As in the US, there are claims that offshoring "is an accident waiting to happen" – and there seems to be some evidence for this view. For instance, US credit card giant Capital One pulled out of India after unauthorised credit levels were offered to customers by Indian call centre operators. Newspaper reports in the UK have referred to organised gangs offering a year's wages to foreign call centre staff in return for access to US and UK credit card details.
However, unlike the US, European Union customers are protected by a comprehensive privacy Directive, and part of that privacy protection is the requirement, placed on companies, not to transfer personal data to countries which do not offer an adequate level of protection. The result is that European Trades Unions have cited data protection as an issue which should be taken into account in many international outsourcing deals. Stop the flow of personal data, the argument goes, then you may stop the outsourcing.
So, for instance, David Fleming, National Secretary of the UK's Amicus Union, has commented: "There are serious doubts over the security of personal data". The union has called for the UK's privacy commissioner to "urgently investigate offshore companies' data protection measures and to hold a public record of those companies which transfer personal data where there is not adequate legal protection."
As a response, the Indian Government has announced its intention to enact a new data protection regime which will help European and US companies when outsourcing to the sub-continent. Its National Association of Software and Service Companies (NASSCOM) is in the process of drafting legislation to amend the country's existing Information Technology Act of 2000, with the intention of bringing the data protection regime up to the standard required by the EU Directive.
But does India need a new law? If a company is established in the EU (the company is called a "Data Controller" to use the correct data protection jargon) and the supplier of call centre services (the "Data Processor") is in India, there are strong arguments that there is no need for an Indian law. The Indian Data Processor is NOT in control of personal data and can only process personal data under the instructions of the Data Controller. If the Data Processor does something untoward (e.g. it has poor security, misuses the personal data in some way, or fails to follow the procedures specified in the contract for the disclosure of personal data), the Data Controller in the EU takes the blame. In other words, if the Indian Data Processor makes any mistake in the processing of personal data, the Data Controller in the EU can be sued, prosecuted or otherwise made liable for the consequences.
Additionally, all rights and freedoms granted to individual customers under EU Data Protection law are protected because the Data Controller is established in the EU. So, for example, if rights of access are exercised by a customer, the Data Controller has to retrieve the personal data from any Data Processor irrespective of where that Processor is located. That is the same for all rights – and that is why the UK's privacy commissioner says there is a presumption of adequacy for any transfer to Data Processors outside the EU.
So why does India need a Data Protection Act? It's certainly not to meet the needs of call centre Data Processors – it is because India wants to attract Data Controllers. And what does this mean? Rather than limit itself to being a supplier of services to corporate America and Europe, India sees itself as the place where such corporations can establish themselves. By wanting a European standard of Data Protection law, India has announced ambitions which extend well beyond being a mere supplier of services to the world's multi-national corporations. In effect, it wants to establish corporate India.
By Dr. Chris Pounder
Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.