State Of Data Protection In Top Outsourcing Locations

By Srishti Aishwarya Shrivastava

India still occupies the top spot amongst all outsourcing locations, based on recent research by SourcingLine, a Washington, DC-based research firm. In its top 10 list, the South Asian nation is followed by Indonesia, Estonia, Singapore, China, Bulgaria, the Philippines, Thailand, Lithuania and Malaysia. Interestingly, out of these outsourcing locations, only India, Estonia, Singapore, Bulgaria, the Philippines, Lithuania and Malaysia have a data protection law.

What is data protection law? In sum and substance, data protection law takes care of the following issues:


As far as consent is concerned, most of these countries have boilerplate provisions requiring the explicit consent of the individuals providing the information, along with a list of the information that can be collected.

The common theme running through the information to be collected is that it can be identified with an individual. Sensitive information generally includes financial information and information related to the physical and biological condition of the individual.

Accuracy Of Data

Different countries have different provisions with regard to correction of information. Singapore, the Philippines and Malaysia provide for correction of inaccurate or modified data as soon as possible at the request of the owner of the information. India has the same provision but with an added feature: a timeline of one month for the correction of information by the grievance officer, making it a more effective process.

The Philippines' data protection law has an additional provision that indemnifies the information provider for loss caused by incorrect information.

Retention Of The Data

While all the other Acts prescribe destruction of the information after usage, the Singapore Data Protection Act provides for retention of the personal information for a year.

Data Theft

All these countries limit the operation of the law to their country – showcasing a country-centric approach:


Preventive Measure

NASSCOM in India launched a National Skills Registry for IT professionals. This is intended to help employers conduct better background checks on employees by tracking certain information about employees, such as employment history.

Service providers in India are also increasingly adopting compliance programmes and comprehensive security audits, including personnel and equipment audits, to put specific checks in place to prevent misuse of sensitive information and data.

Compliance programmes include training of employees to enhance awareness of confidentiality and training for computer system managers with regard to securing computer systems, common threats to information security, access control techniques, risk assessment and management, intrusion detection, authentication and other similar issues.

Enforcement agencies in India also work with BPOs to conduct workshops that help employees improve the knowledge and skills needed to prevent and prosecute misuse of data. It should also be noted that the Data Protection Act prescribes that corporations dealing with personal data should have reasonable security standards in place.

What would happen if an employee of a service provider commits data theft?

Under Indian law, it is a punishable crime under the Information Technology Act.

What Constitutes Data Theft?

The Information Technology (Amendment) Act, 2008 defines data theft under Section 43(b) as follows: if any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network, downloads, copies or extracts any data, computer data base or information from such computer, including information or data held or stored in any removable storage medium, then it is data theft.


Punishment For Data Theft

Under the Act, Section 43(b) read with Section 66 is applicable, and Sections 379, 405 and 420 of the Indian Penal Code, 1860 are also applicable. The offence of data theft is cognisable, bailable, compoundable with the permission of the court before which the prosecution of such offence is pending, and triable by any magistrate.

Also, you can initiate civil proceedings for copyright infringement under the provisions of the Copyright Act, 1957 (“CA”) and the Specific Relief Act, 1963 (“SRA”) to prevent the misuse and dissemination of data. The penalties under these Acts can range from hefty fines and damages to temporary and permanent injunctions.

How To Enforce It?

If you’re in a company that needs to deal with an incident of data misuse or theft in India, you’d start by filing a criminal complaint with the police station that has jurisdiction over the area where the data security breach occurred.

Or you can make a criminal complaint to Cyber-Crime Cells set up by the State Police Departments. These Cyber-Crime Cells have been established specifically to investigate and prosecute cases of data theft and copyright infringement, as well as other cybercrime cases.

The employee can be made personally liable under these laws; however, the employer too can be held vicariously liable by the customer.


Malaysia does not have any data protection regulation per se. News of the acquisition of personal data belonging to others and of identity theft incidents is reported in the Malaysian media on a regular basis.

Now, all hopes with regard to data protection are pinned on its new data protection law.

Other than that, Section 378 of the Malaysian Penal Code covers theft of movable property, which can be used to cover data theft. One can also look to Section 381, which deals with theft committed by an employee.


Singapore does not have any specific data protection regulation. Nonetheless, the Data Protection Act imposes obligations on organisations to act responsibly in the collection, use and disclosure of individuals' personal data.

Also, theft is punishable under Sections 378 and 379 of the Singapore Penal Code.


The Philippines

The Philippines too does not have a law on data theft. The general definition of theft in the penal code does not seem to be wide enough to cover data theft. Again, the hope hinges on the Privacy Act. The Act creates a National Privacy Commission. The Commission is empowered to approve codes of conduct and to recommend that the Department of Justice prosecute cases and impose penalties, which could include up to six years in prison for the unauthorised processing of sensitive personal information.

Other Outsourcing Hubs

The other major outsourcing hubs such as China, Indonesia, and Thailand have not passed a data protection law yet.

These countries do not have a comprehensive legal framework to regulate the use and disclosure of personal data nor a national-level law that delineates how a company can legally collect, process and retain data together with legal remedies for specific violations. The relevant rules are scattered in diverse laws, regulations and local ordinances.