Correction: An earlier version of this article incorrectly described the law firm Morrison & Foerster as based in New York. It is based in San Francisco. Miriam H. Wugmeister, who was correctly described as a partner, works in the firm’s New York office. This version has been corrected.
Data privacy rules enacted last month in India are now alarming some U.S. companies, which worry that they may be too restrictive.
The rules in India’s Information Technology Act govern the collection and use of personal information including banking and medical details. But business leaders in India and the United States worry that they add a cumbersome layer of disclosures such as obtaining written consent from each customer before collecting and using personal data.
Google has protested some sections of the rules, which make Internet intermediaries responsible for any objectionable content, which is defined as “harassing,” “grossly harmful” or “ethnically objectionable.”
The rules about data privacy will apply to all Indian organizations and will affect multinational corporations that outsource business operations to India or have opened back-offices here.
The new measures were designed to ensure that all personal information that a company collects is secure. It obliges those who handle sensitive personal information — like passwords, bank account and credit card numbers, medical records, biometric data — to implement an elaborate technical, managerial, physical and operational information security practice and set up a dispute resolution process.
Some say they are far more restrictive than American and European data privacy laws, and may put off customers.
“What if some customers just say no when a request for consent is sent to them from a service-provider in India that they have never heard of? Companies here cannot take that risk. They will just decide to take their business elsewhere, to China or Philippines,” said Miriam H. Wugmeister, a partner with the New York office of the San Francisco-based law firm Morrison & Foerster, which counsels many American companies that have outsourced to or set up service companies in India. “Every other country which has data privacy laws has exempted the service provider or vendors from these obligations.”
The Indian law, Wugmeister said, will radically alter India’s outsourcing business.
India’s $41 billion outsourcing industry shares the concerns of its clients, too.
“On the face of it, the privacy laws may impose restrictions on Indian outsourcing providers to carry out any process or service for domestic or international clients that require receipt or dissemination of any information that can be termed ‘personal,’ ” said Manoj Malhotra, president of the Business Process Industry Association of India. “The law talks about what needs to be protected. There is some ambiguity about how it will be implemented. Different clients will interpret it differently.”
He said that the industry body will review provisions of the law with the government and the overseas clients in coming weeks.
But India’s deputy minister for information technology Sachin Pilot dismissed the fears and said that the law addresses a long-pending demand of the IT industry for a legal framework for data protection. More than 2.8 million Indians work in the IT industry, and 9 million people are employed indirectly.
“We are aligning ourselves with the global best practices. This law should end all the fears that any global company has about data being unprotected in India,” Pilot said. “Why would we bring a law that will kill our sunrise industry?”
A 2010 report by the Data Security Council of India and the consultancy KPMG found that about 60 percent of banking customers who responded to a survey said that information security is a significant concern.
Some U.S. companies have welcomed the general spirit of the law. “The law will end the last remaining arguments people have against outsourcing to India,” said Russell Smith of SDD Global Solutions, a New York law firm that runs a legal-process-outsourcing business in India.