As businesses have expanded globally and evolved in scope, their relationship with their outsourcing teams has undergone a sweeping change. While price will always remain a crucial consideration, one key market development is the increased focus on the value-add and quality of product.
Increasingly, information technology outsourcing companies (IT outsourcing companies) have shifted their approach from plain basic agreements to tailored agreements which are focusing more on niche expertise in specific areas of Information Technology (IT) services and more competition driven arrangements. One common approach is the contract of IT outsourcing companies for sharing both risk and responsibilities with their clients. From a legal perspective, if a software development company intends to act as a service integrator, then a critical part of the contract will be focused on procurement related clauses. Thus, with increased specialisation in IT services, the trend is to look at multiple vendors and consider more partnerships with vendors who can offer niche expertise in specific areas.
The recent trend witnessed an increase in IT spending coupled with the scarcity of in-house engineering talent. It is believed, therefore, that businesses will see a larger share of IT teams working outside of the company.
In recent years we have seen a notable drift towards building high storage capacity devices or technological mediums along with IT outsourcing and this has proved to be a great market growth accelerator. Generally, it has been noticed that IT outsourcing vendors are introducing products which have high storage capacity specifically for applications that require large amount of data, for instance drones and other surveillance systems with video capacity. Additionally, the increasing trend of capturing high definition images and videos and the ever-increasing use of automated technologies is attracting more IT outsourcing than ever.
Further, India and other Asian nations have long been favoured as outsourcing destinations because of the availability of their affordable human resources. Therefore, the Indian market has been one of the most favourable destinations for IT outsourcing.
In India, considering the reforms in the ease of doing business, the investment in BP outsourcing (BPO) has increased rapidly. This increased investment comes on the back of a deeper engagement with vendors and, as this relationship grows, the shift in outsourcing projects from non-core segments to core business operations has also increased significantly. However, with this deeper engagement with the vendors, the lower end business functions will stabilise and the growth in the BPO is going to come from high-end and critical business functions. Today, BPOs are also using modern cloud services to ensure corporate data is consistently available, across devices and time zones, to the client organisation. This will further help them become an extension of the organisation despite geographical limitations. However, this development will necessitate an upskilling in the existing outsourcing market.
Multi-national corporations have long been the largest customers of BPO services, but the recent trend shows that even small businesses and start-ups are increasingly opting for BPO services. Start-ups, especially, have embraced telecommunications to ensure that tedious tasks, such as recruitment, can be taken up by BPOs and this has considerably helped them gain success.
Some verticals in BPO will continue to see traction. For instance, providing great customer service experiences and call centre outsourcing services are still the most popular outsourcing services, however, new trends have started emerging, more so from the technological aspect.
Customers often demand multi-channel communication and, as a result, competitive BPOs have recently started investing in tools which can provide a diverse set of social media management services, including social media monitoring and timely customer responses. This can lead to a more holistic approach towards resolving customer grievances and improved satisfaction for the outsourcing partners.
As industries are moving increasingly towards automation powered by artificial intelligence (AI), robotics and machine learning to streamline routine tasks, the outsourcing domain is going to witness some crucial changes. AI refers to the machines or the programs which are devised to execute or discharge the intelligent tasks that were meant to be done or accomplished by human beings. Further, blockchain technology refers to a decentralised network of computers which records, stores the data and displays the series of events in a chronological manner on a transparent and immutable ledger system.
Software automation is already seeing increasing investments from businesses and this will change the nature and proportion of work being outsourced. While it is estimated that software automation will lead to the replacement of BPO service providers, the actual impact is yet to be observed. Similarly, BPO service providers who get ahead of the curve and invest in software automation to keep up with the cost pressures are likely to gain benefits.
Advancement in technology is also impacting the outsourcing market in unexpected ways, with non-traditional work being outsourced. For instance, globally, the augmented reality market is growing at a very fast pace and clients are looking to leverage this technology for better customer experiences through more relevant virtual product demonstrations. Thus, the requirement for outsourcing tasks such as predictable tracking, rendering upgrades, detecting 3D objects, improving gesture recognition etc, has dramatically increased.
As outsourcing becomes more complex and involves more parties, smart contracts have jumped in the fray and enabled contracts to become more result and outcome oriented. A smart contract is a computer programme which can automate contract clauses and can ensure that certain clauses are triggered only when a set of conditions are met.
Recently in India, many organisations have piloted the use of blockchain technology to automate their transactions and have implemented a smart contract prototype to ensure accountability of their service level agreements (SLAs). However, the uptake has been slow due to the technical complexity of the product. However, with legal-tech products, which are increasing at an exponential rate, the entire scenario is expected to undergo a rapid change. Furthermore, use of blockchain technology in transactions is subject to regulations of the Reserve Bank of India (RBI) and investors must be mindful of the directions issued by RBI in this regard.
With rapidly growing digital advancement, India is opening new doors for technological trends. The demand for cloud computing has also increased significantly over the years. End-customers prefer cloud computing for data storage purposes and, because of this, outsourcing companies have a great need to employ and gain expertise in cloud platforms and their functionalities.
With more businesses operating on the cloud, security threats have become a greater concern and businesses are increasingly looking to eliminate possible threats by outsourcing their security needs. As a result, outsourcing providers have become more actively engaged in offering fully encrypted data sets as part of their services. Additionally, the functions outsourced to vendors are conducting of end-user security training and handling of end-user requests to support data security.
Another market trend is the development of Socially Responsible Outsourcing (SRO), also known as "Impact Sourcing". SRO is a technique where companies satisfy their business requirements while simultaneously maintaining the objective of achieving socially beneficial outcomes. It is concerned with maintaining service levels by employing socioeconomically disadvantaged workers in BPO centres. This also helps corporations to meet their diversity and social responsibility goals.
There is no single legislation or regulatory framework which directly governs outsourcing or outsourcing agreements in India and, because of this reason, multiple legislations are analysed separately to understand the implications of each. Key legislations are detailed below.
