Data privacy rules enacted last month in India are alarming some US companies, which say they may be too restrictive.
The rules govern the collection and use of personal information, including banking and medical details. US and Indian business leaders worry that they add a cumbersome layer of requirements, such as obtaining written consent from customers before collecting and using data.
Google has protested some sections of the rules, which make Internet intermediaries responsible for any objectionable content, defined as “harassing,” “grossly harmful,” or “ethnically objectionable.”
The rules apply to all Indian organizations and affect multinational corporations that outsource operations to India or have back offices there.
The new measures were designed to ensure that all personal information is secure. They oblige those who handle sensitive information — passwords, bank account and credit card numbers, medical records, biometric data — to implement an elaborate technical, managerial, physical, and operational security practice and set up a dispute resolution process.
“What if some customers just say no when a request for consent is sent to them from a service provider in India that they have never heard of? Companies here cannot take that risk. They will just decide to take their business elsewhere,” said Miriam H. Wugmeister, a New York lawyer.
India’s deputy minister for information technology, Sachin Pilot, said the law addresses a long-pending demand of the IT industry for a legal framework for data protection. “We are aligning ourselves with the global best practices,” Pilot said.