Potential for substantial effects on India's outsourcing
India has recently introduced rules that govern the collection and processing of personal information. The rules were introduced under India's Information Technology (Amendment) Act 2008, which provides penalties for companies that fail to implement "reasonable security practices and procedures".

There is currently much debate regarding the scope of application of the new rules. For Western companies that have outsourced part of their business processes to India, the most important question appears to be whether the rules will also apply to the personal information of persons who do not reside in India. There is additional debate about whether the rules will apply universally as a "minimum standard" or only if a company does not have its own internal data privacy rules.

One thing is certain: if the rules are applicable, they impose more stringent data privacy restrictions than most Western data privacy legislation. For example, the rules' definition of "sensitive" personal data is broader than under the European data protection directive 95/46/EC, and also includes financial information, biometric information and passwords. Moreover, sensitive personal information may only be processed with the consent of the "information provider", which can be either the person to whom the personal information relates or a party that has obtained his or her personal information.

The rules further set out that a transfer of sensitive personal information to a third party inside or outside India is only allowed if such transfer is necessary for the performance of a lawful contract or is based on the consent of the person to whom the personal information pertains. It is not yet clear whether such lawful contract or consent is required in addition to the general consent needed for the processing of sensitive data as set out above. Moreover, a transfer of sensitive personal information is only allowed if the third-party recipient inside or outside India provides a level of data protection similar to that provided under the rules. It is not yet known how it should be established that the recipient meets this requirement.

Additionally, the rules impose stringent requirements on the information security of personal information in general. Companies are required to comply with reasonable security practices and procedures that contain adequate managerial, technical, operational and physical security measures. If a data recipient has implemented IS/ISO/IEC 27001 or any other security standard approved by India's government and has its compliance with this standard externally audited, the data recipient will be deemed to have met this security requirement. It is not yet known whether other industry standards such as SAS Type II are considered sufficient in