Legal issues related to offshore outsourcing to India

Cheap labour, more gain: a good bet?

Most developed nations in the world, especially the USA, have engaged in outsourcing a majority of their industrial and trading contracts offshore to developing countries like India to secure the benefits of inexpensive labour and cost reductions. In a world of skyrocketing resource and labour costs, this smart strategy has expanded the competitive foreign market and benefitted the source company in every way. Of the outsourcing countries that have emerged to fight it out amongst themselves, India holds the top slot. According to outsourcing provider Intercom India, outsourcing is "a specialized service wherein a responsible provider manages an entire business operation or business function including support, staffing and information technology, to improve business performance and increase shareholder value." Outsourcing has not merely emerged in a particular industry doing some intermittent work; it has marked an unimaginable growth in the last few decades. This influx of outsourcing business contracts, with the availability of highly educated labour and high production gains while paying peanuts, continues to add to the daunting picture of its unresolved legal issues. A 2010 report stated that, with the expected growth in the outsourcing business in India from 34% in 2009 to 52% in 2010, the maze of unanswered and uncontrolled legal issues concerning employment laws, intellectual property laws, data privacy and bankruptcy, multi-jurisdictional issues and the lack of any specific dispute resolution body will lead to complicated litigation. It is an unending loop forming a vicious circle: business contracts are outsourced to offshore companies, which, if they face legal issues, hand them over to law firms, whose work is in turn outsourced to the offshore market in the form of legal process outsourcing.

This paper seeks to address the legal issues incidental to offshore outsourcing to India and to answer the concerns most often raised by critics of offshore outsourcing, such as (1) potential waiver of privilege; (2) potential disclosure of sensitive or confidential information; (3) unauthorized practice of law; (4) quality control; and (5) potential conflicts. The contractual terms of an outsourcing contract, the mandates between employer and employee, and third-party benefits are the disputed areas attracting legal concern; here the main company is called the ‘outsourcer’ and the company to which the work has been outsourced is the ‘service provider’. Most companies attempt to camouflage their individual identities to evade legal liability and to avoid remitting the benefits and obligations arising out of the ‘outsourcing contracts’ towards their employees; in such cases the court must pierce the corporate veil and pull off the facade to do justice.

The Outsourcing Contract and assessing the liabilities of the parties

An outsourcing contract is international in nature and must be drafted to safeguard the interests of both parties. In going down the outsourcing route, the outsourcer company concludes an implied management and control of the IP involved in the outsourced activity and shifts the liability to the service provider, which is the one managing the outsourcing activity. Most organizations that prepare outsourcing contracts are of the mistaken belief that the terms, conditions and obligations arising out of them are similar to those of any in-house contract. Such contracts have limited or non-existent protection clauses on security and confidentiality, extent of control, auditing rights and dispute resolution mechanisms. The non-inclusion of these important clauses gives rise to a conflict with the customer, who deals directly with the service provider and is familiar with its own nation's IP laws. That would ultimately also lead to a conflict between the outsourcer and the service provider which, in the absence of clear contractual terms, will end in complicated and prolonged litigation. The parties must specify the choice of law governing the contract and also the dispute resolution mechanism. There are generally three forms for an outsourcing arrangement. [1]

The WOS, or wholly owned subsidiary, model is where the parent company owns 100% of the stock of the subsidiary company, so that the client and the service provider are directly related. This is seen mostly in R&D, where the company outsources most of its core functions but retains complete control over the activities of the service provider. [2] In case of a labour issue, this will leave the non-resident company subject to Indian Labour Laws. Further, transfer pricing regulations would be relevant when the companies are associated; they are deemed to be associated when their contractual agreement provides that:

The manufacture or processing of goods by the contractor is wholly dependent upon the use of the Intellectual Property of the client;

One enterprise, or any person specified by it, supplies and influences the prices and other conditions relating to 90% or more of the raw materials and consumables required for the manufacture or processing of goods or articles carried out by the contractor; or

When the goods or articles manufactured or processed by the contractor are sold to the client at the prices and conditions that are influenced by the client.

In such cases the income generated through such an international transaction is computed through methods of arm's length pricing. [3]

The third party model is where the company outsources only non-core functions, unlike WOS. This model raises greater concern for the protection of intellectual property rights, since Indian Patent Law does not provide for automatic assignment protection and, under Indian Copyright Law, assignment is not automatic in the case of an independent contractor. [4] Among the main issues under this model are data security, choice of law and enforcement of judgments.

