It’s been a long time coming, but in April this year the Indian government brought its data privacy rules into line with European requirements.
The recent changes raise a couple of questions for UK businesses:
- How do they affect transfers of personal data to group companies or suppliers based in India?
- Will they impact the way in which Indian suppliers provide services?
This note provides a brief overview of the changes and a summary of their impact on UK businesses, by addressing the questions above.
OVERVIEW OF THE CHANGES
Until 2008, there were no data privacy rules in India, and even following the implementation of the first set of rules in the IT (Amendment) Act 20081, the measures were limited in scope to civil penalties for failure to protect personal data and civil and criminal penalties for disclosure of information without consent in certain circumstances or in breach of contractual obligations.
To bolster these protections, the Indian government introduced (with effect from 13 April 2011) the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 20112 (under powers conferred under s87(2) read with s43A of the IT Act 20003). The new rules regulate the collection, disclosure, transfer and storage of sensitive personal data, and widen the scope of the regulation in s43A of the 2000 Act.
As under European laws, the rules are based around a set of principles for protecting personal data. The most significant one of these is the absolute requirement to obtain consent from individuals (by letter, fax, e-mail or online) before collecting their information.
Other key requirements include: informing individuals that personal information about them has been collected and the purpose of that collection; not retaining personal data for longer than is necessary; only using personal data for the purpose for which it was collected; giving individuals access to their personal data, the ability to correct inaccuracies and a right to opt-out of providing personal data; publishing a privacy policy; complying with restrictions on processing sensitive personal data and international data transfers; establishing a dispute resolution mechanism; and implementing additional security measures.
So far, the rules lack some of the nuances of the European laws and this has raised some concerns. Alarm had been expressed (particularly in the US) that the new rules are too restrictive and could deter foreign companies from doing business in India – the opposite from the intended effect.
In particular, it has been unclear how the absolute requirement to obtain consent would apply to Indian outsourced service providers who are required to access the personal data of their customers’ customers. Amid concerns that the Indian service providers would need to obtain consent from the individuals to whom the data relates (even though they may not have direct contact with them), the Indian government has (on 24 August 2011) issued clarification to give Indian service providers the all clear. The clarification exempts the service provider from requirements of obtaining written consent and providing choice, access and correction mechanisms, as these are the responsibility of the organisation engaging it (under the applicable data privacy rules in its own country) and which has the direct relationship with the end customer.
The clarification states that any ‘body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India’ is exempt from the requirement to obtain consent. As such, it will only apply to Indian companies to the extent they obtain personal data directly and not as part of an outsourced service provision arrangement.
Further clarification is also required on other aspects of the new rules as, on the face of it, data subjects have an unlimited right to access to their personal data (without any of the exceptions provided under European laws) and consent can be unilaterally withdrawn by the data subject. Without reasonable safeguards, these requirements could create a disproportionate impact on Indian businesses.
Indian businesses will hope that that the Indian government will take a pragmatic approach to these rules, as it has for the consent requirements for outsourced service providers, to minimise the impact of the new rules – but what about UK businesses, what’s the impact on them?
IMPACT ON UK BUSINESSES
How do the new rules affect transfers of personal data to group companies or suppliers based in India?
The new rules will affect transfers between group companies if the personal data originates from India as the Indian entity, in order to comply with the new rules, will need to ensure that all other group companies accessing the data meet the requirements of the new rules. For many companies, appropriate measures will already be in place to ensure that all intra-group transfers of personal data comply with European or US requirements – however, the new Indian rules are different (albeit similar) and UK businesses with Indian affiliates will need to monitor developments in India to ensure that group-wide data privacy procedures are in line with the Indian rules.
In respect of transfers of personal data from UK businesses to Indian suppliers, European data protection laws will apply as normal and it is these rules (not the Indian ones) that UK businesses will need to be mindful of.
Will the new rules impact the way in which Indian suppliers provide services?
The new rules impose certain mandatory data privacy standards that UK businesses would normally impose contractually. As such, they should give additional comfort to UK businesses that Indian outsourced service providers will comply with those requirements and, in turn, ensure that the UK business meets its obligation under European laws to ensure adequate protection for personal data.
But it should not be forgotten that there are still key differences between the European and Indian requirements and it will not be enough just to rely on Indian protections. UK businesses must still ensure that ‘adequate protection’, most commonly achieved using the EU-approved model clauses, is in place with the Indian service provider.
The new rules are a step forward, helping to bring India into line with European practices and will give further comfort to customers of Indian service providers that personal data is secure. In practice, UK businesses are unlikely to see a step-change, as many leading service providers will already comply with best practice to meet their customers’ requirements. UK businesses should be reassured by recent developments, which bolster the protections Indian companies must put in place without (due to the recent clarification) hindering the way in which they provide services to UK businesses and their customers.
Notes