Why India's outsourcers are kicking up a stink over whiff of tighter data privacy rules

New legislation would cripple Indian IT, say outsourcers...

New data protection rules are supposed to bring India in line with the West. But outsourcers on the subcontinent are arguing that the legislation goes too far, says Saritha Rai.

In April, Indian politicians flagged up their intention to introduce new privacy and data protection legislation. Their goal is to align Indian law with global practices and allay fears that data is unprotected in India. Three months later, outsourcing companies that handle data for global corporations are expressing their alarm and confusion over the changed rules on handling personal data.

The new provisions appended to India's Information Technology Act aim to enhance protection by stipulating how personal and confidential information from individuals, in India and outside, can be collected and used by companies and their intermediaries in India.


Under new privacy rules, all companies operating in India will have to obtain prior written consent by letter, fax or email before collecting personal dataPhoto: Shutterstock

All companies operating in India without exception are required to obtain prior written consent by letter, fax or email to collect personal data.

The written consent clause will make India's privacy laws more stringent than the EU data privacy directive or the US Gramm-Leach-Bliley Act, said Atul Vashistha, chairman of Pleasanton, California-based consulting firm Neo Group, in an alert to clients.

In one sweep, India has vaulted to the top of the world as having, arguably, the most overreaching set of privacy rules, said global privacy expert Brian Hengesbaugh, a partner at the Chicago offices of law firm Baker & McKenzie.

"If enforced, these rules would effectively be an industry killer for Indian outsourcing providers," said Hengesbaugh, a former special counsel to the US Department of Commerce who helped develop and implement the US government's domestic and international policy in privacy and electronic commerce.

Indian outsourcing firms and captives, particularly business-process outsourcers, handle huge amounts of personal and sensitive data from the West - either sent over by clients or collected directly by Indian call agents acting on their behalf.

They manage sales, enter orders, make collections and provide customer service. They process confidential healthcare records for hospitals. They track payroll and employee benefits for corporations. In doing so, they...