As in the US, there are claims that offshoring "is an accident
waiting to happen" – and there seems to be some evidence for this
view. For instance, US credit card giant Capital One pulled out of
India after unauthorised credit levels were offered to customers by
Indian call centre operators. Newspaper reports in the UK have
referred to organised gangs offering a year's wages to foreign call
centre staff in return for access to US and UK credit card
details.

However, unlike the US, European Union customers are protected
by a comprehensive privacy Directive, and part of that privacy
protection is the requirement, placed on companies, not to transfer
personal data to countries which do not offer an adequate level of
protection. The result is that European Trades Unions have cited
data protection as an issue which should be taken into account in
many international outsourcing deals. Stop the flow of personal
data, the argument goes, then you may stop the outsourcing.

So, for instance, David Fleming, National Secretary of the UK's
Amicus Union, has commented: "There are serious doubts over the
security of personal data". The union has called for the UK's
privacy commissioner to "urgently investigate offshore companies'
data protection measures and to hold a public record of those
companies which transfer personal data where there is not adequate
legal protection."

As a response, the Indian Government has announced its intention
to enact a new data protection regime which will help European and
US companies when outsourcing to the sub-continent. Its National
Association of Software and Service Companies (NASSCOM) is in the
process of drafting legislation to amend the country's existing
Information Technology Act of 2000, with the intention of bringing
the data protection regime up to the standard required by the EU
Directive.

But does India need a new law? If a company is established in
the EU (the company is called a "Data Controller" to use the
correct data protection jargon) and the supplier of call centre
services (the "Data Processor") is in India, there are strong
arguments that there is no need for an Indian law. The Indian Data
Processor is NOT in control of personal data and can only process
personal data under the instructions of the Data Controller. If the
Data Processor does something untoward (e.g. it has poor security,
misuses the personal data in some way, or fails to follow the
procedures specified in the contract for the disclosure of personal
data), the Data Controller in the EU takes the blame. In other
words, if the Indian Data Processor makes any mistake in the
processing of personal data, the Data Controller in the EU can be
sued, prosecuted or otherwise made liable for the consequences.

Additionally, all rights and freedoms granted to individual
customers under EU Data Protection law are protected because the
Data Controller is established in the EU. So, for example, if
rights of access are exercised by a customer, the Data Controller
has to retrieve the personal data from any Data Processor
irrespective of where that Processor is located. That is the same
for all rights – and that is why the UK's privacy commissioner says
there is a presumption of adequacy for any transfer to Data
Processors outside the EU.

So why does India need a Data Protection Act? It's certainly not
to meet the needs of call centre Data Processors – it is because
India wants to attract Data Controllers. And what does this mean?
Rather than limit itself to being a supplier of services to
corporate America and Europe, India sees itself as the place where
such corporations can establish themselves. By wanting a European
standard of Data Protection law, India has announced ambitions
which extend well beyond being a mere supplier of services to the
world's multi-national corporations. In effect, it wants to
establish corporate India.

By Dr. Chris Pounder of Masons, the firm behind OUT-LAW.COM,
and Editor of Data Protection and Privacy Practice.
Contact: Chris.pounder@masons.com