Regulation must match the speed of telecommunications

Regulation must match the speed of telecommunications

Telecommunication sector providers have enjoyed massive windfalls over the last few years through significant revenues and margins from new business models such as the cloud, security, payments and insurance services. While revenue streams have grown, stringent regulations and the cost of licences and other fees, continue to be pain points for service providers.

With the introduction of the Indian Telecommunication Bill, 2022 (bill), regulations in this and allied sectors are taking a more consumer-centric approach. This is not only specific to India but is also happening in advanced jurisdictions, such as the EU and the US. Focus has been on moving away from increasing compliance by consumers and customers to regulating private parties in a graduated manner. The graduation depends on the underlying technology used or built to provide services to the last-mile customer. The EU distinguishes between phone numbers to determine whether a particular service relies upon a phone number or is independent of it, and therefore whether it is subject to licences, authorisations and regulatory frameworks. Telecommunication laws in the US have also moved away from strict regulation of customer premises equipment, which is managed by the end users and is already subject to qualitative checks before being supplied.

Unfortunately, the bill as presently drafted does not provide clarity regarding customer equipment. It seems end users will have to apply for registration, authorisation or licences from providers. This runs contrary to the global consumer-centric regulatory approach, and will over-regulate services that have been freed from licensing elsewhere. The bill also blurs the lines between commercial-scale services and those that merely connect two individuals through audio, video or data. A light touch, graduated framework, akin to that in Malaysia, could be suitable for India, imposing different compliance requirements on pure software providers and cloud computing resellers. This would allow an appropriate distinction by factoring in the kind of service, the underlying technology and the intended service providers and recipients.

The rapid spread of the internet of things, connected devices already proliferating in our homes, workplaces, and the wider society in smart cities, is reliant upon 5G connectivity. To manage these devices, service providers need to be able to take advantage of the scalability and flexibility offered by the cloud against the backdrop of a nuanced regulatory framework. The success of any policy intervention will depend heavily upon capex concerns. Infrastructure and network sharing will be needed to cap the initial investment and generate value and efficiency in the deployment of the next-generation communications infrastructure. To ensure that such sharing does not morph into cartels, regulations will be vital to preventing price fixing, supply reduction, and investment limitation.

There already exist several telco-multi-network operator alliances, and the global proliferation of 5G may encourage such networks to go beyond just video and audio streaming and add gaming. While the national antitrust regulator does not consider the current situation merits investigation, legislators may propose rules and guidelines to ensure that the telecom market in India does not further consolidate.

With privacy discussions ongoing, the focus of regulations is on ensuring that consumers are highly empowered and do not have to rely upon the discretion of service providers for their rights. The Digital India dream is approaching its realisation in the form of technology and innovation, as well as the regulatory framework. The intent of the legislature regarding regulation seems to be recognising technical convergence and a future-proof, technology-agnostic law and policy environment. Discussions have taken place over reorienting the telecom, innovation and associated segments through a comprehensive legislative framework under a single Digital India Act. The government is no longer obdurate and is accommodating the private sector. There is hope that this conversation between public and private parties, will result in a coherent, cohesive, forward-looking, consumer-friendly framework. The future of the law lies in simplicity, and not duplicating efforts beyond what is necessary.

Ayushman Bharat Digital Mission: Privacy and security of healthcare data

Ayushman Bharat Digital Mission: Privacy and security of healthcare data

The Ayushman Bharat Digital Mission (ABDM) has been launched with the objective of digitising healthcare and bringing care delivery to the last mile. With the second level integration of DigiLocker services, ABDM has revitalised the conversation around the data security obligations of ABDM participants, as well as the state. Simply put, ABDM intends to create an interoperable ecosystem of healthcare facilities, government facilities, to facilitate processing, transfer, storage of a patient’s digitised healthcare records, to ensure continuity of care and last mile delivery of healthcare services. Naturally, with an increased incidence of cybercrimes targeted at healthcare institutions, in India and overseas, patients are suspect about the level of preparedness of such institutions, against an ever-changing landscape of security threats.

The absence of a comprehensive privacy and data protection framework in India necessitates ultimate reliance upon sectoral regulations, to regulate the data collection, storage practices of healthcare institutions. To that end, several policy documents have been issued by the National Health Authority (NHA) to guide stakeholders, on best practices for data protection, and to assist on the implementation of operational, infrastructural, and technical measures, as they enroll with ABDM. These policies are based on the principles of a consent-based framework, limitation on data collection, accountability, privacy by design, all hallmarks of a robust data privacy framework.

