Outsourcing to India especially from EU is not a straightforward business when it come to EU Data Protection Act there are many myths and confusion floating around.
This article is about understanding some important factor to be considered while outsourcing from EU to India.
Critical factors of consideration:
1. Taxation
Different countries have different tax laws, discuss this with the service provider and let a taxation consultant from both side have a understanding on this.
2. The Influence of Local Laws on data security
Some countries have strict data protection and privacy laws, which might be a hindrance in outsourcing. Since there are no standard legal rules and regulations to follow, it is best to meet your outsourcing provider and make sure that you understand the requirements and adhere to both the legal systems. This will help you to sort out any legal issues of outsourcing.
3. Legal Systems
Rules of governance are different in different countries.
There is no legal system which can be used globally.
Different countries even have different intellectual property laws.
There are no standard legal rules and regulations to follow.
Outsourcing service providers also have to protect their business from civil penalties.
Conduct some research on the country that you want to outsource to and if the local laws of that country are a hindrance.
Conduct a risk assessment with the help of legal consultant, research if any peer company had been into such engagements. Discuss with service provider.
Identify implications and sanctions and burden to carry in the event of legal suit.
4. Dispute Settlement
If a customer from EU wants to sue an outsourcing provider in India, there would be plenty of issues. The India outsourcing provider would not want to go to the EU and the EU customer would not want to come to India.
There is also the legal issue of, where the case will be filed, as the case has to be fought in the country where the case is filed.
These two countries would also have two different legal systems.
When making a “settlement contract” ensure that you mention the system of dispute settlement.
Some Positive Things
Effective Changes in Indian Laws
Indian laws are always going through amendments and they are often changed to effectively meet the requirements of today and to be in unison with the latest international laws.
India complies to the “agreement on ‘trade related’ intellectual property right”.
India also accepted the "world trade organization agreement" even when outsourcing was just starting.
The Indian government has brought about many effective changes in patents, copyrights, designs, trademarks to meet the requirements of today.
Freedom of choice to choose any law
The India courts have always endorsed the choice of proper law.
If the choice of law in the legal contract has been expressed, then you can be sure that it will be supported in the Indian courts.
You can also decide which court would conduct the jurisdiction.
The sections of the Indian Civil Procedure Code and Sections of the Indian Evidence Act, govern the conclusiveness and enforcement of foreign judgments made in India.
Understand EU Data Protection Directive 95/46/EC
PDA - Stands for Personal Data Act
Personal Data - All kinds of information that directly or indirectly may be referable to a natural person who is alive.
For e.g. Name, Address, Place, IP address etc.
Data Subject - The data subject is the individual whom particular personal data is related to.
Note: The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.
Data Controller - A person who alone or together with others (i.e. data processor) decides the purpose and means of processing personal data.
For e.g. any EU companies
Data Processor - A person who processes personal data on behalf of the controller of personal data.
For e.g. Any Indian Outsourcing Companies
3rd Country - A state/country that is not included in the European Union or part of the European Economic Area.
For e.g. India is 3rd country
BCR - Binding Corporate Rules ("BCR") are internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.
Four Building Blocks of Personal Data:
- “any information”
- “relating to”
- “directly or indirectly identified or identifiable”
- “natural person”
Example No. 1: Telephone Banking
In telephone banking, where the customer's voice giving instructions to the bank are recorded on tape, those recorded instructions should be considered as personal data.
Example No. 2: Video surveillance
Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable.
Understand What is Personal Data Act Background
On 24 October 1995 the Personal Data Act came into force. The Personal Data Act is based on EU Directive 95/46/EC. Sweden was the 1st country in the world to enact a comprehensive law to protect the privacy of personal data on computers when it adopted the Data Act in 1973.
Purpose
The purpose of this Act is to protect people, against the violation of their personal integrity, by processing of personal data.
Eight Principles Governing PDA
1. Obtain and process information fairly
2. Keep it only for one or more specified, explicit and lawful purposes
3. Use and disclose it only in ways compatible with these purposes
4. Keep it safe and secure
5. Keep it accurate, complete and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it for no longer than is necessary for the purpose or purposes
8. Give a copy of his/her personal data to an individual, on request
Penalty
• May be sentenced to a fine or imprisonment of at most six months.
• If the offence is grave, the penalty may be imprisonment up to two years.
