In the United States, India is synonymous with outsourced data processing services and customer service call centers for credit card issuers, banks and retailers. The flow of data between the two countries has been unrestricted and, to a large extent, unregulated. This has now changed.
In April 2011, India adopted new privacy regulations known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These rules apply to all organizations that collect and use personal data and information in India and are likely to affect any corporation that outsources to India or collects personal information there in its business.
One of the more important provisions relating to foreign companies is that no organization inside India may transfer sensitive personal data to a third party outside of India unless the transferee ensures the same level of protection that is required by the Indian Rules. Sensitive personal data is defined as financial information; passwords; physical, physiological and mental health condition; sexual orientation; medical records and history; and biometric information.
Therefore, online retailers and other American companies that routinely receive such information from organizations inside India will need to meet Indian privacy standards in order to continue receiving the information. In addition, because these rules appear to apply even to information gathered about non-Indians, companies that outsource sensitive personal data collection to India will need to ensure that they meet the standards required by these new Indian Rules.
Because the Indian Rules are in some ways stricter than American and European privacy law, companies doing business in India may need to update their privacy practices in order to comply. For example, companies that outsource their customer service to India might need to change their practices to explicitly notify callers that their information is being collected and explain why it is being collected. Additionally, companies that collect information labeled sensitive under Indian law may also need the callers’ consent via mail, fax, or e-mail before collecting any such information.
Since overseas companies that collect personal information in India may need to update their practices to comply with Indian law, a summary of the new Indian Rules can be found below. The Rules place some obligations on all information collectors and stricter ones on sensitive information collectors.
If you have any questions about the information presented in this alert or how it may impact your business, please contact any member of our Privacy, Security and Social Media Team. We hope you find this information helpful. Stay current on important developments in data privacy law by following Baker Hostetler’s Data Privacy Monitor.
Authorship Credit: Peter Brown
Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2011 Baker & Hostetler LLP