Sector Focus; Information Technology; Issue 1 February 2010



  1. UNIVERSAL LEGAL, ATTORNEYS AT LAW
     Affiliated to The Chugh Firm, USA

     Sector Focus: Information Technology, Vol.1, January 2010

     This first issue dedicated to the IT sector deals with:

     1. Indian Technology Companies voluntarily accept the application of Foreign Data Protection Laws – A Business Phenomenon
     2. In the News: Expediting refund of Accumulated Credit to IT Companies that Export Services

     If you have comments to this article please reach
  2. INDIAN TECHNOLOGY COMPANIES VOLUNTARILY ACCEPT THE APPLICATION OF FOREIGN DATA PROTECTION LAWS – A BUSINESS PHENOMENON

     In his first speech to a joint session of the US Congress on 24th February 2009, US President Barack Obama said: “We will restore a sense of fairness and balance to our tax code by finally ending the tax breaks for corporations that ship our jobs overseas”. [1]

     The IT Outsourcing Statistics 2009/2010 Report, based on a survey of more than 200 IT organisations in US and Canada, states that “the use of offshore service providers remains stable year-over-year for large organizations, but appears to be growing as an option for small/midsize organizations. About 21% of all IT organizations now send some work offshore.” [2]

     Despite India being the go-to destination for IT outsourcing and consulting, the flip side entails the liability of ensuring compliance with foreign laws, foreign quality standards and risk management, so as to offer a comfort zone to the business partner as well as to assure protection of data that the Indian legislations are unable to offer effectively. Every piece of work that is outsourced to a foreign territory carries with it the movement of ‘protected data’, dealing with which is constantly regulated in every country from where it originates.

     Each jurisdiction hosts a set of data protection laws which encompass divergent privacy policies and security procedures, such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and Health Information Technology for Economic and Clinical Health Act (HITECH) in the US, the Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data in Europe, The Privacy Acts in Australia, The Information Technology Act in India, etc. The data protection laws of no two countries are exactly the same in letter and spirit, which impacts every commercial transaction involving the movement of protected data across borders.

     In such a scenario, from an outsourcer’s perspective, every corporation in a foreign jurisdiction that disburses ‘protected data’ has to be in compliance with the data protection law of its home country and is also mandated to ensure that, wherever such data travels, it continues to be subject to the same or substantially adequate compliance as assured in the home country, or else the home country could slap its resident corporation with heavy statutory liabilities.

     From the perspective of an Indian recipient of protected data, in the prevailing global recessionary trend, companies are willing to comply with requirements of the outsourcer since the overseas revenue is hard earned and hard to find in the current economy. This forces the hand of the Indian Company to accept the business in whole, with the entirety of obligations that accompany dealing with sensitive data.

     One such primary obligation is compliance with the data protection policies and regulations that are applicable to the outsourcer, as well as trickle down obligations from other outsourcing countries. Compliance with these obligations is extremely costly and tedious, and violation could result in a tremendous liability that small and medium scale companies in India might not be able to accommodate.

     In this backdrop, protected data recipients in India, prior to contracting with an overseas outsourcer, should focus on understanding the association between:

     i. Their contractual liability imposed by the commercial contract executed with the outsourcer – within the discretion of the data recipients to negotiate their obligations in the contract.
     ii. Their statutory liability in India – mandatory obligation

     CONTRACTUAL LIABILITY

     The terms and conditions of every contract are focused on capturing the intent of the contracting parties, which is determined on the basis of negotiating their interest, minimizing liability, maximizing return and capping indemnity.

     Practically, most overseas commercial contracts executed with an Indian recipient, whose subject matter covers transfer of ‘protected data’, specifically deal with mandatory compliance with the data protection laws of the country in which the ‘protected data’ originates or the data protection laws applicable to an outsourcer. The reason is that the entities disbursing such data are not only statutorily bound themselves to follow security procedures and privacy policies but are also mandated to ensure that the same level of compliance is followed by any recipient of such data, regardless of where they are located or how they use such data. Therefore, the Indian recipient who is party to such contract may not in effect be statutorily bound to comply with the data protection laws applicable to the outsourcer but becomes contractually bound to comply with the same.

     IT companies find themselves in a position where they require the business at any cost, which results in their diminished negotiating power. However, companies are at fault for not seeking to understand the nuances of foreign security and privacy compliance requirements and are therefore unaware most times that the breach of these contractual obligations could result in a hefty contractual liability. In addition to the contractual liability, they could
  3. also face statutory liabilities in India under Section 43A of the Information Technology Act detailed below.