The controller may also be liable to pay compensation to a registered person for damage and violation of personal integrity caused by the processing of personal data
Understand Provisions and Exceptions to Data Transfer
There are eight data protection principles (the principles) in the Act with which data controllers are required to comply.
In principle, it is forbidden to transfer personal data that is being processed to a country outside the EU/EEA that does not have an adequate level of protection for personal data and protection for “right to access” of data subject.
Article 25 of Directive 95/46/EC regulates the transfer of personal data.
Provision
If you decide you need to transfer personal data outside the EEA, you will need to:
Conduct a risk assessment into whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects; or
If you do not find there is an adequate level of protection, put in place adequate safeguards to protect the rights of the data subjects, possibly using Model Contract Clauses or Binding Corporate Rules; or
Consider using one of the other statutory exceptions to the Eighth Principle restriction on international transfers of personal data.
Model Contract Clauses as a basis for transferring personal data outside the EEA
EU has approved four set of model contract clauses listed below:
Set I: No longer available for new user but continues to have effect in relation to arrangements put in place prior to 15th May 2010
Set II: Controller to Controller (clause template no.c2004-5721)
Transfers from data controllers in the EEA to data controllers outside the EEA.
Set II: Controller to Processor (clause template no.c2010-593)
Transfers from data controllers in the EEA to data processors outside the EEA.
If you use these model clauses in their entirety in your contract, you will not have to make your own assessment of the adequacy of protection afforded to the rights of data subject in connection with your transfer of their personal data.
Exceptions to PDA
The data subject has unambiguously given his free and informed consent to the proposed transfer.
The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request.
The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party.
The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims
The transfer is necessary in order to protect the vital interests of the data subject
Summary
Purpose of EU data protection directive is to protect the personal data.
There are restrictions to transfer personal data outside EU.
There are certain provisions available to transfer personal data outside EU.
Just by signing BCR or Model Clauses, we cannot assume the approval for data transfer since these document expect the required Technical, Administrative and legal controls has been put in place.
There will be certain restriction to certain part of the data or the equipment's processing these data due to the Risk Acceptance Strategy.
Note: The author reserves the right not to be responsible for the topicality, correctness, completeness or quality of the information provided. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected since the objective of this article is to spread awareness and provide some insight to various concepts, terminologies etc.
This article is about understanding some important factor to be considered while outsourcing from EU to India.
Critical factors of consideration:
1. Taxation
Different countries have different tax laws, discuss this with the service provider and let a taxation consultant from both side have a understanding on this.
2. The Influence of Local Laws on data security
Some countries have strict data protection and privacy laws, which might be a hindrance in outsourcing. Since there are no standard legal rules and regulations to follow, it is best to meet your outsourcing provider and make sure that you understand the requirements and adhere to both the legal systems. This will help you to sort out any legal issues of outsourcing.
3. Legal Systems
Rules of governance are different in different countries.
There is no legal system which can be used globally.
Different countries even have different intellectual property laws.
There are no standard legal rules and regulations to follow.
Outsourcing service providers also have to protect their business from civil penalties.
Conduct some research on the country that you want to outsource to and if the local laws of that country are a hindrance.
Conduct a risk assessment with the help of legal consultant, research if any peer company had been into such engagements. Discuss with service provider.
Identify implications and sanctions and burden to carry in the event of legal suit.
4. Dispute Settlement
If a customer from EU wants to sue an outsourcing provider in India, there would be plenty of issues. The India outsourcing provider would not want to go to the EU and the EU customer would not want to come to India.
There is also the legal issue of, where the case will be filed, as the case has to be fought in the country where the case is filed.
These two countries would also have two different legal systems.
When making a “settlement contract” ensure that you mention the system of dispute settlement.
Some Positive Things
Effective Changes in Indian Laws
Indian laws are always going through amendments and they are often changed to effectively meet the requirements of today and to be in unison with the latest international laws.
India complies to the “agreement on ‘trade related’ intellectual property right”.
India also accepted the "world trade organization agreement" even when outsourcing was just starting.
The Indian government has brought about many effective changes in patents, copyrights, designs, trademarks to meet the requirements of today.
Freedom of choice to choose any law
The India courts have always endorsed the choice of proper law.
If the choice of law in the legal contract has been expressed, then you can be sure that it will be supported in the Indian courts.
You can also decide which court would conduct the jurisdiction.
