The Government of India’s Ministry of Communications & Information Technology has issued a clarification regarding India’s new privacy regulations, known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information)

Under the Rules, which were first published on April 11, an individual’s prior written consent is required to process or disclose sensitive personal data. Outsourcing service providers in India had been concerned that it would be impossible to comply with this requirement given that they typically do not have direct contact with the individuals from whom they would need to obtain consent. The clarification states that any “body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India” is exempt from the requirement to obtain consent.

Accordingly, Indian outsourcing service providers will not need to obtain consent from individuals before processing their data, regardless of whether the outsourcing services are provided to companies based in India or abroad. The Rules will apply only to Indian companies that obtain sensitive personal data directly.