Indian Contract Act, 1872 (Contract Act)
The Contract Act is applicable to any contractual arrangement entered into either between Indian parties or between an Indian party and foreign party, only when such parties have mutually agreed that the arrangement is governed by Indian laws. The Contract Act provides for the elements of valid contract and remedies in case of any breach if the terms of contract. As the governing law of the contractual arrangement is Indian law, then the parties to the contractual arrangement are required to consider the terms and conditions related to consideration, warranties, indemnities and other relevant clauses where differences may arise.
Any inflow or outflow of foreign exchange into or from India is regulated by the Foreign Exchange Management Act, 1999 (FEMA), and related rules and regulations. The Department of Promotion of Industry and Industrial trade (DIPP), the Ministry of Commerce and Industry, the Government of India and the RBI amend these regulations from time to time. In the case of outsourcing, any investment, inflow or outflow of money must be analysed in accordance with the applicable provisions under the FEMA.
Companies Act 2013 (Companies Act)
Matters related to the incorporation of companies, the responsibilities of a company and the rights and duties of stakeholders are governed by the provisions of the Companies Act and rules enacted thereunder. The Companies Act regulates related party transactions, provisions related to deposits, loans and advances including inter-corporate loans, the manner of drawing up financial statements, and board and shareholder approvals. Therefore, in case of the incorporation of any company for the purpose of outsourcing activities in India, adherence to the provisions of the Companies Act is required.
Information Technology Act, 2000 (IT Act)
The IT Act is an important piece of legislation for outsourcing companies, especially for the companies dealing with data. It is very relevant for e-commerce entities which deal with online transactions, data protection and cybercrime, electronic communication and storage of information, and digital signatures. The implications under the IT Act are essential considerations when drafting an outsourcing contract in India. Further, the data protection laws of India are governed by the provisions of the IT Act and the rules enacted thereunder. In relation to this, the treatment and cross border transfer of sensitive data are major concerns for all stakeholders and is subject to the rules and regulations framed under the IT Act which prescribe certain security standards and practices that must be followed by any parties to an agreement.
Intellectual Property Rights
There are multiple legislations which govern the intellectual property rights (IPR) in India such as Copyright Act, 1957, Patents Act, 1970, Trade Mark Act, 1999, Designs Act, 2000, Geographical Indications of Goods (Registration and Protection) Act, 1999, and Semi Conductor Integrated Circuits Layout Design Act, 2000. All IPR legislations are harmonious with the provisions of the "Agreement on Trade-Related Aspects of Intellectual Property Rights, 1994" (TRIPS), to which India is a signatory. These laws are critical for any innovation-oriented company interested in outsourcing its business.
In India, there is a plethora of labour legislations which can broadly be classified into labour laws on wages, social security, industrial safety and welfare, and industrial relations. Furthermore, the applicability of labour laws in India depends on various aspects including the type of industrial or commercial activities undertaken by the business, the number of employees employed by the business and the nature of the work undertaken by the employees. As the means of doing business evolve in, the Government of India is in the process of consolidating the country's labour legislations. In this regard, the Code on Wages, 2019 has been recently enacted, consolidating the legislations on wages.
India has no specific legislation regulating outsourcing or outsourcing agreements. However, depending upon the type of industries and sectors, implications under certain sector specific legislations may arise which are summarised below.
All financial institutions are governed by the RBI. The RBI permits Indian Banks to outsource certain financial services, however, these are subject to certain restrictions issued by the RBI in “Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services”. These lay down a framework for managing the risks involved in outsourcing financial services. Broadly, core banking functions cannot be outsourced, and the liability of a given bank to its customers and the RBI cannot be diluted by way of an outsourcing contract.
In India some special regulations have been introduced to promote start-ups and these are applicable to start-ups in the area of outsourcing. The FDI Policy of India, 2017, provides consolidated rules regarding foreign investment in start-ups ensuring clarity and ease of doing business in India. However, any foreign investment in start-up companies is also governed by the Foreign Exchange Management (Transfer or Issue of Security by a Person Resident Outside India) Regulations, 2017.
Business Process Outsourcing
The Department of Telecommunications (DoT) operating under the aegis of the Ministry of Communications under the Government of India has laid down policies and guidelines that mandate companies providing call centre and other information technology enabled services using telecom resources must register as and obtain valid "other service providers" (OSP) registration. The list of companies providing call centre and other information technology-enabled services includes call centre operators, telemarketers, telebanking operators and network operation centres.
The outsourcing of e-commerce and related activities in India is generally regulated by the provisions of the IT Act. Recently, the Ministry of Electronics and IT has issued the Draft Information Technology Intermediaries Guidelines (Amendment) Rules, 2018, which intend to make internet companies accountable and secure. These draft rules have not yet come into force but provide a fair idea of the proposed regulations. They are crucial for any e-commerce company planning outsourcing services to India.
Manufacturing and Assembling
Entities looking to outsource manufacturing and assembling services must consider the applicable intellectual property rights of Indian law. Accordingly, the import of ancillary equipment, parts, spares, etc, is subject to strict rules, as laid down by the custom authorities of India. Further, issues including product liability, warranties and other regulatory liabilities can be regulated by incorporating suitable contractual provisions.
In the absence of any specific law on data processing and security, or any standalone authority for the protection of data in India, the provisions related to the protection of data and privacy are governed under the IT Act. The IT Act defines "reasonable security practices and procedures" to mean those practices and procedures designed to protect information from unauthorised access, damage and modification.
The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules), framed under the IT Act, have prescribed an exemplary standard of reasonable security practices, such as the provision of privacy and data policies to be followed by corporate entities. “Sensitive personal data and information” is defined in the SPDI Rules to include information relating to password, financial information such as bank account, credit card or debit card numbers, physical, physiological and mental health conditions, medical record and history, sexual orientation and biometric information. Regarding the handling of "personal information", the IT Act and SPDI Rules prescribe strict regulations for its collection, storage, usage, purpose of storage and disclosure to third parties. The disclosure of this information to any third party requires the clear understanding and explicit consent of the information provider.