The sections of the Indian Civil Procedure Code and Sections of the Indian Evidence Act, govern the conclusiveness and enforcement of foreign judgments made in India.
Understand EU Data Protection Directive 95/46/EC
PDA - Stands for Personal Data Act
Personal Data - All kinds of information that directly or indirectly may be referable to a natural person who is alive.
For e.g. Name, Address, Place, IP address etc.
Data Subject - The data subject is the individual whom particular personal data is related to.
Note: The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.
Data Controller - A person who alone or together with others (i.e. data processor) decides the purpose and means of processing personal data.
For e.g. any EU companies
Data Processor - A person who processes personal data on behalf of the controller of personal data.
For e.g. Any Indian Outsourcing Companies
3rd Country - A state/country that is not included in the European Union or part of the European Economic Area.
For e.g. India is 3rd country
BCR - Binding Corporate Rules ("BCR") are internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.
Four Building Blocks of Personal Data:
- “any information”
- “relating to”
- “directly or indirectly identified or identifiable”
- “natural person”
Example No. 1: Telephone Banking
In telephone banking, where the customer's voice giving instructions to the bank are recorded on tape, those recorded instructions should be considered as personal data.
Example No. 2: Video surveillance
Images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable.
Understand What is Personal Data Act Background
On 24 October 1995 the Personal Data Act came into force. The Personal Data Act is based on EU Directive 95/46/EC. Sweden was the 1st country in the world to enact a comprehensive law to protect the privacy of personal data on computers when it adopted the Data Act in 1973.
Purpose
The purpose of this Act is to protect people, against the violation of their personal integrity, by processing of personal data.
Eight Principles Governing PDA
1. Obtain and process information fairly
2. Keep it only for one or more specified, explicit and lawful purposes
3. Use and disclose it only in ways compatible with these purposes
4. Keep it safe and secure
5. Keep it accurate, complete and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it for no longer than is necessary for the purpose or purposes
8. Give a copy of his/her personal data to an individual, on request
Penalty
• May be sentenced to a fine or imprisonment of at most six months.
• If the offence is grave, the penalty may be imprisonment up to two years.
The controller may also be liable to pay compensation to a registered person for damage and violation of personal integrity caused by the processing of personal data
Understand Provisions and Exceptions to Data Transfer
There are eight data protection principles (the principles) in the Act with which data controllers are required to comply.
In principle, it is forbidden to transfer personal data that is being processed to a country outside the EU/EEA that does not have an adequate level of protection for personal data and protection for “right to access” of data subject.
Article 25 of Directive 95/46/EC regulates the transfer of personal data.
Provision
If you decide you need to transfer personal data outside the EEA, you will need to:
Conduct a risk assessment into whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects; or
If you do not find there is an adequate level of protection, put in place adequate safeguards to protect the rights of the data subjects, possibly using Model Contract Clauses or Binding Corporate Rules; or
Consider using one of the other statutory exceptions to the Eighth Principle restriction on international transfers of personal data.
Model Contract Clauses as a basis for transferring personal data outside the EEA
EU has approved four set of model contract clauses listed below:
Set I: No longer available for new user but continues to have effect in relation to arrangements put in place prior to 15th May 2010
Set II: Controller to Controller (clause template no.c2004-5721)
Transfers from data controllers in the EEA to data controllers outside the EEA.
Set II: Controller to Processor (clause template no.c2010-593)
Transfers from data controllers in the EEA to data processors outside the EEA.
If you use these model clauses in their entirety in your contract, you will not have to make your own assessment of the adequacy of protection afforded to the rights of data subject in connection with your transfer of their personal data.
Exceptions to PDA
The data subject has unambiguously given his free and informed consent to the proposed transfer.
The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request.
The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party.
The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims
The transfer is necessary in order to protect the vital interests of the data subject
Summary
Purpose of EU data protection directive is to protect the personal data.
There are restrictions to transfer personal data outside EU.
There are certain provisions available to transfer personal data outside EU.
Just by signing BCR or Model Clauses, we cannot assume the approval for data transfer since these document expect the required Technical, Administrative and legal controls has been put in place.
There will be certain restriction to certain part of the data or the equipment's processing these data due to the Risk Acceptance Strategy.
Note: The author reserves the right not to be responsible for the topicality, correctness, completeness or quality of the information provided. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected since the objective of this article is to spread awareness and provide some insight to various concepts, terminologies etc.
Comments
Post a Comment