Compliance with data protection regulations, that seem to be becoming more stringent in different parts of the world, especially in European countries, is posing increased challenges to the free flow of information across borders and is impacting the IT/BPO industry in India. The legal challenges being faced by companies in data-flows from client countries can be identified by examining the points below:

  • Data flow restrictions: The amendments to the German DPA make it difficult for the data controller to transfer German citizens’ data to third countries, especially of employees. France and Netherlands have also amended their DPAs, which supposedly make it difficult for such data transfers to take place.
  • Contracts with data processors: An impression is getting created that the amendment to the German DPA obligates the data controllers to have more detailed contracts with data processors. Will this amount to rewriting of, or amendment to the contracts?
  • Data breach notifications: Introduction of new obligation by countries like Germany and France for data controller to inform the data protection authorities as well as the data subjects about data breaches and its likely impact on the service providers.
  • Bureaucratic processes for registering with respective DPAs (submitting databases, data files & contracts): In case service providers directly collect personal information on behalf of data controllers and / or hire local staff and process their personal data, what are their obligations?
  • Rising penalties for data breaches: UK’s DPA imposes a maximum fine of £500,000 for ‘serious breaches’. Similarly, French and German DPAs also impose a fine of up to €600,000 for each data breach. Is this redefining the liability of service providers?
  • Expanded powers of supervisory authorities to intervene: The amendment to the German DPA provides for expanded power to the data protection authority to intervene in the cross border transaction governed by the contracts. How is this impacting the business relationships? Is it contributing to cost escalation?
  • Lack of clarity in the interpretation of various regulatory requirements that have implications on the data flows especially with respect to the distribution of obligations and liabilities between data controller and data processor.

    In order to take a unified view and to evolve a consensus on approaching the diversity of data protection laws and requirements imposed by various governments, DSCI constituted a DSCI Advisory Group on Legal Issues in Data-Flows.

Following is the agenda for the DSCI Advisory Group on Legal Issues in Data-Flows
  • Against the background of recent regulatory amendments in some EU member states that make regulatory requirements more stringent and raise the liabilities for data breaches and non-compliance, discuss the challenges faced and impact on IT and BPO companies in India as ‘data processors’ including:
    • Data Flow Restrictions esp. with respect to data transfer of EU citizens to India including the employee data
    • Re-writing of Contracts
    • Data Breach notifications
    • Bureaucratic processes for registering with respective Data Protection Authorities
    • Rising penalties for data breaches
    • Expanded powers of supervisory authorities
    • Lack of clarity in the interpretation of various regulatory requirements
  • Discuss and deliberate different approaches / recommendations that can help Indian outsourcing industry overcome the identified challenges. For e.g. harmonization of regulatory requirements, lobbying with regulatory bodies to categorize India as a country having ‘adequate level of protection’, ‘Binding Safe Processor Rules’ for data processors like ‘Binding Corporate Rules’ for MNCs, Recognition of DSCI Security & Privacy Frameworks, etc.
  • Identify the relevant audience for submitting and discussing the identified issues and approaches / recommendations. For e.g. WTO, WITSA, EU, DPAs, FTC, etc.
  • Strategy for taking the outcomes of these deliberations to the identified audience
  • Role of DSCI and NASSCOM

Members’ Name Designation Organization
Mr. Pazhamalai Jayaraman CISO & GM-IRM & Policy Compliance Wipro
Mr. P S Venkat Subramanyan Head – Data Protection Practice CSC
Mr. Maria Bellarmine CISO & Head Information Security (Compliance) Group Tech Mahindra
Ms. Nandita Jain Mahajan Chief Privacy Officer & Director IBM GPS
Mr. Sabyasachi Chakrabarty Chief Security Officer-APAC British Telecom
Mr. Santosh Mohanty VP -Head of Component Engineering Group TCS
Mrs. Shobhana Nikam Head of Legal, Fidelity India Fidelity
Mr. Pradeep Verma VP-Technology FirstSource