New Indian Privacy Rules Could Force The Hand Of Many U.S. Retailers

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

New data security regulations in India may make retailers think twice about outsourcing functions that involve consumer information to the subcontinent. The new government rules, which took effect in April, could impact virtually all retailer IT operations if anything is located in India.

How strict are these new rules? They require rapid notification of data breaches—but the rules also require getting express written consent from customers for using their data; getting consent if you want to have third-parties handle the data; providing consumers with contact information about every party who has access to their data; and allowing consumers to have their data purged from all your systems.

For those retail execs thinking, "This isn't such a big deal. This only impacts our call center, because that is all we operate in India," think again. The rules are an example of what the legal community calls the fruit of the poisonous tree. Under this scenario, the rule wouldn't solely impact call center operations. If the information collected from a call center was used anywhere else in the chain—such as if any of that call center data was stored in CRM files or it was used, directly or indirectly, to help in-store, E-Commerce, M-Commerce, supply chain or any other part of the chain—then those divisions would also be subject to the same stringent Indian rules.

The rules also call for any privacy breach to be subject to whatever law is most strict. Usually that will mean the Indian law. However, if—for example—California has even tougher requirements and a retailer is subject to California law but also has an outsourced call center or data center in Mumbai, Indian courts will use the more stringent state requirements.

For most retailers, that could require serious second thoughts about outsourcing to India. Let's face it, retailers typically outsource to foreign countries because they want to save money. This savings can result from lower labor costs, lower insurance or real estate costs, lower manufacturing costs and lower overhead of compliance costs—and usually a lighter regulatory environment.

However, a rash of highly publicized break-ins and thefts of personal information has apparently led the Indian government to decide that the best way to promote India as a haven for data centers, call centers and other outsourced data processing is not to lower privacy and security regulations but to raise them. "Look," the government seems to be saying, "your customer data will be secure here, and our data centers must protect it."

So what previously was the subject of contractual wrangling between companies and their outsourcers now has whatever "teeth" are added by the threat of government enforcement—all in the name of promoting business.

The new rules, like many European and Asian data privacy laws, require any entity that "collects, receives, possesses, stores, deals or handles" personal information to create and provide to the data subjects a privacy policy that clearly sets out its practices and policies on the use of that information and how the subjects' privacy will be protected. The policy must identify any "sensitive personal data" collected or processed, explain the purposes for which the data is collected and used, and provide "reasonable" security practices and procedures.

The new regulations also effectively recommend the rather stringent ISO 27001 information security standard, as long as compliance with that standard (or an approved industry code of practice) is certified or audited annually.

But several things set the Indian law apart from most European laws, which may impact a retailer's decision about whether to outsource data processing to an Indian company. These include:

  • The ISO standards
    Although Indian law does not technically require companies that collect, store or process personal data to comply with the ISO 27001 security standard, it is the only standard expressly mentioned as being acceptable. It is perhaps the most comprehensive standard for data security in the general commercial world, and it provides detailed procedures for all aspects of data security. Most data privacy laws simply say things like "provide reasonable security considering the size and complexity of the organization and the sensitivity of the information collected." The new Indian rules seem to go much further.

  • Express written consent
    Indian law now requires both companies that collect and companies that store or process certain personal information to obtain express written consent from the data subject—the customer—for such collection and processing. It is not clear whether a simple warning banner or click-through agreement will meet this standard.

    The statute provides that collectors and processors "shall obtain consent in writing through letter or fax or E-mail from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information." Sensitive personal information is defined as including things like passwords, bank account and credit-card numbers, medical records, records of sexual orientation and biometric data.

  • Withdrawal of consent
    Customers have the right to withdraw consent for both the use and the processing of their sensitive personal information at any time. As a consequence, both the data collector and all of its processors must have mechanisms in place to purge sensitive personal information from their systems, to track requests for removal of information and to validate that removal from not only all of their systems but their business associates' systems.

  • Consent for re-processing
    With some limits, consumers also have to consent to any third-party access to their sensitive personal information.

  • Contact information
    If information is shared by the retailer or its agents (including sharing to the agents), customers must be given contact information about every party who has access to their information.

    This is a huge deal. Consider, for example, the recent Epsilon data breach that exposed millions of E-mail addresses. Most customers whose data was breached had never heard of the company Epsilon and had no idea that the information they shared with, say, Disney Resorts or Marriott was being shared with Epsilon and, therefore, that their data security was dependent upon the security practices of Epsilon and all of Epsilon's agents (Epsilon's ISP, its contractors and consultants, etc.).

    Now imagine the burden of telling every consumer the names and contact information of every data storage or processing entity with access to consumer information and re-notifying them if you or any of them decide to change storage or processing companies. Kinda makes you want to stop collecting unnecessary data, which may be the point.

  • Piling on
    The Indian regulations expressly require companies to apply whatever is the most stringent law that applies to them. Thus, if a company collects data in Massachusetts and offshores the data to Mumbai, then both Massachusetts and Indian law apply.

  • Push-down good citizenship
    Unlike other data privacy laws, under Indian law it is not sufficient for data collectors and processors to have fair information collection, sharing and protection policies. The law requires both collectors and processors (including ISPs) to have written policies on things like sharing data that users don't own (electronic theft), harassment, blasphemy, defamation, obscenity, pornography, libel, hateful and racially or ethnically disparaging information, and information relating to money laundering or gambling or that is otherwise unlawful.

    Processors must also agree not to host, display, upload, modify, publish, transmit, update or share any information that harms minors in any way, infringes others' intellectual property rights, impersonates others or spoofs the origin or destination of messages.

    Finally, these companies must have policies that prohibit any action that "threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation." Pretty heady stuff for just collecting a consumer's preference in the color of Legos.

  • Termination and control over intermediaries
    Indian law also imposes (by contract) a host of requirements on outsourcing companies with respect to ISPs and intermediaries: terminating contracts under certain circumstances, acting within 36 hours to prevent a data breach, retaining records related to data breaches for at least 90 days, informing customers if the company has failed to comply with the law or with its own privacy policy, and terminating access for those who have not complied with the privacy policy. The law also requires notification of cybersecurity incidents to the Indian Computer Emergency Response Team.

All told, the Indian rules represent a fundamental shift in philosophy. Indeed, in many ways the new regulations are more stringent than the laws under which the personal data is collected. Indian outsourcing companies will initially have to scramble to create and enforce policies that comply with the new laws, and lawyers in India and abroad will have to write new contracts, new policies and new consent forms for data subjects.

Now, I wonder if we can outsource this legal work?

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.