India’s $41 billion dollar outsourcing industry and its clients can breathe a sigh of relief; the Indian Government has issued an official clarification concerning their new broad privacy regulations.

As noted in an earlier blog, in April 2011, India adopted new privacy rules under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These rules are applicable to all organizations that collect and use sensitive personal data and information in India. These rules seemed to have a broad impact on India’s outsourcing industry.

The rules appeared to construct limitations on India’s outsourcers in both acquiring and transferring sensitive personal data. On the one hand, companies or their intermediaries appeared to be required to receive written consent from the information provider by letter, fax, or email, regarding the purpose of the use of the data under Rule 5(1) of the Privacy Rules.

Similarly, Rule 6 requires organizations to obtain prior consent of the information provider before transferring sensitive personal data to third parties unless disclosure has already been agreed to by contract or required by law. Further, no organization inside India would be able to transfer sensitive personal data to a third party outside of India unless the transferee ensures the same level of protection as required under the Indian Rules. Sensitive personal data is defined as financial information; passwords; physical, physiological, and mental health condition; sexual orientation; medical records and history; and biometric information.

This combination of likely restrictions proved relatively drastic and potentially burdensome to India’s outsourcing industry. The flow of data between the United States and India has long been unrestricted and largely unregulated. The new Indian Rules appeared more stringent than the existing privacy laws of the United States. To this extent, American companies doing business with India apparently needed to update their privacy practices in order to comply with the new privacy regulations.

At the same time, the rules were impractical. For instance, a requirement of written consent from every foreign citizen whose sensitive personal data moved through India’s enormous collection of call centers and other outsourcing operations would be cumbersome for Indian outsourcers to implement.

In response to industry concerns, the Indian Government has since clarified their recently adopted privacy regulations. India issued an official clarification recently, noting that sensitive personal data sent to India by customers outsourcing information technology work will not be covered by Rules 5 and 6 of the Privacy Rules. Rather, the new privacy rules only apply to Indian companies that collect information from “natural persons.” It is the companies collecting and sending the data, as opposed to the outsourcers, who are responsible for protecting the privacy of the data according to the rules of their respective countries. Therefore, United States companies sending data for processing to Indian outsourcers will be required to follow the privacy laws of the United States, not India.

However, this clarification might not be the last, as some believe Indian outsourcers have received preferential treatment under the Indian Government’s recent explanation. Further, such treatment allegedly violates the spirit of the Information Technology Act, the Act under which the Privacy Rules have been promulgated. Notably, Section 1(2) of the Act states that it applies to “the whole of India and…to any offence or contravention thereunder committed outside India.” For these reasons, the clarification restricting the application of the Privacy Rules to companies or persons located within India could eventually be struck down in court. We will follow the developments in India.

Photo of Peter Brown Peter Brown

Peter Brown is the national leader of Baker Hostetler’s Technology Law Practice. He maintains an active practice in technology, intellectual property, litigation and technology-related transactions. Mr. Brown also has broad experience in ADR as an advocate, arbitrator and mediator. He has acted as…

Peter Brown is the national leader of Baker Hostetler’s Technology Law Practice. He maintains an active practice in technology, intellectual property, litigation and technology-related transactions. Mr. Brown also has broad experience in ADR as an advocate, arbitrator and mediator. He has acted as an expert witness in technology and intellectual property matters. Among Mr. Brown’s representative litigation matters are the following:

The recent successful trial and appeal to the Second Circuit Court of Appeals of Scientific Components Corp. v. Sirenza Mcrodevices, Inc.

The trial and appeal of a landmark New York case upholding limitation of liability clauses in computer contracts

The prosecution of the first major litigation involving issues arising from open source software

Acted as lead counsel in the defense of a major U.S. outsourcing vendor in a dispute with a prominent insurance industry customer

Conducted jury and bench trials of technology and commercial trade secret disputes
Mr. Brown has been the lead counsel in litigated matters involving computer software, electronic components, telecom services, outsourcing, financial services, software development disputes, employment law, breach of contract claims, printing industry disputes, international trade issues, patents, trademarks and copyrights. Mr. Brown also has broad experience in technology transactions involving computer systems, electronic commerce, computer games, intellectual property, content distribution, outsourcing, hardware purchases and software licensing. His in-depth understanding of information technology and Internet legal issues has established him as a leading counselor in the structuring and implementation of a wide variety of technology and Internet systems, advisor on venture financing and counseling on data security and privacy.