The BOT model limits the tax incentive enjoyed by an Indian company, and stamp duty is applied upon any transfer of assets. In such cases, for the substantive part, the provisions of Indian Contract Law, 1872 will be applicable. This model also attracts issues of data security and confidentiality, which it is incumbent upon the parties to address in the contract, since data security is protected in Indian law through the contract entered into between the parties. If the contract contains clear provisions on data security, it instils confidence in the parties and leaves limited scope for any dispute arising out of breach of trust.

The fourth model is joint venture outsourcing where the outsourcer and the service provider have joint control over the mechanisms of the country. Here, the structure gives both the parties some sort of control and management wherein the micro non-core functions are carried out by the service provider and the daily activities are controlled by the outsourcer who is physically present in the country where the joint venture is established. Here the entry cost is assumed to be very high while the exit costs are difficult to ascertain as both the companies have an equal share in the company. [5] 

Data Security and Privacy

The outsourcing industry is an emerging and ever-growing competitive foreign market in which the contracts given by US companies to Indian service providers include the transfer of personal data for insurance claims, credit card transactions, and transcription of medical files. [6] The IT sector is expected to exceed $36 billion in annual revenue, an increase of 28%, and contribute to 4.8% of GDP. [7] The sector is on target to achieve $60 billion in export revenue by 2010. [8] In cases of legal process outsourcing or knowledge process outsourcing, this includes privileged information shared between the attorney and his client, and the legal issue involved is waiver of privilege. Critics have contended that involving third parties to review and analyze documents in litigation creates a breach of attorney-client privilege pertaining to the documents. [9] They say that the offshore legal staff employed on a temporary basis to handle such research and expertise are considered third parties to the dispute and are not licensed to practice law in the US, and thus the attorney-client privilege is at risk. [10]

In Advanced Technology Associates, Inc. v. Herley Industries [11], the court discussed the issue at length and clarified the point, cautioning that the privilege was not protected simply because access to privileged communication had been given to a third party “for the purpose of obtaining legal advice from a legal advisor.” On the contrary, “disclosure of confidential information to a non-lawyer third party for the purpose of obtaining that party’s advice on a legal matter is not protected unless the third party is a subordinate working for the attorney.”

Thus, the case suggests that any such review or observation of the documents would not be considered a breach of privilege so long as the client or legal assistant is authorised for the preparation of the case. The assistance of stenographers and agents, being indispensable to an attorney's work in the preparation of the case, is to be considered guarded under the privilege rule. Thus the protocol assumes that any such temporary legal assistance which could result in adverse consequences is to be determined a breach of privilege.

As the outsourcing market surges and its growth continues to swell, it breeds innumerable legal issues, with very poor Indian laws to address the situation. The ambiguous Indian laws on data security, breach of confidentiality and choice of appropriate jurisdiction for these international contracts have come under greater scrutiny. The absence of appropriate measures and specific legal parameters has been a setback for Indian service providers, compelling them to submit to foreign jurisdiction.

US companies have reaped high production gains and unimaginable profits by handing off most of their work to Indian companies, creating a large market for offshore outsourcing. These major contracts bring extensive returns with very little to invest in the best of Indian expertise. However, such a large business cycle involving monetary inflow comes with a price, that is, the risk factor. Recently US companies have felt threatened, as they believe that they have a duty to protect their customers against the possibility that their personal data might be misused by the employees of the foreign service providers. People who live in the U.S. have become more cognizant (and fearful) about breaches in data privacy that have resulted in identity theft because of broad newspaper and television coverage of several incidents, including hackers tapping into 40 million credit cards at Atlanta-based CardSystems, Inc. [12] So far no definite laws ensuring data security exist in India, and there has been a unanimous urge by the major service-providing companies to draft exclusive legislation to govern outsourcing contracts. Data privacy has been covered under the Information Technology Act, 2000, which has limited discussion on the protection of sensitive personal information. In the IT Act much of the emphasis is placed on cyber crimes and unauthorised access to computers. Where the civil liability covers unauthorized access and misuse of information on a computer network by a foreign entity [13], the criminal liability addresses the more serious offences of breach of confidentiality and misrepresentation. [14] It is left to the interpreters to arrive at a reasonable understanding of the law and apply it in their own case analysis. [15]
Although the Indian Ministry of Information Technology and the National Association of Software and Service Companies (NASSCOM) proposed amendments in 2004 that cover data privacy, the laws continue to remain unaltered with regard to outsourcing contracts. Through their own scheme they proposed a Self Regulatory Organization (SRO). The SRO is an independent entity entrusted with the responsibility of formulating principles to monitor the standards of privacy and security for its member companies. [16] Not only do the legal issues arise from conflicts in data security laws; there is also a marked cultural difference between the practice of law in the US and Europe and that in India. The lack of any comprehensive laws on data privacy and security has led investors to seek options amongst offshore outsourcing destinations. There still remains the question of whether, once the Indian data protection laws are made, they will pave the way for choice of forum as well. [17] With the heightened sensitivity of data and its unlawful manoeuvring, there have been major security defaults in the cases of ChoicePoint Inc. [18], the Bank of America [19] and the loss of 3.9 million Citigroup customers' data by United Parcel Service. [20]

