...wade though vast tracts of confidential data such as passwords, bank account information, credit card numbers, medical records and biometrics.
Written consent for helpdesk and customer support calls
Under the new rules, Indian outsourcers or India-based captives would be required to obtain written consent from every individual calling helpdesk or customer support. Penalties for violations range from lengthy prison terms and fines of several thousand dollars. The new rules make even company directors liable for prosecution.
Until recently, investors and multinationals complained that India's data security and privacy laws are lax and outdated.
On the other hand, outsourcing companies say they have complied with Western privacy laws, and are worried about the addition of a cumbersome layer of disclosures to end customers before collecting personal data. These measures will burden them with additional costs, they say.
For instance, if a Western financial or healthcare provider allows access and processing of its data by an Indian outsourcer, the new privacy rules would reach across continents and impose a duty to obtain consent from consumers or patients. This process would require dramatic restructuring of US and European companies' privacy interactions with their end users.
Two leading outsourcing companies, Convergys and Wipro, have not responded to specific questions about the practicalities and logistics of following the new privacy rules.
Back-office competition from the Philippines
India's $76bn outsourcing industry has much at stake. Just last year, the Philippines overtook India to become the world's largest force in back-office centres. In practice, many companies would choose to place their data-processing functions in the Philippines, Malaysia or elsewhere, said Baker & McKenzie's Hengesbaugh.
As companies panic over the new rules, India's outsourcing industry lobby group Nasscom has swung into action to review the rules in a dialogue with the government. The group said the government has clarified that personal data handled by outsourcing companies will not be regulated under the new privacy laws.
Kamlesh Bajaj, CEO of Data Security Council of India, Nasscom's data protection and privacy regulator, told silicon.com, "We hope to have a clarifying notification by the end of July."
If India finds a way to rationalise or supersede the proposed rules, the outsourcing industry will be placated. If not, India's outsourcers believe the big privacy law changes promise to turn into a paperwork-intensive, bureaucratic nightmare.
Saritha Rai is an India-based journalist and commentator who covers technology, business and society from her ringside seat in Bangalore.