Slashdot Mirror


New Privacy Laws In Asia May Cripple Data-Centric Outsourcing

bizwriter writes "Think privacy issues are a pain when they affect consumers? Get ready for the grandfather of all corporate computing headaches. Big privacy-law changes in India and China are about to turn data-processing outsourcing into a hurdle-leaping, paperwork-generating mess."

31 of 98 comments

  1. Blah by Anonymous Coward · · Score: 5, Insightful

    From the perspective of someone who prefers their privacy I'm not seeing a problem.

    1. Re:Blah by Black+Parrot · · Score: 4, Insightful

      From the perspective of someone who prefers their privacy I'm not seeing a problem.

      Only problem I see is why we don't have laws like this. With teeth.

      Why haven't we seen an article titled "New US Law Will Cripple Data-Centric Outsourcing (and intrusive/careless management of data at home)"? And about 15 years ago?

      Oh, wait. I forgot who owns Congress. Silly me.

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Blah by yacc143 · · Score: 5, Interesting

      Well, look at it like this, when such laws become standard around the globe, and for example the EU decides to reject the US-EU data safe haven idiocy, US businesses will overload the phone system in DC to get such laws in the US too, because more and more revenue will be lost, because it will be simply illegal to use a US provider to do anything related with personal data. Until this happens I guess nothing will happen in the US on this front.

    3. Re:Blah by yacc143 · · Score: 2

      Or where a disgruntled employee has a bad day.

      Notice how the EU directive is already forcing ad networks to change how they operate (slightly I admit, but then that's what they are doing voluntarily to avoid explicit regulations/fines for their practices).

      One last thought here is that everyone needs to be able to show proof that he is legally using MS Office. And in big organizations licenses (although they might have MS site licenses) are a headache. How come that they cannot put a similar amount of energy into keeping track how they come to have my data?

    4. Re:Blah by yacc143 · · Score: 4, Informative

      More likely customers from places with privacy laws will start to offer their business to non-US providers.

      Notice that the planned Indian regulations will probably make it a "safe 3rd party country" in EU-speak, meaning that personal data can be freely transferred out of the EU to India for processing or whatever because it has a similar level of legal privacy protection. Notice that the same thing EU-US is currently possible only with massive winking, and can end overnight e.g. if the EU parliament gets pissed off enough about it.

    5. Re:Blah by countertrolling · · Score: 2

      Nonsense, tearing down the borders and allowing humans to migrate as they please will eliminate that problem, and the outsourcing issue entirely, in a New York second... The profit from trafficking comes from government restrictions on the freedom to move. This is the basic purpose borders serve today, to actually aid the slave trade, and drive down wages, etc. Every country is a kind of prison, and keeping you out is no different than keeping you in. Your passport is essentially an exit visa.

      --
      For justice, we must go to Don Corleone
    6. Re:Blah by Luckyo · · Score: 4, Informative

      Privacy laws like these have some of the same issues, in that it's impossible to perfectly follow them to the letter while still conducting business. The difference is the consequences are much higher. Since it's China and India I assume that bribing your way out is still possible, but the price is much higher and if you offer too low, you could end up dead (particularly in China).

      False. Essentially everyone here in EU follows them to the letter, and has done so for years. In some countries, well over a decade.

      The only people who cannot follow them, are either not in EU and do not want to follow EU laws, or are literally too stupid to follow them. They're actually very easy when you get an IT-admin's version of them, and very easy to follow. You do not need to be schooled in law to understand them, one hour review is enough for most people.
      As a comparison, when I was getting my security guard card for a summer job, legal rights and obligations took several days to teach and were a major part of the course.

      I'm saying this from experience, I spent several years maintaining local university's campus network as a local admin, and one of the things we got a wiki page on was privacy laws, what we're allowed to do, what we're not allowed to do, what users are allowed to do, and what users are not allowed to do.
      Interestingly, most of the stuff that opponents of privacy laws scream about as "this hinders my ability to maintain proper network management", as an admin you're actually exempt, by law. It's not a stupid piece of legislation by any means, and most certainly allows for maintaining very complex networks. You just have to actually want or feel obligated to follow the law.

    7. Re:Blah by golodh · · Score: 4, Insightful

      The proposed new rules (http://www.bnet.com/blog/technology-business/new-privacy-laws-in-india-and-china-could-make-it-outsourcing-ugly/10620) are:

      * Those that hold personal data must receive explicit consent to divulge that data to third parties.

