Indian law may satisfy EU data protection concerns

Aiming to quell concern from Western users of outsourcing services, India is likely to have a tighter data protection and privacy regime in place later this year. The National Association of Software and Service Companies (NASSCOM) in Delhi is confident that new measures will be passed as law in the coming session of India's parliament, said Kiran Karnik, president of NASSCOM which is working closely with the government on the new rules.

Free IT resource Open Source Business Conference (OSBC) May 22-23, 2007 Sponsored by OSBC Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell

India's elections for a new federal government started Tuesday, and the new parliament, is expected to take up the new legislation for data protection, will be installed by Aug. 6.

The Indian government is under increasing pressure, from business process outsourcing (BPO) operations and call centers in India that handle large volumes of data from the U.S. and Europe, to pass a data protection law.

"It is becoming extremely important for India to have in place a distinctive legal regime promoting data protection," said Pavan Duggal, a Delhi-based cyber law consultant. "This is necessary to create appropriate confidence among investors and foreign companies to the effect that the data they send to India for back office operations is indeed safe, and there are appropriate statutory mechanisms in place should a breach of data take place."

Opponents of offshore outsourcing to India have often cited the absence of a data protection and privacy law in India as a strong reason for stopping the movement of call center and BPO work to the country. Labour MEPs (Members of European Parliament) affiliated with the Amicus trade union in the U.K. announced in April that they would ask the European Commission -- the European Union's executive branch -- to protect British consumers whose personal data is being transferred to India, warning that offshore outsourcing is "an accident waiting to happen."

Rather than have a separate law to deal with data security and privacy issues, the government is considering an amendment to its Information Technology Act of 2000. NASSCOM is currently in the process of inserting new clauses in the IT Act 2000, and these are currently being reviewed by the government, said Karnik, who added that NASSCOM is confident that the amendments will meet regulatory requirements of major customers of the Indian BPO industry.

The Information Technology Act of 2000 currently only covers unauthorized access and data theft from computers and networks, with a maximum penalty of about US$220,000, and does not have specific provisions relating to privacy of data. The new clauses are likely to enable the Information Technology Act to conform to the so-called adequacy norms of the European Union's Data Protection Directive and the Safe Harbor privacy principles of the U.S., according to NASSCOM.

The adequacy norms allow the E.U. to declare that third-party countries have levels of data protection that conform to European standards and thus allow data on E.U. citizens to be transmitted outside of the union.

Government officials were not available for comment, but according to informed sources, after the new rules are in force, India plans to negotiate with the E.U. to get it to recognize India as a country that offers an adequate level of protection for personal data.

Until a tighter data protection legal regime is in place, foreign customers are relying upon contractual obligations to impose obligations for protecting and preserving data, according to Duggal. "However, foreign customers are increasingly realizing that such contractual obligations are not necessarily the best effective remedy available," said Duggal. "This is so because in the event of a breach of the security of data, getting effective remedy under the contractual obligations is itself problematic, time consuming and self defeating. Having appropriate statutory protection with stipulated statutory penalties, damages and other remedies would act as a good deterrent against the breach of data privacy."

Duggal added that the government should consider penalties up to between $5.5 million to $11 million for breaches of data.

Even though the government has delayed the implementation of a legal framework for prosecution of data and privacy breaches, Indian BPO companies have implemented processes such as the BS7799 standard for information security management of the London-based British Standards Institution.

"Clients expect outsourcing companies they do business with in India to provide at the process level the same capability to ensure privacy, confidentiality, and security of data that their local outsourcers have," said Prakash Gurbaxani, chief executive officer of TransWorks Information Services Ltd., a Mumbai-based BPO and call center company.

Standards such as BS7799, and the ISO17799 standard for information security of the International Organization for Standardization (ISO), based in Geneva, restrict the quantity of data that can be made available to employees of BPO and call centers. "One of the things that you do, for example, is that you make sure that the agent workstation has no other software than is required for the job, has no Internet access that could be potentially used to e-mail say a credit card number to someone else," said Gurbaxani. "You also ensure that the office is paperless so that no data can be copied out."

Despite these checks, there has been some fraud in the Indian BPO industry, although it has mainly gone unreported, according to Duggal. One case that however got reported was of an employee in a call center in Noida, who last year misused the credit card and other details of a U.S. citizen to buy consumer electronics equipment from the Indian operation of Sony Corp. "He was caught, arrested and subsequently convicted for online cheating in the subcontinent's first cyber crime conviction," said Duggal, who was the counsel for Sony.

Stray cases of fraud should not however be blown out of proportion to make it appear that fraud is widespread in India's BPO industry, according to industry sources. The risks of BPO operations, such as fraud prevention, are risks that all financial services companies have to deal with irrespective of what countries they operate in, Karnik said.