Feature

BPO Firms in India & China Face Challenges From New Privacy Laws

4 minute read
J. Angelo Racoma avatar

China and India are two popular destinations for outsourced business processes. Recent developments in the legal and regulatory environments in both countries might make it difficult for BPO firms to operate, particularly those that involve sensitive data such as contact details and personal information.

Draft Privacy Regulations in China Will Require Explicit Consent from Source

Privacy and intellectual property are highly valued concepts in the west, but the same might not be the case elsewhere. Consider the notoriety of China for reverse-engineering devices (even cars!) and getting away with mass-producing cheap knockoffs. This has gone to the extent that the Chinese are sometimes accused of economic espionage.

To help improve the business environment, legislators have been moving for laws that will better protect intellectual property, as well as privacy. Chinese legislators plan to address this with the introduction of new data security regulations that seek to enforce stricter controls over how to handle personal data, to wit:

  • Organizations that manage personal data are required to keep such confidential, and will need explicit consent from the owner before this data is shared or divulged to another party.
  • Specific restrictions will apply to collection, processing, use, transfer and maintenance of personal information.
  • These principles will also apply to personal data on computer networks, and not just data in digital storage media or hard copy.
  • Personal information cannot be exported unless given express permission by authorities or the law.

But given strict requirements, the question here would be whether the proposed rules might actually end up harming the thriving outsourcing industry that relies on foreign contracts for survival. These draft regulations are actually stricter than their US and EU counterparts. For example, while US companies are expected to protect personal information regardless of the physical location of the data, the draft Chinese rules will prohibit companies from moving data across borders altogether without explicit consent.

Learning Opportunities

India: Final Privacy Regulationin Place

While the Chinese privacy regulation is still in draft form, Indian legislators have approved the country's stringent privacy rules, which will require several layers of approvals and consent before data can be processed in any useful and meaningful way. Here are the provisions, as quoted by Morrison & Foerster (PDF):

  • Consent -- An organization will require written consent from each source of the personal sensitive data prior to collection. Such may not be collected unless for lawful purposes, and for a function necessary for the organization to perform its duties.
  • Right to opt out -- Participants can opt out at a later time, which will mean they have essentially withdrawn consent.
  • Third-party disclosures -- Disclosure of personal information to third parties will require prior consent, unless this is necessary in compliance with legal obligations. Further, sensitive personal data may not be published, and third-parties are prohibited from further disclosing data.
  • Transfer of information -- Sensitive personal data may be transferred to another organization that will ensure the same level of data protection only if necessary for the performance of the contract between the organization and the source of information.

In essence, both these regulatory measures will mean BPO providers in China and India might have to exert extra effort (and expense) in ensuring they get the necessary consent in place before they can even start to accept and process data. As such, this might prove to be a challenge to organizations that employ Chinese and Indian teams for their back-office work, which may include HR, bookkeeping, records management and the like.

It's a tradeoff between security and ease-of-access, in which case a certain balance is best to ensure an adequate level of privacy, but without being restrictive enough to adversely affect the viability of doing business in these countries.