Indian outsourcing: Your data could be more at risk than your job

A top London lawyer has warned that the current trend of UK companies offshoring to locations outside the EU, such as India and China, does not absolve them from complying with their data protection obligations in the UK.

There are growing concerns that companies in Europe may be unaware that they cannot bypass their data protection obligations by sending personal data abroad, and that they should be careful to enter into proper arrangements with their offshore service partners. And David Naylor, partner at law firm Morrison & Foerster, believes these fears are not without foundation, despite rules which make it illegal.

Naylor said there are laws in place which mean companies generally cannot enter into outsourcing agreements where personal data is transferred outside Europe unless it is to a country which shares the same rigorous levels of data protection, or robust data export arrangements are in place or the individuals concerned have consented to the transfer of their data abroad. In addition, the company transferring the data must ensure that the outsourcing service provider meets other key criteria, such as guaranteeing levels of security and employee reliability.

However, he warned "if there are data controllers who think they can transfer personal data abroad and ignore UK law without potential liability, they would be entirely wrong".

Naylor is quick to point out that the blame does not lie with the governments or the workers in the countries where offshoring is taking place, such as India or China, but with companies here who think they can transfer data out of the EU purely for the purposes of escaping the laws which previously bound them.

The problem lies with detection. With so much data being transferred via so many transactions it is often difficult to spot the legitimate from the illegal. By moving operations offshore and adding a further level of complexity to this equation it is almost inevitable breaches, both deliberate and accidental, will occur.

Naylor said: "Data is flowing from country to country at incredible speeds in ever greater volumes and the ability of regulators to control that and to ensure rules are observed and laws are obeyed is far from limitless."

"It's like trying to plug a leaky dam with your fingers," he added.

And Naylor warned that fear of punishment is a poor deterrent.

"The sanctions available currently are unlikely to deter all data controllers from breaking the law," he said.