The ABDM scheme allows for a unique account to be created and be ascribed to respective individuals as Ayushman Bharat Health Account (ABHA). The integration of DigiLocker services with ABHA will allow DigiLocker’s robust security framework to provide a secure document exchange platform between health information processors and healthcare institutions to share health records, on the basis of clear and affirmative consent of the users. As reliance is placed on AADHAAR for the purposes of availing DigiLocker services too, the level of security that is warranted under the scheme is higher.

While the government has made available guidelines for implementation, and supplementary handholding measures for stakeholders in the healthcare industry, users must also be cognizant of their rights in respect of their healthcare data. Patients must recognise that their affirmative consent will form the basis for processing of their data by entities; and such consent can be revoked at any time and user can seek deletion of their data, when it no longer has a pre-defined purpose. The user continues to control and choose between which document may be made accessible to another ABDM registered service provider.

Transparency measures, on part of the entities, can empower users to understand the extent of data collection, and allow them to make well-informed decisions concerning their information’s security. With interoperable solutions, movement of records would be swift – however, it will be important that the private entities which are registering with ABDM follow the protocols mandated for a closely knit ecosystem and allow for same levels of security to be applied to their data sets. Stakeholders are required to inform users of such rights, and implement user-friendly frameworks, interfaces within their ecosystem, to enable users to make and action such requests. This goes beyond the requirements of ABDM, but accounts for the extant privacy laws which apply across sectors. Similarly, the government is also duty bound to ensure that the information which is accessed by the central repository continues to remain secure and as the apex court has now ensured that right to privacy is a fundamental right, the end users will have recourse against the government at state and the center.

A Data Protection Officer must be mandatorily appointed by such entity, who shall act as the point of contact for users to make any request, complaint, regarding their information’s processing activities. In the event that such complaint is left unresolved by the healthcare provider, users can reach out to the ABDM-Grievance Redressal Officer  (ABDM-GRO) under the grievance portal of ABDM website. As entities are required to appoint Grievance Officers, they can be reached out to by the end users, and will also be allowed to reach out to the appellate authority, as prescribed under the DigiLocker rules.

The current law allows for breaches to be reported by an user under the Information Technology Act, and shall be entitled to compensation; however enforcement around the same does not yield in a high sum, and there are not enough precedents that can be relied upon by an end user to build their case. However, recently the CERT-In Directions, 2022, have brought in changes which requires every entity managing digital systems, connected network architecture to report security incidents and breaches with CERT-In. This has got the companies to ensure that their affairs in relation to collection and management of data, and related infrastructure continue to be kosher. One task that remains to be done is building awareness amongst all the stakeholders, which can only happen through higher participation, more conversations.

Law gives telemedicine patients a shot in the arm

Law gives telemedicine patients a shot in the arm

Technology has assumed a big role in delivering healthcare services, particularly in the wake of the pandemic. The healthcare infrastructure of the country was brought to its knees due to the caseload during the Covid period.

Historically discouraged due to vast technological, financial, and legal barriers, the medical industry has undergone a massive overhaul now. Lowering data costs, penetration of the internet and improving user confidence have led to the steady adoption of telehealth services, a trend that is on the rise.

However, some long-standing concerns remain in the mind of patients such as the lack of transparency about the credentials of the doctor, improper patient diagnosis, concerns regarding misuse of a patient’s health information etc.

Though the practice of telemedicine has been legal in the country, these issues (including an inherent lack of trust on the part of patients, as well as practitioners) continued to persist. In 2020, the Union government came up with a framework for facilitating health-related services. It drafted legislation for public consultation in 2022 to bring further reforms to the existing law.

The Telemedicine Practice Guidelines, 2020 (TPG), were issued to offer assistance to healthcare professionals towards adopting telemedicine and provide protocols for physician-patient relationships. It focuses on patient evaluations and management, continuity of care, referrals for emergency services, privacy and security of the patient records, correspondence etc among other considerations.

As per the law, medical practitioners are required to adhere to the same professional and ethical norms applicable in traditional in-person care and exercise their professional judgment to determine the efficacy of teleconsultation, in the interests of the patient. Furthermore, the practitioners must be aware of any shortcomings of a particular mode of communication and they should inform patients of the same.