Found under various legislations and rules, the penalties for any breach of data security laws are as follows:
An outsourcing contract should deal with the protection of confidential information, banking information and any other confidential information, specifically highlighted is data of which disclosure to or use by third parties would be damaging for the foreign outsourcing entity. The foreign outsourcing entity and outsourcing provider should be aligned when it comes to the confidentiality of sensitive content, dispute settlement and liabilities following contract termination. Parties under a contractual arrangement should try to carve out efficient and impartial arbitration clauses while maintaining confidentiality during and after dispute resolution, should it occur.
Further, strict covenants should be laid down in relation to data ownership, data transfer, data processing, data security, transfer of data upon termination of the contract and indemnity for any breach thereof. Confidential information and non-disclosure may also be made a material consideration for the purpose of the contract.
For a breach of confidentiality relating to the misuse or unauthorised disclosure of personal information, the remedy of invoking arbitration can be implemented, provided there is an arbitration clause included in the agreement. The remedy of preventing disclosure by way of injunction may also be sought by the aggrieved party. The foreign outsourcing entity and outsourcing provider can, should there be a need, agree on foreign law being the applicable law in the case of any dispute which would entail additional data protection under the laws of the outsourcing entity’s country.
Intellectual property rights over and around data defined in contracts (including inventions, know-how, works of authorship, etc) may also be protected under India's intellectual property rights laws, subject to conditions stipulated in the respective legislations. In an outsourcing contract, issues pertaining to the ownership of information and data must be clear and unambiguous. Further, incorporating an inclusive definition of ‘confidential data’ in outsourcing agreements aids in enforcing the related intellectual property rights laws appropriately. In the context of the contractual protection of data, the most relevant legislation in India is the Copyright Act, 1957. This is on par with international standards, as specified in TRIPS.
Outsourcing is a method undertaken by businesses in which they hire another company or individuals to perform few specific task(s), undertake operations or provide services to the business.
Outsourcing, therefore, constitutes of a supplier and a customer. In contemplation of outsourcing, the supplier and customer enter into contractual arrangements which are mutually beneficial.
There are multiple supplier-customer models followed in India. Although there is no one standard supplier-customer model, the most common and frequently used is direct outsourcing. Under the direct outsourcing model, the customer does not have any equity contribution and merely procures services from the supplier.
Following business models can be considered under the direct outsourcing model:
The arrangements under a direct outsourcing model are often regarded as cost-efficient for customers. However, the issues related to security of data, intellectual property rights and confidentiality require a careful consideration in order to safeguard interest of the stakeholders.
As an alternative to a direct outsourcing model, a joint venture model (JV) can be utilised. Unlike the direct outsourcing model, JV arrangement creates additional obligations on the customer. Under a JV, the customer and the supplier both become stakeholders to the outsourcing arrangement. Further, a JV ensures that the customers and suppliers can collaborate and achieve a mutual understanding based on their business requirements. Generally, a JV is considered to be ideal when the two parties intend to collaborate and set up a new entity for the outsourcing specifications and interests.
A JV can be incorporated as a new company by both the parties, the customer and the supplier, or formed by acquiring the stakes in an existing entity. Further, a JV can be formed among multiple parties and deal with different levels of outsourcing services. Essentially, a JV operates as a separate legal entity from the customers and suppliers.
Since a JV model enables the customer and the supplier to share expertise and achieve goals in an effective and collaborative manner, the JV model results in yielding multiple benefits for all parties. Advantages include: control over the management of the JV; precise and clear determination of the outsourcing services required to be supplied to the customer by the supplier; proper provisions can be made to safeguard the interest of the parties over confidentiality terms; intellectual property rights; and data protection.
Additionally, a JV model can effectually set out terms relating to the rights and obligations of the parties, respective equity participation, profit sharing mechanisms, processes of dispute resolution, and exit. However, while determining these terms and conditions under the JV arrangement, the parties should consider the implications of applicable laws. However, a JV model can also incur additional burdens on the customer since the customer is involved in management of the JV. The management of affairs of a JV by the customer includes adherence to applicable regulatory compliances.
Captive and shared structures (discussed in 3.3 Captives and Shared Services Centres) is a further model for outsourcing.
A shared or captive service centre differs from the direct outsourcing model and JV. In a shared or captive service centre, the customer can exercise full control over the supplier. Shared and captive service centres are responsible for the handing and execution of the back-office operations, which are not related to the core business activities of the customer.
Under this model, the customer and the supplier are typically related to each other and the supplier is generally a wholly owned subsidiary (WOS) of the customer. In this model, the customers and the suppliers set up a captive entity and the services are outsourced to the concerned customer thereafter. The captive entity can be incorporated as a new company by the customer or the customer can purchase the stakes in an existing entity. Incorporating a captive entity or purchasing stakes in an existing entity is subject to implications under the corporate laws of India, such as the Companies Act and existing foreign exchange management laws.
The advantages of these captive entities are multi-fold and include effective control over the outsourcing activity, concerns pertaining to confidentiality, intellectual property rights and data protection are safeguarded, customer exercises exclusive management over the resources and supplies of the outsourcing, and easy exit options for the customer. However, the arrangement under the captive models can also result in a burden of cost and management for the customer since the customer has direct responsibility over the entity which includes the adherence to all regulatory compliances under any applicable laws.
In the past decade, the use of captive and shared centres seems to have increased due to a higher level of efficiency and the economic benefits associated with them.
A customer can take measures to ensure that their interests are protected in the contractual arrangement entered between the customer and supplier.
Some basic remedies available for a breach of understanding between the parties include the initiation of arbitration proceedings, approaching courts of law for monetary relief, or enforcing specific performance of contract. However, such a remedy is dependent on the inclusion of such specific clauses in the contractual arrangement between the supplier and customer.
For instance, the contracting parties can mutually agree on the governing law of the contract, the place and seat of arbitration in case of dispute and the appointment of an arbitrator to settle any arising disputes. However, if the above-mentioned clause is not included in an arrangement then litigation remains the only remedy.
In this regard, it is pertinent to note that, typically, the parties deliberately include a private arbitration clause due to their preference for out of court settlements and in order to avoid prolonged litigation. It is interesting to note that under such clause, the parties are free to choose the rules of arbitration and are not restricted to the national arbitration laws of the country.
