Laws for Outsourcing of IT Service & Work
The business entities and firms are nowadays taking advantage of technology for models like offshoring so as to reduce their costs without a without a corresponding decline in quality. However, with the growth and development of technology the problem related to same is also growing by leaps and bounds. Most developed countries in the world, especially the USA are engaged in outsourcing majority of its industrial and trading contracts, offshore to developing countries like India to reap the benefits of cost effective and proficient work force. However, concerns like data confidentiality and security issues have emphasised the necessity for businesses to take considerable care when handling with crossborder transactions.
Data Protection under Indian Legislation
The companies that outsource services to Indian suppliers share their data on a daily basis. Therefore, in an outsourcing agreement various data protection issues may arise such as lack of or inadequate security arrangements in place for the supplier in storing and handling personal data, the customer’s personal data and confidential information getting used in breach of the contract, lack of adequate disaster recovery and backup provision.
India doesn’t have a statute governing the protection of confidential information and trade secrets. Further, there’s no statute handling data protection or privacy matters specifically. Moreover, various Indian courts including the Supreme Court of India have recognized that the right of privacy is an integral part of the right to life and personal liberty, which is a fundamental right under the Indian Constitution. Data can be protected in India through Indian Contract Act, 1872 (ICA), Specific Relief Act, 1963 (SRA), Indian Penal Code 1860 (IPC) and most importantly under Information Technology Act, 2000 (IT Act).
Indian Contract Act, 1872 (ICA)
Data can be protected under contract law, by incorporating confidentiality and data protection clauses in contracts. The provisions of the ICA are applicable to any contractual arrangement between Indian parties and with any foreign entity (in the event Indian laws have been chosen by the parties as the governing law). Therefore, an outsourcing contract could be governed by the principles and provisions of the Contract act. As per the provisions of this act, when a party commits a breach of contract, the other party is entitled to receive compensation for any loss or damage caused to it.
Specific Relief Act, 1963 (SRA)
The Specific Relief Act contains provisions for the granting of specific relief in respect of contractual arrangements instead of general relief (that is, damages or compensation as laid out in the ICA). Therefore, in the case of breach of contract, if the remedy of monetary compensation isn’t adequate, and it’s impossible to determine the damages, specific performance of the contract could also be granted so as to ensure justice.
Indian Penal Code, 1860 (IPC)
The IPC can be an efficient means to stop data theft. For the offences like misappropriation of property, theft or criminal breach of trust results in the imprisonment and fine under the IPC. The IPC provides a comprehensive definition of the term ‘movable property’ which includes all the corporal properties. Therefore, the data stored in the type of data on papers and within the computer can be conveniently and safely considered movable property, since it’s capable of moving from one place to a different.
Information Technology Act, 2000 (IT Act)
The IT Act offers data protection as it prohibits theft of data and hacking. It deals with online transactions, data protection and cyber offences. Moreover, also provides legal recognition to electronic commerce, which facilitates commercial e-transactions. Under section 43A of the IT Act, a body corporate who is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices leading to wrongful loss or wrongful gain to any individual, then such body corporate could also be held liable to pay damages to the person so affected. Furthermore, section 72A of the IT Act provides for disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract has been also made punishable.
How can Parties to an Outsourcing ensure Protection of their Data?
Customers can protect their data through various steps. They can insist on unlimited liability for breach of confidentiality, share data on a ‘need to know” basis only, make background checks of employees, mark any shared information as confidential, agree on policies and procedures and checks for the supplier to maintain in relation to storage and security of data, insist on an adequate disaster recovery and backup facility and carry out timely audits of the processes to store.
Moreover, customers can draft non-disclosure agreements with the supplier’s employees, in order that it can take direct action against the employees without relying on the supplier. Where the supplier or its employees have breached contractual obligations, depending on the facts of the case, the customer can start a direct criminal and or civil action against them.
The need for a law on data protection is paramount if India is to sustain investor confidence, especially among foreign entities that send large amounts of information to India for back-office operations. Data protection is vital for outsourcing arrangements that entrust an Indian company with an overseas company’s confidential data or trade secrets, and private data. The proposed “Personal Data Protection Bill, 2019” in Lok Sabha for data protection will ensure adequate safeguards, and also appoint a regulator to watch the collected data and its usage.
Authored By: Adv. Anant Sharma & Riddhi Khandelwal