As mentioned in a prior post on this blog, earlier this year the Indian Ministry of Communications and Information Technology issued new privacy and data security rules under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the “Privacy Rules”). The strict consent requirements relating to the collection and sharing of sensitive personal data or information seemed to threaten the viability of India’s successful outsourcing industry and affect the data collection practices of non-Indian companies who are otherwise in compliance with data security and privacy requirements in their home jurisdictions. On August 24, 2011, the Ministry issued a release clarifying certain aspects of the Privacy Rules which will undoubtedly cause the Indian outsourcing industry and non-Indian companies to breathe a sigh of relief.

On February 16, 2010, the EU Article 29 Working Party published Opinion 1/2010, in which it clarified the definitions of “data controller” and “data processor” as those designations are used within the European Data Protection Directive. The Working Party’s opinion is welcome guidance, as such designations are often difficult to apply in practice, especially given the increasing complexity of globalization, organizational differentiation, and information and communication technologies.

I recently spoke with Lora Bentley of IT Business Edge regarding privacy, data security, and cloud computing — There’s More Than One Way to Tackle Privacy in the Cloud.