Outsourcing to India May Not Be Affected by Privacy Rules
Personal data sent to India by companies outsourcing work to service providers in the country will not be covered under the country's stringent new rules for the collection of personal data, an executive of a data protection standards company set up by the National Association of Software and Service Companies (Nasscom) said.
The new Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 require companies or their intermediaries to take consent in writing from individuals about the use of the sensitive personal information they collect.
The Indian government has assured outsourcers that it will be issuing a clarification soon that the rules do not cover personal data collection by companies abroad, said Kamlesh Bajaj, CEO of the Data Security Council of India, a company set up by Nasscom to set standards for data security and privacy for outsourcers.
The key element of the clarification will be that the new rules apply only to a "body corporate" in India, he added. A spokesman of the country's Ministry of Communications and IT said he had no comment on this issue.
Indian companies that handle data will however continue to be governed under those parts of the rules that require them to follow stringent security procedures as processors of data, Bajaj said.
India may have gone a bit too far trying to put in place a tough data protection and privacy regime to impress investors, and clients of Indian outsourcers, according to analysts.
The new rule requiring written consent for collection of sensitive personal data presents numerous questions as to its practicality and how it can be implemented, particularly in the context of an outsourcing arrangement where the customer is, for example, in the U.K. and the service provider is located in India, said Lawrence Graham LLP, a firm of London-based business lawyers, in a recent note.
As a result of the new rules, companies that currently rely on India-based outsourcing service providers will be required to adjust their data collection practices to conform to Indian data protection rules, even though their current practices may comply fully with U.S. or European Union privacy rules, Lawrence Graham said.
The current rules, which came into force in April, do not make a distinction between Indian outsourcers and their customers abroad, and it would appear that customers abroad will also have to follow the stipulated procedures for the collection of personal data, including seeking written approval from the individuals from whom they collect the data, said Pavan Duggal , a cyber law consultant and advocate in India's Supreme Court.
Indian outsourcers, particularly the business process outsourcing (BPO) firms, process a lot of data that is collected and sent to them by their customers in the U.S. and Europe. Indian call centers and BPO firms also collect data from individuals on behalf of their customers.
The collection of personal data abroad by Indian companies will not come under the new rules, because Indian companies will be collecting this data on behalf of the customer who is abroad and governed by laws in his country, Bajaj said.
Duggal however believes that even in such situations, the collection of data by Indian call centers will have to be done by taking the written consent of the person whose information is collected, unless the government altogether removes the provision in the new rules. BPO operations in India processing data collected abroad will still have to ensure that permission was received in writing even for the data collected abroad, he added.
The reasonable security practices and procedures imposed on service providers by the new rules will not be known or understood by the vast majority of Indian outsourcers, which are mainly small outfits, Duggal said. So they will almost always be in infringement of the law, he added.
The requirement that companies implement security best practices such as those laid down by the International Standards Organization (International Organization for Standardization) and other standards bodies will impose a high cost on these small companies, as they try to get these certifications, Duggal said.
As they handle content, outsourcers will also come under the category of intermediaries under a different set of controversial rules of the country's IT Act, he added.