1. UNIVERSAL LEGAL
ATTORNEYS AT LAW
Sector Focus
Technology
Information Technology Vol.1, January 2010
This first issue dedicated to the IT sector deals with
1. Indian Technology Companies voluntarily accept the application of Foreign Data Protection Laws
– A Business Phenomenon
2. In the News
Expediting refund of Accumulated Credit to IT Companies that Export Services
If you have comments to this article please reach sameena.c@universal-legal.com
www.chugh.com
Affiliated to The Chugh Firm, USA

2. INDIAN TECHNOLOGY COMPANIES hard to find in the current economy. This forces the hand
VOLUNTARILY ACCEPT THE APPLICATION OF of the Indian Company to accept the business sin whole
FOREIGN DATA PROTECTION LAWS – A with the entirety of obligations that accompany dealing
with sensitive data.
BUSINESS PHENOMENON
One such primary obligation is compliance with the data
In his first speech to a joint session of the US Congress
protection policies and regulations that are applicable to
on 24th February 2009, US President Barack Obama said:
the outsourcer as well as trickle down obligations from
“We will restore a sense of fairness and balance to our
other outsourcing countries. Compliance with these
tax code by finally ending the tax breaks for corporations
obligations are extremely costly, tedious and violation
that ship our jobs overseas1”.
could result in facing a tremendous liability that small and
medium scale companies in India might not be able to
The IT Outsourcing Statistics 2009/2010 Report, based
accommodate.
on a survey of more than 200 IT organisations in US and
Canada, states that “the use of offshore service providers
In this backdrop, protected data recipients in India prior
remains stable year-over-year for large organizations, but
to contracting with an overseas outsourcer should focus
appears to be growing as an option for small/midsize
on understanding the association between:
organizations. About 21% of all IT organizations now
send some work offshore2.”
i. Their contractual liability imposed by the
commercial contract executed with the outsourcer
Despite being the go-to destination for IT outsourcing and
– within the discretion of the data recipients to
consulting, the flip side entails the liability of ensuring
negotiate their obligations in the contract.
compliance with foreign laws, foreign quality standards
ii. Their statutory liability in India – mandatory
and risk management so as to offer a comfort zone to
obligation
the business partner as well as to assure protection of
data that the Indian legislations are unable to offer
CONTRACTUAL LIABILITY
effectively. Every piece of work that is outsourced to a
foreign territory carries with it the movement of
The terms and conditions of every contract are focused
‘protected data’, dealing with which is constantly
on capturing the intent of the contracting parties that are
regulated in every country from where it originates.
determined on the basis of negotiating their interest,
minimizing liability, maximizing return and capping
Each jurisdiction hosts a set of data protection laws which
indemnity.
encompass divergent privacy policies and security
procedures such as the Health Insurance Portability and
Practically, most overseas commercial contracts executed
Accountability Act (HIPAA) of 1996 and Health
with an Indian recipient, whose subject matter covers
Information Technology for Economic and Clinical Health
transfer of ‘protected data’ specifically deal with
Act (HITECH) in the US, the Directive (95/46/EC) on the
mandatory compliance of the data protection laws of the
protection of individuals with regard to the processing of
country in which the ‘protected data’ originates or the
personal data and on the free movement of such data in
data protection laws are applicable to an outsourcer. The
Europe, The Privacy Acts in Australia, The Information
reason being that the entities disbursing such data are
Technology Act in India, etc. The data protection laws of
not only statutorily bound themselves to follow security
no two countries are exactly the same in letter and spirit
procedures and privacy policies but are also mandated to
which impacts every commercial transaction involving the
ensure that the same level of compliance is followed by
movement of protected data across borders
any recipient of such data despite where they are located
or how they use such data. Therefore, the Indian
In such a scenario, from an outsourcer’s perspective,
recipient who is party to such contract may not in effect
every corporation in a foreign jurisdiction that disburses
be statutorily bound to comply with the data protection
‘protected data’ has to be in compliance with the data
laws applicable to the outsourcer but become
protection law of its home country and is also mandated
contractually bound to comply with the same.
to ensure that despite where such data travels it
continues to be subject to the same or substantially
IT companies find themselves in a position where they
adequate compliance as assured in the home country or
require the business at any cost that results in their
such the home country could slap its resident corporation
diminished negotiating power. However, companies are at
with heavy statutory liabilities.
fault for not seeking to understand the nuances of foreign
security and privacy compliance requirements and are
From the perspective of an Indian recipient of protected
therefore unaware most times that the breach of these
data, in the prevailing global recessionary trend,
contractual obligations could result in a hefty contractual
companies are willing to comply with requirements of the
liability. In addition to the contractual liability, they could
outsourcer since the overseas revenue is hard earned and
1
http://www.cbsnews.com/stories/2009/02/24/politics/main4826494.shtml
2
http://www.computereconomics.com/temp/2009OutsourcingSample.pdf

