By NARAYAN KARANTH – Director, Head of Legal Services & Immigration
‘Gold Rush’ for India’s legal services
Over the recent years, India’s outsourcing industry has improved its image. Its done this by introducing a raft of regulations around information technology, security and data usage. It is now a force to be reckoned with when it comes to legal services outsourcing and it is currently in the midst of a new Gold Rush
Image Copyright: indiamart.com
Due diligence while choosing your outsourcing partner requires careful review. Before you embark on a long-term relationship, you want a company that has a mutually beneficial business model, gives you value, good technology, processes expert professionals and above all, data security. You also want them operating in an environment that supports you and protects your business.
Legal services outsourcing to India has become an accepted and valuable business model for both corporate legal departments and law firms globally. This is due to firms having increasingly tighter budgetary constraints aimed at fulfilling larger and more complex mandates and India’s changes in the law.
In this blog, we’ve pulled together into one place, highlights of the key regulations, guiding business outsourcing in India that focuses on the issues mentioned. The regulations effected people’s choice of considering India when it came to IT, data security and usage.
Firstly, Indian courts have interpreted “data protection” within the ambit of “right to privacy” as implicit in Articles 19(1)(a) and 21 of the Constitution. Although India does not have a code exclusively dealing with data protection, the Contracts Act and the Information Technology Act chiefly govern this area.
Indian Contracts Act and Code of Civil Procedure
Under the Contracts Act 1872, parties are at liberty to agree for any lawful terms to protect their interest (§23), and subject themselves to foreign laws or to the jurisdiction of foreign courts. Under the Code of Civil Procedure 1908, the judgment and decree of a foreign court can be executed in India (§44).
The Information Technology (IT) Act 2000
The IT Act regulates collection, processing, storage, use or transfer of data and provides penal provisions for any infractions. Specifically, the IT Act explicitly provides damages to the person affected due to negligent handling of his/her sensitive data (§43-A). The Act also imposes a penalty of roughly $150,000 for downloading data without consent or introducing any computer contaminant or computer virus into any computer or computer network (§43). Further, the IT Act provides punishment for hacking (§66), dishonestly receiving stolen computer resource or communication device (§66-B), identity theft (§66-C), cheating by personation by using computer resource (§66-D), and violation for privacy (§66-E).
Additionally, §72-A provides punishment for breach of confidentiality and privacy. This provision bars service providers or its intermediators from disclosing the information they received to any third party, without the consent of the person concerned, or in breach of a lawful contract.
The IT Act’s extra-territorial applicability (§75) reaches offences or contraventions under the IT Act committed outside India by any person (including non-Indian) using computer or computer network located in India.
Privacy Rules, 2011
In 2011, pursuant to the enactment of the European Union’s strict and stringent data protection laws, India enacted new set of rules — the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules). Privacy rules provide a list of “sensitive personal data”, and describe reasonable security practices and procedures that corporations are required to adopt.
Cert-In Rules, 2013
In addition to these obligations and penalties, the Department of Electronics and Information Technology that periodically publishes rules to supplement its provisions for the regulation of data privacy and personal data protection, brought into force the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (Cert-In Rules). The Cert-In Rules define “Cyber Security Incidents” as any incident that results in (i) unauthorized access, denial or disruption of service; (ii) unauthorized use of a computer resource for processing or storage of information; or (iii) changes to data or information without authorization.
The Cert-In Rules impose mandatory notifications on service providers, intermediaries, data centers and corporations in the event of certain types of cyber security incidents, including the unauthorized access of IT systems or data. Corporations are required to notify any incidents to the Computer Emergency Response Team (CERT-In), a government body established to collect, analyze and disseminate information on cyber incidents, provide forecasts and alerts about cyber security incidents, provide emergency measures for handling cyber security incidents and coordinate cyber incident response activities.
National Association of Software and Service Companies
The National Association of Software and Service Companies (NASSCOM) has setup Data Security Council of India (DSCI), a premier industry body on data protection, to make the cyberspace safe, secure and trusted by establishing best practices, standards and initiatives in cyber security and privacy. DSCI engages with governments, regulators, industry associations and think tanks on policy matters.
As you can see, these set of rules protect the interest of information providers from their sensitive data being mishandled by corporations. Now you know you have got the best and the most trusted partnership model in place. This comes with the power and combination of strong commercial experience with the right people, the right processes and the right technology that helps you reduce costs and increase compliance – turning legal from a cost center to revenue generator.
