New Privacy Laws in India and China: A Barrier to Outsourcing

Indian Outsourcing operationsNew rules that significantly alter the privacy landscape in India and have profound implications for multinational companies outsourcing business to India or operating in India became effective April 13, 2011, when India introduced the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules. Meanwhile as India inks and publishes these new rules, a law is being proposed in China, which will create similar hurdles for the outsourcing community.
Organizations with operations in India and China will now need to review their existing data processing arrangements and contract terms in light of these new requirements. This article provides an overview of these data privacy rules and their potential effect on multinational businesses that outsource industry functions or maintain their operations in these nations.

Recent developments in the regulatory environments in both India and China may spell the end to outsourcing in these nations. On April 13, 2011, the Indian Central Government issued final regulations implementing the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules. This new regulatory scheme will apply to all organizations that collect and use personal data in India. Based on India’s new rules, no organization doing business in India can transfer sensitive personal data to a third party outside of India unless the transferee guarantees the same level of protection as required under Indian law. However, many of the new consent requirements are more restrictive than privacy protections afforded under U.S. or E.U. law. As a result, organizations from the West that currently rely on Indian-based outsourcing companies to handle sales (or technical support) must improve their current data collection practices to be on par with Indian law. For example, India’s new rules require that organizations notify individuals when their personal information is collected via letter, fax, or email. Individuals then have the ability to “opt out” of the data collection at any time. The new regulations also stipulate that individuals now have the ability to review their collected data and correct or amend personal information.

The Indian IT Ministry takes the position that these new rules will boost offshore outsourcing by demonstrating India’s progress towards a safer informational landscape. However, foreign companies may find adhering to these new rules to be cost intensive, and search elsewhere for back-office support.  Although India has inked and published its new rules, a similarly strict set of laws in China is awaiting final approval. The proposed rules in China create similar hurdles for the outsourcing community. China’s proposed rules also require firms holding personal data to obtain explicit consent before they can divulge data to third parties. The rules also include specific restrictions during the “collection, processing, use, transfer, and maintenance of personal information.”

The new privacy laws in India and China will have a profound effect on multinational businesses that outsource industry functions or maintain their operations in these nations. As currently drafted, both India’s and China’s new rules may prohibit an outsourcing company from transferring data received (whether from a third party or through internal investigation) to that company’s affiliate. Whether an outsourcing firm can return data to the company that hired it for support is also questionable. Companies that operate in these nations, or simply rely on offshore service providers to collect personal information on their behalf, must re-assess their current privacy practices to ensure compliance with these new rules. Outsourcing companies must also be certain that their employers are in compliance with their nation’s laws, or they too will feel the wrath of these new, stringent regulations.