Additionally, as per the contractual arrangements, parties are required to tailor the clauses in a suitable manner to preserve their interests and avoid loopholes which could be misused by the other party. To this end, certain clauses can be incorporated into contractual arrangements, such as indemnity, representations and warranties, limitation of liability, intellectual property rights and confidentiality or secrecy.
These clauses are framed in such a manner that ensures the interest of the customer is safeguarded from possible misuse.
The clause of representation and warranties is made water tight to ensure that the non-defaulting party is always covered in the case of any breach of representation given by the defaulting party.
The indemnity clause, under which the customer is indemnified by the supplier, covers all acts or deeds of the supplier which cause damage to the customer, yet are not considered damages, contemplated under the agreement.
Commonly inserted is the clause of confidentiality in which the parties ensure that whatever information was shared with the other party as part of the arrangement is not shared or made public without the consent of the other party.
It is pertinent to note that the clauses are inserted in such a manner that they survive beyond the term of the agreement and ensure that the customer and their business is not jeopardised in any manner and, in turn, provides reasons to approach the relevant adjudicating authority to seek damages for breach of any a clause.
Therefore, the parties must ensure that proper party specific clauses are inserted in the agreement in a clear and crisp manner in order to ensure that the outsourcing agreement does not contain any redundant or ambiguous clauses that could be detrimental to the customer.
The termination clause in an agreement provides for the manner in which the parties to an agreement may opt to terminate the contractual relationship between them. Under all agreements, the clause regarding termination of the contract is set out by the parties by way of a pre-determined date and details certain triggering events for termination, such as termination by cause or termination by will.
In the case of termination of the outsourcing contractual arrangement by way of a pre-determined date, the parties ensure the completion of their reciprocal obligations towards each other. Upon fulfilment of the reciprocal obligations, and in the absence of novation, the contract is terminated. This termination signals the completion of the conditions for which the agreement was initially entered into.
Either party to an agreement may also terminate an agreement by cause, ie, due to the occurrence of certain events which are identified and stipulated by the customers and suppliers as a possible "cause" of termination of the contract in the contractual arrangement. Causes include:
In this manner, a definite termination procedure can be set out by the parties. Deviation from this, by either party, can result in entitling the other party the right to seek compensation. Therefore, the contracting party must ensure that the terms and conditions pertaining to the termination of the contract are effectively set out as any deviation from the determined termination procedure may result in wrongful termination.
However, if the contractual arrangement does not provide for a triggering point for termination then parties to the contract shall not be eligible invoke the termination clauses and, in an event of terminating the agreement based on a criterion not contemplated under the agreement, the non-terminating party shall have a valid ground to either initiate arbitration proceedings or approach a court of law to resolve the issue.
It must be noted, by the parties entering into an outsourcing arrangement, that the conditions pertaining to the termination are subject to the specific requirements of the business and the termination clause of each outsourcing arrangement must be vetted accordingly.
Under the contract laws of India, in the instance of a breach of a contract, the aggrieved party is entitled to seek relief from the other party. The law provides for damages sought for the instances of direct loss, including reasonably foreseeable loss, and not for indirect loss. Although the term "damages" is not defined under the contract laws of India, the meaning can be determined through judicial interpretations which confer right to claim compensation on the non-defaulting party for any breach of contract by the defaulting party.
In India, damages for such losses have been categorised into direct damages and consequential damages. Direct damages arise from a breach of the terms of the contract by one party whereas consequential damages are the loss which arises as a natural consequence of the breach of contract.
Section 73 of the Indian Contract Act, 1872, provides for compensation for loss or damage caused by breach of contract and sets out provisions for the compensation to the aggrieved party. It does not entitle any party to compensation for any indirect loss arising out of breach of terms of the contract. While ascertaining the damages, it is to be ensured that the money can substitute the loss incurred by the aggrieved party and put the aggrieved party in the same situation they would have been in should the performance of the contract have been as agreed. As a general practice, a clause of indemnity covering direct and indirect damages can be included in an agreement.
Further, loss of profit or goodwill may result in a loss to the aggrieved party. Any liabilities arising out of loss of goodwill or business are generally governed by the contractual arrangement between the parties.
However, implications under sector-specific laws, such as intellectual property rights, may also have implications. For instance, under the provisions of Trade Mark Act, 1999, wherein the usage of the trade mark as a business name identical to another party without authorisation may result in an infringement of the trade mark and could impact the goodwill of the aggrieved party. In this a situation, the aggrieved party shall become eligible to claim damages from the party infringing the trade mark and approach the suitable forum for breach, as contemplated in their contractual arrangement.
Although, there are no specific or implied terms pertaining to outsourcing contracts in India, the sector-specific guidelines must be separately considered to understand the applicability of any implied terms in the industry.
The transfer of employees in India is dependent on the contractual relationship between the employer and employee and must be in accordance to the legislative enactments contemplating the arrangements between the employer and employee.
When the employment terms are governed by the contracts entered between the employer and the employee, the terms of these agreements are subject to implications under contract law and India's labour laws. It is pertinent to note that, in case of the transfer of an employee by an employer to a company within its group, the employment agreement may itself provide for such a transfer. Should this be the case, depending upon the terms and conditions of the employment agreement and the understanding between the employee and the employer, the transfer of the employee can be made effective.
However, in the case of a transfer of undertakings, where the employees are transferred to the new employer, implications under the labour laws pertaining to industrial relations, such as the Industrial Dispute Act, 1947 (IDA), may arise. When a particular employee is categorised as a "workman" under the labour laws, then the statutory compliances, as contemplated under the applicable labour laws, will have to be followed. Such compliances mandate the compulsory requirement of a notice period and payment of compensation, to be undertaken by an employer contemplating the termination of an employee subject to the rules and regulations made under the IDA and implications arising from other applicable labour laws.
Further, in the case of transfer of undertakings, the employer must ensure adherence to the compliances under the applicable labour welfare legislations, such as provisions related to employee benefit funds and gratuity.
