India is fast becoming one of the world’s most attractive places to do business and invest. Telecommunications, pension investments, private equity partnerships, and markets for natural resources abound in the world’s largest democracy.
In 2008, exports from Canada to India were $2.4 billion, creating a trade surplus of $200 million, according to Foreign Affairs and International Trade Canada. Canadian foreign direct investment stock in India rose nearly 25 per cent in 2008, to $801 million, while Indian investment in Canada was slightly more than $1 billion. Conversely in 2008, Canadians invested just under $1.8 billion in China, with $616 million being invested back into Canada. Canada also has a trade deficit with China of more than $32 billion.
Brazil, Russia, India, and China are known as fast-growing, emerging economies. Canada has a trade deficit with all but India, with China making up 92 per cent of the combined trade deficit in 2007. Despite exports from Canada to India rising by 35 per cent in 2008, trade with the country is far below that of other Asian superpowers and a minute fraction compared to trade with the United States.
While the 2008 numbers may seem positive, there are those who believe Canada has been slow off the mark to invest in the world’s second most populous country. Canadian companies and investors lag behind other developed nations including the U.S., the U.K., and Australia in accessing the Indian market.
Natalie Ochrym is the vice president and chief compliance officer with Sun Life Financial Inc., which has a joint venture in India and is looking at other opportunities including pensions. Speaking from experience, she says the difference in regulatory regimes may be a reason why Canada lags behind other countries doing business in India. “For example what might be regarded as a pension product clearly to a Canadian person, a Canadian participant would have a different flavour than one based in India.”
Pension investments are seen as one of the emerging markets in India. If the rules and descriptions of pension products are not clear and easily understandable to potential foreign investors, those rules may end up stunting investment. But simply writing new rules may not be enough. “India is moving itself into trying to be as transparently regulated as the other jurisdictions, because it is trying to attract foreign investment,” says Ochrym, who served as Sun Life’s general counsel in Hong Kong prior to moving into her current position in Toronto. “It is one thing putting the law on the books and it is another thing enforcing it. I think that is the challenge Indian regulators face, I mean, that is a legitimate challenge when you are governing one billion some odd people.” Part of the problem is the perception that laws are applied differently in India depending on which part of the country you are in. “It is tough to get a clear view of the laws and how they are applied because sometimes one gets the opinion that the laws are applied differently in different jurisdictions,” says Ochrym.
One of the concerns for Canadian investors is the lack of an Indian counterpart to Canada’s Personal Information Protection and Electronic Documents Act. PIPEDA provisions cover organizations and companies that collect, use, and/or disclose personal information about Canadians. The Office of the Privacy Commissioner issues guidelines for companies working within the act. So far the office has issued guidelines for methods of identifying and authenticating customers in ways that respect PIPEDA for recording of customer telephone calls, for overt video surveillance in the private sector, for surveillance of public places by police and law enforcement authorities, and for responding to privacy breaches.
In a March address to the Joint Forum for Financial Market Regulators in Toronto, assistant Privacy Commissioner Elizabeth Denham told the conference, “PIPEDA does not prohibit trans-border data flows. But it does require companies to protect the personal information in their care, even if the use of the information has been outsourced beyond Canada’s borders. PIPEDA also requires companies to inform customers that their personal information may be sent out of the country, and that while such information is out of the country, it is subject to the local laws.”
There are no specific privacy and data protection laws in India. However, various other laws exist intending to safeguard information. The Indian Information Technology Act, 2000 and Credit Information Companies Regulation Act, 2005 are two laws that seek to safeguard data.
Manjula Chawla, a corporate lawyer in India and author of the report “Overview of Data Protection Laws in India” wrote, “the lack of a comprehensive legislation pertaining to privacy and data protection has been a matter of concern. This concern has been particularly expressed by foreign companies that are doing business in India and are transmitting confidential data into the country.”
Chawla’s report also says the Indian penal code does not specifically address breaches of data piracy. However, under s. 403 of the penal code there are penalties for “misappropriation or conversion of ‘movable property’ for one’s own use.” Movable property in this context refers to “property which is not attached to anything and is not land.”