If the treatment cannot be done digitally, it must be “paused” or be “validated” with any required diagnostic reports, laboratory investigations, or a local referral to a physical facility, for examination.

The law enables the practitioner to discontinue and disengage from an ongoing consultation if they feel teleconsultation does not serve the purpose.

During digital consultation, the law prevents practitioners from receiving any information from the users without their explicit consent. The professional is not allowed to assume anything, instead, explicit consent is mandated under data privacy legislation for the usage and processing of health information.

The TPG imposes inherent restrictions on the ability of a healthcare practitioner to prescribe medications drugs should be prescribed when physicians are confident that they have relevant and adequate information. While there is a lot of dissatisfaction among practitioners about the list of drugs that can be prescribed over teleconsultation.

In addition to this, the patient continues to be the focal point, and nothing should be done without documentation. A practitioner I have been working with says “digital consultations premise themselves on ‘documentation” it is to keep both the patient, as well as the practitioner safe and aware at all times.

ESG In Finance: Through The Looking Glass

ESG In Finance: Through The Looking Glass


Environmental, social, governance (ESG) is the focal point of all regulatory and policymaking agendas across the world. The financial service sector is no recluse, and there are pivots for changing this landscape for the better too. Environmental criteria refers to the energy consumption of the company, the resources it consumes, the waste it discharges and the impact it has on the lives of living beings. The social criteria addresses the relationships that the company has (builds and aims to build) with the communities where it does business in; labor relations, social diversity and inclusion, all form part of this. Governance as a criterion focuses on the internal systems, practices, processes, and compliance with the law[1].

In this article, we will discuss the prominent sectors and regulators who have considerable inputs with respect to ESG in the finance ecosystem. As a matter of fact, the cryptocurrency industry which is infamous for its opacity and lack of acceptance, is also fraught with ESG concerns, which we will explore right off the bat.

Blockchain, Cryptocurrencies and more than Crypto

There are apparent challenges in the form of sustainability of cryptocurrencies, for there is a phenomenal rise in demand for energy. Unilateral rhetoric of crypto-mining leading to undoing of all environment sustainability efforts, or that of it being the sustainable and green-er industry, has led to vested interests coming to the fore. Depending on the message the regulator wants to send out, we have seen governments swaying from being passive about it, to either banning it, or regularizing it.

                An industry which is not averse to creating shockwaves, across the business world, ESG concerns, and sustainability have been on the forefront of many discussions. The differing opinions in this domain come from proof of work (PoW) and proof of stake (PoS) mechanisms, with PoW being treated as the sub-par technology with higher energy consumption. To the dismay of most, as per the Bitcoin Mining Network Report published by CoinShares in 2019, almost 73% of the energy utilized towards mining activities stem from renewable energy sources[1].      Without disregard to any mechanism of cryptocurrency, the ecosystem will examine the better efficient assets, which would suit for large-scale adoption.

In fact, there have been studies across cases and geographies, of strengthened ESG helping reduce companies’ risk of any adverse government actions. One might even go on to say that it engenders government support[2]. This could be one of the key areas of focus for the cryptocurrency segment, which yearns for legitimacy and faster adoption. Goes without saying that for countries to meet their SDGs[3], regulatory actions may impose higher costs for carbon-intense industries; this

[1] Witold Henisz, Tim Koller, Robin Nuttall. Five ways that ESG creates value, Getting your environmental, social, and governance proposition right links to higher value creation. Here’s why. McKinsey Quarterly, November 2019. Accessible at:, last accessed on May 26, 2022, at 1214 hrs.

[2] Christopher Bendiksen & Samuel Gibbons. The Bitcoin Mining Network – Trends, Composition, Average Creation Cost, Electricity Consumption & Sources. CoinShares Research. December 03, 2019. Accessible at:, last accessed on May 26, 2022, at 1515 hrs.

[3] Supra note 1, at p. 5.

[4], last accessed on May 24, 2022, at 1825 hrs.

might be an opportune moment for this sector to revamp their operations and embrace energy-efficient operations.

