specific consent requirements, explicit purpose limitation, granular opt-in architecture for discrete processing activities, readily accessible withdrawal mechanisms, and mandatory Data Protection Impact Assessments as a precondition to large-scale processing.
Second, sectoral regulators, specifically the Insurance Regulatory and Development Authority of India and the Ministry of Labour and Employment, must promulgate explicit rules prohibiting the use of wearable-generated health data for insurance premium discrimination or employer surveillance absent freely given, specific, and independently revocable consent. The inherent power asymmetry of employment and insurance relationships renders formal consent architecturally illusory absent such structural protections.
Third, the legal presumption governing anonymisation must be reversed. The burden of demonstrating that re-identification is practically impossible must rest upon the corporate entity commercialising the data, not upon the citizen whose body generated it.[12] This reversal is empirically warranted in light of the scientific evidence on biometric re-identification and normatively compelled by the constitutional principle articulated in Puttaswamy: individuals should not forfeit control over their most intimate biological information merely because technology has rendered its extraction effortless.
CONCLUSION
Wearable technology has quietly transformed the human body into a continuous, commercially valuable source of biometric data, collapsing the conceptual and legal distinction between healthcare, commerce, and surveillance. Yet India’s legislative framework continues to govern this intimate stream of biological information as though it were no different from ordinary digital metadata. This approach is constitutionally untenable. The right to privacy, as unanimously articulated by the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India and grounded in dignity, autonomy, and informational self-determination, demands a legislative response calibrated to the unique nature and gravity of real-time wearable health data.
The DPDPA represents an important legislative advance, but its current architecture leaves wearable health data effectively undefended as a distinct and vulnerable class of information. Unless India’s data protection framework evolves to reflect the constitutional stakes of continuous biometric surveillance (by recognising wearable health data as a high-risk category, prohibiting exploitative sectoral uses, and reversing the anonymisation presumption), the fundamental right to privacy risks remaining, in practice, a promise inscribed in judicial doctrine but daily undermined by the silent operation of a wristwatch.
[1] Swagata Zarkar, Rahul Kailas Bharati and Shobha Bawiskar, ‘Wearable Devices and Digital Health Platforms: Forensic Analysis and Data Security Challenges’ (SSRN, 2024).
[2] Lucy Chikwetu, Yu Miao, Melat K. Woldetensae, Diarra Bell, Daniel M. Goldenholz and Jessilyn Dunn, ‘Does De-identification of Data from Wearables Give Us a False Sense of Security? A Systematic Review’, The Lancet Digital Health, Vol. 5(4), e239–e247 (2023) (Duke University School of Medicine).
[3] § 33, Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023); Digital Personal Data Protection Rules, 2025.
[4] Art. 9(1), General Data Protection Regulation (EU) 2016/679; ‘GDPR for Wearable Technology: Compliance Guide’ (GDPR Local, 2025).
[5] Committee of Experts on a Data Protection Framework for India (Chair: Justice B.N. Srikrishna), A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (Ministry of Electronics and Information Technology, July 2018).
[6] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
[7] Elizabeth A. Brown, ‘The Fitbit Fault Line: Two Proposals to Protect Health and Fitness Data at Work’, 16 Yale Journal of Health Policy, Law, and Ethics 1 (2016) (Yale Law School Legal Scholarship Repository).
[8] Chikwetu et al., supra note 2, at 1.
[9] Kenny Gutierrez, ‘Privacy in Wearables: Innovation, Regulation, or Neither’, 13 Hastings Science & Technology Law Journal 21 (UC Law SF, 2022).
[10] § 69(1), Information Technology Act 2000.
[11] Puttaswamy, supra note 6, at 3.
[12] C. Brassart Olsen, ‘To Track or Not to Track? Employees’ Data Privacy in the Age of Corporate Wellness, Mobile Health, and GDPR’, International Data Privacy Law, 10(3), 236–252 (Oxford University Press, 2020).
