Attitudes Toward Privacy: A Comparison of India and the United States
The “right to privacy” has become a 21st century rallying cry of many industrialized nations around the world. Technological advances in most industrialized countries have increased the potential for third party access to or theft of one’s nonpublic personal information, which has resulted in governmental efforts to legislate privacy protections of varying degrees. However, the unique language and cultural differences among nations contribute to cross-cultural differences in privacy expectations and in the regulatory models for privacy protection. Of particular interest are the cross-cultural differences between the U.S. and India, due to the boom in business process outsourcing (BPO) to Indian companies by U.S. companies.
A study conducted in 2004 by Carnegie Mellon University (the “Study”) reveals that privacy perceptions differ greatly between Indians and Americans. According to some sources, India controls 44% of the global outsourcing market of software and back-office services. U.S. companies constitute one of the largest blocs of clients of the BPO industry. As a result, cross-border transfers of personal information from other countries, and the U.S. in particular, into India have raised questions about the ability of Indian companies to adequately protect this information. Indian employees have access to a wealth of personal information about customers of foreign companies. They handle tasks such as transcribing of medical records, processing of credit card applications and bills, handling of mortgage loan applications, and reviewing of insurance claims. Many countries, such as Canada and member countries of the European Union, have laws that require protective measures be applied with the cross-border transfer of personal information belonging to their citizens. And while at this time no U.S. law prohibits the cross-border transfer of the personal information of U.S. citizens, U.S. companies are increasingly being required to comply with industry-specific laws enacted by the U.S. Congress as well as state laws, in both cases that regulate the use and transfer of customers’ personal information. Additionally, multinational U.S. companies are required to provide adequate safeguards, as determined by the European Union, or obtain EU Safe Harbor designation, when engaging in cross-border transfer of the data of citizens of EU countries.
Questions have arisen about the ability of Indian companies to protect personal information transferred to India under BPO services contracts, and, more importantly, the effectiveness of that protection. As yet, India has not adopted any privacy protection legislation, despite the efforts of the Indian Ministry of Information Technology and the National Association of Software and Service Companies (NASSCOM), two powerful players in India’s BPO industry. In 2004, these agencies drafted a data protection law that was intended to amend the Information Technology Act of 2000, which lacks any protections for sensitive personal information. However, their efforts were not successful, and no such legislation was enacted. Further, India has no agency equivalent to the U.S. Federal Trade Commission to issue, administer, and enforce data privacy rules.
Several reasons have been offered as explanation for why the Indian legislature has not been motivated to enact data privacy legislation: 1) its history does not contain many incidents of privacy breaches; 2) there is not serious resentment in India toward a centralized government; 3) given the population density, privacy is not a great concern; and 4) identity theft has not been a problem in India.
Some similarities do exist between the legal approach to protecting the right to privacy in the U.S. and in India. For example, neither the U.S. nor the Indian constitution expressly recognizes a right to privacy. The case law of both countries has acknowledged a right to privacy derived from constitutional rights to free speech and other constitutional rights. Further, both countries rely in large part upon self-regulatory efforts by industry groups to protect personal information. However, the U.S. and Indian approaches diverge because the U.S. has enacted various laws regulating certain industries and affording protection to certain types of personal information.
Thus, Indian companies operate without specific legal or regulatory requirements related to personal information privacy protection, other than those imposed by contract. Depending on the specificity of the contractually-mandated privacy protections, the degree of protections will vary considerably from company to company, and perhaps from client to client.
Even where Indian companies have undertaken security precautions, other internal problems can impact the effectiveness of those precautionary measures. Business corruption continues to be a perceived problem in India, affecting the level of confidence by foreign companies in Indian BPOs. Infrastructure problems continue to plague business development, despite massive infrastructure building that is underway. Additionally, political risks arising out of India-Pakistan relations and nuclear missile testing, border disputes, and separatist groups also present the potential for instability.
Recognizing the need to provide assurances of privacy protection of nonpublic personal information to its foreign clients, many BPO service providers in India have engaged in self regulation, in recognition of the damage that could be inflicted on the Indian BPO industry resulting from major security abuses. Through the efforts of NASSCOM, stringent security measures have been developed and recommended to BPO service providers, such as the following:
- armed guards posted outside offices
- entry is restricted by requiring microchip-embedded swipe cards
- bags and briefcases are prohibited in the work area
- key information, such as passwords, is encrypted and unseen by employees
- employees are monitored via closed-circuit television
In addition, NASSCOM has been active in establishing cyber crime sections within police departments, and has commissioned the creation of a national database of call center workers so employers can more easily obtain a security risk check for potential employees.
Nevertheless, the standards by which any such requirements are implemented must be viewed in light of the general attitudes of the Indian employees towards personal privacy. Such attitudes inform the employees’ behavior and conduct and can greatly impact the effectiveness of contractual privacy protection mandates.