It is important for us to consider that ESG is beyond just “E”, and this is where this sector has felt the most criticism; there is very little impetus put on the social inclusion and digital aspects of this industry. However, with digital transformation, decentralized finance, individuals now have easier access to financing, almost no banking fees, better rates on savings, and financial inclusion is being better afforded in this manner. Distributed ledger technology, including blockchain, has the potential and has been utilized to deliver, realize SDGs, on an unparalleled scale.  Governance will continue to be adaptive with more awareness, better representation, and willingness to assume risks and strategies for ESG. Fortunately, for this nascent industry, which has so many use cases, the teams which are at the forefront, all appear to be skilled strategy makers, and are highly adaptive with respect to the requirements that may be sought at a regulatory level, social level or at the level of consumer awareness.

Asset and Fund Managers

Moving away from the much recent world of cryptocurrencies, the sturdy and conventional set-up of asset and fund managers, and asset owners are also being required by regulators and investors, alike, to embed sustainable investment[4] across their business activities and to adapt to all facets of ESG.

European Union

One of the interesting approaches undertaken was by the European Union. The focus is four-pronged: (1) Taxonomy – focusing on a unified classification on what can be considered environmentally sustainable economic activities; (2) Disclosure – focusing on obligations on the institutional investors and asset managers to disclose how they integrate ESG factors in their risk processes; (3) Benchmarks – creation of categories of benchmarks, comprising low-carbon and positive carbon impact benchmarks; and, (4) Sustainability Preferences – requirement to include ESG considerations into the advice that investment firms and insurance distributors offer to their clients[5].

The European Commission’s delegated acts[6], allowed for the taxonomy regulation[7] (EU Taxonomy) to apply from January 01, 2022. These regulations and the delegated acts are designed to help the investors in making informed decisions on economic activities which are economically

[5] Michelle Adcock. ESG and Sustainable Finance: Regulatory insights on environmental, social and governance topics on the horizon. Accessible at:, last accessed on May 26, at 1844 hrs.

[6] A communication was first made in 2018, towards this. Communication From the Commission To The European Parliament, The European Council, The Council, The European Central Bank, The European Economic And Social Committee And The Committee Of The Regions Action Plan: Financing Sustainable Growth, European Commission. Accessible at:; last accessed on May 26, 2022, at 1859 hrs.

[7] COMMISSION DELEGATED REGULATION (EU) 2021/2178 of 6 July 2021 supplementing Regulation (EU) 2020/852 of the European Parliament and of the Council by specifying the content and presentation of information to be disclosed by undertakings subject to Articles 19a or 29a of Directive 2013/34/EU concerning environmentally sustainable economic activities, and specifying the methodology to comply with that disclosure obligation; Accessible at:; last accessed on May 26, 2022, at 1834 hrs; and, COMMISSION DELEGATED REGULATION (EU) 2021/2139 of 4 June 2021 supplementing Regulation (EU) 2020/852 of the European Parliament and of the Council by establishing the technical screening criteria for determining the conditions under which an economic activity qualifies as contributing substantially to climate change mitigation or climate change adaptation and for determining whether that economic activity causes no significant harm to any of the other environmental objectives; Accessible at:; last accessed on May 26, 2022, at 1836 hrs.

[8] REGULATION (EU) 2020/852 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 18 June 2020 on the establishment of a framework to facilitate sustainable investment, and amending Regulation (EU) 2019/2088; Accessible at:; last accessed on May 26, 2022, at 2033 hrs.

sustainable; but do not disallow investments in activities which are ineligible under this EU Taxonomy. This is the first jurisdiction which has such taxonomical prescriptions in place. The Members of the European Parliament have sought a legislative proposal to include in the EU Taxonomy for sustainable activities any crypto-asset mining activities that contribute substantially to climate change, by 1 January 2025[8].

United States of America

President Biden’s Executive Order[9] on the responsible development of digital assets also requests reports from various US federal agencies which should address the effect of consensus mechanisms on energy usage. This order requested the various federal agencies exploring the short, medium, and long-term effects of new digital asset technologies, such as proof-of-stake cryptocurrency mining, on climate change and the energy sector.

With investors becoming more aware, they have expressed a need for more consistent, comparable and reliable information about how a registrant has addressed climate-related risks when conducting its operations and developing its business strategy and financial plan. Per the Securities Exchange Commission’s (SEC) proposed rules[10], outside the audited financial statements, (1) narrative disclosures about climate-related risks, their impact and how the company manages them; and (2) quantitative disclosures about greenhouse gas (GHG) emissions will now have to be made. Additionally, within the audited financial statements, there are disclosure requirements towards aggregate amount of climate-related costs both expensed and capitalized.


