If you outsource any of your operations to India or otherwise have operations in India, new rules issued by India’s Central Government on April 11, 2011, could have serious consequences for these operations. These consequences, however, are not limited to just the customer of outsourcing services; the service provider is also subject to these rules and may well share in the burden of complying with them.

The rules are officially known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Privacy Rules”). They were issued by India’s Central Government in accordance with statutory authority granted under The Information Technology Act, 2000 (the “Act”),1 as amended by The Information Technology (Amendment) Act, 2008 (the “ITAA”).2 The Privacy Rules were supposed to clarify two terms of a key privacy compliance provision in the Act,3 however, they go much further. The Privacy Rules put in place significant new obligations that cover the collection, use, disclosure or transfer of information. Information qualifying as “sensitive personal data or information” (e.g., passwords, financial information, and medical records) is subject to tighter regulation, above that applying to information.

If not changed, the Privacy Rules will force companies to re-examine their information practices in India, including outsourcing arrangements. It is difficult, however, to imagine that these rules will be meaningfully implemented in their present form due to the significant requirements they impose on the outsourcing industry and its customers. Based on our conversations with industry insiders, we understand that India’s outsourcing trade association, the National Association of Software and Services Companies (“NASSCOM”), will take steps to influence changes to the Privacy Rules to make them more accommodating to the outsourcing industry. Of course, it is still possible that the Privacy Rules will remain in place without change.

Our goal with this Advisory is to inform you of obligations under the Privacy Rules that could have a material impact on the way you manage your information practices in India. We caution, however, that there is still much that is unknown about the Privacy Rules, including whether they will remain in effect for very long and whether they will be enforced.4 Despite the potentially transformative nature of the Privacy Rules and their wide ranging impact if enforced, much is uncertain regarding their final implementation.

Information, Personal Information, and Sensitive Personal Data or Information

The Privacy Rules establish a new, almost EU-like data privacy regime with rules covering collection, use, disclosure, and transfer of information, and privacy policy requirements. The Privacy Rules also establish requirements for the security of information.

This new regime is divided among three categories of information: (i) information; (ii) personal information; and (iii) sensitive personal data or information. “Information,” the broadest term, is defined in the Act to include “data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche.”5 The term “Personal Information” is defined in the Privacy Rules as a subset of Information and includes “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate,6 is capable of identifying such person.”7 Finally, “Sensitive Personal Data or Information” is a subset of Personal Information and is defined as: “such personal information which consists of information relating to: (i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract: provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”8

Requirements Under the Privacy Rules

The Privacy Rules lay out a comprehensive list of requirements that apply to combinations of these information categories. We explore many of these requirements below9 and include just a few of the many issues with these requirements that U.S. companies and their service providers should consider. More issues will likely surface as the outsourcing industry and its customers digest the rules further.

Privacy Policy

Any company or any person who on behalf of a company collects, receives, possesses, stores, deals or handles information,10 must provide a privacy policy for handling of or dealing in personal information, including sensitive personal data or information and ensure that the privacy policy is available for view by those who provide the information.11 The requirement to maintain a privacy policy therefore attaches to anyone who collects, receives, possesses, stores, deals or handles any type of information, while the privacy policy must specifically address personal information and sensitive personal data or information. This requirement does not distinguish between an outsourcing customer (the “Controller” as typically encountered in countries adopting an EU Data Directive type law) or a service provider (the “Processor” as typically encountered in countries adopting an EU Data Directive type law).

Required Disclosures to Data Provider

When a company is collecting information directly from an individual, a company must take such steps as are, under the circumstances, reasonable to ensure that the person concerned has knowledge of: (i) the fact that the information is being collected; (ii) the purpose for which the information is being collected; (iii) the intended recipients of the information; and (iv) the name and address of the agency collecting the information and the agency that will retain the information.12 As with the privacy policy, this requirement attaches to any company that collects any type of information. Obviously, this requirement presents a number of challenges for data collected in and/or from the United States that is stored and processed by service providers in India.

Similarly, service providers operating customer care centers and many other customer focused processes will also have to implement new, extensive and probably costly procedures to comply with this requirement.

