The Government of India’s Ministry of Communications & Information Technology has published three draft rules that would implement the Information Technology Act, 2000. These are: Reasonable Security Practices and Procedures and Sensitive Personal Information; Due Diligence Observed by Intermediaries Guidelines; and Guidelines for Cyber Cafe. The first two of these rules could affect international companies that provide digital services or process data in India. The comment period on the rules ends February 28, 2011.
The Reasonable Security Practices and Procedures and Sensitive Personal Information rules could impact all information processing and business processes outsourced to India. The draft rule covers user information that is processed in India no matter where that information was originally collected. The rule defines sensitive personal information broadly, and it prohibits the collection of sensitive information unless it is to be used for a lawful purpose. The rule requires adherence to traditional fair information practices related to notice, choice and access. The rule further requires that organizations implement reasonable security practices and procedures and that they document a security program to demonstrate that it includes managerial, technical, operational and physical security measures that are appropriate to the nature of the information. In the case of a data breach, the organization could be asked to demonstrate those procedures to the appropriate agency.
The Due Diligence Observed by Intermediaries Guidelines require that an intermediary notify all users of computer resources about unethical and unsafe online activity that must be avoided, and police users who engage in such activity on sites the intermediary hosts. The Guidelines also require that intermediaries themselves refrain from such activity and provide information to government agencies related to prohibited behavior.
The International Trade Administration at the U.S. Department of Commerce is aware of these pending rules. We understand that Commerce is considering submitting comments on behalf of the U.S. government.