India, with its exceptional technological advancement in the finance space, and with being the cradle of several institutional investors and funds, now also has its regulator suggesting regulations for ESG ratings. As companies are being forced to integrate ESG with their business practices, the Securities Exchange Board of India (SEBI) is also aligning itself with the global practices. The SEBI released a consultation paper[11] on January 24, 2022, focusing on evaluation and rating of ESG related parameters by ESG rating providers. The paper goes on to say, “since the activities of ESG ratings providers (ERPs) are typically not subject to regulatory oversight at present, increasing reliance on such unregulated ESG rating providers in securities markets raises concerns about the potential risks it poses to investor protection, the transparency and efficiency of markets, risk pricing, and capital allocation, among others.

This seems a step in the right direction and will bring a certain level of transparency and uniformity to the ecosystem. It has been reported that a total of 11 mutual fund schemes, with INR 13,000 crore rupees ($1.72 billion) under their management in India, have ESG as their theme[12], which stresses on the need to regulate ESG rating process. The proposal is to have SEBI accredit these ERPs and has also suggested that every ERP should have at least one specialist in data analytics,

[9]; last accessed on May 26, 2022, at 2055 hrs.

[10]; last accessed on May 26, 2022, at 2058 hrs.

[11] Enhanced Disclosures by Certain Investment Advisers and Investment Companies about Environmental, Social, and Governance Investment Practices (Proposed Rules), SEC; accessible at:; last accessed on May 26, 2022, at 2125 hrs. The Proposed Rules were open for comments till May 20, 2022, and then and amended version was released on May 25, 2022, open for public comments for 60 days from date of publication in Federal Register.

[12]; last accessed on May 26, 2022, at 2138 hrs.

[13]; last accessed on May 26, 2022, at 2146 hrs.

sustainability, finance, information technology, and law. Factoring concerns related to interested parties, the proposed paper also seeks ERPs to formulate clear policies and make disclosures on their websites, to avoid conflict of interest. An ERP should not provide ESG ratings to its related entities or securities issued by them or the ERP.

Subsequently, SEBI has constituted an advisory committee[13] on Environmental, Social and Governance (ESG) matters, whose terms of reference include enhancements in Business Responsibility and Sustainability Report[14], ESG ratings and ESG investing.


We have witnessed that when it comes to ESG concerns, environment does find a lot of prominence, mostly following all the international commitments, signing of climate-change accords, and net-zero emission targets. However, with companies realizing that to bring in a competitive advantage they need sustainability, ESG issues are up higher, if not right on top, of board agendas. The need for social investing has never been greater, in the face of Covid-19 pandemic, the disparity in gender roles when it comes to workplaces became a lot apparent. The institutional investors have the scale, the wherewithal that is required for making a change in social inclusion, a reality.

It is not incorrect to say that the investors demands actually motivate the behavior of the institutions. While there is skepticism in regulatory push, the demands of the investors are being felt on the capital markets, which in turns drives the need for ESG to be integrated into business practice. The time to blend ESG into practice is now, and the world of finance is capable of driving the change.

[14]; last accessed on May 26, 2022, at 2154 hrs.

[15] SEBI has mandated that the BRSR will be applicable to the top 1,000 listed entities (by market capitalization) for reporting on a voluntary basis for FY2021–22 and on a mandatory basis from FY2022–23.

Bagmisikha Puhan, Associate Partner

Bagmisikha is a technology lawyer with about seven years of experience. Her primary areas of practice are regulatory advisory and general corporate and commercial with specific emphasis on subject areas such as privacy, healthcare, telecommunications and space commercial. She has advised clients in creating privacy frameworks and has helped them implement the same at an enterprise level. She has advised and assisted healthcare institutions and associations in government agencies for regulatory and policy matters.

Software as a Medical Device [SaMD] – Blurred Lines for Regulation?

Software as a Medical Device [SaMD] – Blurred Lines for Regulation?

The COVID – 19 pandemic, acted as a catalyst to accelerate the uptake of technological solutions in the healthcare industry, for the purposes of monitoring, diagnosis, treatment, prevention of diseases and disorders alike. A recalibration of interests during a tumultuous period has refocused the demographic’s attention on their personal health, with wearable devices, applications to monitor vital statistics, provide lifestyle advisories, garnering widespread interest.

