
New Privacy Laws in India and China Could Make IT Outsourcing Ugly

Think privacy issues are a pain when they affect consumers? Get ready for the grandfather of all corporate computing headaches. Big privacy-law changes in India and China are about to turn data-processing outsourcing into a hurdle-leaping, paperwork-generating mess.

Start with the proposed rules from the People's Republic. The country has suffered bad PR from serious allegations of China-based online economic espionage. However, there's a whole other problem area: security in outsourced IT services, which suffers from high personnel turnover and little cultural recognition of the importance of data security. So the government has called for the following:

  • Those that hold personal data must receive explicit consent to divulge that data to third parties.
  • There are specific restrictions "during the collection, processing, use, transfer and maintenance of personal information."
  • Personal data cannot be exported unless specifically allowed by law or government authorities.
As currently proposed, the restrictions could prohibit an outsourcer from transferring data received from a company to that company's affiliate. There's even a question as to whether an outsource firm could return data to the company that sent it in the first place.

At least the Chinese rules are still in a relatively early draft. Not so with India, which issued some final privacy regulations in the middle of last month, according to an article by two Morrison & Foerster lawyers:

The new rules prescribe how personal information may be collected and used by virtually all organizations in India, including personal information collected from individuals located outside of India. Among other obligations, prior written consent will be required, without exception, to collect and use sensitive personal data. These consent requirements are far more restrictive than what is required under either the Gramm-Leach-Bliley Act or the EU Directive. As a result, U.S. and European multinational businesses that currently rely on their India-based operations or Indian outsourcing service providers to handle sales and other transaction-related calls from their U.S.- or EU-based customers (or even benefit-related calls from their U.S.- or foreign-based employees) may have to adjust their personal data collection practices to conform to Indian data protection rules, even though their current practices may comply fully with U.S. or EU privacy rules.
According to the lawyers, the new privacy rules seem to apply to any personal information, and not just that of Indian nationals. Some of the requirements are rigorous:
  • A company must get written consent by letter, fax, or email for the collection of data.
  • People can opt out at a later time and withdraw their consent.
  • There are significant restrictions on disclosing personal data to third parties.
  • When a person has given consent for the transfer of data, or it's necessary by contract, a company can only send the data to an organization that provides the same level of security as the Indian regulations.
  • People have the right to review their data and to correct it.
This will be a major challenge for Western companies that use Indian firms as back office processing centers. Expect to see companies bringing some degree of data processing back in-house again, as well as investigating new potential outsource locations in South America, at least until enough wealthy business owners complain to the Chinese and Indian governments about the amount of business they might lose.


Image: morgueFile user melodi2, site standard license.