New Indian Privacy Rules to impact CIOs

June 4, 2011

The new data protection law in India [1] adds a new, and potentially troublesome, layer of complexity for CIOs whose companies have operations in India or are involved in offshore outsourcing to India.

The Indian Privacy Rules apply to all organisations that collect and use personal data and information in India, including personal information collected from individuals located outside India.

Many of the requirements will be familiar to those who deal with EU or US data protection rules. For example, there is an obligation to provide notice to individuals when personal information is collected and a privacy policy must be made available to individuals.

There is also a right to access and correct personal information, as well as a requirement to secure information. However, CIOs should not be lulled into a false sense of security, as there are some crucial differences.

For example, prior written consent is required, without exception, to collect and use sensitive personal information. In this way the Indian Privacy Rules are much more restrictive than the EU and US data protection rules.

Although the Indian Privacy Rules are intended to support India’s continuing development as a global data processing hub by showcasing India’s commitment to strong data protection laws, CIOs are likely to find several aspects of them unattractive. For example:

– They create an extra layer of regulation. The Indian Privacy Rules are not limited to the collection and use of personal information about Indian citizens, nor to situations where the Indian entity is acting as the “data controller” or “principal”.

In fact, they seem to apply to any personal information collected from within India, regardless of whether the data are collected from individuals outside of India, and no matter what role the entity in India plays in the processing of the information.

Even personal information that simply “transits” through India (such as data collected in India from individuals located outside of India and then transferred back outside India) must be processed in accordance with the Indian Privacy Rules. This means that personal information collected by an entity in one country, and then transferred to and processed within an Indian offshore operation, is subject to a second layer of potentially conflicting rules.

– They are unclear in some important respects. For example, the term “Provider of Information” has not been defined. Does it apply to third-party providers of information, including service providers? This sort of ambiguity makes compliance difficult.

As a result of the new rules, companies that currently rely on India-based outsourcing service providers will be required to adjust their data collection practices to conform to Indian data protection rules, even though their current practices may comply fully with U.S. or EU privacy rules.

In some cases, this may be unattractive from a business perspective. Taking the requirements to give notice and obtain consent as an example, most outsourcing customers do not want their offshore service providers to provide notice or to obtain consent from their customers or employees, even though the offshore provider will not have a direct relationship with these individuals.

Source: New Indian Privacy Rules to impact CIOs