The Study is instructive for understanding how employees of Indian service providers view the sensitivity of private data, and their contractual responsibilities for the protection of that data. It reveals significant cultural differences that can have a substantial impact on the degree of care towards personal information exercised by employees of Indian BPO companies.
Generally, Indian culture favors extended family living arrangements, with an average of 5 persons per Indian household, compared to 2.8 persons in American households. In contrast, American culture places great importance on individuality. According to the 2000 U.S. Census, 26% of all U.S. households were single-person households, which although far behind Sweden at 46%, was nevertheless substantially greater than that of India where the incidence of a single-person household is rare. Because India is a collectivist society, Indians tend to place more trust in others, and as a result there is more trust in those to whom they provide personal information.
The Study also revealed that the very concept of privacy meant different things to the Indian and American Study subjects. To the Indian subjects, “privacy” meant personal space, while the American subjects thought of “privacy” in terms of personal information. When asked what they thought of the statement, “Data security and privacy are not really a problem because I have nothing to hide,” 89% of the Indian subjects agreed, and 21% of the American subjects disagreed, revealing a marked difference in the perception of whether personal data was something valuable to be protected.
When asked specifically about computerized personal data, the Indian subjects showed a surprising lack of awareness as to the ease with which computerized personal data could be compromised or stolen. There were also striking differences in the perception of the risk of identity theft, with 21% of the Indian respondents expressing concern about identity theft, in contrast to 82% of the American respondents who were concerned.
The Study’s conclusions suggest that the expectation of personal data privacy by Indians is lower than that of Americans, and that Americans are more cognizant of the risks associated with the computerization of their personal data than their Indian counterparts. Although the demographics of the subjects of the study were generally comparable between the Indians and Americans, and the education levels of both groups were overwhelmingly post high school, the Indian subjects were less technologically knowledgeable than their U.S. counterparts. Thus, the differences in awareness of the risks to personal data associated with computerized data may be attributable to this apparent difference in technology sophistication.
In conclusion, self regulation – and compliance with contractual confidentiality requirements – will likely be approached differently in India than in the U.S., based upon the different attitudes toward privacy itself. And absent protective legislation and regulation governing Indian companies either from the U.S. (comparable to the EU Directive on Data Privacy, which employs an adequacy test or requires a “Safe Harbor” protection) or from India, it is important that U.S. companies that are outsourcing functions that require the cross-border transfer of their customers’ or employees’ personal information make a point of employing explicit contractual provisions with respect to the use and protection of the data. Detailed provisions such as descriptions of nonpublic personal information that is to be considered confidential data, how the data may be used by the Indian company, limitations on which employees may have access to the data, and expectations with respect to firewalls or other security measures to protect against unauthorized access both within and from outside the company, should all be described in great detail wherever possible. Training of employees regarding legal and ethical conduct, a requirement for insurance to cover losses arising out of security breaches, and nondisclosure agreements to be signed by employees, are also important provisions to include. Ideally, audits and reviews of the work site and training materials should be part of the due diligence process before engaging the Indian company to assure that the company has the capability to implement the requirements. Including an international arbitration provision for dispute resolution along with dictating choice of law, forum, and language can be helpful for resolving disputes in a fair and expeditious manner. 
Finally, a requirement for the adoption of the international standards of best practices of ISO/IEC on data privacy and a third party certification of compliance will provide assurances of the safeguards sought by foreign outsourcing companies.
With an understanding of the limited legal protections afforded by Indian law to nonpublic personal information, as well as the cultural differences in attitudes toward privacy between the U.S. and India, U.S. companies that outsource operations which require transfer of customer or employee data files can better protect themselves from potential data security breaches. It is important to remember that while business process outsourcing to Indian BPO companies may be economically advantageous, the contractual delegation to a third party service provider does not shift the ultimate responsibility for data protection. Outsourcing to Indian BPO companies without adequate contractual protections, and without sufficiently investigating the company’s philosophy and actual safeguards in place for maintaining the privacy of the transferred nonpublic personal data, is a risky business move.
“Privacy Perceptions in India and the United States: An Interview Study,” Ponnurangam Kumaraguru, Lorrie Faith Cranor, School of Computer Science, Carnegie Mellon University, and Elaine Newton, Engineering and Public Policy, Carnegie Mellon University; www.cs.cmu.edu/~ponguru/tprc_2005_pk_lc_en.pdf.
 “Offshore Outsourcing to India by U.S. and E.U. Companies,” Barbara Crutchfield George and Deborah Roach Gaut, 6 U.C. Davis Bus. L.J. 13 (2006).
 Id., p.13.
 Id., p.6.
 Id., p.5.
 Study, Section 4.1.
 Study, Section 4.2.
 Study, Section 4.3.