India poised to tighten data protection law

India is likely to have a tighter data protection and privacy regime in place later this year, after bowing to pressure from...

India is likely to have a tighter data protection and privacy regime in place later this year, after bowing to pressure  from Western users of outsourcing services.

The National Association of Software and Service Companies (NASSCOM) in Delhi is confident that new measures will be passed as law in the coming session of India's parliament, said Kiran Karnik, president of NASSCOM which is working closely with the government on the new rules.

India's elections for a new federal government started on Tuesday, and the new parliament, required to take up the new legislation for data protection, will be installed by 6 August.

"It is becoming extremely important for India to have in place a distinctive legal regime promoting data protection," said Pavan Duggal, a Delhi-based cyber law consultant. "This is necessary to create appropriate confidence among investors and foreign companies to the effect that the data they send to India for back-office operations is indeed safe, and there are appropriate statutory mechanisms in place should a breach of data take place."

Opponents of offshore outsourcing to India have often cited the absence of a data protection and privacy law in India as a strong reason for stopping the movement of call centre and BPO work to the country.

Labour MEPs affiliated with trade union Amicus said they would ask the European Commission to protect British consumers whose personal data is being transferred to India, warning that offshore outsourcing is "an accident waiting to happen".

Rather than have a separate law to deal with data security and privacy issues, the government is considering an amendment to its Information Technology Act of 2000.  NASSCOM is in the process of inserting new clauses in the IT Act 2000,  and these are being reviewed by the government.

The act in its existing form only covers unauthorised access and data theft from computers and networks, with a maximum penalty of  about $220,000, and does not have specific provisions relating to privacy of data. The new clauses are likely to enable the act to conform to the so-called adequacy norms of the European Union's Data Protection Directive and the Safe Harbor privacy principles of the US, according to NASSCOM.

The adequacy norms allow the EU to declare that third-party countries have levels of data protection that conform to European standards and thus allow data on EU citizens to be transmitted outside of  the union.

Government officials were not available for comment, but according to informed sources, after the new rules are in force, India will negotiate with the EU to get it to recognise India as a country that offers an adequate level of protection for personal data.

Until a tighter data protection legal regime is in place, foreign customers are relying upon contractual obligations to impose obligations for protecting and preserving data, according to Duggal.

"However, foreign customers are, increasingly, realising that such contractual obligations are not necessarily the best effective remedy available," said Duggal.

"This is so because in the event of a breach of the security of data, getting effective remedy under the contractual obligations is itself problematic, time consuming and self defeating. Having appropriate statutory protection with stipulated statutory penalties, damages and other remedies would act as a good deterrent against the breach of data privacy."

Duggal added that the government should consider penalties up to between $5.5m to $11m for breaches of data.

Even though the government has delayed the implementation of a legal framework for prosecution of data and privacy breaches, Indian BPO companies have implemented processes such as the  BS7799 standard for information security management.

"Clients expect outsourcing companies they do business with in India to provide at the process level the same capability to ensure privacy, confidentiality, and security of data that their local outsourcers have," said Prakash Gurbaxani, chief executive officer of TransWorks Information Services, a Mumbai-based BPO and call centre company.

Standards such as BS7799, and the ISO17799 standard for information security, restrict the quantity of data that can be made available to employees of BPO and call centres.

"One of the things that you do, for example, is that you make sure that the agent workstation has no other software than is required for the job, has no internet access that could be potentially used to e-mail say a credit card number to someone else," said Gurbaxani. "You also ensure that the office is paperless so that no data can be copied out."

Despite these checks, there has been some fraud in the Indian BPO industry. One case reported was of an employee in a call centre in Noida, who last year misused the credit card and other details of a US citizen to buy  electronics equipment from Sony.

"He was caught, arrested and subsequently convicted for online cheating in the subcontinent's first cyber crime conviction," said Duggal, who was the counsel for Sony.

Stray cases of fraud should not however be blown out of proportion to make it appear that fraud is widespread in India's BPO industry, according to industry sources. The risks of BPO operations, such as fraud prevention, are risks that all financial services companies have to deal with irrespective of what countries they operate in, Karnik said.

John Ribeiro writes for IDG News Service

Read more on IT outsourcing