New data security regulations in India may make retailers think twice about outsourcing functions that involve consumer information to the subcontinent. The new government rules, which took effect in April, could impact virtually all retailer IT operations if any part of those operations is located in India.
How strict are these new rules? They require rapid notification of data breaches—but the rules also require getting express written consent from customers for using their data; getting consent if you want to have third-parties handle the data; providing consumers with contact information about every party who has access to their data; and allowing consumers to have their data purged from all your systems.
For those retail execs thinking, "This isn't such a big deal. This only impacts our call center, because that is all we operate in India," think again. The rules are an example of what the legal community calls the fruit of the poisonous tree. Under this scenario, the rule wouldn't solely impact call center operations. If the information collected from a call center was used anywhere else in the chain—such as if any of that call center data was stored in CRM files or it was used, directly or indirectly, to help in-store, E-Commerce, M-Commerce, supply chain or any other part of the chain—then those divisions would also be subject to the same stringent Indian rules.
The rules also call for any privacy breach to be subject to whatever law is most strict. Usually that will mean the Indian law. However, if—for example—California has even tougher requirements and a retailer is subject to California law but also has an outsourced call center or data center in Mumbai, Indian courts will use the more stringent state requirements.
For most retailers, that could require serious second thoughts about outsourcing to India. Let's face it, retailers typically outsource to foreign countries because they want to save money. This savings can result from lower labor costs, lower insurance or real estate costs, lower manufacturing costs and lower overhead of compliance costs—and usually a lighter regulatory environment.
However, a rash of highly publicized break-ins and thefts of personal information has apparently led the Indian government to decide that the best way to promote India as a haven for data centers, call centers and other outsourced data processing is not to lower privacy and security regulations but to raise them. "Look," the government seems to be saying, "your customer data will be secure here, and our data centers must protect it."
The new regulations also effectively recommend the rather stringent ISO 27001 information security standard, as long as compliance with that standard (or an approved industry code of practice) is certified or audited annually.
But several things set the Indian law apart from most European laws, which may impact a retailer's decision about whether to outsource data processing to an Indian company. These include:
Although Indian law does not technically require companies that collect, store or process personal data to comply with the ISO 27001 security standard, it is the only standard expressly mentioned as being acceptable. It is perhaps the most comprehensive standard for data security in the general commercial world, and it provides detailed procedures for all aspects of data security. Most data privacy laws simply say things like "provide reasonable security considering the size and complexity of the organization and the sensitivity of the information collected." The new Indian rules seem to go much further.
Indian law now requires both companies that collect and companies that store or process certain personal information to obtain express written consent from the data subject—the customer—for such collection and processing. It is not clear whether a simple warning banner or click-through agreement will meet this standard.
The statute provides that collectors and processors "shall obtain consent in writing through letter or fax or E-mail from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information." Sensitive personal information is defined as including things like passwords, bank account and credit-card numbers, medical records, records of sexual orientation and biometric data.
Customers have the right to withdraw consent for both the use and the processing of their sensitive personal information at any time. As a consequence, both the data collector and all of its processors must have mechanisms in place to purge sensitive personal information from their systems, to track requests for removal of information and to validate that removal from not only all of their systems but their business associates' systems.
With some limits, consumers also have to consent to any third-party access to their sensitive personal information.
If information is shared by the retailer or its agents (including sharing to the agents), customers must be given contact information about every party who has access to their information.
This is a huge deal. Consider, for example, the recent Epsilon data breach that exposed millions of E-mail addresses. Most customers whose data was breached had never heard of the company Epsilon and had no idea that the information they shared with, say, Disney Resorts or Marriott was being shared with Epsilon and, therefore, that their data security was dependent upon the security practices of Epsilon and all of Epsilon's agents (Epsilon's ISP, its contractors and consultants, etc.).
Now imagine the burden of telling every consumer the names and contact information of every data storage or processing entity with access to consumer information and re-notifying them if you or any of them decide to change storage or processing companies. Kinda makes you want to stop collecting unnecessary data, which may be the point.
The Indian regulations expressly require companies to apply whatever is the most stringent law that applies to them. Thus, if a company collects data in Massachusetts and offshores the data to Mumbai, then both Massachusetts and Indian law apply.
Unlike other data privacy laws, under Indian law it is not sufficient for data collectors and processors to have fair information collection, sharing and protection policies. The law requires both collectors and processors (including ISPs) to have written policies on things like sharing data that users don't own (electronic theft), harassment, blasphemy, defamation, obscenity, pornography, libel, hateful and racially or ethnically disparaging information, and information relating to money laundering or gambling or that is otherwise unlawful.
Processors must also agree not to host, display, upload, modify, publish, transmit, update or share any information that harms minors in any way, infringes others' intellectual property rights, impersonates others or spoofs the origin or destination of messages.
Finally, these companies must have policies that prohibit any action that "threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation." Pretty heady stuff for just collecting a consumer's preference in the color of Legos.
All told, the Indian rules represent a fundamental shift in philosophy. Indeed, in many ways the new regulations are more stringent than the laws under which the personal data is collected. Indian outsourcing companies will initially have to scramble to create and enforce policies that comply with the new laws, and lawyers in India and abroad will have to write new contracts, new policies and new consent forms for data subjects.
Now, I wonder if we can outsource this legal work?
If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.