      * There are specific restrictions "during the collection, processing, use, transfer and maintenance of personal information."

      * Personal data cannot be exported unless specifically allowed by law or government authorities.

      * A company must get written consent by letter, fax, or email for the collection of data.

      * People can opt out at a later time and withdraw their consent.

      * There are significant restrictions on disclosing personal data to third parties.

      * When a person has given consent for the transfer of data, or it's necessary by contract, a company can only send the data to an organization that provides the same level of security as the Indian regulations.

      * People have the right to review their data and to correct it.

      Reading the proposed new rules I totally fail to spot anything unreasonable. On the contrary, any bona-fide company that uses fair and transparent privacy rules will be in compliance without altering a thing about their operational procedures.

      So tell me, precisely what part of those proposed rules sounds as if it would hamper a bona-fide company from carrying out its bona-fide processing of personal data they obtained with consent?

    8. Re:Blah by St.Creed · · Score: 2

      So tell me, precisely what part of those proposed rules sounds as if it would hamper a bona-fide company from carrying out its bona-fide processing of personal data they obtained with consent?

      It would hamper bona-fide companies that wish to resell everything they know about you without restriction from doing so. Waaaah! Evil commie alert! :)

      I completely agree with you though - this seems like a fairly normal set of rules to me. If you value your privacy, that is.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  2. Are you kidding? by Anonymous Coward · · Score: 5, Insightful

    If by "Big privacy-law changes" you mean they're going to have some, then yes that will make it harder for companies to just offshore data processing to these countries and not worry about what happens. How on Earth you can try and paint that as a bad thing for those of us who actually, you know, like having privacy after our details are farmed off to some offshore data processing facility is beyond me.

    1. Re:Are you kidding? by SmurfButcher+Bob · · Score: 3, Funny

      Offshore data processing is just so Web 1.0. In the Web 2.0 world, it's "Data Rendition".

      --

      help me i've cloned myself and can't remember which one I am

  3. What's the problem? by bmo · · Score: 5, Informative

    >A company must get written consent by letter, fax, or email for the collection of data.

    Fucking awesome.

    >People can opt out at a later time and withdraw their consent.

    Fucking awesome

    >There are significant restrictions on disclosing personal data to third parties.

    Fucking awesome.

    >When a person has given consent for the transfer of data, or it's necessary by contract, a company can only send the data to an organization that provides the same level of security as the Indian regulations.
    >People have the right to review their data and to correct it.

    Fucking awesome.

    The only people who have a problem with this are the ones who are intent on anally-raping your and my personal information with no reach-around.

    So when do we get this in the States?

    --
    BMO

    1. Re:What's the problem? by Black+Parrot · · Score: 3, Insightful

      The real question when do we get a government that is more concerned about the welfare of the population than corporate profits?

      Shortly after people start voting for good government instead of knee-jerk issues or whoever promises the best combination of tax cuts and handouts for yourself.

      IOW, never.

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:What's the problem? by TheRaven64 · · Score: 2

      I suspect that India is actually doing this because they want business from the EU. The lack of such laws is the current reason why EU businesses can't outsource this stuff to US or Indian companies (except ones like Amazon that have wholly owned subsidiaries in the EU to ensure that they are covered by EU, not US, law). Now they can't outsource it to US companies, but they can to India or China.

      --
      I am TheRaven on Soylent News
    3. Re:What's the problem? by xMrFishx · · Score: 4, Informative

      That sounds very much like the UK's Data Protection Act.

    4. Re:What's the problem? by yacc143 · · Score: 2

      Not really.

      The law not only makes it illegal to transfer the data out of country (which makes that electronic access problematic), it also makes it illegal to use the data at all if you do not have the explicit consent of the person. Not much an issue for companies that want to outsource their customer handling (because they have that consent usually through the contract with their customers), but an issue for companies storing information about persons they have no reasonable interaction with.

      So in such a privacy regime it's usually quite legal to process data about Joe Doe and his new PC, but it's getting more hairy about storing the browsing history of Joe Doe, but storing Jane Doe's browsing habits who has never had business with Dell, is a definite no-go.

