This article originally appeared in Outsource Magazine Issue #24 Summer 2011
Privacy issues have been a minefield in offshore outsourcing projects for many years. That minefield has become even more explosive with the publication of a new data protection law in India. And the horizon looks scarcely better with both China and the Philippines, two other key offshore outsourcing destinations, both progressing their own sets of laws on data privacy.
In the short term, the new Indian regulations could have a significant effect on offshore outsourcing. More broadly, the outsourcing industry now needs to grapple with the prospect of data protection laws applying in both the source and host countries of offshore projects.
For years, efforts to develop omnibus privacy legislation in India proceeded in fits and starts. Draft privacy bills were issued and then withdrawn. But on 13 April 2011, India quietly issued final regulations implementing parts of the Information Technology (Amendment) Act 2008, dealing with protection of personal information. The new rules prescribe how personal information may be collected and used by virtually all organisations in India, including personal information collected from individuals located outside India.
There are three main problem areas created by the new Indian rules. These arise from: the “double-dip” effect of an outsourcing project having to comply with two sets of privacy rules; areas of ambiguity in the new Indian rules themselves; and areas where the Indian rules are more restrictive than typical Western privacy rules.
The snappily-titled Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rules”), apply to all organisations that collect and use personal data and information in India.
So, in many respects, the new Privacy Rules aren’t especially innovative or unusual. The complication comes from the fact that they have to be applied in addition to the data protection rules in the source country of the outsourcing.
The Privacy Rules are not limited to the collection and use of personal data about Indian citizens or residents, nor to situations where the Indian entity is acting as the “data controller” or “principal”. As a result, the Privacy Rules appear to apply to any personal information collected from within India, regardless of whether the data are collected from individuals who reside outside of India, and no matter what role the entity in India plays.
The rules apply to any violation of the Indian rules committed outside India. Therefore, personal information that is collected in India from individuals located outside of India and then transferred back outside India must be collected, used, and protected in accordance with the Privacy Rules. It may come as a surprise to a UK-based outsourcer that data collected by its Indian outsourcing service provider and then transferred back to the UK remains subject to the Indian rules as well as the UK Data Protection Act.
Secondly, there are a number of areas where the new Indian rules aren’t clear about what needs to be done. For example, the term “Provider of Information” has not been defined and, although in most instances, the term likely refers to the individual who provides the information (i.e., the data subject), until the term is interpreted by the Indian courts it’s conceivable that it could be more broadly interpreted to apply to third-party providers of information, including service providers. This ambiguity isn’t going to help offshore project teams reach a definite conclusion that they have fully complied with the new rules.
Thirdly, the new Indian rules require prior written consent, without exception, to collect and use sensitive personal data. These consent requirements are far more restrictive than what is required under either the EU Data Protection Directive or the US Gramm-Leach-Bliley Act.
This may have an impact on companies that currently rely on India-based outsourcing service providers to handle sales and other transaction-related calls from their customers. If such calls involve sensitive data, the customers may have to adjust their personal data collection practices to conform to Indian data protection rules, even though their current practices may comply fully with US or EU privacy rules.
Most customers will be looking to their India-based service providers to take the lead and come up with compliant solutions. But in the light of the penalties (up to two years’ imprisonment or a fine, and directors are also liable), many customers will not want to rely solely on their service providers to come up with a solution – unless they have no presence in India and are beyond the reach of Indian authorities. So far, few service providers have a clear answer.
The Indian IT Ministry is saying publicly that the Privacy Rules will provide a boost to the offshore outsourcing industry and demonstrate to international companies that their data is safe in India, which has been a long-standing demand of the Indian IT industry. Unfortunately, however, that misses the point, which is not to create a data protection environment in India that resembles the EU so that all the concerns about India will go away. Rather, the issue of concern to foreign governments and customers who outsource to India is that they need to be able to pursue rogue employees of service providers that violate the service contract and use data in ways that are not permitted by the contract. Such enforcement remains very slow. India’s data protection rules are irrelevant here for the purposes of outsourcing. Data controllers already have to protect their customer (or employee) data in accordance with the rules in place where the data are collected (e.g., EU rules apply to EU data controllers that collect data within the EU). There is no need for a second, and in many respects parallel, system.
China and the Philippines
Although India may retain its preeminent position in the list of the world’s largest offshore outsourcing destinations, many other countries are snapping at India’s heels – not least China and the Philippines. These countries are joining India in seeking to tighten up control over outsourced data.
The Chinese government has issued draft guidelines providing a relatively comprehensive framework for processing personal data in China. As with India, China’s guidelines throw up issues of “double-dip”, ambiguity and increased restriction.
The most significant way in which the Chinese guidelines are different from the US and the EU rules relates to the transfer of data. If these data security guidelines are enacted, express consent from an individual must be obtained in connection with the transfer of personal information to any other organisation. There are no exceptions provided, unlike in the EU where sharing customer information is permitted without consent if it is necessary to complete a contract between the customer and the company.
In the Philippines, legislation in draft form is moving through the system. The draft law now explicitly states that data processors are covered by the Filipino act on personal data. Given this expanded scope and, in particular, the requirement to provide data subjects with notice and obtain express consent unless an exception applies, these proposed rules could have a negative effect on companies that either outsource business functions to Filipino service providers or maintain their own operations in the Philippines.
The implications for the outsourcing industry of these new Indian regulations, and the equivalents in other key offshore destinations, are not yet clear. Until the new Privacy Rules are clarified, outsourcing providers in India may be required to insist that they provide notice and obtain consent from every individual who calls a helpdesk or customer service. IT outsourcing vendors may seek to impose data security obligations on their customers to ensure that the customer complies with Indian law.
It is unfortunate that neither the new Indian Privacy Rules nor the draft equivalents elsewhere take the position that, to support the local offshore outsourcing industries, the data protection rules only apply to situations where the organisation is acting as a data controller.
In an ideal world, personal information which is collected by an entity in a source country and then transferred to and processed within the offshore operation (or is collected and processed inside the country in order to supply a service) should not be subject to a second layer of potentially conflicting data protection rules.
Service providers are, of course, typically required by contract to use data only as instructed by the data controller and to keep the information secure. Imposing multiple layers of potentially conflicting privacy obligations on either the entity processing that information or the entity responsible for its collection, use and disclosure, results in an excessive compliance burden and increased complexity with no demonstrable benefit to individuals.
Moreover, most outsourcing customers don’t want their offshore service providers to provide notice or to obtain consent from their customers or employees. In most cases, the offshore provider doesn’t have a direct relationship with the organisation’s customers or employees.
The new Indian Privacy Rules (and their equivalents in other key offshore destinations) have wide scope and extraterritorial application. Multinational organisations with operations in India or other key offshore destinations, or those that simply rely on offshore service providers to collect personal information on their behalf, should re-assess their current data privacy practices to determine whether or not they comply with these new Privacy Rules.
With the growing number of data protection rules in place, the extraterritorial reach of some of these rules is creating problems, particularly in the outsourcing context. Offshore service providers, now and going forward, need to demonstrate to their customers that the new wave of offshore data protection rules isn’t going to add a new set of unforeseen costs to the offshore outsourcing model.
About the Author
Alistair Maughan is a partner at international law firm Morrison & Foerster, based in the London office. He is co-chair of the Technology Transactions Group and a member of the Global Sourcing Group; he focuses on outsourcing and technology-based projects for major companies and public sector organisations.