After not addressing the flak for years from governments across the globe, the Department of Information Technology (DIT), Government of India (GoI) has introduced new rules earlier this year. Coined as the Information Technology (IT) Rules, 2011, the notification is freely available to download from the DIT website ( With more than handful new additions, I believe this move does well to address long pending issues.

Data Protection Act likely to put few BPOs out of business; help address Data Privacy concerns of cloud users

I was impressed to read through the broad list of information the act included as part of sensitive data. The DIT has also been mindful to include the clause on access of data being only restricted to what is “freely available or accessible in public domain or furnished under the Right to Information Act, 2005."

This is a brilliant move to curb illegal trafficking of data in the BPOs (both domestic and international). Given the nonchalant attitude towards data protection by many Indian BPOs and the nature of business being based on the loop holes that have traditionally existed, I believe (in theory) the rule on data protection can be limiting for many, and a few might even go out of business. This will particularly be true for the BPOs catering to the domestic business in India. This rule will also provide additional confidence for those willing to use cloud offerings but have had concerns around data privacy.

Having said the above, I would like to call out the need for stringent enforcement policies – something that has been a sticky issue for us in India – to ensure Indian citizens can make the most from this.

There are real reasons for the organizations to join

While DIT has not mandated orgs to adopt the ISO 27001, it has made it increasingly difficult for organizations to survive without it. As the clause has been designed, if an organization is found guilty of any wrong doing and does not have an ISO certification, it is liable to be prosecuted heavily. I believe DIT’s efforts to promote adoption of ISO 27001 will not only ensure the organizations are made accountable for the information security procedures they follow internally, but will also help to establish credibility with clients who understand (and respect) this certification. Having said that, this might not be a prominent point for the large Indian IT service providers who have already adopted a range of ISO certifications years ago.

Censorship or regulation?

An excerpt from the notification:

“websites shall inform users not to publish any material that is “blasphemous, would incite hatred, is ethnically objectionable, would infringe on patents, or threaten India’s unity or public order.”

The Internet community has called this censorship of Internet in the country but I’m afraid I disagree. The above clause is adequate in light of the likely issues that any irresponsible commentary can arise – particularly true for a country with so much diversity in its population! The move is largely inclined towards self-regulation and ensuring the website owner is ethically responsible for the content.

Definitions are still not crystallized, details still missing

The notification stresses that website owners must remove content if reported objectionable by any user. While this is a step in the right direction, it does poorly while offering depth on what can be defined as objectionable. By plain definition, it can also include end user reviews that many of us usually post on multiple websites. And, if the government was to get serious on this, use of tools like Twitter can also be put under strict scrutiny!

What do you think? Feel free to post below with comments, suggestions, and even criticism!