Privacy & Information Security Law Blog

On August 24, 2011, the Government of India’s Ministry of Communications & Information Technology issued a clarification regarding India’s new privacy regulations, known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”), under Section 43A of the Information Technology Act 2000.

Under the Rules, which were first published on April 11, an individual’s prior written consent is required to process or disclose sensitive personal data.  Outsourcing service providers in India had been concerned that it would be impossible to comply with this requirement given that they typically do not have direct contact with the individuals from whom they would need to obtain consent.  The clarification states that any “body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India” is exempt from the requirement to obtain consent.  Accordingly, Indian outsourcing service providers will not need to obtain consent from individuals before processing their data, regardless of whether the outsourcing services are provided to companies based in India or abroad.  The Rules will apply only to Indian companies that obtain sensitive personal data directly.

The clarification also defines “provider of information” (a term used in the Rules), as “those natural persons who provide sensitive personal data or information to a body corporate.”

Since the Rules were published, it has not been clear how they would apply in practice to companies that outsource their data processing activities to India.  The Indian government’s clarification should come as a welcome relief to the Indian outsourcing industry, and to the companies that use Indian outsourcing services.

View the Ministry’s Press Note.