3. also face statutorily liabilities in India under Section 43A person shall be punished with
of the Information Technology Act detailed below. imprisonment for a term which may
extend to three years, or with a fine
STATUTORY LIABILITY which may extend to five lakh
rupees, or with both.”
India currently has no organized law specific to data
protection on the same plane as the US’s HIPAA or the This Section can however only be attracted when secured
European Community’s Directive (95/46/EC) or the UK’s access is received with the intent to cause loss.
The Data Protection Act, 1998.
As there is currently no statutory framework governing
The only semblance to statutory data protection in India security practices and procedures, the section shifts the
is the Information Technology Act, 2000 (IT Act): determination of “reasonable security practices and
procedures” to the agreement executed between the
Section 43A inserted by way of parties and a violation of such contractual obligation
amendment in 2008 to meet could result in a statutory liability for damages. This
competing data protection laws of statutory liability for damages could be any amount
other countries, states that “Where a Section 43A does not specify any cap.
body corporate, possessing, dealing
or handling any sensitive personal By virtue of this section, there is neither a clear-cut
data or information in a computer security nor privacy policy nor protections afforded under
resource which it owns, controls or the IT Act to data that leaves Indian shores. In India, the
operates, is negligent in only statutory protection is under Section 43A subject to
implementing and maintaining the qualifications specified above that is afforded to
reasonable security practices and protected data received in India, processed in India or
procedures and thereby causes received from overseas processed in India.
wrongful loss or wrongful gain to any
person, such body corporate shall be NEED IN INDIA
liable to pay damages by way of
compensation, to the person so To secure the technology boom and further innovation in
affected.” India it is crucial for India to move form a zero data
protection law state to a state that affords protection to
For the purpose of giving effect to the above section; data at comparable international levels. The industry
"reasonable security practices and procedures" means lobbies and associations have a huge role to play to
security practices and procedures designed to protect emphasize this so as to eliminate the current back foot
such information from unauthorized access, damage, use, they bear that weakens their business standing in huge
modification, disclosure or impairment, as may be contracts There needs to be in place a complete,
specified in an agreement between the parties or as may domestic, independent data protection code that is both
be specified in any law for the time being in force and in globally recognised as well as one that secures the
the absence of such agreement or any law, such interests of businesses in India.
reasonable security practices and procedures, as may be
prescribed by the Central Government in consultation Until such time, companies in India that negotiate
with such professional bodies or associations as it may contracts overseas should effectively perceive,
deem fit. understand, and internalize the specifics of their
contractual commitments including the repercussions of a
Section 72A of the Act states that breach of foreign data protection obligations that they
“Save as otherwise provided in this have agreed to fulfill.
Act or any other law for the time
being in force, any person including
an intermediary who, while
providing services under the
terms of lawful contract, has
secured access to any material
containing personal information
about another person, with the
intent to cause or knowing that
he is likely to cause wrongful loss
or wrongful gain discloses,
without the consent of the person
concerned, or in breach of a lawful
contract, such material to any other

4. IN THE NEWS Disclaimer
This document is intended as a news update and is not legal advice
to any person or entity. Before acting on the basis of information in
this document please obtain specific legal advice that may vary per
the facts and circumstances presented. Universal Legal does not
accept any responsibility for losses or damages arising to any person
EXPEDITING REFUND OF using this information in a manner not intended by the firm.
ACCUMULATED CREDIT TO IT
COMPANIES THAT EXPORT SERVICES
Where can you contact us?
The Service Tax Department of the Ministry of
Finance vide Circular No. 120/01/2010-ST Bangalore
302 REGENCY ENCLAVE, 4 MAGRATH ROAD, BANGALORE - 560 025.
attempts to mitigate the difficulty faced by
T +91 - (080) – 4123 3140
exporters of services like BPO’s in claiming PARTNERS: Partha P Mandal, Ramesh Thyagarajan
their refund of accumulated credit. The
notification3 clarifies the meaning of ‘inputs’ Chennai
and ‘input services’ and its nexus to the 9/5, PADMANABHA NAGAR, II STREET, ADYAR, CHENNAI- 600 020.
exports thereby directing the refund T +91 - (044) – 4218 7857
sanctioning authorities have been mandated to PARTNERS: Aarthi Sivanandh, Kavitha Vijay
decide all claims within 30 days of their receipt.
New Delhi
A-2, EAST OF KAILASH, NEW DELHI - 110 065
T +91 - (011) - 46581691
PARTNER : Kapil Arora
Mumbai
312 TURF ESTATE, SHAKTI MILL LANE, OFF DR. MOSES RD
MAHALAXMI, MUMBAI – 400011, +91 - (022)–4004 6647
T + 91 – (022) 40046647
PARTNER :Sharanya G Ranga
info@universal-legal.com
Also accessible on www.chugh.com
3
http://www.servicetax.gov.in/circular/st-circular10/st-circ-120-2k10.htm
AFFILIATED TO THE CHUGH FIRM
www.chugh.com
In India The Chugh Firm is restricted for regulatory reasons (as are all international/foreign registered law firms) from practicing local law. This means that if a matter
needs advice on any India law issues we will arrange for this advice to be provided and issued by Universal Legal in India.
Los Angeles: 15925,Carmenita Road, Cerritos, CA 90703-2206 :(562)2291220 | :(562)2291221
Silicon Valley: 4800,Great America Pkwy, # 310, Santa Clara, CA95054 :(408)9700100 | :(408)9700200
st
New Jersey: 70,WoodAvenue South, 1 Floor , Iselin,NJ08830 :(732)2058600 | :(732)2058601
Atlanta: 2310 Park lake Drive,# 525,Atlanta, GA30345 :(770)2701860 | :(770)2706460