Should you store in India?

Last week the Telecom Regulatory Authority of India (TRAI) came out with a comprehensive 120 pager consultation paper on 'Cloud Computing'. It sits right next to TRAI's paper on differential pricing of over the top (OTT) applications if one was to consider the number of issues that a single paper aims to address. This one covers everything from growth of cloud services in India, interoperability of data among various cloud platforms, quality of service, security of data on the cloud, government initiatives (or intervention) to promote implementation of cloud services and most importantly the legal and regulatory framework for cloud services in India.

An entire chapter is dedicated to the legal and regulatory aspects of cloud computing in the country. It begins with defining the concerns that have been identified with cloud computing services worldwide.

Data Privacy and Data Protection: Currently we do not have any procedure in place to ensure that CSPs are compliant with any data protection standards. The level of data protection available to end users is dependent on whether the cloud service is free or paid and on what is the level of data protection legislation in the location that this data is stored. Such protection is entirely at the discretion of the CSP if specific laws mandating protection of user data on the cloud are not present.

Data Ownership: In an ideal scenario rights and ownership of the data rests with the creator of such data, irrespective of where that data is stored. However, CSPs can negotiate terms that can allow for some sort of ownership over the data. The data available with CSPs can be misused for marketing or data mining purposes. This is a potential security threat to end user data and often goes unaddressed in any contractual or legal agreement at present.

Multi-jurisdiction issues: Any information on the cloud will eventually end up on some physical machine owned by a person or organization, located in a particular country. CSPs can move this data from one country to another without necessarily informing the end users. Furthermore the CSP may even sub-contract such storage and the end user may not have any control over such movement of data.

Disclosure and Cross Border movement of Data: The laws of some countries prohibit the transfer of certain type of information across geographical boundaries, for example, the USA does not allow cross border movement of tax returns or health records. On the other hand, when such data is moved to the cloud it is difficult to enforce legislations on its movement across geographical boundaries. More worrisome is the fact that such data can be accessed by governments in the country where the data resides.

Current Legal/Regulatory Framework

The paper then deep dives into the current legal framework that touches upon various aspects of the cloud computing services in the country. It accepts upfront that there is no dedicated cloud computing regulation or legislation available in the country at present, and then goes on to list down all existing laws that apply completely or partially to CSPs.

Cloud computing services come under the ambit of a colonial era legislation called The Indian Telegraph Act, 1885 as such a service sends and receives data over a closed network or the Internet, similar to sending and receiving telegraphs, according to the paper. The question as to why the TRAI is interested in regulating CSPs is answered by stating that Cloud computing falls under the ambit of 'telecommunication service' of Section 2(k) of the Telecom Regulatory Authority of India Act, 1997.

Further, the paper states that the cloud computing and virtualization service providers in the country are required to comply with various provisions of the Information Technology Act, 2000 and the Internet Intermediary Liability Rules (2011) framed under this act. Sections 43, 65, 66 and 72 of the IT Act find a detailed mention in the paper, where Sec 43 and 43 (A) along with the Reasonable Security Practices and Procedures Rules (2011) puts the responsibility of securing personal data on the person or organization handling such data. The paper interprets this as an obligation on the data intermediary to ensure that effective data protection measures are in place to prevent wrongful loss or wrongful gain by breach of data from a cloud platform. Section 72 (A) deals with penal provisions for disclosure of information by a person or organization in possession of data without the consent of the owner of this data. Sections 65 and 66 have penal provisions for tampering 'source code' and fraudulent data breach respectively. India's IT Act also has extra-territorial jurisdiction, which means that it applies to acts committed out of India by non-Indians as well. Considering the wide swath of the IT Act combined with the cross-border nature of cloud computing the paper proposes a framework that would define the new legislation and regulation for CSPs in future.

Proposed Legal and Regulatory Framework for Cloud Computing

The paper states up front that the current legislations in India may not be able to address the present and future issues arising in cloud computing services comprehensively. It maintains that the new legislation would primarily be focused on fostering and developing competition in the cloud computing market. Following measures have been proposed in the new legal/regulatory framework

Lawful Interception: Government would need to ensure that strict and vigilant lawful interception systems for law enforcement agencies are in place over the cloud computing services. These would be needed for protecting boundaries, integrity and sovereignty of the country as well as addressing national security issues. The paper however does not mention the type of law enforcement agencies that would have access to such interception abilities.

Customized Agreements for Data: CSPs would need to get into customized agreements with end users that inform them of the risks involved and mitigation measures in place for trans-border movement of data.

Data Ownership Legal Framework: CSP should safeguard the integrity of data as well as provide for easy migration of data and information to another cloud platform if needed for enhancing performance. This would also mandate the need to ensure complete deletion of user data in the existing cloud service

Cross Border movement Legal Framework: A proposed solution is to evolve a separate set of rules for cyberspace that does not cater to geographical borders

Multi-Jurisdiction Issue Legal Framework: One of the possibilities to address the issue of multiple jurisdictions is to mandate that CSPs locate their data centers within Indian geographical boundaries. Another alternative is to impose strong restriction on cross border movement of critical data like tax returns, financial transactions or health records.

The long term solution recommended is the adoption of a set of self-regulating measures by CSPs like the 'Binding Safe Processor Rules (BSPR)' based on the European Privacy Standards. The paper also recommends that the penal provisions in the present legislations need to be made more stringent with a steep rise in the fines imposed and introduction of clauses that allow of revocation of service license for organizations that repeatedly fail to prevent breach of sensitive data. The Government may also introduce licensing or operational restrictions on intermediate service providers who are involved in collection of sensitive information and transmitting it across multiple cloud platforms.

One of the positive mentions in the paper is that of a proposed 'Right to Privacy Bill' that the government plans to bring in order to give Indian citizens an entitlement-based safeguard over the privacy of their data. The chapter in question is clearly advocating for a location centric legislation and regulatory framework around the geographically dispersed cloud computing environment. Based on the responses received from the public consultation, TRAI will submit its recommendations to the Department of Telecommunications (DoT).

Will this lead to a legal/regulatory framework that provides for a conducive environment to the growth of India's Data Infrastructure or does it end up coercing multinational companies looking to tap into the tremendous growth of cloud services in India to set up physical data centers in India is the thing to watch out for in coming days.

(The author is a policy analyst in the information security and data privacy domain. The views expressed are personal.)