UK legal profession cetain of uncertainties of Indian data protection law

The Indian Data protection law, which was introduced last month, has created uncertainty in the outsourcing sector and clarification is needed on a rule that could create a burdensome business process.

Although it is being welcomed, the outsourcing industry wants clarification  on the finer details.

The law, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, was introduced last month. There have been fears that an article within it, that states that processors of data must gain consent from the person the data is about, will be over burdensome.

The new rule is section 43A of the Indian IT Act. According to the Times of India it states “that a corporate shall have to obtain permission through letter or fax or email from each client before collection of sensitive information. Thus, BPOs will have to inform the client regarding purpose of usage before collection of such information, if they go by the new IT rules 2011.”

This would create additional work and potential hurdles for Indian suppliers obtaining consent from the customers of their clients.

Peter Brudenall, lawyer at UK law firm Lawrence Graham, says businesses are worried about the new rules on obtaining consent. He said the Indian government seems to have gone further but he added that there needs to be some clarification.

Katherine Ollerhead, lawyer at Berwin Leighton Paisner, says the rules suggest that any company that processes data needs to get consent. This is because the rules do not seem to differentiate between the controller of the data (the client of the service provider) and the processor (the service provider). If true it would mean service providers in India having to seek consent from all the customers of a client to process the data.  

But she says there is a waiting game to see the clarification from the Indian government. She agrees with Brudenall that the Indian law appears to go further than the law in the UK.

This article in the Times of India suggests there will be clarification soon.

If you want to see the new rules in full see click on the image below.

Thumbnail image for india pdf.png


Indian suppliers are processing and storing the personal data of their clients’ customers. For example if an Indian company provides BPO services to a bank it will have the details of customers on its systems. Until last month India did not really have data protection laws that matched the levels of protection of the law in the US or Europe.

Not surprisingly this was always seen as a risk with offshoring to India. UK corporates have got around this problem because most companies providing outsourcing services from places such as India sign up to standard EU-approved contractual clauses to govern the security arrangements for the data processing.

But the panic amongst the outsourcing industry over news India’s data protection law is unnecessary according to outsourcing lawyer Kit Burden.

Burden at DLP Piper says there has been a lot of panic, mainly from the US, about the new law because it requires businesses to gain consent from people who have their data stored or processed by an outsourcer.

Burden says he has been through the legislation and it actually means that consent only has to be given once. This would be given by the controller of the data, who would be the client of the service provider.

He welcomes the new legislation and he says if Europe accepts it as being as strict as its own it would negate the need to put workarounds in contracts.

Phil Lee, a lawyer at Field Fisher Waterhouse, is an expert in this area. He gave me his thoughts.

“There’s uncertainty as to when and how the new rules apply.  On a narrow reading, they might apply only where no contract exists between the outsourcer and its service provider – seldom the case in international outsourcing (generally only in on-shore, intra-group outsourcing).  
It’s also unclear what the rules are for processing “sensitive personal data” (such as medical records and financial data).  Service providers need consent before processing “sensitive personal data”,  but clarity is missing as to whether it can rely on consents already obtained by its client – if not, this could have a significant impact on outsourced operations.  
The Indian data privacy rules bear strong resemblance to European rules in terms of data access, data retention and purpose limitation.  They also provide clarity as to the security standards expected of service providers.  In effect, they impose certain mandatory data privacy standards that outsourcers would normally impose contractually.  By doing so, they give outsourcers greater confidence that, when sending data to India, they will fulfil European data export rules to ensure “adquate” protection for their data.
However, there are key differences between Indian and European standards.  Outsourcers should not assume that their service provider’s compliance with Indian data privacy rules will meet European requirements – it won’t.  The outsourcer will still need to perform an appropriate level of due diligence and impose suitable contractual terms on its service provider in order to protect data.”

If you have any thoughts please put them in the comments section.