India has recently introduced rules that govern the collection and processing of personal information. The rules were introduced under India's Information Technology (Amendment) Act 2008. This act provides penalties for companies that do not implement "reasonable security practices and procedures".
There is currently much debate regarding the scope of application of the new rules. For Western companies that have outsourced part of their business processes to India, the most important question appears to be whether the rules will also apply to personal information of persons who do not reside in India. There is additional debate about whether the rules will apply universally as a "minimum standard" or only if a company does not have its own internal data privacy rules.
One thing is certain: if the rules are applicable, they provide for more stringent data privacy restrictions than most Western data privacy legislation. For example, the rules' definition of "sensitive" personal data is broader than under the European data protection directive 95/46/EC, and also includes financial information, biometric information and passwords. Moreover, sensitive personal information may only be processed with the consent of the "information provider", which can be either the person to whom the personal information relates or a party that has obtained his or her personal information.
The rules further set out that a transfer of sensitive personal information to a third party inside or outside India is only allowed if such transfer is necessary for the performance of a lawful contract or on the basis of consent of the person to whom the personal information pertains. It is not yet clear whether such lawful contract or consent should be in addition to the general consent needed for processing of sensitive data as set out above. Moreover, a transfer of sensitive personal information is only allowed if the third party recipient inside or outside India provides for a similar level of data protection as provided under the Rules. It is not yet known how it should be established that the recipient meets this requirement.
Additionally, the rules impose stringent requirements on information security of personal information in general. Companies are required to comply with reasonable security practices and procedures that contain adequate managerial, technical, operational and physical security measures. If a Data Recipient has implemented IS/ISO/IEC 27001 or any other security standard approved by India's government and has its compliance with this standard externally audited, the Data Recipient will be deemed to have met this security requirement. It is not yet known whether other industry standards such as SAS Type II are considered sufficient in this respect.
De Brauw will further research the applicability and the effects of the Rules in close cooperation with its partner firms in India.