New Indian Privacy Rules Could Force The Hand Of Many U.S. Retailers
Written by Mark Rasch
Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
New data security regulations in India may make retailers think twice about outsourcing functions that involve consumer information to the subcontinent. The new government rules, which took effect in April, could impact virtually all of a retailer’s IT operations if any part of them is located in India.
How strict are these new rules? They require rapid notification of data breaches—but the rules also require getting express written consent from customers for using their data; getting consent if you want to have third-parties handle the data; providing consumers with contact information about every party who has access to their data; and allowing consumers to have their data purged from all your systems.
For those retail execs thinking, “This isn’t such a big deal. This only impacts our call center, because that is all we operate in India,” think again. The rules are an example of what the legal community calls the fruit of the poisonous tree. Under this scenario, the rule wouldn’t solely impact call center operations. If the information collected from a call center was used anywhere else in the chain—such as if any of that call center data was stored in CRM files or it was used, directly or indirectly, to help in-store, E-Commerce, M-Commerce, supply chain or any other part of the chain—then those divisions would also be subject to the same stringent Indian rules.
The rules also call for any privacy breach to be subject to whatever law is most strict. Usually that will mean the Indian law. However, if—for example—California has even tougher requirements and a retailer is subject to California law but also has an outsourced call center or data center in Mumbai, Indian courts will use the more stringent state requirements.
For most retailers, that could require serious second thoughts about outsourcing to India. Let’s face it, retailers typically outsource to foreign countries because they want to save money. These savings can come from lower labor costs, lower insurance or real estate costs, lower manufacturing costs and lower compliance overhead—and usually a lighter regulatory environment.
However, a rash of highly publicized break-ins and thefts of personal information has apparently led the Indian government to decide that the best way to promote India as a haven for data centers, call centers and other outsourced data processing is not to lower privacy and security regulations but to raise them. “Look,” the government seems to be saying, “your customer data will be secure here, and our data centers must protect it.”
So what previously was the subject of contractual wrangling between companies and their outsourcers now has whatever “teeth” are added by the threat of government enforcement—all in the name of promoting business.
June 26th, 2011 at 6:14 pm
Really nice write-up. However, don’t you think that, keeping in mind the EU law on data protection, the Indian law is meant to facilitate the outsourcing business? The EU directives on data protection do not allow an EU country to transfer data to a country that does not follow adequate data protection measures. The new law, it seems, is bound to encourage clients from the EU to outsource their work to India. Moreover, even the US is introducing a new data protection law this year in July that is also supposed to enforce stringent data protection measures.