The regulators have taken a proactive approach to provide legislative guidance for the regulation of the new age digital solutions in healthcare, and further harness the technologies to create a cooperative healthcare ecosystem within the country. The Medical Device Rules, 2017 (MD Rules), modeled after Food and Drug Administration of USA (FDA) regulations and the European Union Medical Devices Regulations (EU MDR), provides for a regulatory framework in India for the manufacture and sale of medical devices in India.

Medical Device Rules, 2017

It is interesting to note that MD Rules introduced the concept of a software as a medical device, whether as a part of a hardware component or as a stand-alone product, subject to onerous testing requirements and regulatory approval. Typically, software medical device [in combination with hardware product or standalone basis] qualify as in vitro diagnostic medical devices .

The MD Rules imposes a risk-based approach to classify and regulate medical devices, and mandates submission of detailed information on the software design and development process and evidence of the validation of the software, as used in the finished device .

MD Rules further imposes quality management checks upon the manufacturer of the medical device; manufacturers are required to establish documented procedures and maintain records for the validation of the application of computer software (and its changes to such software or its application) for production and service provision that affect the ability of the product conform to specified requirement.

The MD Rules were issued in 2017, and have been further amended, to bolster the regulatory framework to govern the quality and standard of medical devices. It is pertinent to note however, that the provisions of these Rules are broad-ranging, universally applicable upon all forms and classes of medical devices; there is an urgent need to update/ modernize the regulations, in view of the considerable new age solutions available in healthcare technology. This is evidenced by the renewed legislative focus in USA and EU, where discussions have commenced to modernize the medical device regulation ecosystem.

Legislative Action in Parallel Jurisdictions

Consumer safety and wellbeing represents the guiding principles for any policy discussion/ decision in the healthcare industry. The prevalence of real time data on an ongoing basis, with the use of wearables and smart devices, has germinated the concept of “gamification of the human body”, and permits consumers to make proactive decisions on their lifestyle, basis the inputs from these devices. Further, artificial intelligence capabilities are being increasingly relied upon to create new and important insights from the vast amount of data generated during the delivery of health care every day.

In view of the same, regulators have sprung into action across jurisdictions, to commence discussions, inviting stakeholder consultations and legislating upon the pertinent issues in relation to the new age software medical devices, discussed herein.

Wearable Smart Devices

Remote or wearable patient monitoring devices include (1) non-invasive remote monitoring devices that measure or detect common physiological parameters and, (2) non-invasive monitoring devices that wirelessly transmit patient information to their health care provider or other monitoring entity. In view of the garnering consumer interest and industry applications, the FDA released a guidance document in 2016 to provide clarity on the definition of a general wellness device.

The guidance document defines general wellness products as products that meet the following two factors: (1) are intended for only general wellness use, as defined in this guidance, and (2) present a low risk to the safety of users and other persons. General wellness products may include exercise equipment, audio recordings, video games, software programs and other products that are commonly, though not exclusively, available from retail establishments (including online retailers and distributors that offer software to be directly downloaded), when consistent with the two factors above.

Citing low risk levels associated with such products, the guidance document purports to classify wearable medical devices such as heart rate monitors (Apple Watch) and applications like MyFitnessPal as general wellness products. The distinction between a general wellness product and a medical device is vital to ensure undue compliances, conditions are not imposed upon unsophisticated devices, which do not make claims bout medical benefits such as disease prevention, treatment, mitigation, or cure.

It is further interesting to note that the FDA document scopes in applications as well under the scope of general wellness products, subject to its compliance with all the conditions. We may surmise that an application may further qualify as a medical device, should it qualify per the necessary conditions imposed in law.

Similar guidance documents have been issued by UK’s Medicines and Healthcare products Regulatory Agency (MHRA) to determine if a particular product would qualify as a medical device. Further, reliance has been placed on the “intended purpose” of the device itself, to determine its standing in law. For instance, a wearable device may collect, analyze and process the heart rates of a person, and may be regulated separately as under:

  • In the event the analysis is done to determine the proper functioning of the body, and keep track of the general health, condition of the heart [general wellness device]
  • In the event the analysis is done to determine if the person suffers from tachycardia and similar ailments. [medical device]

AI/ ML in software devices

The discussion around regulation of AI/ ML capabilities in medical devices germinated in 2019, vide the issuance of a discussion paper by the FDA, which described the agency’s plan to regulate premarket review for AI and ML driven software modifications. Basis inputs from stakeholders and further review by the agencies, the FDA published an action plan on AI-ML‒based SaMD.