The law governing the registration and working of trade unions is given under the Trade Unions Act of 1926 (Trade Union Act). In accordance to the Trade Union Act, a trade union typically provides a platform for employees to seek redressal of their issues by collectively bargaining with the employer about any concern in regard to the conditions of their employment and make efforts to resolve such disputes amicably by agreement rather than intimidation.
As per the Trade Union Act and other applicable laws of India, there is no specific requirement that a consultation should take place with a trade union or a "workers council" before outsourcing any activity. However, even though such consultation is not a mandatory condition, a consultation can be opted for by the parties based on the arrangement between a trade union and the employers.
Further, the labour legislations in India provide for the formation of works committee (different to a "workers council") under the IDA. The IDA was enacted to safeguard the interest of workmen (as defined therein). As regards the provisions of IDA, the works committee is a mandatory requirement for any employer employing 100 or more workmen (as defined in the IDA) on any day in the preceding twelve months. Statutorily, it is mandatory that a works committee has an equal representation of employers and workmen (as defined under the IDA) engaged in the establishment, ie, the number of representatives of workmen on the Committee shall not be less than the number of representatives of the employer.
All employers, fulfilling the above stated criteria, are statutorily responsible to ensure the formation of such works committee (in place of a "workers council") to promote an amicable relationship between employers and workmen and to safeguard the interest of the workmen.
In India, labour laws are enacted and enforced by both, the Central Government and the concerned State Government. Therefore, the applicability of the labour laws on an entity acting as a customer may attract implications under the labour laws enacted by the Central Government as well as the concerned State Government.
The Indian labour laws do not have any specific provisions under any statute contemplating the transfer of employees, except in cases of the transfer of ownership or the management of a business undertaking. The IDA has also been enacted to safeguard the interests of workmen which inter alia provides for the procedure of termination of "workman" to be undertaken by an industrial establishment.
For instance, in the case of the transfer of employees in the group companies, effective terms are typically, set out in the employment agreements and such employees are generally governed by the agreement itself. In such cases, the employees can be transferred merely by serving of a notice by the employer on the concerned employee in terms of the employment agreement.
However, in an event that the business is being transferred in an outsourcing transaction in accordance to the IDA then the company shall not be required to provide such termination notice and compensation to such workman by following conditions stipulated under the IDA.
Apart from the IDA, a supplier may also engage contract labourers to provide outsourcing services to the customers. In such a situation, the employer, ie, the supplier, shall be typically subject to the Contract Labour (Regulation and Abolition) Act 1970.
However, in case the appointment or termination of such contract labourer becomes customer dependent and all clauses governing the employment of the contract labourer are as per the instructions of the customer then the responsibility of such contract labourers shall transfer from the supplier to the customer then the customer himself will become liable to comply with the applicable legislations of India and all implications flowing from such law shall be enforced against the customer itself.
Therefore, it be noted that it is essential that the business structure and the working of an outsourcing business is analysed properly in accordance to the applicable laws of India so as to ensure that any labour law implication is not causing any excess liability on the customer or creating any excess obligation on the supplier, as the case may be.
The terms governing asset transfer are tailored based on the type of asset(s) being transferred and the purpose of the transfer. The terms are often governed by applicable laws pertaining to transfers and the contractual arrangement between the parties.
For instance, the transfer of immoveable property such as sale, mortgage and lease, are governed under the applicable immovable property laws of India. Under the property laws of India, any transfer of such immoveable property is also required to be analysed from the purview of applicable stamp legislations and the Registration Act, 1908 (Registration Act). The stamp legislations in India vary from State to State and provide for levy of stamp duty on documents evidencing transfer of immoveable properties. Similarly, the Registration Act mandates the registration of documents pertaining to certain immovable property.
In the case of transfer of moveable property, the contractual arrangement between the parties determines the terms of the arrangement. One important clause under this arrangement is the evidencing of physical delivery of the moveable property from one party to the other. However, depending on the nature of the movable property, there may be additional clauses incorporated into the agreement depending on any additional procedural requirements for a transfer. The additional provisions shall be subject to the provisions of the Contract Act, the Sale of Goods Act, 1930, the Companies Act and other similar legislations, as the case may be.
Unlike movable and immovable property, the transfer of intangible property such as patent, trademarks, software and licence (Intellectual Property Rights) are of a major concern for any customer outsourcing its service from a supplier. The customer is required to be careful of the various Intellectual Property Rights required to undertake the outsourcing transaction and ensure that it obtains exclusive, royalty-free and perpetual right on such Intellectual Property Rights from its supplier. Additionally, the customer should be not be restricted from an agreement of this kind and should be eligible to transfer Intellectual Property Rights merely by execution of an assignment deed. However, the execution of an assignment deed will be subject to applicable stamp legislations and the Registration Act. Therefore, the clauses of the agreement must be drafted in a comprehensive manner, depending on the kind of asset, cover all the possible consequences and safeguard the interest of the customer.
The year 2018-19 was a busy year for technology law and policy practitioners in India as the Government of India introduced several regulatory measures and policy initiatives that caused a significant stir and are likely have a long-term impact not only on the technology sector in India, but also outsourcing as a whole. Influenced by several global developments and local concerns, such as the Cambridge Analytica data scandal, Snowden's revelations about foreign surveillance, the ever-expanding menace of so-called fake news and misinformation and increasing concerns over the exploitation of citizens' data, the Government rolled out a number of recommendations and proposed legislative changes during this period which are expected to drastically alter the technology regulatory landscape in India.
First and foremost, is the Personal Data Protection Bill. India is, as are many countries, grappling with balancing considerations of privacy, innovation and national security when it comes to data. With over half a billion internet users, India generates huge volumes of digital data. However, it does not have an overarching legislative framework to regulate how this data can be processed without hurting the interests of its citizens. The only guidance available is in the form of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 which lay down a few basic tenets for the collection, storage and processing of certain identified categories of "sensitive personal data or information" of natural persons such as financial information and health data. Enacting the Personal Data Protection Bill in India will have a direct impact on the outsourcing sector in India, girn the obligations it attempts to implement on data processors
In 2017, India's apex court recognised the privacy of individuals as a fundamental right under the Indian Constitution and highlighted the need for a privacy legislation. In response to this, the Government set up a committee of experts (theCommittee) to look into the contours of a privacy legislation. The Committee came up with a draft Personal Data Protection Bill (Bill) after country-wide consultations, which was released in the year 2018. Subsequently, the Government conducted a series of consultations and a revised Bill is expected to be released any time soon. It is expected that the Bill will be passed in the Parliament in 2020.
