The Government of India has issued final privacy regulations that could make outsourcing to India difficult. The new privacy rules are tougher than the U.S. Gramm-Leach-Bliley Act or the EU Directive, and apply to any personal information, and not just that of Indian nationals but also of foreigners.

According to the Morrison & Foerster, some of the requirements are rigorous:

• A company must get written consent by letter, fax, or email for the collection of data.
• People can opt out at a later time and withdraw their consent.
• There are significant restrictions on disclosing personal data to third parties.
• When a person has given consent for the transfer of data, or it’s necessary by contract, a company can only send the data to an organization that provides the say level of security as the Indian regulations.
• People have the right to review their data and to correct it.

Some companies that outsource their back office processing services to India might move their back office services in-house or to other Asian countries or  South American countries.

Here is more on the final privacy regulations:

The new rules prescribe how personal information may be collected and used by virtually all organizations in India, including personal information collected from individuals located outside of India. Among other obligations, prior written consent will be required, without exception, to collect and use sensitive personal data. These consent requirements are far more restrictive than what is required under either the Gramm-Leach-Bliley Act or the EU Directive. As a result, U.S. and European multinational businesses that currently rely on their India-based operations or Indian outsourcing service providers to handle sales and other transaction-related calls from their U.S.- or EU-based customers (or even benefit-related calls from their U.S.- or foreign-based employees) may have to adjust their personal data collection practices to conform to Indian data protection rules, even though their current practices may comply fully with U.S. or EU privacy rules.