    5. Re:What's the problem? by yacc143 · · Score: 3, Informative

      As I said, only wording and tiny details are different from the EU data protection directive, which is as it happens the source where the UK act got cloned from.
      (The UK actually being one of the countries that do not care much about privacy, IMHO, so I guess they basically chose the most basic implementation allowed)

      Guess the sky has not fallen on the heads of the Brits yet, so one can quite well prosper with privacy.

    6. Re:What's the problem? by turbidostato · · Score: 2

      "Illegal!"

      Only it is not.

      "Their server logged your IP address"

      Which is a fair business assumption, so no need of explicit consent. *But* you will need to take care of it as the personal data it is (so you can't pass it away to a third party to process it for different purposes than proper technical web site function). No problem.

      "You then registered for a forum on that website, entering your name and email address."

      And then you are advised what those name and address are going to be used for, which is for the sole purpose you collected them to start with -accessing that forum or web site and nothing else, and ask for your consent. No problem.

      "you tried to buy something, giving out your credit card number."

      And, again, you are advised what your credit card number is going to be stored for, and reassured it is not going to be used for any other purposes but those needed to properly complete the transaction and those based on legal requirements. No problem.

      You seem to forget EU has been living under these kind of laws for more than a decade and the sky hasn't still fallen over our heads.

  4. Re:Actually, this sounds like a clever way of... by thsths · · Score: 3, Interesting

    Maybe, but I think the EU should have done this long ago. The "safe harbour" regulation, where companies in the US promise to stick to EU law, is not worth the paper it is written on. Of course the NSA, FBI, DHS and some other three letter agencies have access, and maybe even more people.

    The only way to keep data safe is to keep it under one jurisdiction. It is a sad state of affairs, but it is an accurate description of reality.

  5. Result: jettison all personal data by shoppa · · Score: 3, Insightful

    I don't see what the problem with the new laws is. They make it somewhere between uneconomical and impossible for companies to archive personal data (about me and you and others) forever without a well-defined use. What's the big deal?

    For a long time there's been the hope in every company, that if they archive every piece of personal data, including every search term I've ever used and every cookie ever in my browser and everything I've ever bought at the grocery store or drugstore while using a credit card or loyalty card, that somehow this would pay off to them monetarily. They've already been paying money and effort to store this data probably without any obvious benefit to them. If these new regulations drive home the point that there's no point in storing all that useless information because of regulatory costs, what they'll do is simply stop storing it. No problem. Their IT suddenly becomes much more efficient because they are doing useless storage and archiving. They'll probably get a higher profit margin as a result.

    It's kind of scary. At many big non-IT companies, IT costs have risen to as much as 6% to 10% of their cost of doing business. This is simply unsustainable. As IT technologies improve, IT should become a cheaper and smaller part of every company. Not get more and more expensive.

    1. Re:Result: jettison all personal data by Black+Parrot · · Score: 4, Insightful

      It's kind of scary. At many big non-IT companies, IT costs have risen to as much as 6% to 10% of their cost of doing business. This is simply unsustainable.

      Wouldn't that judgement kind of depend on how much IT is contributing to their business? If it reduces your payroll, multiplies the number of customers you can reach, allows you to give those customers faster or otherwise better service at reduced cost, and allows you to make better business decisions, 10% might be a helluva bargain.

      --
      Sheesh, evil *and* a jerk. -- Jade
  6. Re:Actually, this sounds like a clever way of... by jbolden · · Score: 3, Interesting

    Yeah I think that's great. Indian outsourcing companies are basically making it hard for companies to ever get their data back. So either they will need knowledgeable staff in the USA to pull all their data off the Indian systems or it stays in India forever.

    Good. About time US companies realize, make India your IT center you are subject to Indian IT law.

  7. This might bring some outsourced jobs back home by petes_PoV · · Score: 3, Funny

    Provided we can meet the standards of the customers in India and China

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  8. Like Jerry Seinfeld's man-bag . . . by wrencherd · · Score: 2

    . . . this seems to be European.

    The new rules outlined in TFA appear to basically ensure the level of "informational self-determination" that is supposed to be granted to EU citizens according to their court of human rights.

    In that respect it could simply be what's required to keep that kind of business coming from Europe.

  9. Re:China? by thejynxed · · Score: 2

    That's because China has one "authority" for all information to start with - the government.

    Currently, such information "control" is only a wet dream in Congress.

