The new data protection law in India [1] adds a new, and potentially troublesome, layer of complexity for CIOs whose companies have operations in India or are involved in offshore outsourcing to India. The Indian Privacy Rules apply to all organisations that collect and use personal data and information in India, including personal information collected from individuals located outside India.

Many of the requirements will be familiar to those who deal with EU or US data protection rules. For example, there is an obligation to provide notice to individuals when personal information is collected, and a privacy policy must be made available to individuals. There is also a right to access and correct personal information, as well as a requirement to secure information.

However, CIOs should not be lulled into a false sense of security, as there are some crucial differences. For example, prior written consent is required, without exception, to collect and use sensitive personal information. In this way the Indian Privacy Rules are much more restrictive than the EU and US data protection rules.

Although the Indian Privacy Rules are intended to support India’s continuing development as a global data processing hub by showcasing India’s commitment to strong data protection laws, CIOs are likely to find several aspects of them unattractive. For example:

– They create an extra layer of regulation. The Indian Privacy Rules are not limited to the collection and use of personal information about Indian citizens, nor to situations where the Indian entity is acting as the “data controller” or “principal”. In fact, they seem to apply to any personal information collected from within India, regardless of whether the data are collected from individuals outside of India, and no matter what role the entity in India plays in the processing of the information. Even personal information which simply “transits” through India (such as data collected in India from individuals located outside of India and then transferred back outside India) must be processed in accordance with the Indian Privacy Rules. This means that personal information collected by an entity in one country, and then transferred to and processed within an Indian offshore operation, is subject to a second layer of potentially conflicting rules.

– They are unclear in some important respects. For example, the term “Provider of Information” has not been defined. Does it apply to third-party providers of information, including service providers? This sort of ambiguity makes compliance difficult.

As a result of the new rules, companies that currently rely on India-based outsourcing service providers will be required to adjust their data collection practices to conform to Indian data protection rules, even though their current practices may comply fully with US or EU privacy rules. In some cases, this may be unattractive from a business perspective. Taking the requirements to give notice and obtain consent as an example, most outsourcing customers do not want their offshore service providers to provide notice or to obtain consent from their customers or employees, even though the offshore provider will not have a direct relationship with these individuals.

So what should CIOs do?

– Let service providers take the lead on finding compliant solutions.

However, there are penalties (up to 2 years’ imprisonment or a fine, and directors are also liable), so organisations with a presence in India may want to be more proactive and:

– Assess operational scope. Identify with some granularity the extent to which data collection or processing systems are based in India. This applies both to internally managed resources and to those managed by external vendors.

– Examine existing contracts or negotiate new contracts. A general requirement to comply with applicable data privacy laws may not be sufficient. IT outsourcing vendors may seek to impose data security obligations on their customers to ensure that the customer complies with Indian law.

– Monitor developments. Given the ambiguities and concerns voiced about the rules, one would hope that helpful guidance will be forthcoming sooner rather than later.

Chris Coulter is a technology and outsourcing partner and Ann Bevitt is a data protection partner at Morrison & Foerster, an international law firm.

[1] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“Indian Privacy Rules”)