The action plan discussed the need for a tailored regulatory framework for AI/ ML based SaMD, and further encourage robust methodological framework for the evaluation and implementation of machine learning algorithms, including identification and elimination of bias and promotion of algorithm robustness in scientific community. The action plan further stresses upon the need for a robust cybersecurity network to build patient confidence in these technologies.

The European framework around medical device and AI regulation is governed by the EU MDR and In Vitro Diagnostic Regulations (IVDR), that, came into force on 26 May 2021. Further, with the notification of the Artificial Intelligence Act, clarity will be sought on its alignment with the existing regulatory frameworks, which may create duplicate quality control mechanisms, testing protocols for the use of AI/ ML solutions in medical devices .

Singapore has co-developed a set of recommendations, in association with state regulators, to encourage the safe development and implementation of AI centric medical devices . In addition, the document also provides better clarity to industry stakeholders on the regulatory requirements for AI centric medical devices. The exclusive aim is to support patient safety and to improve trust in the ecosystem.


Lawful and legitimate processing of health data has the potential to unlock new benefits for the end users, and has the potential to overhaul the global healthcare industry. However, regulators must muster all their regulatory might to rein in and administer the innovative bug of developers and manufacturers worldwide.

Regulation in this area will undoubtedly increase compliance burden, but also provide the necessary clarity, reduce litigation risks, and give SaMD manufacturers with the confidence they need to innovate and leverage these new age technologies in the healthcare sector to its maximum extent. Continuous dialogue between stakeholders is key in this respect, to ensure that the legacy of Therac – 25 is not repeated in the modern age. The only consolation being, the regulators have now the keenness to prevail over such untoward incidents, and also proscribe such actions from repeating themselves.

In a peculiar set-up that the healthcare industry is, reliance on self-governing, automated processes would mean not just boosting consumer confidence, but also having the necessary buy-in from the practitioner who is wielding the tool. Till the healthcare practitioner, is convinced of the efficacy and the purported utility of the solutions, the ethical concerns, biases in the systems cannot be completely eroded. We have seen in past that there is an inherent risk in adoption and reliance on techniques which are driven by Artificial Intelligence and Machine Learning. With new technologies and solutions being brought to the fore, it should not be a case of “overpromise” and “under-delivery”. At the end of the day, any perceived “dehumanization” of the healthcare sector will cause great disbalance and disservice.

Bagmisikha Puhan, Associate Partner

Bagmisikha is a technology lawyer with about seven years of experience. Her primary areas of practice are regulatory advisory and general corporate and commercial with specific emphasis on subject areas such as privacy, healthcare, telecommunications and space commercial. She has advised clients in creating privacy frameworks and has helped them implement the same at an enterprise level. She has advised and assisted healthcare institutions and associations in government agencies for regulatory and policy matters.

Siddhant Gupta, Associate

Siddhant Gupta is an Associate with TMT Law Practice. He is a graduate of the 2015-2020 batch from Symbiosis Law School, Pune and his core areas of interest lies in the areas of Intellectual Property Laws, Media and Entertainment Laws. Siddhant has previous internship experience in intellectual property and litigation fields and interned with TMT Law Practice in 2020. During his time with TMT Law Practice, Siddhant gained valuable experience in the sectors of Telemedicine, Data Privacy, Gaming Laws and Corporate Laws.


The rules framed by the Bar Council of India prohibits Advocates from advertising or soliciting work. By clicking “I Agree” you acknowledge that, there is no advertisement, solicitation, invitation or inducement (of any nature whatsoever) from TMT Law Practice (Firm). The purpose of this website is to provide the user with information about the Firm, its practice areas and its advocates, which information is being provided on the user’s specific request.

The contents on this website should not be construed as legal advice in any manner and any information obtained or materials downloaded hereof are at the user’s volition and any use thereof shall not create lawyer-client relationship. The Firm is not liable for any action taken by the user relying on material or information available on this website.

The content of this website is Intellectual Property of the Firm

    Internship Opportunities

    Upload CV

      Work With Us