If enacted in its current form, the Bill will introduce notable transformations in the way personal and sensitive personal data is processed in India and require corporates and individuals that process personal data, both in and out of outsourcing agreements, to implement certain processes and organisational measures, such as "privacy by design", in order to fulfil their obligations, much like the European Union's General Data Protection Regulation (GDPR). Personal data that has been rendered irreversibly anonymous is excluded from the ambit of the Bill.
The Bill also proposes establishing an all-new central regulatory, enforcement and adjudicatory body called the data protection authority (DPA) with the power to issue detailed codes of practices for data protection.
The main thrust of the Bill is to lay down a set of regulations under which the personal data of "data principals" (ie, data subjects) or the natural persons may be collected and details the purpose of this collection of how it may be processed by "data fiduciaries" or similar entities (ie, data controllers). Under the Bill, personal data can be processed by obtaining a lawful consent, in compliance with a law or court order, or for certain approved exemptions.
The Bill seeks to impose several other conditions on data fiduciaries in order to process personal data. One key condition is that data fiduciaries would be required to provide a notice to the data principals specifying, among other things, the various purposes for which personal data will be processed, even if the data is not collected directly from the data principal.
The Bill proposes heightened compliances for data fiduciaries who process children's personal data. These entities would be required to incorporate mechanisms for age verification and parental consent. Further, it envisages that the DPA may notify "guardian data fiduciaries", who operate commercial websites or online services directed at children or process large volumes of children's personal data. The Bill seeks to prohibit these guardian data fiduciaries from taking part in the profiling, tracking, behavioural monitoring, or targeted advertising directed at children, or undertaking other processing that may cause significant harm to children.
The DPA may also notify "significant data fiduciaries" depending on the volume of personal data they process, the sensitivity of this data, the risk of harm from processing, annual turnover, use of new technologies and other relevant factors. A data fiduciary that falls under this umbrella would need to register with the DPA and implement heightened organisational measures and higher compliance standards such as undertaking data protection impact assessments, conducting audits and maintaining records throughout the life cycle of data processing.
Another category of entities that would come under the purview of the Bill is "data processors" or entities who process data on behalf of data fiduciaries, most relevant for outsourcing agreements. The Bill provides that these entity's must be contractually engaged by data fiduciaries and can only process data in accordance with the instructions of the data fiduciaries. A data processor can involve another data processor to process personal data only with the authorisation of the data fiduciary.
In its current form, the Bill will enable India to attract more business in the outsourcing sector by putting in place a data protection regime that is on par with the highest international standards, thereby enabling India to meet standards of adequacy that have been prescribed by other jurisdictions for transferring data to India.
It is expected that the DPA will roll out codes of practice to specify the obligations of data fiduciaries and data processors in greater detail, including consent and notice requirements, transparency and accountability measures, security safeguard standards and mechanisms to respond to data breaches.
Like the GDPR, the Bill also contemplates that data principals will have certain rights vis-à-vis a data fiduciary, such as the right to request a data fiduciary to confirm whether it is processing or has processed their personal data and to provide a brief summary of this data and the processing activities undertaken with respect to it. Other rights of the data principal include the right to receive their personal data in a portable format, and the right to restrict or prevent continued disclosure of personal data by a data fiduciary in certain cases, including unlawful processing.
Under the current legal regime, there is no prohibition on cross-border flow of personal data unless it falls within specific categories of data that are required to be stored in India. However, the Bill, if enacted, would allow the Government to notify certain data as "critical personal data" that can only be processed in India. There is no guidance within the Bill or in the Committee's deliberations as to which categories of data would qualify as critical personal data.
Generally, the cross-border transfer of non-sensitive personal data is only permissible if the Government finds that the jurisdiction to which it is being transferred provides an adequate level of protection to such data. One of the most prominent requirements under the Bill is the obligation to store in India a "serving" copy of all personal data. The intention appears to be to require data fiduciaries to store a mirror copy of all personal data.
The Bill goes on to specify the situations in which categories of personal data that are not critical personal data may be transferred outside the country. For instance, if the transfer is subject to standard contractual clauses or intra-group schemes approved by the DPA, or it is to a country, or a sector within a country or a particular international organisation permitted by the Government, and the data principal has consented to such transfer, it would be permissible under the Bill. It is possible that such measures will be viewed as undesirable by other nations, which can adversely impact international trade relations, and the outsourcing sector in India in general, if other countries take similar steps to restrict flow of data into India.
In a significant departure from the current regime which lacks any serious penalties, the Bill specifies strict penalties and compensation for the contravention of its provisions. The penalty for the unlawful processing of personal data or sensitive personal data or children's personal data, non-compliance with security related provisions, or violation of cross-border transfer related provisions of the Bill may extend up to INR150 million or 4% of the total worldwide turnover of the data fiduciary for the previous financial year, whichever is higher.
Notably, significant data fiduciaries who contravene their obligations under the Bill, and any data fiduciary which fails to comply with data breach-related obligations, may be subject to a penalty of up to INR50 million or 2% of their total worldwide turnover, whichever is higher. Violation of certain provisions of the Bill, such as re-identification of data, may also result in criminal penalties. In addition to these penalties, any data principal who has suffered harm as a result of the contravention of the provisions of the Bill may seek compensation from the data fiduciary, or even the data processor in case there is culpability on their part.
