Q How concerned should investors in India be about data protection?

A Overseas investors looking to invest in India should have data protection regulatory concerns high on their agendas. Many perceive the issue as a potentially onerous hurdle that could dissuade their boards and shareholders from committing to an investment in India. Those opposed to the outsourcing trend have highlighted data protection regulatory concerns as reasons not to continue with this trend.

This in turn has put the Indian government under pressure to enact data protection laws to protect the lucrative Indian business process outsourcing (BPO) industry. New data protection law is now at the draft stage.

Q Can overseas investors be penalised for not complying with data protection standards in India?

A Penalties that can be imposed on overseas investors that do not comply with data protection laws include fines and personal criminal liability.

The range of obligations that must be met are wide ranging and are very relevant to businesses that seek to invest in India. Using the outsouurcing trend as an example, there are data protection requirements that relate to the security service levels which by law must be imposed on a service provider, and the steps which must be taken by a European business before data that includes information about individuals is sent outside the European Economic Area to countries such as India.

Q How does European legislation impact on India’s BPO industry?

A The EU directive 95/46/EC is specific on the requirements for the transfer of data. It states that personal data of EU nationals cannot be sent to countries that do not meet the EU “adequacy” standards with respect to privacy. The directive also sets down the principles regarding the transfer of data to third countries.

Under this directive the third country should provide an adequate level of protection to personal data of the citizens of EU member states. It states: “The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.”

Q If and when India adopts a data protection law, how will it address these issues?

A Indian businesses have to state how they will address these issues in order to win overseas investment. In the case of Europe, they also need to demonstrate a high level of understanding of the European data protection laws, regulations and industry codes of practice – the contracts that they are asked to sign will make this a formal, legally-binding requirement.

India started a process of economic liberalisation in the 1990s. One of the main features of this process has been to simplify rules and regulations to attract foreign investment. As a result of this, India is becoming easier to enter from a regulatory and commercial point of view but there are still issues to overcome. Indian privacy standards for the outsourcing company are just one issue of many that need to be addressed.

Tony Khindria is the founding partner of Lexindia, an Indian law firm with offices in London, Delhi and Paris. He is author of Foreign Direct Investment in India, published by Sweet & Maxwell (1997) and Khindria on Business Law An Indian perspective, published by Butterworths LexisN