BPOs may not be held liable for data theft

October 29, 2005

If the government has its way, the Indian business process outsourcing industry will not be held liable for any leakage of confidential client data.

"The proposed amendments to the Information Technology Act seek to exclude BPOs from being a network service provider. This will mean that they will not be held liable for any data theft or other such offences," said an official in the Information Technology department.

The department is drafting a new IT law and hopes to table the Bill during the winter session of Parliament, scheduled to start on November 21.

Outsourcing and India: Complete Coverage

With no data protection laws in the country, the move raised serious accountability issues in the industry, said cyber law expert Pavan Duggal. But Nasscom refused to comment on the matter when contacted.

Nasscom had earlier supported a separate data protection law but did not comment on whether or not BPOs should be brought within the scope of network service providers.

Some countries are pushing India to put in place data protection laws covering the entire gamut of services, from BPOs to pharmaceuticals.

Experts said the exclusion of BPOs from the ambit of network service providers would mean that they would not be held responsible for the theft of any confidential information of foreign clients, like credit card or bank account details.

"The decision will spell disaster for the sunrise industry as dilution of the law will not provide any safeguard to foreign clients against data theft or other such violations," Duggal said.

The proposals will be finalised in a week. They will make the Indian BPO industry, which is facing competition from other low-cost destinations, unattractive for outsourcing.

Officials said the draft Bill sought to hold cyber cafes and search engines liable for data theft.