The Bill discussed above requires the storage of a serving copy of all personal data to which it applies, in India and mandates the processing of "critical personal data" is undertaken only in India. Further, even data that does not fall into this category may only be transferred outside India subject to the satisfaction of specific conditions. This approach towards data storage was a result of the Committee's belief that it would go a long way towards facilitating the enforcement of the domestic data protection law in a successful manner, both for law enforcement access and in preventing foreign surveillance. The Government has been, for many years, raising concerns over the lack of access to Indian data stored in foreign servers. This demonstrable preference for data localisation is now a common trend in the Government's regulatory and policy decisions. Outsourcing from India into other jurisdictions can face a downturn if the flow of data is restricted in this manner.
Elements of localisation existed previously as well. One early example of data localisation is under the Unified License for telecom, under which all telecommunication service providers in India are prohibited from transferring any accounting or user information to any person or place outside India. Similarly, insurance laws require registered insurers to maintain all original policyholder records in India.
In the same vein, India's banking regulator, the Reserve Bank of India (RBI) issued a notification in April 2018 directing payment system providers to ensure that all data relating to payment systems operated by them is stored in a system only in India. For any foreign leg of a transaction, the data could be stored in the foreign country, if required. This data included full end-to-end transaction details and information collected, carried, and processed as part of the message or payment instruction. The directive has far reaching implications as it applies to all payment transactions, including those involving banks, payment system providers, payment gateways, intermediaries, third party vendors and any other players in a payment ecosystem. The onus of ensuring compliance is placed on the payment system provider.
This directive was silent on the legality of overseas payment processing. In June 2019, the RBI provided a much-needed clarification that payment transactions may be processed overseas, if so desired by the payment system providers. However, the complete end-to-end transaction details must be deleted from the systems abroad and brought back to India within one business day or 24 hours, whichever is earlier, and stored locally in India. The RBI also clarified that, in cross-border transactions, a copy of the domestic leg may be stored abroad. Therefore, whereas the directive created something resembling a chilling effect on the idea of outsourcing operations of payment businesses, it is now clear that, if required, payment system providers can process such data overseas, although it cannot be stored there and must be sent back to India.
Localisation also features in the Draft E-commerce Policy (Draft Policy) issued by the Government, which proposes strategies for regulating access to data, and controlling cross-border data flows. The Draft Policy envisages that data generated by users through the use of social media, e-commerce, search engines and community data (through IoT) devices, will be stored only in India and seeks to restrict the transfer of such data outside India. It also provides that any business entity that processes sensitive data in India and stores the same abroad cannot make it available to other business entities or third parties, even if the customer consents to it. Moreover, foreign regulators cannot store the data abroad without the permission of the Government. The Draft Policy is expected to be finalised in the coming months.
The mandate to store data (be it personal data or payments data or data of any other kind) in India will present the outsourcing industry in India with fresh opportunities since businesses who hitherto fore favoured overseas service providers will be encouraged to seek out Indian alternatives. It will no doubt add to the cost of compliances and cost for local storage. However, it is expected that this will increase local outsourcing and the number of data centers in India.
During its deliberations on the Bill, the Committee had recognised the need to protect non-personal data including community data and had recommended a separate consultation. The Government has also repeatedly hinted in the recent past that it was planning to regulate non-personal data.
This appeared in the discussion paper on "National Strategy for Artificial Intelligence" (AI) by the Government think tank, NITI Aayog, which spoke about the Government making the large amounts of data lying with it (such as climate data, non-strategic remote sensing data, regional language speech, soil health data etc) available for public good. It also went on to say that Indian corporates should be mandated to share their data for social good. By way of an example, the NITI Aayog said that the transportation pattern of individuals collected by service providers and aggregators could be used to create AI that can predict and manage traffic.
The Draft Policy and the National Economic Survey 2018-19 recognised the economic value of non-personal data by comparing it to a public good and a national asset over which citizens can exercise an inherent sovereign right. The Government has, through these documents, been pushing the narrative that data originating in India belongs to the Indian people as a collective and should be held in trust, on their behalf, by the Government.
In September 2019, the Government constituted a committee of experts to study various issues relating to non-personal data and to make specific suggestions for regulation of non-personal data in India. Though the scope of the discussion is unclear, the committee is set to deliberate upon a data governance framework pertaining to community as well as other forms of data and will include anonymised data, which has currently been left out of the scope of the Bill. Considering that a large number of data sets that are currently unregulated may come under the purview of regulation, it is likely that the recommendations of this committee will have a significant impact on the outsourcing sector. However, at this stage this is merely speculative, and the actual impact will depend on the final outcome of the consultation.Cloud computing has advanced by leaps and bounds into and beyond the domain of traditional outsourcing. However, cloud service providers (CSPs) are more exposed to the risks of third-party content in the digital world.
The Government has been working to set up a light-touch regulatory framework for cloud services through industry bodies. As part of this, in late October 2019 it released a consultation paper inviting stakeholder comments on registration of such industry bodies, their governance structure, thresholds for mandating CSPs to become members of industry bodies, minimum requirements of a code of conduct for the member CSPs, etc. The ongoing development of a regulatory framework for cloud services is crucial to the cloud services sector in India.
The Government has been increasingly concerned about the spread of misinformation over social media platforms and its ability to create social unrest. There have been several instances of rumours on these platforms which have led to lynching and riots. In response to this, the Government proposes to amend the safe harbour rules available to intermediaries such as social media platforms and prepared the new draft Information Technology (Intermediaries Guidelines) (Amendment) Rules, 2018 (Amendments), to update the Information Technology (Intermediary Guidelines) Rules, 2011. The definition of intermediaries is broad to enough to include service providers such as cloud service providers and certain other outsourcing service providers.
The Amendments seek to introduce new restrictions and obligations on intermediaries (such as social media companies and internet service providers) seeking to avail protection with respect to third party information. The most significant of these is a mandate for intermediaries with more than five million users in India toincorporate a company in India. Other changes proposed include requiring intermediaries to enable the tracing of an originator of information on its platform. This is significant since Indian courts are currently grappling with whether the Government can direct intermediaries who have enabled end-to-end encryption to decrypt certain information. The Amendments will also require intermediaries to deploy technology-based automated tools or mechanisms to proactively identify and remove or disable public access to unlawful information or content.
