Effective with their publication on April 11, 2011,1 the Central Government of India (GOI) adopted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules), under Section 43A of The Information Technology Act, 2000, as amended by The Information Technology (Amendment) Act, 2008 (IT Act). The Rules define certain key, previously undefined, terms used in that Section and otherwise impose India’s first significant personal information privacy and data security regime.
These Rules have spawned widespread concern and debate regarding their interpretation. As discussed in this Legal Alert, literally read, the Rules impose extremely burdensome obligations relating to the collection of personal information by companies with no other contacts with India other than the utilization of outsourcing services provided from inside India. It has been recently reported that the CEO of the Data Security Council of India2 has stated that they have discussed these concerns with the GOI and expect that the GOI will clarify their interpretation of the rules in the near future.
Sutherland does not advise on Indian law, but has been in contact with legal advisers in India regarding the Rules and does regularly advise clients engaging service providers in India under various outsourcing arrangements.
Please see full publication below for more information.