eDiscovery & Legal Document Services

Offshore Processing Data Protection


India has adopted new privacy regulations imposing obligations on any “body corporate” that “collects, receives, possesses, stores, deals or handles” personal information and will accordingly be relevant to both companies outsourcing to India as well as Indian service providers. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (adopted 11 April 2011) require companies to publish a privacy policy in connection with information collected by the company, restrict international data transfers and the processing of “sensitive personal data” and require compliance with certain security measures.

Companies are obliged to ensure that at the point of collection of any data, individuals must be made aware of the fact that, and the purpose for which, their data is being collected. Data is subject to a restriction on any processing for secondary purposes and must be processed only for the purpose for which it was collected.

In particular,  the prior written consent of an individual is required before sensitive personal data (which includes financial information such as account and card details, passwords, biometric data, physical, physiological and mental health conditions, medical records and sexual orientation) may be processed or transferred to another body corporate or person in India or abroad.

Sensitive personal information must not be disclosed to third parties without the consent of the individual, unless the disclosure is required by law, to comply with a legal obligation or by Government agencies under certain instances. For a transfer of data, the recipient entities data protection standards must be similar to those imposed by the Indian regulations and the transfer must be necessary for the performance of a contract (or the individual has otherwise consented).

Given the jurisdictional scope of the new regulations, overseas companies outsourcing to India will be required to ensure compliance with the India regulations as well as the laws of the data’s country of origin.

South Africa At present, South Africa does not have dedicated legislation addressing data protection, coverage being provided by rights to privacy under the South African Constitution and under common law. In addition, the Electronic Communications and Transactions Act 2002 provides a voluntary code in respect of personal information obtained through electronic means. At present, the European Commission does not deem South Africa’s data protection laws adequate for the purposes of data protection, with consequent restrictions imposed upon the ability to transfer data to South Africa.

The Protection of Personal Information Bill produced by the South African Law Reform Commission was introduced, in part, as a response to the EU Data Protection Directive requirements but has yet to be enacted by the South African Parliament. Accordingly, the Bill remains subject to amendment and it is therefore not clear to what extent the Bill may be changed prior to enactment (which is currently anticipated during the course of 2011). Subject to amendment in the course of enactment, the Bill has been drafted to adopt the EU data protection model and, in many respects, is similar to the United Kingdom’s Data Protection Act 1998.