Access

A company or any person on its behalf shall permit the provider of information, as and when requested by them, to review the information they provide and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient shall be corrected or amended as feasible.13 A company is not responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of the information.14 The right of access has long been present in the EU Data Directive and similar laws,15 but presents a potentially significant implementation burden where it has not been required previously.

Written Consent

Before a company or any person on its behalf may collect sensitive personal data or information, the company must obtain consent in writing through letter, fax or email from the provider of the sensitive personal data or information.16 This requirement presents numerous questions as to its practicality and how it can be implemented, particularly in the context of an outsourcing arrangement where the customer is in the United States and the service provider is located in India. This provision might require, for example, any company that requires provision of a bank account number to an Indian call center to have previously received written consent from the individual to collect that information. Note though that this requirement only applies to sensitive personal data or information, not to the broader terms information or personal information. Nonetheless, the definition of sensitive personal data or information is quite wide, encompassing many categories of information frequently collected in India-based operations.

Disclosures

Any disclosure of sensitive personal data or information from a company to a third party requires prior permission from the provider of such information, who has provided such information under a lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the company and the provider of information, or where the disclosure is necessary for compliance with a legal obligation.17 The third party that receives the sensitive personal data or information from the company or any person on its behalf is prohibited from disclosing it further.18 These requirements are subject to exceptions for disclosure to government entities.19

This requirement has potentially huge implications for the outsourcing industry. If the company collecting the information is the service provider, and the third party is the customer of the service provider, this clause would appear to require prior permission from the information provider for the service provider to disclose the information to the service provider’s customer. Moreover, the customer would appear to be prohibited from any further disclosure of the information. This situation might arise, for example, in an HR transaction where the Indian service provider receives benefits related information directly from an individual (who is the employee of the outsourcing customer). It would also appear that where the customer receives the sensitive personal data or information directly from the individual, consent from each individual would need to be obtained to disclose that information to the service provider, unless the contract between the individual and the customer permits such disclosure.

Transfer

A company or any person on its behalf may transfer sensitive personal data or information including any information to another company or person in India, or located in another country, that ensures the same level of data protection that is adhered to by the company as provided for under the Privacy Rules.20 This transfer is allowed only if it is necessary for the performance of a lawful contract between the company or any person on its behalf and the provider of the information or where consent to the transfer was obtained from the data provider.21 There is an ambiguity in this provision in that the clause “that ensures the same level of data protection” could apply either to the company or person in India, or it might apply to the country. If the clause is construed to apply to the country, then this clause takes on an EU-like “adequate level of protection” requirement,22 requiring countries receiving data from India to have equally protective laws. The second half of this requirement is particularly burdensome, unless consent has been provided, since it will be necessary to establish that the transfer is necessary for contractual performance.

Data Security Requirements

In addition to defining sensitive personal data or information in the Privacy Rules, the Indian Central Government also defined reasonable security practices and procedures:

A [company] or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.23

The Privacy Rules provide that a company that implements the ISO 27001 standards, or other codes of best practices of industry associations that have received approval by the Central Government, is deemed to have complied with reasonable security practices and procedures provided that such standards or codes of best practices have been certified or audited on a regular basis by entities through an independent auditor, duly approved by the Central Government.24

The definition of reasonable security practices and procedures in Section 8 of the Privacy Rules is intended for purposes of further defining the private right of action in Section 43A of the Act.25 Section 5(8) of the Privacy Rules, however, provides that a company or any person on its behalf shall keep information secure as provided in Section 8 of the Privacy Rules.26 Thus, Section 5(8) of the Privacy Rules purports to create a direct statutory breach if a company fails to implement the reasonable security practices and procedures defined in Section 8 of the Privacy Rules.

Another key aspect of the Privacy Rules is a requirement that in the event of a security breach, a company is required to demonstrate, as and when called upon to do so by a designated government agency, that it has implemented security control measures as per its documented information security program and information security policies.27 Thus, when and to the extent the Central Government enforces these rules, a company that collects and stores information in India must anticipate the possibility that in the event of a breach the Indian government may elect to verify that the company was complying with its information security policies.

Conclusions

The Privacy Rules raise many questions for U.S. companies with operations in India. If the Privacy Rules were to be enforced today, industry insiders in India have suggested that the majority of outsourcing operations that involve personal information would be found to violate the Privacy Rules and it would take a considerable amount of time and effort to get the industry in compliance.