One area where defined penalties do exist is for breach of intellectual property laws under the Indian Copyright Act. The laws allow for a maximum penalty of three years in jail and fines up to $5,000 depending on the severity of the piracy.
Soma Choudhury, a lawyer with the Ogilvy Renault LLP India practice group in Toronto, says while one of the complaints about doing business in India is a lack of laws, in reality the opposite may be true.
“Some of it is also not being aware of the market. The laws exist, it is a highly-regulated regime, so it is a myth that some of the laws just don’t exist, but you’ve got to know the laws,” she says. “That’s when you partner up with the proper Indian law firms and with counsel here [in Canada] who actually understand what the foreign investment regime is. . . . Having laws in India actually isn’t a problem. The situation is there are too many laws.”
Sunny Handa, a partner at Blakes Cassels & Graydon LLP in Montreal, is co-head of both the firm’s information technology group and its India practice group. He says concerns over whether India has laws or not protecting privacy may be a bit overblown. “India is no different than other countries,” he says. “Generally you don’t want the information out, whether there are or aren’t laws. Canada has had to deal with the fact that it does live in a globalized world, and that information does move around and gets shipped offshore for processing and storage.”
Canadian Privacy Commissioner’s guidelines on protection of personal information flowing across international borders is a place counsel should start, Handa says. Those rules say there needs to be effective legal protections in place wherever the personal and private information may be shipped. “Often that is done by contracts. With anyone who is receiving the information to make sure that they fully respect the consents that have been given and, effectively the same regime that the Canadian sender of the information is respecting, but also you are going to want to make sure you do some additional diligence.”
Ochrym also believes it is important having local people in India to help guide your business. “There is a great value to being on the ground there, to get the information from your local law firm, from local people on the ground who understand the environment, and great value to talking with your partners, or talking with your counterparts over there.”
Corporate research, knowing who you are dealing with, and making sure you are partnering up with reputable companies is important. “Is it a well-established, well-known company, one of the big outsourcing houses where they take this stuff very seriously, or no one is going to be doing business with them?” Handa asks. “The interesting thing I found touring some of those facilities, whether it is telecom companies, outsourcing companies et cetera, programming houses in India, is they take physical security at the local level extremely seriously. We don’t, by contrast, yes everyone has a key card here for the door right? But the reality is we don’t have guys with guns who are in a compound area and anyone who wants to go in or out from the facility walks through a little guard house, and they are liable to get searches. They are not allowed to take in certain instruments, cameras et cetera, and it doesn’t happen here.”
The secure atmosphere is something that goes beyond the facilities all the way to the bargaining table. “Do your due diligence with who you are doing business with there,” Handa says. “Then make sure you have got the appropriate contractual protections obligating them to take steps, don’t be scared to put those in there, and be aggressive about them. You’ll find that they are probably more easily met than you think.”
India’s business process outsourcing industry is already taking steps to minimize the chances of misuse of data.
A self-regulating organization has been created to establish, monitor, and enforce privacy and data protection standards. According to Chawla’s report, and consistent with Handa’s comments, business process outsourcing companies have adopted some stringent security measures.
They include armed guards, prohibiting phone calls with friends or families while at workstations, closed-circuit monitoring of employees, and computers in workstations having no printers or devices for removable storage.
Still the best protection may be a good contract and systems to back up the contract provisions, says Ravi Shukla, counsel at Lang Michener LLP.
Shukla specializes in structuring agreements relating to technology enterprises, technology development, licensing, and transfers. He says contracts should be developed with data protection in mind, regardless of the laws of the foreign country, and when extra protection is needed technology can play a role.
“You have to buttress the legal protections,” he says. “You can’t rely on Indian statutory protection, you bake it right into your contract, you audit right, and a lot of it has to do with technical security standards and what we call a controlled environment.”
Some of those protections could include access. One of the methods is allowing companies abroad to dial-in to access information. However, the information cannot be rendered or transferred in any way.
Many of these protections would be arrived at with technology and the law being hand in glove, Shukla says. “You architect the solution and the systems in a way which are protective of the interests you are concerned about.”