Data protection concerns abound most in US accounting firms that outsource tax-return work to India and in medical institutions that send their hospital records for audit work and transcription. These are intricate account details that need to be handled carefully. [21] One of the major threats to American clients and customers in the case of BPO is the theft and misuse of their personal credit cards and access to their credit card details, in which case the Indian service provider can make all the required changes and sweep away a large amount of money within a span of fifteen hours, during which the American client would not even be aware of it. When investors in the US started the outsourcing business and the Indian companies took it up, they did not contemplate the undercurrent of legal issues that could arise in case of misuse and breach. Till now most outsourcing contracts are poorly drafted, with no clear clauses to fall back on. There is hardly any proper statutory or institutional recourse in law, and the affected party is left to its distress. There are several situations where US companies wish to exercise and retain complete control over the Indian service provider; sometimes, in cases of invention and patent (for example, R&D companies that fall under the WOS model), the burden of any liability arising out of breach is shifted to the Indian service providers, whereas all such benefits are enjoyed exclusively by the US companies. One can concede the ambiguity of Indian laws in the present context; however, it cannot be denied that where an Indian company takes up an outsourcing contract to manufacture a new product or develop an existing product, it has to lose its IP rights to the US outsourcers, which is unjustified. In this way the US companies not only benefit through investing in low-cost labour but also use Indian expertise and retain all credentials in their favour.

Proposed Guidelines for formulating Indian Data Protection Laws

The data security issue has become an inescapable danger, as American federal laws do not apply to Indian companies and the customers are overseas. Critics of the outsourcing business believe, however, that even if India had some form of statutory law ensuring data protection, it would be difficult for American customers and American companies to sue in Indian courts, so they would rather formulate explicit dispute resolution clauses in the contract itself, defining the choice of law. [22] However, if India were to formulate data protection laws, the guiding principle is rooted in the doctrine of the right to privacy. [23]

With the advent of automated computerized systems of doing business in the early 1970s, companies had the option of storing and disseminating a large amount of information, which was subject to data insecurity. What India has already established is its Self Regulatory Organization (SRO), as discussed earlier, which promises to provide prompt, efficient responses to industry requirements and market developments. Looking at the advantages that the SRO can bring to the Indian IT and BPO industry, NASSCOM is currently in the process of establishing the DSCI. [24] The SRO’s first initiative, the National Skills Registry (NSR), was launched in January 2006 at the India-US Information Security Summit, a joint venture between NASSCOM and the Information Technology Association of America (ITAA), which is currently in its second year. [25] There is no other organization similar to DSCI around the world. It is to generate a much more comprehensive, exclusive and accurate set of regulations for the BPO and KPO industry in India. The entire structure has been modelled in three phases; as of 2007 the first phase has been initiated and the board of directors has been set up. [26] In Mumbai the “Suraksha Setu: Know Your BPO" program was implemented, bringing Mumbai police officers to BPO operation centers in their jurisdiction. [27] NASSCOM has exposed police officers to these newly formulated policies and to the importance of data security, which is the thin silver lining to the dark clouds of previously inactive data protection laws. Very recently, NASSCOM has acknowledged the need for better laws in the light of the previous ‘sensitive data breach issues’ and the alleged misuse of information by Indian employees, and is thus working closely with the government of India towards enacting legislation for the protection of the victims. Although there have not been many incidents of Indian companies misusing or breaching the trust of their outsourcers and customers, the few since 2005 have tarnished the image of those companies, which have hardly any laws to defend themselves. For instance, in June 2005, American business outsourcers and their Indian counterparts were extremely concerned when Interpol was asked to investigate allegations that a 24-year-old worker at Infinity eSearch, a web marketing company in New Delhi, had sold information that he obtained from call centre workers at a BPO company. [28] It was further reported by an undercover British reporter from The Sun, a London tabloid newspaper, that the Infinity eSearch employee had sold him Barclays Bank account details for 1,000 U.K. customers. The account holders' secret passwords, addresses, phone numbers, and passport details were allegedly sold for 350,000 rupees (INR 350,000), which is the equivalent of around U.S. $8,000. This appalling piece of information was not only alarming for the entire outsourcing market but shook some of the great investors to the extent that they brought the Indian data protection and security laws under thorough scrutiny. The expertise of the Indian service providers and their efficiency was overshadowed and marred by such reports.
Responding to all this mud-slinging, Saurav Adhikari, Corporate Vice-President (Strategy) at HCL Technologies in India, has argued that "given the strong credentials of the Indian industry, this incident would be a blip on the BPO radar at best, and will result in the industry raising the bar." [29]

