In the United States, India is synonymous with outsourced data processing services and customer service call centers for credit card issuers, banks and retailers.  The flow of data between the two countries has been unrestricted and, to a large extent, unregulated.  This has now been changed.

In April 2011, India adopted new privacy regulations known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.   These rules apply to all organizations that collect and use personal data and information in India and are likely to affect any corporation that outsources to India or collects personal information there in its business. 

One of the more important provisions relating to foreign companies is that no organization inside India may transfer sensitive personal data to a third party outside of India unless the transferee ensures the same level of protection that is required by the Indian Rules.  Sensitive personal data is defined as financial information; passwords; physical, physiological, and mental health condition; sexual orientation; medical records and history; and biometric information. 

Therefore, online retailers and other American companies that routinely receive such information from organizations inside India will need to meet Indian privacy standards in order to continue receiving the information.  In addition, because these rules appear to apply even to information gathered about non-Indians, companies which outsource sensitive personal data collection to India will need to ensure that they meet the standards required by these new Indian Rules. 

Because the Indian Rules are in some ways more strict than American and European privacy law, companies doing business in India may need to update their privacy practices in order to comply.  For example, companies that outsource their customer service to India might need to change their practices to explicitly notify callers that their information is being collected and explain why it is being collected.  Additionally, companies that collect information labeled sensitive under Indian law may also need the callers’ consent via mail, fax, or e-mail before collecting any such information. 

Since overseas companies that collect personal information in India may need to update their practices to comply with Indian law, a summary of the new Indian Rules can be found below.  The Rules place some obligations on all information collectors and stricter ones on sensitive information collectors. 

General Obligations

  • Privacy Policy.  Any organization covered by the rule must enact a privacy policy and make it available on its website.  This policy must include a description of the information that is collected, the purpose of collection, to whom the information may be disclosed, and security practices for protecting the information. 
  • Notice and Use.  Organizations must take reasonable steps to ensure that information providers (consumers) know that their information is being collected, the purpose of collection, the recipients of the information, and the name and address of the agencies collecting and retaining the information.  Organizations may only use personal information for the purpose for which it was collected. 
  • Access and Correction.  Information providers must be given the opportunity to have access to their information to review it for accuracy.  Organizations must correct any information found to be inaccurate. 
  • Security.  Organizations are strongly encouraged to have a comprehensive documented information security program and policies that contain managerial, technical, operational, and physical control measures commensurate with the information assets and nature of the business.  In order to escape liability in the event of a breach, the organization must demonstrate that (i) it implemented its security control measures as they are set out in the documentation and (ii) those measures were reasonable security practices.  If an organization has implemented an approved industry code of practice and its compliance has been audited, it is deemed to have complied. 

Specific Obligations for Sensitive Personal Data

  • Limitations on Acquiring Information.  An organization may only collect sensitive personal data from a person if it is necessary in order to provide the person with goods or services.  In addition, the organization must receive written consent from the provider by letter, fax, or e-mail, regarding the purpose of use, and the provider may opt out and withdraw consent at any time.  However, if the information provider opts out, the organization may also cease providing goods and services.  The organization may not retain the information longer than necessary. 
  • Transferring Information.  Unless disclosure has been agreed to by contract or is required by law, organizations need to obtain prior consent of the provider before transferring sensitive personal data to a third party.  Also, no transfer of information may be made overseas unless the overseas party ensures the same level of protection provided for under the Indian Rules.