    --
    @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  10. Re:China? by yacc143 · · Score: 2

    Not exactly. Privacy does not exist in the US because neither the businesses nor the government wants it. The businesses like to collect whatever they want, ignoring some percentage of wrong data (so who cares that Mr. Smith cannot get a cable subscription, because of some wrong data somewhere), because it's more economical to ignore that than to allow the persons affected to correct it.

    And the government loves it because between Patriot Act, ...., and legal interpretation (e.g. emails stored on an external email server lose the expectation of privacy), the government gets access to stuff they would not be able to get normally.

  11. Re:US companies just ignore the laws by yacc143 · · Score: 2

    Simple to solve that one. Express the fine as a percentage of global revenues, like the EU does for anti-competitive practices. Notice how US companies do try to appease EU regulations in this area. Notice that the US companies most affected, e.g. ad networks, are already trying to appease the EU privacy regulations. (E.g. masking IP addresses in data collected and so on.)

  12. Before we all jump on the bandwagon by theshowmecanuck · · Score: 2

    Before we all jump on the bandwagon and cheer about how great this is, let's see how well the new laws are enforced before we get too excited. That is with respect to the Indian laws, which are already enacted or seem close to being so. As far as China goes, let's see what the actual laws are going to be, and how well they are going to be enforced.

    There are a lot of bureaucrats in both countries with deep pockets. And both of these countries are ranked pretty far up there in terms of the Corruption Perception Index. At least compared to North America and Europe. Which is why American and Canadian companies probably like doing business over there; and why European companies probably wish they could. At least North America and Europe will now be playing on the same level now... once they pay their bribes.

    --
    -- I ignore anonymous replies to my comments and postings.
  13. Re:Actually, this sounds like a clever way of... by Jah-Wren+Ryel · · Score: 2

    The only way to keep data safe is to keep it under one jurisdiction. It is a sad state of affairs, but it is an accurate description of reality.

    Bzzzt. The only way to keep data safe is to not hand it over to some other party in the first place. These laws are great and all, but the lobbyists can get them changed next year and now all of that data that people have given up under the impression of safety is fair game for full exploitation.

    --
    When information is power, privacy is freedom.
  14. When data collection is illegal... by Paul+Fernhout · · Score: 2

    ...only outlaws will have your data? :-)

    An alternative David Brin-like transparent society suggestion to make data mining go both ways:
        "The need for FOSS intelligence tools for sensemaking etc. "
        http://pcast.ideascale.com/a/dtd/76207-8319

    That said, I'm not against privacy laws... But I can wonder what the unintended consequences may be.

    For example, is HIPAA really helping make medicine better? Example:
        http://crazymer1.wordpress.com/2010/01/10/hipaa-laws-unintended-consequences/
    "Anyone whose loved one suffers from severe mental illness has most likely run smack dab into the HIPAA laws when they try to help their loved one. The way they stand right now, HIPAA Laws (Health Insurance Portability and Accountability Act of 1996) are a hindrance rather than a help for the severely mentally ill population."

    Sometimes trying to regulate into law what should be the product of a healthy life-affirming culture is not a great idea in the end. Our culture has lots of problems, including with respect for privacy, but it is not clear that laws are the best way to solve these problems.

    A big part of these problems, for example, relate to economic uncertainty if you are seen in a bad light. With something like a "basic income", privacy issues at least in some areas might not be as important. So there may be other more fundamental ways to address some of these issues. related:
        http://basicincome.iovialis.org/e00.html

    Another big issue is simply a broad imbalance of economic power, which might be addressed in part to a return to a 92% progressive tax rate, as the USA had a few decades ago in its boom years. Or, perhaps more corporate charter revocations when corporations do not put the public interest first, as used to be routine a century or two ago?

    More on 21st century enlightenment, from the RSA:
        http://www.youtube.com/watch?v=AC7ANGMy0yo

    --
    A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
  15. Re:Where's the surprise? by turbidostato · · Score: 2

    "did I mention that in practice Apache's default configuration is illegal?"

    It is not. It is only that you should consider Apache logs as containing personal data and take care of them accordingly. As long as you plan to use those logs for their obvious purpose (technical maintenance) you don't need explicit consent: it is implicit by the fact you reached them with your browser.

    "Notice how the EU has forced most (even US-based) ad networks to work around that by at least masking the last byte of the address."

    That's only half-true: ad servers collect IP addresses in order to process them as personal data (i.e. to focus their message), so they need explicit consent for collecting them: they don't get explicit consent for that, they can't collect them. Quite simple.