India to Adopt Data Privacy Rules

Two powerful players in India’s outsourcing industry are drafting a data protection law designed to quell growing privacy concerns from their offshore clients.

India’s Ministry of Information Technology and the National Association of Software and Service Companies (Nasscom) in New Delhi expect the legislation to be in place early next year. It would provide legal safeguards to ensure data privacy protection in India, according to Nasscom President Kiran Karnik.

Such safeguards are required for all data leaving the European Union, which is a result of the EU Data Protection Directive and is what prompted India to act. But the regulations could prove beneficial for American companies as well.

No U.S. law currently prohibits information—such as Social Security and driver’s license numbers, employment histories, and medical records—from being shipped to or accessed from other countries, says William Bierce, attorney and president of New York City-based law practice Bierce and Kenerson. However, the number of U.S. companies required to comply with industry-specific and state laws is growing. Laws such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act, and California’s pending SB 1386 identity-protection law regulate what data companies can share. With offshore outsourcing deals, data protection provisions are usually written into service contracts.

Some CIOs worry whether a data protection law would have any teeth in India’s courts. But competition for offshore business should keep the courts on the straight and narrow. “Nasscom and India understand how vital a clear policy on data protection and privacy are to the trust and confidence of foreign clients,” says Bierce, adding that the rules will most likely be enforced by a special appellate court established under India’s Information Technology Act of 2000.

Nonetheless, CIOs must remain diligent about Indian vendors to ensure the privacy and security needs of their companies.

“India’s privacy legislation is positive, but much more important is for CIOs to ensure that their outsourcing agreements contain detailed and precise contractual specifications regarding data privacy and protections,” says Hank Zupnick, senior vice president and CIO of GE Real Estate, who works with several Indian IT services companies. Specific remedies for noncompliance should be spelled out in the contract, adds Zupnick, and the contract should have legal jurisdiction in the state or province where the CIO’s company is headquartered.