The passing of new data protection laws in India, intended to ease concerns about outsourcing, may in fact add complexity to the issues, according to a recent CIO magazine report.
For years, many companies based in developed countries have leveraged outsourcing solutions to reduce expenses. By hiring firms in developing economies to perform certain tasks, companies are able to save considerable amounts of money.
Often, this did not come at the expense of quality. Especially in emerging economies, such as India and Brazil, it has been possible to receive high-quality services for an affordable price.
According to the report, India recently passed a new data protection law that may present significant challenges for offshore outsourcers.
The new legislation, called the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, applies to all organizations – local and foreign – that collect and utilize personal data in India.
The report claimed that the new rules present several key challenges for outsourcing firms. Firstly, there is the problem of "double-dipping" – the rules apply in addition to the laws of the country from which the data comes. As such, companies will need to ensure compliance with two similar, but not identical, sets of regulations.
A second concern is that the Indian rules appear to be more restrictive than regulations in many Western countries. For example, they require prior written consent, without exception, for the collection or use of sensitive personal data.
Finally, the report claimed, the new rules lack clarity. Because certain terms are not defined, it may prove difficult to determine how they apply to typical scenarios.
India is not the only country making its data protection regulations more demanding. The European Union recently began implementing the so-called Cookie Law, which requires that companies obtain users' express permission before storing usage information.