Offshore Outsourcing has become a big business in developing countries such as India and China because that is where high skilled IT jobs can be executed efficiently at reasonable costs. This business opportunity comes with its risks - the Security of Data and Privacy concerns, as companies outsourcing the work have virtually no control over their data when it is sent for processing in third countries. Hackers and intruders can have a field day if they happen to break the security net and steal data thereby taking unauthorized benefit from that data. Firms sending sensitive data such as social security number and other personal details of their customers to third countries for processing, to a large extent, depend on another firm’s security measures and data access policies. The most obvious risks involve the access, storage and transfer of data.

European Union and U.S. have a host of privacy laws, which secures the privacy of customers’ data. European Directive on Personal Data Privacy and U.S. Safe harbour principles are case in point. They require the third parties to have ‘adequate’ safeguards against pilferage of data and on that basis firms outsourcing offshore has to fix up deals with firms of third countries. The issue here is that being a top destination of offshore outsourcing - is India ready with ‘adequate’ regulations and laws regarding data privacy and protection.

Presently, the business process outsourcing industry is doing the business on what can be called ‘compensating controls’. This refers to the money spent on implementation of necessary processes, tools and controls to plug any leak of data thereby safeguarding against any leak of data and money lost on that account. Alternatively the third country firms bring in provisions in their contractual obligations regarding External Audit and Inspection, Zero violation clauses and commitment to International Data Protection Standards. When faced with questions of breach of data and different legal systems, Firms often sign contracts under the law governing the Outsourcer to mitigate the risk of delay in the practice and implementation of Indian law. Some Outsourcers set up contracts and working relationship in the form of offshore development center guidelines created by themselves.

On the issue of adequate law, Information Technology Act, 2000 was brought into force but that too, according to industry sources, is not an adequate ‘tool’ to protect against security breaches and therefore amendments have been proposed. NAASCOM, the premier body of IT professionals has come up with a modal data protection law on the lines of the European Directive and has send it for the gubernatorial consideration.

In this scenario it is imperative for India to come up with a separate legislation that can deal with the twin objective of data privacy and its protection. Once the required legislation comes into force it can give a boost to the already buoyant outsourcing industry.