Over the years, the offshore outsourcing industry has grown used to dealing with issues raised under the UK, EU or US data protection laws, and CIOs and experienced outsourcing and privacy practitioners have developed effective solutions to most of the problems presented.
Those happy days are now gone. India has issued a new data protection law which will trap unwary offshore outsourcing projects. And two other key offshore outsourcing destinations — China and the Philippines — are both progressing their own sets of laws on data privacy.
Issued quietly on April 13, the snappily-titled Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 apply to all organisations that collect and use personal data and information in India. There are three main problem areas created by the new rules.
- The new rules apply in addition to any existing data protection rules in the source country of the data. So effectively there’s a ‘double-dip’ effect: a project has to comply with two sets of privacy rules that are similar but slightly different.
- The new Indian rules are unclear in many respects. Lots of terms are undefined and it’s not clear exactly how they apply to particular typical scenarios.
- In some respects the Indian laws are more restrictive than typical Western rules – especially when it comes to the treatment of so-called ‘sensitive data’. The rules require prior written consent, without exception, to collect and use sensitive personal data, which is far more restrictive than the comparable EU or US laws.
The Indian IT Ministry takes the position that these new rules will boost offshore outsourcing by showing international companies that their data is safe in India.
But that wasn’t really the point.
Data controllers already have to protect their data in accordance with the rules in place where the data is collected. Most Western outsourcers felt that, by the time they had been through the data protection hoops required by UK, EU or US law to enable the offshore transfer of data, they had done enough to protect data subjects’ rights.
So there wasn’t really a need to create a data protection environment in India that resembles the EU in order to make all the concerns about India go away.
Rather, what concerns foreign governments and the customers that outsource to India is the ability to pursue rogue employees of service providers who misuse or misappropriate data in ways that the contract does not permit. Such enforcement remains very slow.
The new Indian privacy rules have wide scope and extraterritorial application.
Companies that have operations processing data in India, or that simply rely on offshore service providers to collect personal information on their behalf, should re-assess their current data privacy practices to ensure they comply with these new rules.
Alistair Maughan is a partner at Morrison & Foerster, an international law firm. Follow him on Twitter @ICToutsourcelaw