India demands EU data secure nation status but still lacks robust data protection laws


According to a report in the Economic Times of India, the Indian government has demanded that the European Union designate her as a data secure country. The request came in the context of current bilateral free trade agreement negotiations. An Indian government official is reported saying “Recognition as a data secure country is vital for India to ensure meaningful access in cross border supply.” The official goes on the state that “we have made adequate changes in our domestic data protection laws to ensure high security of data that flows in.”

Seasoned India-watchers may disagree. Traditionally India has had no dedicated privacy or data protection laws, with various statutory aspects scattered under a number of enactments, such as India’s cyber law, The Information Technology Act 2000. In 2011, India finally enacted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 to implement parts of the Information Technology (Amendment) Act 2008. The 2011 Rules cover a subset of personal data (referred to as sensitive personal data, but unhelpfully the meaning of this term differs from that used in the Data Projection Directive) and lay down security practices and procedures that must be followed by organisations dealing with such sensitive personal data.

The 2011 Rules were broad in scope and ambiguously drafted. The impact on the outsourcing sector was unclear and subsequent clarifications had to be rushed through by the Indian government. These clarifications helped somewhat but were still found wanting, with one commentator describing them as “half baked.”

The EU’s Data Protection Directive permits personal data to be transferred to third countries (i.e. countries outside of the EEA) if that country provides an adequate level of protection. The current list covers only a handful of countries including Canada, Switzerland and Jersey, and more recently New Zealand. The US is not deemed adequate but personal data sent under the Safe Harbor scheme is considered to be adequately protected. India is not deemed to offer adequate protection. Accordingly it has become standard practice to use the approved EC model clauses wherever EU-based outsourcing involves data transfer and offshore processing in India. These clauses, which provide an alternative lawful means of data transfer, place strict obligations on both parties to ensure privacy of data and are considered by some to be onerous and to act as a disincentive for business.

Thirty percent of India’s $100-billion IT and business process outsourcing industry comes from customers based in the European market. Industry representatives are concerned that India defends and grows her share of the European outsourcing market, although for the time being it is worth pointing out that none of her main competitors, such as China, the Philippines, Singapore and South Africa, have achieved data secure nation status. As reported in the Economic Times of India, according to Ameet Nivsarkar, vice-president of Nasscom, the trade association which represents the Indian software industry, “if European companies start insisting on a data secure status as a critical factor for giving business, it will become a very important criterion for perception of a country. Nonetheless, most of our companies adhere to very high level of data security.”

India has a strong track record of performing-low end data processing but desires to move up the value chain into more sophisticated outsourced work in sectors such as healthcare, clinical research and engineering design. Achieving data secure nation status will support this; the process however is a relatively arduous, and potentially political, one involving:

  • a proposal from the Commission,
  • an opinion of the Article 29 Working Party,
  • an opinion of the Article 31 Management Committee delivered by a qualified majority of Member States,
  • a thirty-day right of scrutiny for the European Parliament, to check if the Commission has used its executing powers correctly, and
  • the adoption of the decision by the College of Commissioners.

It will be interesting to see how the EU reacts to India’s demands, especially given the current proposals to reform EU data protection legislation in order to strengthen individual rights and tackle the challenges of globalisation and new technologies. Uruguay, Australia and Japan are all ahead of India being at different stages of advancement in the process. One thing seems clear – India will need to ensure her data protection laws and enforcement regime will stand up to EU scrutiny if she is serious about wanting to join the small but growing club of nations with EU data secure status.