     STATUTORY LIABILITY

     India currently has no organized law specific to data protection on the same plane as the US’s HIPAA or the European Community’s Directive (95/46/EC) or the UK’s Data Protection Act, 1998.

     The only semblance to statutory data protection in India is the Information Technology Act, 2000 (IT Act):

     Section 43A, inserted by way of amendment in 2008 to meet competing data protection laws of other countries, states that “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.”

     For the purpose of giving effect to the above section, "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

     Section 72A of the Act states that “Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.”

     This Section can however only be attracted when secured access is received with the intent to cause loss.

     As there is currently no statutory framework governing security practices and procedures, the section shifts the determination of “reasonable security practices and procedures” to the agreement executed between the parties, and a violation of such contractual obligation could result in a statutory liability for damages. This statutory liability for damages could be any amount, as Section 43A does not specify any cap.

     By virtue of this section, there is neither a clear-cut security nor privacy policy nor protections afforded under the IT Act to data that leaves Indian shores. In India, the only statutory protection is under Section 43A, subject to the qualifications specified above, and is afforded to protected data received in India, processed in India or received from overseas processed in India.

     NEED IN INDIA

     To secure the technology boom and further innovation in India, it is crucial for India to move from a zero data protection law state to a state that affords protection to data at comparable international levels. The industry lobbies and associations have a huge role to play to emphasize this so as to eliminate the current back foot they bear that weakens their business standing in huge contracts. There needs to be in place a complete, domestic, independent data protection code that is both globally recognised as well as one that secures the interests of businesses in India.

     Until such time, companies in India that negotiate contracts overseas should effectively perceive, understand, and internalize the specifics of their contractual commitments, including the repercussions of a breach of foreign data protection obligations that they have agreed to fulfill.
  4. IN THE NEWS

     EXPEDITING REFUND OF ACCUMULATED CREDIT TO IT COMPANIES THAT EXPORT SERVICES

     The Service Tax Department of the Ministry of Finance, vide Circular No. 120/01/2010-ST, attempts to mitigate the difficulty faced by exporters of services like BPOs in claiming their refund of accumulated credit. The notification [3] clarifies the meaning of ‘inputs’ and ‘input services’ and their nexus to the exports; the refund sanctioning authorities have been mandated to decide all claims within 30 days of their receipt.

     Disclaimer

     This document is intended as a news update and is not legal advice to any person or entity. Before acting on the basis of information in this document please obtain specific legal advice that may vary per the facts and circumstances presented. Universal Legal does not accept any responsibility for losses or damages arising to any person using this information in a manner not intended by the firm.

     Where can you contact us?

     Bangalore: 302 REGENCY ENCLAVE, 4 MAGRATH ROAD, BANGALORE - 560 025. T +91 - (080) – 4123 3140. PARTNERS: Partha P Mandal, Ramesh Thyagarajan
     Chennai: 9/5, PADMANABHA NAGAR, II STREET, ADYAR, CHENNAI - 600 020. T +91 - (044) – 4218 7857. PARTNERS: Aarthi Sivanandh, Kavitha Vijay
     New Delhi: A-2, EAST OF KAILASH, NEW DELHI - 110 065. T +91 - (011) - 46581691. PARTNER: Kapil Arora
     Mumbai: 312 TURF ESTATE, SHAKTI MILL LANE, OFF DR. MOSES RD, MAHALAXMI, MUMBAI – 400011. T +91 - (022) – 4004 6647. PARTNER: Sharanya G Ranga

     Also accessible on

     AFFILIATED TO THE CHUGH FIRM

     In India The Chugh Firm is restricted for regulatory reasons (as are all international/foreign registered law firms) from practicing local law. This means that if a matter needs advice on any India law issues we will arrange for this advice to be provided and issued by Universal Legal in India.

     Los Angeles: 15925, Carmenita Road, Cerritos, CA 90703-2206. (562)2291220 | (562)2291221
     Silicon Valley: 4800, Great America Pkwy, # 310, Santa Clara, CA 95054. (408)9700100 | (408)9700200
     New Jersey: 70, Wood Avenue South, 1st Floor, Iselin, NJ 08830. (732)2058600 | (732)2058601
     Atlanta: 2310 Park lake Drive, # 525, Atlanta, GA 30345. (770)2701860 | (770)2706460