As The Washington Post has just reported, "[d]ata privacy rules enacted last month in India are now alarming some U.S. companies, which worry that they may be too restrictive":
The rules in India’s Information Technology Act govern the collection and use of personal information including banking and medical details. But business leaders in India and the United States worry that they add a cumbersome layer of disclosures such as obtaining written consent from each customer before collecting and using personal data.
But not everyone is worried. The reporter quotes at least one LPO company CEO in favor of the general spirit of the new law, and India's Deputy Minister for Information Technology, Sachin Pilot, defended the new provisions as follows:
[Pilot] dismissed the fears and said that the law addresses a long-pending demand of the IT industry for a legal framework for data protection. More than 2.8 million Indians work in the IT industry, and 9 million people are employed indirectly. “We are aligning ourselves with the global best practices. This law should end all the fears that any global company has about data being unprotected in India,” Pilot said. “Why would we bring a law that will kill our sunrise industry?” A 2010 report by the Data Security Council of India and the consultancy KPMG found that about 60 percent of banking customers who responded to a survey said that information security is a significant concern.
How will this new framework affect legal process outsourcing (LPO)? One effect may be to help put to rest one of the old bugaboos so often raised by naysayers, namely the story that India, unlike the West, has no legal protection for data security. Now, as The Washington Post reports, India has data protection rules that are arguably tougher than those in the U.S. and Europe.
But will the "written consent" requirements put off legal outsourcing clients and cause them to go elsewhere besides India? Probably not. Most LPO engagements are already governed by written contracts and service level agreements that either already comply or can be amended where necessary. Moreover, one of the keys to understanding the impact of the "written consent" requirement is that it covers only "sensitive personal" information, which is not the kind of data that most offshore legal outsourcing companies generally receive:
The new measures were designed to ensure that all personal information that a company collects is secure. It obliges those who handle sensitive personal information — like passwords, bank account and credit card numbers, medical records, biometric data — to implement an elaborate technical, managerial, physical and operational information security practice and set up a dispute resolution process.
* * *
“On the face of it, the privacy laws may impose restrictions on Indian outsourcing providers to carry out any process or service for domestic or international clients that require receipt or dissemination of any information that can be termed ‘personal,’ ” said Manoj Malhotra, president of the Business Process Industry Association of India.
What exactly is "personal" data under the new rules? The rules define "personal information" broadly, but the written-consent requirement attaches to the narrower category of "sensitive personal data or information". According to Rule 3 of the IT Rules, 2011, sensitive personal data or information is defined as “information collected, received, stored, transmitted or processed by body corporate or intermediary or any person, consisting of:
(a) password;
(b) financial information such as Bank account or credit card or debit card or other payment instrument details;
(c) physical, physiological and mental health condition;
(d) sexual orientation;
(e) medical records and history;
(f) Biometric information;
(g) any detail relating to the above clauses as provided to body corporate for providing service; and
(h) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise...."
LPOs are not call centers, and legal outsourcing lawyers and other LPO employees hardly ever obtain the above kind of information over the phone from clients or customers of clients. Call centers may worry about the new rules because their employees, by contrast, frequently receive personal data from client customers over the phone. But those customers usually have binding agreements with the banks, hospitals, credit card companies or other clients that use the call centers, and the clients usually have written agreements with the call centers. The required consents can be in the agreements.
Other aspects of the new rules not applicable to LPO companies include what appear to be some onerous restrictions and obligations imposed on Internet intermediaries:
Google has protested some sections of the rules, which make Internet intermediaries responsible for any objectionable content, which is defined as “harassing,” “grossly harmful” or “ethnically objectionable.”
Google and other critics seem to have a good point here, but not one that relates to legal process outsourcing.
However, back to the issue of data security in relation to LPOs: ultimately the best protection lies in rigorous employee screening and motivation. The new legal rules, and more importantly the kinds of onerous procedures that some companies use to police their employees, will do little if anything to help. In the name of “data security” and “confidentiality,” employees at some outsourcing companies are treated more like prison inmates than professionals. They are frisked as they enter and leave, CCTV cameras and keystroke-monitoring software are trained on their every move, internet usage is banned, and permission must be obtained to go to the toilet. But unless a company performs full body cavity searches, how can frisking or similar intrusions stop someone from walking in and out with a pen drive or a small camera? Ultimately, the best defense for data security and confidentiality is a carefully chosen, meticulously screened, and highly motivated team of employees who are not treated as lawbreakers, and who see their career future with their company. Employees of that kind, whether in the West or in India, are the least likely to be involved in data theft or confidentiality breaches.