Evan Schuman's StorefrontBacktalk

This is a huge deal. Consider, for example, the recent Epsilon data breach that exposed millions of E-mail addresses. Most customers whose data was breached had never heard of the company Epsilon and had no idea that the information they shared with, say, Disney Resorts or Marriott was being shared with Epsilon and, therefore, that their data security was dependent upon the security practices of Epsilon and all of Epsilon’s agents (Epsilon’s ISP, its contractors and consultants, etc.).

Now imagine the burden of telling every consumer the names and contact information of every data storage or processing entity with access to consumer information and re-notifying them if you or any of them decide to change storage or processing companies. Kinda makes you want to stop collecting unnecessary data, which may be the point.

The Indian regulations expressly require companies to apply whatever is the most stringent law that applies to them. Thus, if a company collects data in Massachusetts and offshores the data to Mumbai, then both Massachusetts and Indian law apply.

Unlike other data privacy laws, under Indian law it is not sufficient for data collectors and processors to have fair information collection, sharing and protection policies. The law requires both collectors and processors (including ISPs) to have written policies on things like sharing data that users don’t own (electronic theft), harassment, blasphemy, defamation, obscenity, pornography, libel, hateful and racially or ethnically disparaging information, and information relating to money laundering or gambling or that is otherwise unlawful.

Processors must also agree not to host, display, upload, modify, publish, transmit, update or share any information that harms minors in any way, infringes others’ intellectual property rights, impersonates others or spoofs the origin or destination of messages.

Finally, these companies must have policies that prohibit any action that “threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation.” Pretty heady stuff for just collecting a consumer’s preference in the color of Legos.

Indian law also requires outsourcing companies to have a host of requirements with respect to ISPs and intermediaries (by contract) requiring termination of contracts under certain circumstances, to work within 36 hours to prevent a data breach, to retain records related to data breaches for at least 90 days, to inform customers if it has failed to comply with the law or with its own privacy policy, and to terminate access to those who have not complied with the privacy policy. The law requires notification of cybersecurity incidents to the Indian Computer Emergency Response Team.

All told, the Indian rules represent a fundamental shift in philosophy. Indeed, in many ways the new regulations are more stringent than the laws under which the personal data is collected. Indian outsourcing companies will initially have to scramble to create and enforce policies that comply with the new laws, and lawyers in India and abroad will have to write new contracts, new policies and new consent forms for data subjects.

Now, I wonder if we can outsource this legal work?

If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.