Indian law may satisfy EU data protection concerns

Aiming to quell concern from Western users of outsourcing services, India is likely to have a tighter data protection and privacy regime in place later this year. The National Association of Software and Service Companies (NASSCOM) in Delhi is confident that new measures will be passed as law in the coming session of India's parliament, said Kiran Karnik, president of NASSCOM which is working closely with the government on the new rules.

India's elections for a new federal government started Tuesday, and the new parliament, is expected to take up the new legislation for data protection, will be installed by Aug. 6.

The Indian government is under increasing pressure, from business process outsourcing (BPO) operations and call centers in India that handle large volumes of data from the U.S. and Europe, to pass a data protection law.

"It is becoming extremely important for India to have in place a distinctive legal regime promoting data protection," said Pavan Duggal, a Delhi-based cyber law consultant. "This is necessary to create appropriate confidence among investors and foreign companies to the effect that the data they send to India for back office operations is indeed safe, and there are appropriate statutory mechanisms in place should a breach of data take place."

Opponents of offshore outsourcing to India have often cited the absence of a data protection and privacy law in India as a strong reason for stopping the movement of call center and BPO work to the country. Labour MEPs (Members of European Parliament) affiliated with the Amicus trade union in the U.K. announced in April that they would ask the European Commission -- the European Union's executive branch -- to protect British consumers whose personal data is being transferred to India, warning that offshore outsourcing is "an accident waiting to happen."

Rather than have a separate law to deal with data security and privacy issues, the government is considering an amendment to its Information Technology Act of 2000. NASSCOM is currently in the process of inserting new clauses in the IT Act 2000, and these are currently being reviewed by the government, said Karnik, who added that NASSCOM is confident that the amendments will meet regulatory requirements of major customers of the Indian BPO industry.

The Information Technology Act of 2000 currently only covers unauthorized access and data theft from computers and networks, with a maximum penalty of about US$220,000, and does not have specific provisions relating to privacy of data. The new clauses are likely to enable the Information Technology Act to conform to the so-called adequacy norms of the European Union's Data Protection Directive and the Safe Harbor privacy principles of the U.S., according to NASSCOM.

The adequacy norms allow the E.U. to declare that third-party countries have levels of data protection that conform to European standards and thus allow data on E.U. citizens to be transmitted outside of the union.

Government officials were not available for comment, but according to informed sources, after the new rules are in force, India plans to negotiate with the E.U. to get it to recognize India as a country that offers an adequate level of protection for personal data.