Hefty penalties on BPOs compromising customer privacy

The Indian government will shortly impose hefty penalties on business process outsourcing (BPO) firms that compromise on the data privacy of individual customers. It is likely to tighten the provisions linked to data privacy and data protection in the Information Technology (IT) Act, 2000, and is working closely with the US to emulate existing global best practices in the realm of data security and privacy, a senior official in the communications ministry told ET. 

There is a view in sections of the government that the present IT Act, 2000, does not adequately address data privacy concerns of individuals . And hence the need for more stringent legislation by way of penal provisions to effectively deal with companies passing on sensitive personal in-formation of individuals to third-parties without prior consent. 

The matter was deliberated at length at telecom department meeting where senior officials from the US commerce department were present. "The government is dead serious about data privacy and is likely to tighten the present norms to ensure private data is accessible only through a process of law," said an official in the communications ministry privy to these discussions. But a key provision that could undergo a review is the one that requires companies to obtain prior approval in writing from individuals regarding the use of their personal information collected. 

The new Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data or Information) Rules 2011, require companies or their intermediaries to take approval in writing from individuals about the use of the sensitive personal information they collect. 

In this light, US government officials present at the telecoms department meeting are learnt to have sought clarity on whether US companies collecting such personal information back home and passing on to Indian BPO firms will be exempt from India's rules pertaining to collection of personal data. It remains to be seen whether overseas companies relying on Indian BPOs will also be required to re-align their data collection norms to fall in line with India's data protection rules, even though their practices may be fully compliant with US or EU data privacy norms.(ET)