Introduction
In October 2025, reports emerged from Ahmedabad[1] about large-scale irregularities in clinical drug trials conducted on human volunteers. Investigations later revealed that several pharmaceutical companies and intermediary Clinical Research Organisations[2] (CROs) had been running multiple trials simultaneously, often through unauthorised private agents who recruited participants for small payments. Many volunteers were made to undergo repeated trials without medical supervision, using substandard syringes and inadequate safety measures, resulting in serious risks to their health. Most participants were unaware of what substances were being tested on them, what side effects could occur, or why the trials were even being conducted.
While such incidents are alarming from a medical ethics standpoint, they also reveal a deeper and less discussed problem — the handling of personal data. Clinical trials generate vast amounts of sensitive personal information: medical histories, biological samples, and test results that are often stored and processed by third parties without proper oversight. When companies operate without robust data protection practices, two dangers emerge. First, participants’ private health data may be leaked, sold, or misused in ways that are discriminatory or socially damaging, for example, revealing infertility, genetic disorders, or other intimate details that could lead to stigma or loss of employment. Second, companies may compile such information into large, unregulated health databases, exploiting individuals’ data without consent or accountability.
Until recently, most pharmaceutical and research entities in India did not consider data protection a legal or compliance priority. However, with the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA), this negligence can now attract penalties running into crores of rupees. The law has introduced a paradigm shift; data protection is no longer a peripheral concern but a statutory obligation. The Ahmedabad episode, therefore, is not just a reminder of lapses in medical ethics; it underscores the equally critical need for a different kind of consent, not medical consent for treatment, but explicit consent for data processing.
Differences between medical consent and data protection consent
Traditionally, medical consent ensures that a patient understands the nature, risks, and benefits of a treatment or procedure. It is rooted in bioethics and the principle of autonomy: patients must know what will be done to their body.
Data protection consent, by contrast, governs what will be done to their information. Under the DPDPA, consent serves as the primary legal basis for processing personal data. It must be:
1. free, specific, informed, and unambiguous;[3]
2. given after a notice describing what data are collected, for what purpose, and with whom they will be shared; and
3. revocable at any time.
In the context of clinical trials, this means that even if a participant has signed a medical consent form for a procedure, a separate and explicit consent is required for the collection, storage, analysis, and sharing of their personal data. Pharma companies, research institutions, and CROs must, therefore, treat data consent as an additional, non-negotiable requirement, not as a derivative of medical consent.
Consent, now as a legal requirement
The DPDPA introduces several distinctive features that differentiate its consent framework from other privacy laws such as the General Data Protection Regulation (GDPR):
1. Consent notices must be available in English and in Indian languages.[4]
2. Data principals (patients) have the right to access,[5] correct,[6] or erase[7] their personal data.
3. They may nominate a representative to exercise these rights in cases of death or incapacity.
These provisions go beyond conventional healthcare-disclosure norms, aiming to render the consent process transparent, inclusive, and auditable. In clinical research, participants must now be informed not only about the treatment they undergo, but also about how the data generated from that treatment will be processed and retained.
Failure to distinguish between medical and data-protection consent exposes organisations to both ethical and regulatory liability. A pharmaceutical company may fully comply with the Indian Council of Medical Research (ICMR) “National Ethical Guidelines for Biomedical and Health Research Involving Human Participants, 2017”[8] yet still breach DPDPA if it processes data without a valid legal basis.
Revisiting the Ahmedabad case illustrates this clearly. Participants were uninformed about how their personal data would be handled, where it would be stored, and whether it would be shared with third parties. Under the DPDPA, such conduct would amount to processing without consent, an infringement carrying substantial penalties that can amount to Rs 250 crores (approx. USD 28 million) and harm to reputation.
Today’s patients and research volunteers are more digitally literate and privacy-conscious than ever before. They actively seek medical information online before giving consent, and they expect the same transparency when it comes to the use of their personal data. In this environment, obtaining informed data consent offers several advantages: it creates a verifiable record of lawful data processing, enhances participant confidence, reduces future disputes, and strengthens the credibility of healthcare and research institutions. Transparent communication about how data will be collected, stored, and shared not only fulfils regulatory obligations under the DPDPA but also reinforces ethical accountability.
The DPDPA represents a broader cultural shift in how personal data are perceived and protected. In healthcare and research, this shift carries special ethical significance: organisations must move beyond procedural compliance to uphold what may be termed a philosophy of digital dignity. Incidents like the Ahmedabad clinical trial controversy make clear that data protection is not merely a technological concern but a matter of trust. Genuine informed consent today encompasses both medical and informational dimensions: every participant has a right to know not only what is done to their body, but also what is done to their data.
Conclusion
As India enters its first era of comprehensive data protection, the healthcare and clinical-research sectors must refine their understanding of consent. The DPDPA does not supplant medical ethics; it complements and reinforces it. Where medical consent safeguards the body, data-protection consent preserves identity, privacy, and dignity.
*Senior Manager (Legal and Regulatory Affairs) in K&S Digiprotect Services Pvt. Ltd. He is a tech lawyer. Author can be reached at: adv.amanvarma@gmail.com.
1. The news report of India TV reporting major irregularities in clinical drug trials in Ahmedabad can be found here — Abhishek Sheoran, “Ahmedabad Crime Branch Uncovers Major Irregularities in Clinical Drug Trials | Exclusive”, India TV (8-10-2025) available at <https://www.indiatvnews.com/gujarat/ahmedabad-crime-branch-uncovers-major-irregularities-in-clinical-drug-trials-exclusive-2025-10-08-1011844>.
2. CROs are defined under the draft rules released by Central Government on 11-5-2023, New Drugs and Clinical Trials Rules, 2019, available at <https://cdsco.gov.in/opencms/opencms/system/modules/CDSCO.WEB/elements/download_file_division.jsp?num_id=MTAxNDI=> as: “‘Clinical Research Organization’ means a body commercial or academic or of other category owned by an individual or an organisation having status of legal entity by whatsoever name called to which the sponsor may delegate or transfer some or all of the tasks, duties and/or obligations regarding clinical trial, such transfer or delegation of contractual transfers or obligations must be in writing.”
3. Digital Personal Data Protection Act, 2023, S. 6(1) mandates consent to be free, specific, informed, etc.
4. Digital Personal Data Protection Act, 2023, S. 6(3) mandates consent to be provided through a well-informed notice in English and other major Indian languages.
5. Digital Personal Data Protection Act, 2023, S. 11 grants the data principal the right to access information regarding the processing of personal data.
6. Digital Personal Data Protection Act, 2023, S. 12 gives the right to data principals to get their personal data corrected, completed and updated from the data fiduciary.
7. Digital Personal Data Protection Act, 2023, S. 12(3) gives the right to data principals to get their personal data erased.
8. Indian Council of Medical Research, National Ethical Guidelines for Biomedical and Health Research Involving Human Participants, October, 2017, available at <https://ethics.ncdirindia.org/asset/pdf/ICMR_National_Ethical_Guidelines.pdf>.

