Wake-up call for Indian BPOs

  We have been seeing a number of cases in the recent past, where all kinds of data misuse cases have been reported in the business process outsourcing (BPO) sector. Typically, these cases could have happened in any other jurisdiction across the world. However, in India, these cases are a wake-up call for not only the entire BPO industry, but also for all its existing and potential/future clients. There is an urgent need for ensuring that the potentiality of such instances can be reduced to the bare minimum. It would indeed be a Utopian thought to expect that there would be no instance of misuse of data of any kind whatsoever in any environment. The human mind is universal and the criminal aspect in the human psyche is prevalent in all jurisdictions. As such, the only purpose of law is to ensure that there is sufficient deterrence for people to prevent them from adopting such illegal conduct. The Indian Information Technology Act, 2000, has not defined the BPO service provider in specific terms. However, the law has given a definition to the term “network service provider”. This term has been drafted and defined in the widest possible manner to incorporate within its ambit all kinds of intermediaries. Since all the BPO companies are indeed intermediaries, who are dealing with third party information or data in their capacity as an intermediary, they all come within the ambit of a “network service provider”. Section 79 of the Indian Cyberlaw makes network service providers liable for all third party data or information made available by them in all cases barring two. This Section is primarily in the form of a clarificatory provision, as it uses the words “for the removal of doubts, it is hereby declared…” Considering the fact that Indian Cyberlaw is indeed a special law, it is clear from the cumulative reading of the law that this provision, relating to the liability of network service providers for third party data or information, is indeed a special provision and would prevail over anything inconsistent in any other law in force in India. It is not that the law does not provide any exit mechanism for network service providers from the ambit of liability for third party data or information. In fact, the Indian Cyberlaw gives a fair chance to network service providers to come out of the liability rim if they are able to prove that they had no knowledge of any contravention of the provisions of law. Alternatively, the law provides that if a network service provider proves that despite due diligence, he could not prevent the commission of any offence or contravention under the law, he is free from any kinds of liability for third party data or information made available by him. It is extremely difficult to prove non-knowledge in a court of law or in the event of a dispute. Normally, proof of non-knowledge is a very hard option to exercise. As a result, the only way forward for any network service provider, including a BPO unit, to disclaim any liability for third party data or information made available by him, is to prove that he had exercised all due diligence. Due diligence, as a concept, has not been defined in the Indian Cyberlaw. However, it goes without saying that complying with the Indian Cyberlaw would indeed come within the ambit of due diligence. BPO operations in India are already complying with various relevant laws in different target foreign jurisdictions. However, there is urgent need for added compliances under the Indian Cyberlaw. The Indian Cyberlaw has normally been perceived to be applicable for the cyber medium and companies concerning internet. However, the generic definitions and drafting of its various provisions leave no doubt that the provisions of the IT Act, 2000 are fully applicable to any entity which uses computers, computer systems or computer networks for the purposes of dealing with third party electronic information or data, whether for processing, transmitting or any other purpose. With the passage of time, foreign clients shall increasingly insist upon Indian BPO units to provide proof of the fact that they had exercised adequate due diligence within the meaning of the Indian Information Technology Act, 2000, to prevent their liability for third party data or information made available by them. This is all the more so, as under some US laws, CEOs and CFOs in that country have to certify various information security and accounting practices adopted by them when they outsource data. It is, therefore, in the best interests of the BPO sector to have documentary evidence to show that they have indeed exercised all due diligence within the meaning of the Information Technology Act, 2000.