As mentioned in a prior post on this blog, earlier this year the Indian Ministry of Communications and Information Technology issued new privacy and data security rules under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the “Privacy Rules”). The strict consent requirements relating to the collection and sharing of sensitive personal data or information seemed to threaten the viability of India’s successful outsourcing industry and to affect the data collection practices of non-Indian companies that are otherwise in compliance with data security and privacy requirements in their home jurisdictions. On August 24, 2011, the Ministry issued a release clarifying certain aspects of the Privacy Rules, which will undoubtedly cause the Indian outsourcing industry and non-Indian companies to breathe a sigh of relief.
Rule 5(1) of the Privacy Rules requires a company to obtain prior written consent through letter, fax or email when collecting sensitive personal data or information from the provider of such information. Rule 6 of the Privacy Rules requires companies to obtain prior consent to disclose or share sensitive personal data or information with third parties. These rules would have made it extremely difficult for Indian call center operators and Indian providers of business process outsourcing services to operate. For example, a call center operator providing customer service on behalf of a U.S. bank or insurance company would have had to obtain a caller’s prior written consent before it could collect any personal account or health information required to respond to the caller’s questions, or share such information with the bank or insurance company whose customer the caller is.
However, the ministry has clarified that Rules 5 and 6 do not apply to companies providing services relating to the collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside of India. Companies collecting sensitive personal data or information from individuals pursuant to a contractual obligation directly with such individuals, by contrast, would still be subject to these Rules. Further, in instances where the prior written consent requirement would still apply, the ministry’s release clarifies that “consent given by any mode of electronic communication” is acceptable. This implies that consent provided by checking a consent box as part of an online account registration process would satisfy the consent requirement of the Privacy Rules and that letter, fax and email are not the only acceptable means of obtaining consent.
Another important clarification made by the ministry relates to the potential extra-jurisdictional application of the Privacy Rules. The Privacy Rules have been promulgated under the Indian Information Technology Act (2000) (the “IT Act”). Section 1(2) of the IT Act states that it applies to “the whole of India and…to any offence or contravention thereunder committed outside India.” However, the ministry’s release clarifies that the Privacy Rules only apply to companies or persons “located within India.” Therefore, concerns that foreign companies not located in India may have to comply with provisions of the Privacy Rules mandating the publication of online privacy policies containing certain required disclosures and the appointment of a grievance officer to address privacy-related issues seem to have been alleviated.
The release also clarifies that the term “provider of information” as used in the Privacy Rules refers to a natural person who provides sensitive personal data or information to an Indian company.
With these clarifications, Indian companies providing outsourcing services, non-Indian customers of such services and multi-national companies doing business in India now have guidance on when compliance with the Privacy Rules is required and how such compliance with the Privacy Rules can be achieved.