As a global hub of outsourcing work, companies based in India handle and process personal data from around the world on a regular basis. And there is a robust and growing digital economy in India, with all of the attendant privacy risks. 

So, why is it that you almost never hear about privacy and data protection issues arising from India? 

Essentially, it’s because it’s unclear whose job it is to enforce privacy laws in India, such as they exist. Unquestionably, it is the Ministry of Electronics and Information Technology that oversees and administers the IT Act of 2000, which creates guidelines around what sensitive personal information is and how it must be handled and protected. 

Yet, overseeing and actually enforcing against bad actors are two different things. In its annual report, for example, MEIT notes all of the work it is doing to educate India about cybersecurity, including issuing alerts of attacks and creating training programs, but there isn’t a single mention of any enforcement action or other “effective deterrence” as provided for in the IT Act of 2000. 

Rather, as it currently stands, citizens need to petition the courts if they feel their privacy rights have been violated. True, there is the potential for stiff penalties (even jail time) for violators if the courts side with complainants, but actual cases are relatively rare. 

Notably, there is a case against Facebook and WhatsApp proceeding right now, brought by two Indian students, following Facebook’s change of terms and conditions to allow people to opt in to having their profiles in WhatsApp and Facebook linked together. 

And it may be that very case that spurs India to move its data protection regulations forward. As part of those proceedings, Attorney General Mukul Rohatgi let judges know that the Telecom Regulatory Authority of India is planning to put together new regulations on online data privacy, hopefully to be delivered for consideration this fall. 

Should that go through, it is likely India will adopt many of the world’s emerging trends surrounding notice and consent for the use of personal data, limits on data processing, and even some version of the so-called right to be forgotten, whereby individuals can petition to have information regarding them removed from either the web or a corporate or public database. 

Until that comes to pass, however, India could not be said to have a robust culture of data privacy. 

What they do have, though, is a culture of making their clients happy. This is why it’s vital that you have data protection documentation of your own that you can share with Indian vendors. The anecdotal evidence among IAPP members is that they’ll do what you ask them to regarding data handling, but you need to be specific in your instructions. If you have governance documents, robust policy that clearly articulates how your organization handles personal information, you’ll be able to ask your Indian vendor to do the same. 

Just saying you expect them to abide by, say, European data protection law, or that you need them to be HIPAA compliant, won’t do the trick. They might make a go of it, but they likely don’t have the organizational architecture in place to make it operationally happen. Instead, they’ll probably look around for some text to create a policy, hand that policy out to all of their employees, and then hope for the best. 

Which, to be fair, is what many large companies around the globe do right now. Only in the last decade or so have we seen privacy and data protection operationalized at global multi-national firms. 

So, ask of your Indian vendors what you would ask of your own operational privacy team: 

  • That there be someone designated as the head of privacy policy implementation who is accountable for policy enforcement. 
  • That there be broad-based privacy awareness training for all employees, and that those employees handling personal information have role-based training to educate them about privacy pitfalls. 
  • That their information security is up to international standards (perhaps ISO 27001) and is frequently updated to account for new attack vectors. 
  • That there is a plan for auditing compliance with internal privacy policy. 

Finally, if this is a long-term or substantive engagement, you should ask, as you would for most vendors of this kind, for the right to audit their program yourself. Don’t take their word for it. 

It may very well be that India soon joins the growing trend of countries implementing modern privacy and data protection law. Until that time, however, it’s best to make sure your vendor management plans are in working order if you’re processing data in India.