Indian IT and business process management companies such as Cognizant and Genpact are flagging risks related to the prospect of data protection policies in the country, saying they could impact their businesses and expose them to increased regulatory scrutiny. India is considering a draft data protection bill that suggests critical personal data of Indian users held by digital and global firms be stored and processed only in the country. The draft was part of the recommendations made by a panel on data protection led by former Supreme Court judge Justice Srikrishna. The suggestion has concerned global giants, which say the cost associated with collecting and managing the user database will be considerable.
IT and BPM firms possess data from employees and clients in the country, and stricter rules governing their location and storage could raise their costs, they have warned. “The Digital Information Security in Healthcare Act (DISH) is under consideration in India, which proposed legislation including significant penalties related to disclosure of healthcare data. Other countries have enacted or are considering enacting data localisation laws that require certain data to stay within their borders,” Cognizant said in its annual filing with the US Securities and Exchange Commission.
The DISH Act, which was discussed last year, is expected to provide for the establishment of National and State eHealth Authorities and Health Information Exchanges, and to standardise and regulate the processes related to the collection, storage, transmission and use of digital health data. This is separate from the data protection and localisation rules India is proposing. IT firms already comply with US laws governing healthcare data.
“Complying with changing regulatory requirements requires us to incur substantial costs, exposes us to potential regulatory action or litigation, and may require changes to our business practices in certain jurisdictions, any of which could materially adversely affect our business operations and operating results,” Cognizant added. Business process management company Genpact also warned about the potential impact of new rules. “Evolving laws and regulations in India protecting the use of personal information could also impact our engagements with clients, vendors and employees in India,” Genpact said in its annual filing with the SEC.
Even more concerning to the industry are the intermediary guidelines, which cover law enforcement cooperation on data and takedown requests. “Now, if you have a debate like that where (there is concern that) every state official can do anything with that data, you ask yourself why would somebody send their data to India,” said Anant Maheshwari, Microsoft India managing director. The National Association of Software and Services Companies has also flagged technology regulation as a potential risk to growth in FY20.