Think privacy issues are pain when they affect consumers, get ready for the grandfather of all corporate computing headaches. Big privacy-law changes in India and China are about to turn data processing outsourcing into a hurdle leaping, paperwork-generating mess. From the People’s Republic, start with the proposed rules. The country has suffered bad PR from serious allegations of China-based online economic espionage. Although, there is an another whole problem area, security in outsourced Information Technology services because of the high personnel turnover and little cultural recognition of the importance of data security.
The governmant has called for the following, those that hold personal data must receive explicit consent to divulge that the data to third parties. There are specific restrictions that during the collection, processing, use, transfer and maintenance or personal information. The personal data cannot be exported unless specifically allowed by the law or government authorities. As the currently proposed, the restrictions could prohibit an outsourcer form transferring data received from a company to that company’s affiliate. There is even a question as to whether an outsource firm could return data to the company that sent it the first place.
According to an article by two Morrison and Foerster lawyers, at least the Chinese rules are still in a relatively early draft, not so with the India which issued the final privacy regulation in a middle of last month. Including the personal information collected from individuals located outside of India, the new rules prescribe how personal information may be collected and used by virtually all organization in India. Among the other obligations, the prior written consent will be required without exception, to collect and use sensitive personal data. The consent requirements are far more restrictive than what is required under either the Gramm-Leach-Bliley Act or the EU Directive. As the result, the US and European multinational businesses that currently rely on their India-based operations or Indian outsourcing services providers to handle sales and other transaction-related calls from the US or EU based customers that may have to adjust their personal data collection practices to conform to Indian data protection rules despite of their current practices that may comply fully with the US or EU privacy rules.
The new privacy rules seem to apply to any personal information and it is not just that of the Indian nationals. People can choose out a later time and withdraw their consent. There are significant restriction on disclosing personal data to the third parties. When a person has given consent for the transfer of the data, or it is necessary by contract a company that can only send the data to an organization that is providing the say level of the security as the Indian regulations. The major challenge for the Western companies that use Indian as back office processing centers expect to see companies bringing some degree of the data processing back in house again as well as investing a new potential outsource locations in the South America. It is enough wealthy for the business owners complain to the Chinese and Indian governments about the amount of the business that they might lose.
REFERENCE:
http://www.theoutsourceblog.com/2011/05/new-privacy-laws-in-india-and-china-could-make-it-outsourcing-ugly/
