Outsourcing companies in India will be exempt from some of the provisions of the country’s new privacy regulations.
The new privacy and data protection rules, introduced earlier this year, asserted that any organisation collecting personal data from another body must seek consent from the subject of that data.
Indian outsourcers had worried that this would mean they would need to get permission from their clients’ customers in order to handle their data.
"These rules would have made it extremely difficult for Indian call center operators and Indian [BPO] providers to operate," wrote Paresh Trivedi, a senior associate at law firm Proskauer Rose LLP. "[I]t would mean, for example, that a call center operator providing customer service on behalf of a US bank or insurance company would have to obtain a caller’s prior written consent before it could collect any personal account or health information required to respond to the caller’s questions."
According to Miriam Wugmeister and Cynthia Richlaw, of law firm Morrison & Foerster, "industry both within and outside India expressed concern that the privacy rules would decimate the outsourcing industry".
However, India’s Ministry of Communication and Technology has issued a clarifiction, explaining that any organisation "providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the [consent] requirement.
"The April rules were leading to misinterpretation as if they imposed an additional consent burden on outsourcer…This was seen as a disincentive for the outsourcing industry," Dr Kamlesh Bajaj, CEO of the Data Security Council of India told the Hindu newspaper. "The Department has clarified that this was not the intent and that the rules (on sensitive personal data or information) are not applicable to companies outside India."
Questions remain for Indian outsourcers and their clients, Wugmesiter and Richlaw wrote. "For example, do the
privacy rules apply to employers in India? Do service providers in India need to obtain consent in order to
transfer information to their corporate customers? Is a password by itself sensitive information subject to all of
the privacy rules?"