Aiming to quell concern from Western users of outsourcing services, India is likely to have a tighter data protection and privacy regime in place later this year. The National Association of Software and Service Companies (NASSCOM) in Delhi is confident that new measures will be passed as law in the coming session of India's parliament, said Kiran Karnik, president of NASSCOM, which is working closely with the government on the new rules.
India's elections for a new federal government started yesterday, and the new parliament, expected to take up the new legislation for data protection, will be installed by Aug. 6.
The Indian government is under increasing pressure from business process outsourcing (BPO) operations and call centers in India that handle large volumes of data from the U.S. and Europe to pass a data protection law.
"It is becoming extremely important for India to have in place a distinctive legal regime promoting data protection," said Pavan Duggal, a Delhi-based cyber law consultant. "This is necessary to create appropriate confidence among investors and foreign companies to the effect that the data they send to India for back-office operations is indeed safe and there are appropriate statutory mechanisms in place should a breach of data take place."
Opponents of offshore outsourcing to India have often cited the absence of a data protection and privacy law in India as a strong reason for stopping the movement of call center and BPO work to the country. Labor members of the European Parliament affiliated with the Amicus trade union in the U.K. announced in April that they would ask the European Commission -- the European Union's executive branch -- to protect British consumers whose personal data is being transferred to India, warning that offshore outsourcing is "an accident waiting to happen."
Rather than have a separate law to deal with data security and privacy issues, the government is considering an amendment to its Information Technology Act of 2000. NASSCOM is in the process of inserting new clauses in the law, and these are currently being reviewed by the government, said Karnik.
NASSCOM is confident that the amendments will meet regulatory requirements of major customers of the Indian BPO industry, he said.
The Information Technology Act of 2000 covers only unauthorized access and data theft from computers and networks, with a maximum penalty of about $220,000, and does not have specific provisions relating to privacy of data. The new clauses are likely to enable the act to conform to the so-called adequacy norms of the European Union's (EU) Data Protection Directive and the Safe Harbor privacy principles of the U.S., according to NASSCOM.
The adequacy norms allow the EU to declare that third-party countries have levels of data protection that conform to European standards and thus allow data on EU citizens to be transmitted outside of the union.
Government officials weren't available for comment, but sources said that once the new rules are in force, India plans to negotiate with the EU for recognition of India as a country that offers an adequate level of protection for personal data.
Until a tighter data-protection legal regime is in place, foreign customers are relying upon contractual obligations to impose obligations for protecting and preserving data, according to Duggal.
"However, foreign customers are increasingly realizing that such contractual obligations are not necessarily the best effective remedy available," said Duggal. "This is so because in the event of a breach of the security of data, getting effective remedy under the contractual obligations is itself problematic, time-consuming and self-defeating. Having appropriate statutory protection with stipulated statutory penalties, damages and other remedies would act as a good deterrent against the breach of data privacy."
Duggal added that the government should consider penalties of $5.5 million to $11 million for breaches of data.
Even though the government has delayed the implementation of a legal framework for prosecution of data and privacy breaches, Indian BPO companies have implemented processes such as the BS7799 standard for information security management of the London-based British Standards Institution.
"Clients expect outsourcing companies they do business with in India to provide at the process level the same capability to ensure privacy, confidentiality and security of data that their local outsourcers have," said Prakash Gurbaxani, CEO of TransWorks Information Services Ltd., a Mumbai-based BPO and call center company.
Standards such as BS7799, and the ISO17799 standard for information security of the International Organization for Standardization (ISO), based in Geneva, restrict the quantity of data that can be made available to employees of BPO and call centers. "One of the things that you do, for example, is that you make sure that the agent workstation has no other software than is required for the job, has no Internet access that could be potentially used to e-mail, say, a credit card number to someone else," said Gurbaxani. "You also ensure that the office is paperless so that no data can be copied out."