There have been several alleged incidents of mishandling of confidential information by Indian service providers, which had to undergo an unending and complicated litigation process. For example, in April 2005, the Indian police arrested several men who had worked for an MphasiS call center for Citibank, and a number of their associates, for misusing financial data and illegally withdrawing money from the Citibank accounts of New York customers. The MphasiS employees had obtained bank customers' PIN numbers and other account details, which allowed them to log into Citibank's online system and transfer approximately $350,000 - $425,000 out of the customers' accounts. [30] Further, in 2003, Indian employees who were working on medical records for Ohio's Heartland Information Services threatened to release confidential records unless they received a cash payoff from the company. [31] It has been painfully unfortunate for India to have its employees involved in a series of theft scams and money laundering activities through the misuse of trusted information. 2003, 2004 and 2005 marked the shameful dark years of the Indian outsourcing business. Again in 2003, an Indian programmer working for India's Geometric Software Solutions Company tried to sell source code from SolidWorks (its U.S. buyer) to another U.S.-based company. [32] In 2004, an Indian employee who was working at a call center in Noida, India, used an American's credit card to buy extensive electronics equipment from Sony. [33] And in 2005, a series of events similar to the incident with The Sun occurred, with the alleged sale of sensitive personal data to undercover Australian Broadcasting Corporation reporters for the equivalent of less than U.S. $8 per person. [34]

Since 2005 many Indian companies have been alarmed, and they have taken measures to build something of a ‘fortress’, as stated by Prakash Gurbaxani, C.E.O. of TransWorks Information Services (a Mumbai-based BPO and call centre company). In response to the criticism written all over US tabloids and journals, that when contracts are handed over to these offshore outsourcing developing countries it is the irresistible temptation of the vast amounts of money that drives them towards such misappropriation, Indian lawmakers in co-operation with NASSCOM have raised their guard, mandating companies to formulate strict policies and to bring in legal scholars from various jurisdictions to negotiate every clause of the outsourcing contract.

India also faces the problem that its privacy laws differ from the EU directives and US laws. Thus, what stands as a breach of confidentiality and privacy according to these directives might not be one in India. So what India's lawmakers need to do, on a very fundamental level, is to formulate a set of comprehensive laws in conformity with the above directives, to make sure that the law can reach the lawbreakers.

Existing differences between Indian Data Privacy laws, EU directives and US laws and guidelines

Scope and Difference between the Information Technology Act (IT), 2000 and EU Directives

