Vast amounts of global personal data flow through India, including as a result of its major outsourced services industry. For that reason, India’s recently adopted data privacy regulations, which implement the Information Technology (Amendment) Act 2008, have the potential for a profound impact on global businesses with either their own or outsourced operations in India. Importantly for global companies with outsourced functions or vendor relationships, the rules are not limited to the collection and use of personal information about Indian citizens. For any global operation with sensitive personal information stored in India, the notice and choice and data security provisions are particularly notable.
The potential reach of the regulations is wide, purporting to reach any business collecting and using personal data in India, of individuals located either in or outside of India, regardless of that business’s role in a larger data structure. The regulations therefore apply to both the entity primarily controlling any relevant data and any entities merely handling that data on another’s behalf: whilst there is a distinction made in certain sections of the Act and the regulations, it is not yet clear how this will work in practice. Further, the Act catches any breaches committed outside of India, meaning that a data structure in which data is collected in India (including of non-Indian located individuals) and then transferred outside of India will need to be compliant with the new regulations, throughout the entire data flow.
This potential extra-territorial application of the new rules, to processing carried out on any data exported outside of India, may well involve significant compliance programme shake-ups for businesses processing data through India, depending of course on how far along the data processing chain the Indian regulator will enforce the rules in practice. It is not yet clear how this particular aspect of the new rules will be enforced. Given the controversy over the strict new rules in general and the initial negative responses from major Indian outsourcing providers and users, the government and regulator will no doubt be treading the fine line between giving teeth to the rules themselves and placating one of the country’s major service industries.
In addition to this wide reach, the requirements of the regulations are comprehensive and relatively strict, even in light of the detailed European privacy regime.
- Collection and processing requirements: Personal data may be processed only for lawful purposes, and only to the extent necessary for the legitimate functions or activities of the business. Further, processing may only be carried out for the purposes for which the data was originally collected: processing for secondary purposes is therefore prohibited.
- Notice to individuals: At the time when personal data is collected, the relevant individual must be told (a) that their data is being collected and by which entity; (b) for what purposes it is being collected; and (c) the intended recipients of the data.
- Sensitive personal data: The collection and handling of sensitive personal data will only be possible with the prior written and informed consent of the data subject (and the individual must be free to withdraw this consent at any time). Further, and in a major change to European privacy law conceptions of ‘sensitive personal data’, sensitive personal data under the new Indian regulations will include all passwords, financial information and biometric data (in addition to the medical and sex life information which is more typical of the European rules).
- Data transfer / export: Transfers of sensitive personal data may only be made within India or to countries which ensure the same level of privacy protection as India, and solely where the individual has consented to the transfer, or where the transfer is necessary for the performance of a contract with the individual.
- Disclosure to third parties: Personal data may only be disclosed to third parties with the prior consent of the individual (unless for the purposes of a contract with the relevant individual, or for compliance with a legal obligation). Consent to the disclosure of sensitive personal data must be made in writing.
- Data access and correction: The individual has the right to review their personal information and to require any inaccuracies to be corrected.
- Security: Reasonable security practices must be in place and available to the relevant individuals, together with comprehensive information security programmes and policies, in proportion to the types of data collected and the nature of the business. ISO 27001 is deemed sufficient for these purposes (provided it is sufficiently audited). A company that holds sensitive personal data or information in a computer system that it owns, controls or operates, and that is negligent in implementing and maintaining reasonable security practices and procedures, and causes wrongful loss or wrongful gain to another person, has to pay damages to the person so affected. However, compliance with a written agreement with such provisions or other applicable law may be adequate, i.e. the statutory provisions may only apply where there is neither an agreement nor any applicable law.
For businesses already working towards compliance with the European and US privacy regimes, the requirement of greatest potential impact here is the inclusion of password and financial information within the definition of sensitive personal data. This is a major shift from the European view of sensitive personal data, and casts the strict prior consent and data export requirements for sensitive personal data in a whole new light. Once financial information is collected in India, it may be time consuming and administratively difficult to get it back out again, creating a new hurdle in the data flows of global businesses.
The financial sanctions for breaches of the new rules are relatively low, though custodial criminal sanctions may also be imposed – approximately US$ 2,250 or up to 2 years imprisonment for a direct breach of the Act or the implementing regulations, and approximately US$ 4,500 or up to 3 years imprisonment for any service providers disclosing information in breach of contract. Company directors may also be liable personally, subject to evidence that the breach occurred without their knowledge or that they tried to prevent it. Whether or not company directors will end up losing any sleep over these sanctions remains to be seen, as the Indian government and regulator have not yet issued any guidance on how they intend to enforce the new rules or how they will be using their enforcement powers.
The practical result of the regulations may mean that businesses which operate in or outsource operations to India, and which handle personal data collected in India as a result (of individuals located in India, or elsewhere including the US and Europe), especially financial information, could find themselves needing to materially revise user communications and contracts in order to collect prior written consent to Indian collection, storage or processing, including where such solutions are currently compliant with EEA and US privacy rules. At this initial stage, it is important for businesses outsourcing to India to consider the following:
- What types of your data are you (and your vendors) sending to and receiving from India, paying close attention to consumer / end-user / employee facing processes?
- How are your service providers planning to comply with these new rules? Reach out to key service providers and review contractual terms and procedures.
- How could you implement stricter consent requirements, to cover the handling of financial information for example, in practice, and how may new compliance steps taken by your service providers impact your wider business operation outside of India?
On a longer term view, once the new rules are established and as and when we see real enforcement, the regulations may well trigger a serious re-think for businesses outsourcing to India, as the administrative and technical burdens of compliance begin to swallow up operational and labour cost savings. To continue the theme, the Chinese government is also moving towards a much more comprehensive system of privacy regulation, indicating that explicit consent requirements for disclosure of data to third parties and strict data export requirements are looming on the horizon.
Latham & Watkins LLP does not practice Indian law.