Think privacy issues are a pain when they affect consumers? Get ready for the grandfather of all corporate computing headaches. Big privacy-law changes in India and China are about to turn data-processing outsourcing into a hurdle-leaping, paperwork-generating mess.
Start with the proposed rules from the People's Republic. The country has suffered bad PR fromserious allegations of China-based online economic espionage. However, there's another whole problem area: security in outsourced IT services because of high personnel turnover and little cultural recognition of the importance of data security. So the government has called for the following:
- Those that hold personal data must receive explicit consent to divulge that data to third parties.
- There are specific restrictions "during the collection, processing, use, transfer and maintenance of personal information."
- Personal data cannot be exported unless specifically allowed by law or government authorities.
At least the Chinese rules are still in a relatively early draft. Not so with India, which issued some final privacy regulations in the middle of last month, according to an article by two Morrison & Foerster lawyers:
The new rules prescribe how personal information may be collected and used by virtually all organizations in India, including personal information collected from individuals located outside of India. Among other obligations, prior written consent will be required, without exception, to collect and use sensitive personal data. These consent requirements are far more restrictive than what is required under either the Gramm-Leach-Bliley Act or the EU Directive. As a result, U.S. and European multinational businesses that currently rely on their India-based operations or Indian outsourcing service providers to handle sales and other transaction-related calls from their U.S.- or EU-based customers (or even benefit-related calls from their U.S.- or foreign-based employees) may have to adjust their personal data collection practices to conform to Indian data protection rules, even though their current practices may comply fully with U.S. or EU privacy rules.According to the lawyers, the new privacy rules seem to apply to any personal information, and not just that of Indian nationals. Some of the requirements are rigorous:
- A company must get written consent by letter, fax, or email for the collection of data.
- People can opt out at a later time and withdraw their consent.
- There are significant restrictions on disclosing personal data to third parties.
- When a person has given consent for the transfer of data, or it's necessary by contract, a company can only send the data to an organization that provides the say level of security as the Indian regulations.
- People have the right to review their data and to correct it.
- Chinese Hack Global Oil Industry and Other Business; What Else Is New?
- Intel's -- and the Entire Tech Industry's -- Big Competitor: China
- Doing Business in South Korea? Your Strategy Plan Should Factor in the Saber Rattling
- China as No. 2: Why Its Days as a Manufacturing Outsourcer Are Numbered
- Andy Grove Is Right, Industry Needs Its Own Manufacturing