As mentioned above, Indian courts are looking into the role of intermediaries in a number of cases. These cases have been clubbed and will be heard together by the Supreme Court following the notification of the Amendments. The Government has indicated, before the Supreme Court of India, that it will notify the Amendments by 15 January 2020.
The ruling of the Supreme Court will have far reaching implications as the definition of an intermediary is very broad and includes any party receiving, transmitting, storing or processing any third-party information or providing any service with respect to that information. All kinds of service providers, search engines, online payment sites etc, are covered within this definition, including cloud storage providers. Therefore, this has a major impact on IT and IT-enabled services that have outsourced their activities to India and are considered to be intermediaries.
There have been developments in relation to Aadhaar. The Aadhaar is a unique 12-digit number issued to Indian residents, based on their biometric and demographic data. It is perhaps the world's largest biometric ID system and is managed by the Unique Identification Authority of India (UIDAI). From the time of its introduction, Aadhaar has been mired in controversy in relation to its implications for privacy rights, its constitutionality, the steps taken by the Government to enrol persons under the Aadhaar program etc. Aadhaar has been used as a means for authentication of identity, especially in the context of delivery of targeted benefits - however, its scope expanded far beyond welfare schemes. Aadhaar evolved into a default requirement for availing facilities such as banking and financial services, employment, education, and even to make regulatory filings such as tax returns.
The many negative consequences of Aadhaar prompted a series of rights-based litigation, culminating before the Supreme Court of India. In September 2018, the Supreme Court, in a landmark judgment, upheld the constitutional validity of the Aadhaar project. However, it withdrew provisions of the Aadhaar legislation that enabled private parties to use Aadhaar authentication services offered by the UIDAI under a private contract. It also struck down the mandatory requirement of linking the Aadhaar number with bank accounts and mobile numbers.
Soon after this, the Government amended the Aadhaar laws. The new laws allow Aadhaar holders to verify their identity through specified offline modes without authentication. The voluntary use of Aadhaar number in physical or electronic form for identity verification, by way of authentication or offline verification has also been expressly permitted. The entities performing authentication and offline verification are now required to adhere to higher security standards while undertaking these processes. Outsourcing service providers will now need to re-design the processes wherever they provide services relating to the Aadhaar eco-system. The civil penalties that can be imposed on non-compliant entities in the Aadhaar ecosystem, may now extend up to INR10 Million for each contravention, and in the case of continuing violations, an additional penalty of INR1 Million per day.
Other service providers (OSP) registration is required to be taken by all entities operating IT-enabled services in India. While it started out as a means to track call centres in India, its initial scope was expanded with the passing of time by executive orders to include any form of IT-enabled services. The bulk of the outsourcing sector in India, being providers of IT-enabled services, are subject to this registration requirement. Though initially intended as a light-touch regulatory framework, the lack of a centralised approach to enforcement led to different local regulators and technology-specific regulations making it a compliance heavy regime. It also prevented many players from implementing work-from-home and cloud technologies in their delivery centres, and also negatively impacted colocation models. As the sector most sensitive to OSP regulation, outsourcing had to bear the compliance burden imposed by this regime, which has weighed it down, including onerous bank guarantee and documentation requirements, high levels of scrutiny, and high costs of procuring the mandated telecom resources.
On 21 October 2019, the Telecom Regulatory Authority of India (TRAI) issued its recommendations for revising the OSP framework. The TRAI recommends limiting the applicability of the OSP registration framework to provision of voice-based services on an outsourced basis, ie, on behalf of another entity.
The TRAI also recommends the relaxation of registration requirements relating to OSPs, such that only OSPs providing voice-based services ie, using voice call or voice-based applications, would have to register. Captive contact centres, ie, entities that provide services to their own customers or employees, will be exempted from the registration requirement and OSPs providing services which are purely based on data/internet and involve no voice connectivity would be required to only go through an intimation process. The requirement of getting multiple registrations for multiple OSP centres has been done away with, and a single registration for multiple OSP centres of one company has been introduced.
Another significant recommendation is with respect to contact centre service providers (CCSP) and hosted contact centre service providers (HCCSP). These are service providers who provide call centre infrastructure such as EPABX, IVR, call handling, customer relationship management etc, through their data centers or cloud facilities. The TRAI has recommended that these service providers must be Indian companies registered with the telecom department. The TRAI goes on to provide that if the service providers are involved in resale of telecom resources to OSPs they must obtain a virtual network operator telecom license from the department.
Another significant liberalisation is with respect to the work from home permission required for the OSPs. OSPs are not permitted to allow work from home unless they submit a bank guarantee and obtain a permission. They are also required to come up with a provider provisioned VPN to the home agent location to get the permission in the first place. The cost and impractically of the provider provisioned VPN deterred most OSPs from taking the work from home permission. The TRAI has recommended to do away with the provider provision VPN requirement. The TRAI has also permitted OEMs and their agents to login remotely for equipment maintenance.
The current regime also requires OSPs to provide bank guarantees of up to INR10 Million for permissions for sharing infrastructure and work from home permission. The TRAI has recommended to do away with the bank guarantee requirement. However, strict penalties for violation of conditions relating to work from home and infrastructure are now proposed to be directly imposed under the OSP regime.
These recommendations will become law if and when implemented by the Government and it is to be seen whether all recommendations make it to the law. If implemented, these measures will enable operational flexibility and will help OSPs to increase efficiencies and will help outsourcing sector in India.
Looking ahead, 2019 is proving to be a significant year for technology regulation and policy making and, consequently, the outsourcing sector in India. The enactment of the much-awaited Personal Data Protection Bill will put in place a data protection regime for India that is in line with GDPR standards and establish India as a global leader in the data discourse. It will also provide a substantial push to the outsourcing sector given that it will help India meet adequacy standards. The Government is also undertaking a series of consultations in varied fields such as cloud computing, OTT services including video, artificial intelligence, and regulation of non-personal data. We are likely to see further legislations and policy statements around localisation, local incorporation and regulation of both personal and non-personal data.
The Residency, 7th Floor
133/1, Residency Road
Bangalore – 560 025
+91 80 4343 4646
+91 80 4343 4699www.trilegal.com