Overnight, the privacy landscape in India has undergone a dramatic transformation. On April 13, 2011, India quietly issued final regulations implementing parts of the Information Technology (Amendment) Act, 2008, dealing with protection of personal information. These regulations could have a profound effect on multinational businesses that either outsource business functions to Indian service providers or maintain their own operations in India.

The new rules prescribe how personal information may be collected and used by virtually all organizations in India, including personal information collected from individuals located outside of India. Among other obligations, prior written consent will be required, without exception, to collect and use sensitive personal data. These consent requirements are far more restrictive than what is required under either the Gramm-Leach-Bliley Act or the EU Directive. As a result, U.S. and European multinational businesses that currently rely on their India-based operations or Indian outsourcing service providers to handle sales and other transaction-related calls from their U.S.- or EU-based customers (or even benefit-related calls from their U.S.- or foreign-based employees) may have to adjust their personal data collection practices to conform to Indian data protection rules, even though their current practices may comply fully with U.S. or EU privacy rules.