A majority of offshore outsourcing to India comes from the US and Europe. For India to be on a level field and sustain itself among the other nations in the competitive market, Indian laws must be stabilized and amended uniformly with the federal laws of the US and the EU directives. Some of the guidelines must be adopted from the EU directives and made to conform with the US federal laws on data privacy so that, when clauses on choice of law and enforcement of awards are incorporated in the outsourcing contract, the laws of the two nations on the same offence do not stand in contradiction with each other. The current data protection laws in India are scattered mainly across intellectual property law, criminal law, cyber law and information technology law, each of which takes a different view of breach of privacy. The E.U. Directive is a comprehensive data protection law, with extraterritorial effect, that makes it mandatory for member states to establish a legal framework to protect the fundamental right to privacy with respect to the processing of personal data. [35] In India, however, there is as yet no specific legislation to govern the protection of data privacy or to answer questions on breach, unlike the EU directive, which compels each participant within its chain of command (which in the case of outsourcing contracts would run from the Director of the service-providing company to his employees) to be liable in case of breach of privacy or alteration of data. India’s existing laws have provisions limited only to computer systems in cases where one directly violates copyright laws. [36] Recently, another provision that was discussed but not yet enacted is an ‘umbrella provision’, something similar to the EU’s comprehensive and expansive directives and the USA’s sectoral arrangements.
Section 43(b) of the IT Act 2000 limits the unlawful activity to the scope of unauthorised downloading of data and infringement of copyright, unlike the EU directives, which reach out to the depth and breadth of such offences. [37] Thus, there is a mere mention of the ‘scope’ of the section but nothing of ‘an expansive object’. Further, with regard to questions of liability, section 79 of the IT Act, 2000 dilutes the liability of the offender by making it subject to words like ‘knowledge’ and ‘best efforts’ before considering it penal. [38] An intermediary like a network service provider is not considered to be offending, where he provides third-party information and is in breach, if he can prove that it was without his knowledge or intention and that he had exercised due care and diligence towards protecting the same. [39] Section 85 [40] does extend liability to key employees like managers, directors, officers and other personnel of the company for intentional and negligent breach of any provisions of the IT Act 2000; however, on questions of damages and penalty, section 43(b) limits the scope to a meagre defined amount of $220,000, which could be presumed to be inadequate in the case of a breach resulting in extensive losses. Section 66 of the Act does not clarify the position on breach and limits the penalty when personal data is lost, altered, deleted or destroyed. [41] Chapter XI provides criminal penalties for a list of criminal offences and illegal acts, but nowhere mentions anything specific as to ‘breach of sensitive and personal data’. Section 72 of the IT Act, 2000 throws some light upon matters related to breach of privacy and confidentiality and offers protection for the same. [42] One of the few differences between the provisions of the IT Act 2000 and the EU directives is that the EU directives are much more precise and have clarified all major penal provisions.
For example, the directives clearly state that the purpose of the data collection be articulated and be precise. [43]

The extraterritorial scope of the EU directives provides strict rules about whether and how a controller should transfer personal data from the E.U. to a non-E.U. country. [44] Even though the EU directives do not define an ‘adequate’ level of protection, Article 25 requires E.U. Member States to prohibit the transfer of personal data that will undergo processing in a third country if that country fails to provide "an adequate level of protection." [45] It makes supervision of the laws in force in the third country to which the transfer is to be made the required threshold for transfer. Thus, it presupposes that a private company of an EU member country shall be prohibited from making any transfer of personal data and information to India. There must be a supervising authority to determine the transfer. [46] The EU directives are considered to be the best in determining the ‘adequacy’ protection requirement, whereas the US federal laws have not yet been able to provide any comprehensive provision to meet the EU directive on ‘adequacy’. [47] It was only after two years of prolonged discussion between the US and the EU that the US formulated the Safe Harbor Principles in 2000. [48] Thus the only major shortcoming that Indian law, in reference to the IT Act, 2000, faces is the lack of a consistent ‘adequacy’ threshold, which must be incorporated to meet the standards of the EU directives and bridge the gap between the two laws. [49]

The Sector Approach in the US

The US, unlike the EU, has adopted something called the ‘sector’ approach, which is believed to administer the ‘freedom of speech’, used synonymously with the ‘free flow of information’. [50] Although the government has limited views with regard to treating the flow of information, the ‘sector’ principle has gained prominence amongst private enterprises, which are free of governmental interference. Thus, there is no omnibus federal law, as Americans seem to distrust governmental interference in private affairs; instead, there are separate federal enactments administering different issues. For instance: The Fair Credit Reporting Act [51], The Gramm-Leach-Bliley Act [52], The Health Insurance Portability and Accountability Act [53], and The Sarbanes-Oxley Act [54]. Several authors have not completely accepted the US approach and have recommended that the US adopt federal legislation parallel to the California Mandatory Disclosure law, which requires an organization to inform its customers if any of their personal data are compromised as a result of a security breach. [55] Also, the Bill introduced by Senator Clinton in 2004 proposed that the US formulate its data privacy policies along lines similar to the EU directives: "if a company wishes to transfer personally identifiable data regarding a U.S. citizen to any foreign affiliate or subcontractor, it may only do so if the receiving company is located in a jurisdiction that provides adequate protection." Thus, in accordance with the EU directives, which as discussed earlier have the best provision on ‘adequacy of protection’ and which have also been adopted by the US, India must adopt principles along similar lines and incorporate a clear definition of ‘adequacy of protection’. [56]

The OECD Privacy guidelines