Our 27 June post on the new Indian data privacy regime discussed the key provision of the Information Technology (Amendment) Act 2008 and its implementing regulations, the new Rules. It also considered some of the questions left unanswered by the Rules. What categories of personal data do the Rules apply to? How is the required consent to be obtained? To what extent do the Rules apply to organizations not based in India but with outsourced operations there, or to Indian subsidiaries of global organizations? How will an organization currently compliant with US and/or European data privacy standards need to amend its compliance solutions for the new Indian Rules?
The recent guidance from the Ministry of Communications and Information Technology was gratefully received by those organizations struggling to understand the implications of the Rules. Importantly, the Ministry clarified that those Indian outsourcing service providers handling personal data within India, on behalf of a customer located either within or outside of the country, need not obtain consent from the relevant individuals in order to process their data in India. The Ministry’s statement casts this clarification in wide terms, stating that sections 5 and 6 of the Rules (relating to the collection and disclosure of personal information) will not apply to Indian outsourcing service providers, other than in relation to the data of their own India-based personnel or customers, or to individuals who contract directly with them. The Ministry’s statement further clarifies that the applicability of the Rules is limited to Indian entities only, and therefore does not extend to non-Indian entities using service providers in India. Such entities instead remain bound by their own national data privacy laws, including any local law consent requirements and data subject rights (however, they are not subject to additional obligations under the new Indian Rules).
This clarification will significantly lighten the compliance burden for the Indian outsourcing industry, and will consequently ease the way for their customers outside of India. This does not mean, however, that outsourcing providers will be obligation-free when it comes to protection of privacy. Instead of requiring compliance with sections 5 and 6 of the Rules, the Ministry’s statement emphasizes the importance of appropriate data protection language in the contractual arrangements in place between the Indian outsourcing provider and its customer, and the pervasive requirement for adequate data security safeguards.
This clarification is much-needed and helpful. Still, fundamental questions remain, particularly around the nature of the data to which each provision of the new Rules applies, the differing views on the required security standards and audit mechanisms, and the Indian government’s and senior court’s approach to application, interpretation and enforcement.