India Adopts New Privacy Rules - InformationWeek
Cloud // Cloud Storage
07:02 PM
Connect Directly

India Adopts New Privacy Rules

Organizations doing business in India may be forced to re-evaluate how they handle personal information.

Amid worldwide lobbying by IT companies to promote the harmonization of data protection laws for the sake of cloud computing, India last month quietly issued new privacy rules that impose significant limitations on how businesses can handle personal information.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, or "Privacy Rules," were issued in April to implement India's 2008 IT Security Act amendment.

Because the rules implement an existing law, they did not undergo the prolonged period of public comment and industry input that typically precedes the passage of a law. Nonetheless, they "have all the force of a full-blow data privacy law," said Miriam Wugmeister, head of the global privacy practice at law firm Morrison & Foerster, in a phone interview.

The degree to which companies will comply with these rules remains unclear, as does the extent to which Indian authorities will enforce them. But Wugmeister believes the new privacy regime has the potential to dramatically affect the business landscape for IT companies in India and for overseas companies that contract IT services with Indian companies.

The Privacy Rules oblige organizations to notify individuals when their personal information is collected via letter, fax, or email. They require covered organizations to make a privacy policy available, to take steps to secure personal information, and to offer a dispute resolution process related to the collection and use of personal information.

"The law applies to all companies in India getting any information from anywhere," said Wugmeister. "On the face of it, it doesn't exempt the service provider."

What this means is that any personal collected in India, or outside of India and transferred into the country, is governed by these rules. As a consequence, Wugmeister suggests that outsourcing providers in India may be required to notify every person seeking assistance at a call center about their data handling practices and to obtain consent to handle personal data. Outsourcing providers, she says, may also be forced to make sure their customers' data handling practices match the requirements laid down in the new rules.

India's new Privacy Rules arrive as large IT companies like Microsoft are calling for more consistent international privacy and data protection laws, so cloud computing companies can transfer data across borders without legal uncertainty.

"[W]ith the migration to the cloud, it is increasingly important that data, in fact, be able to move across borders, and even around the world, albeit with real and effectively legal safeguards," argued Microsoft's general counsel Brad Smith in a speech delivered to the French National Assembly in January.

India's new rules may reflect a desire by lawmakers to court cloud computing providers, particularly those in the E.U., where data protection laws are stringent. But winning business from the E.U. may come at a cost. U.S companies may not want to adhere to India's relatively strong standards and could seek outsourcing partners in other countries.

Given the importance of IT to India, however, it seems likely that overly burdensome regulations will be relaxed, go unenforced, or be superseded by subsequent legislation.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll