New Indian Privacy Rules to impact CIOs

The new data protection law in India [1] adds a new, and potentially troublesome, layer of complexity for CIOs whose companies have operations in India or are involved in offshore outsourcing to India.

The Indian Privacy Rules apply to all organisations that collect and use personal data and information in India, including personal information collected from individuals located outside India.

Many of the requirements will be familiar to those who deal with EU or US data protection rules. For example, there is an obligation to provide notice to individuals when personal information is collected and a privacy policy must be made available to individuals.

There is also a right to access and correct personal information, as well as a requirement to secure information. However, CIOs should not be lulled into a false sense of security, as there are some crucial differences.

For example, prior written consent is required, without exception, to collect and use sensitive personal information. In this way the Indian Privacy Rules are much more restrictive than the EU and US data protection rules.

Although the Indian Privacy Rules are intended to support India's continuing development as a global data processing hub by showcasing India's commitment to strong data protection laws, CIOs are likely to find several aspects of them unattractive. For example:

 - They create an extra layer of regulation. The Indian Privacy Rules are not limited to the collection and use of personal information about Indian citizens, nor to situations where the Indian entity is acting as the "data controller" or "principal".

In fact, they seem to apply to any personal information collected from within India, regardless of whether the data are collected from individuals outside of India, and no matter what role the entity in India plays in the processing of the information.

Even personal information which simply "transits" through India (such as, data collected in India from individuals located outside of India and then transferred back outside India) must be processed in accordance with the Indian Privacy Rules. This means that personal information collected by an entity in one country, and then transferred to and processed within an Indian offshore operation, is subject to a second layer of potentially conflicting rules.

Related:

 - They are unclear in some important respects. For example, the term "Provider of Information" has not been defined. Does it apply to third-party providers of information, including service providers? This sort of ambiguity makes compliance difficult.

As a result of the new rules, companies that currently rely on India-based outsourcing service providers will be required to adjust their data collection practices to conform to Indian data protection rules, even though their current practices may comply fully with U.S. or EU privacy rules.

In some cases, this may be unattractive from a business perspective. Taking the requirements to give notice and obtain consent as an example, most outsourcing customers do not want their offshore service providers to provide notice or to obtain consent from their customers or employees, even though the offshore provider will not have a direct relationship with these individuals.

So what should CIOs do?

 - Let service providers take the lead on finding compliant solutions. However, there are penalties (up to 2 years' imprisonment or a fine, and directors are also liable) so organisations with a presence in India may want to be more proactive and:

 - Assess operational scope. Identify with some granularity the extent to which data collection or processing systems are based in India. This will apply to both internally managed resources as well as those managed by external vendors.
  - Examine existing contracts or negotiate new contracts. The requirement to comply with applicable data privacy laws may not be sufficient. IT outsourcing vendors may seek to impose data security obligations on their customers to ensure that the customer complies with Indian law.
 - Monitor developments. Given the ambiguities and concerns voiced about the rules, one would hope that helpful guidance will be forthcoming sooner rather than later.

Chris Coulter is a technology and outsourcing partner and Ann Bevitt is a data protection partner at Morrison & Foerster, an international law firm

[1] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 ("Indian Privacy Rules")

Pic: Marc_Smith cc2.0