• ‘Light touch regulatory’ approach adopted rather than stringent regulation of the industry.
• Industry bodies comprising cloud service providers to drive market practices, standards and code of conduct.
• Mutual Legal Assistance Treaties to be drawn up / amended with jurisdictions where cloud service providers host their services, to enable interception / access to data by law enforcement agencies.

INTRODUCTION

Cloud computing has been on the Government radar since 2012, when the National Telecom Policy, 2012 made a reference to cloud computing as a means to improve the delivery of services, participative governance, e-commerce at globally competitive prices.¹

TRAI Consultation Paper

In December 2012, the Ministry of Communications & Information Technology made a reference to The Telecom Regulatory Authority of India (“TRAI”) asking for recommendations in relation to various aspects of cloud based services. The reference was made under Section 11(1) of the Telecom Regulatory Authority of India Act, 1997.

In the meantime Ministry of Electronics and Information Technology (“MEITY”).has started implementation strategies of cloud services in Central and State Government organizations through its MeghRaj initiative² .

Somewhat belatedly after the reference, on June 10, 2016 TRAI issued a Consultation Paper on Cloud Computing (“CP”) to identify and analyze industry issues in the cloud computing sector. The CP sought inputs from the public and industry stakeholders on the proliferation of cloud computing services and the requirement (if any) for regulation in the industry. The TRAI also sought inputs on specific issues including issues relating to quality of service requirements, data security in the cloud, data portability, location of data, billing and metering concerns etc.³

One of the writers of this Hotline, had written an op-ed in relation to the CP, which can be found here.

TRAI Jurisdiction

The Department of Telecommunications (“DoT”) has the authority to establishing, maintaining and working “telegraphs” and to grant licenses for the same. The TRAI has the power to regulate ‘telecommunication services’.

The Telegraph Act 1885 defines ‘Telegraph’ as any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, radio waves or Hertzian waves, galvanic, electric or magnetic means.

The Telecom Regulatory Authority of India Act 1997 defines ‘Telecommunication Service’ as services of any description (including electronic mail, voice mail, data service, audio tax service, video tax service, radio paging and cellular mobile telephone services) which is made available to users by means of any transmission or reception of signs, signals, writing images, sounds or intelligence of any nature, by wire, radio visual or other electromagnetic fields but shall not include broadcasting services.

The TRAI may not have the power to regulate cloud computing services and its jurisdiction may be restricted to the telecom infrastructure that is connected to cloud computing service providers. TRAI/DoT may however require CSPs to obtain an ‘Other Service Provider’ registration and abide by the terms and conditions for the ‘OSP Category’ as issued by the DoT⁴.

In our view, a cloud service is really an Over The Top (“OTT”) service which utilizes a telecom resource (such as internet) and there is no reason to treat cloud services any different from other OTT services such as e-commerce platforms, video on demand platforms and messaging apps. OTT services are not regulated as telecom services, nor are these services compulsorily required to get an OSP registration (unless they fall within the definition of ‘Application Services’). Hence, TRAI may not have jurisdiction to regulate all aspects of cloud service.

TRAI Open House Discussions

On April 3, 2017 the TRAI conducted an open house discussion on the issues raised in CP (“OHD”). Industry representatives including some of the biggest technology and software companies globally and in India, including the likes of Microsoft, Amazon, Reliance Communications, Reliance Jio, Vodafone, AT&T, Oracle, etc. participated in the OHD. The participants were of a unanimous view that there was no requirement for regulatory framework for the cloud computing industry; and that excessive regulation and Government interference ‘will kill the cloud in India’. Representatives of the industry suggested a ‘light tough regulatory approach’ consisting of broad guidelines.

MEITY Guidelines for Government Use of Cloud Services

The MEITY issued guidelines⁵ on March 31, 2017 for the setting up of IT infrastructure by Indian Government departments using cloud computing technology. The new guidelines come with a specific clause stating the service provider has to store data within the country. The guidelines note that since data could be located in one or more discrete sites in foreign countries, the conditions for data location has to be mentioned in the agreement with the service provider. The guidelines also require government departments to carefully consider aspects such as information security, exit management and transitioning. Under the terms of empanelment of cloud service providers (“CSPs”), the CSP also has to maintain a strict 99.5 percent uptime.

TRAI’S RECOMMENDATIONS ON CLOUD SERVICES

The TRAI received considerable response on the issues and questions raised from various stakeholders. On August 16, 2017 TRAI published its recommendations on cloud services (“Recommendations”).

The TRAI seems to have taken a considered approach. It has suggested a light touch approach, however, at places it still appears that its intervention may be excessive, as further discussed below.

Legal & Regulatory Framework

1. A ‘light touch’ approach may be adopted to regulate cloud services.
2. The DoT may prescribe a framework for registration of CSP industry bodies, which are not for profit. There is no limitation on the number of CSP that may be registered.
3. All CSPs above a threshold value (as notified by the Government) should become a registered member of the registered industry body and accept the code of conduct prescribed by such industry body. The threshold may be based on either volume of business, revenue, number of customers etc. or a combination of all these.
4. Industry bodies may determine a fair membership fee and code of conduct of their functioning.
5. DoT may keep a watch on the functioning of the industry bodies and investigate the functioning of the body to ensure transparency and fair treatment of its members.
6. A Cloud Service Advisory Group (CSAG) may be created to function as an oversight body to oversee cloud services in India and suggest action that the Government may need to take from time to time. The CSAG would consist of representatives of State information technology departments, micro, small & medium enterprise associations, consumer advocacy groups, industry experts and representatives from law enforcement authorities.
7. DoT may issue directions, from time to time, to such industry body as and when needed to perform certain functions and procedures to be followed.
8. DoT may also withdraw or cancel registration of an industry body, in case it finds the instances of breach or non-compliance of its directions / orders issued or non-adherence to code of practices notified by it.

Proposing a ‘light touch’ regulatory approach with a strong emphasis on self-regulation through industry bodies is a welcome move by the TRAI. It also good to note that TRAI is in favour of CSP industry bodies to lead the way in terms of prescribing codes of conduct for its members to follow.

Code of Conduct

The TRAI has suggested that all CSP industry bodies create a self-regulatory Code of Conduct to govern their members and which would contain the following provisions:

1. A constitution which is fair and non-discriminatory, which facilitates the sharing of information with the Government and TRAI when required from time to time and which complies with the orders and guidelines of the Government which may be issued from time to time.
2. Membership should be open to all CSPs.
3. Voluntary creation of working groups which would deal with issues relating to standardisation of technical issues, customer grievance redressal, prescribing codes of conduct etc.
4. Setting out codes of conduct and standards relating to quality of service (QoS) requirements, billing models, data security, dispute resolution frameworks, disclosure framework and model service level agreements.

Although a light touch regulatory approach is suggested, the manner in which TRAI proposes to prescribe requirements pertaining to QoS, billing, SLAs etc. in the garb of self-regulation may still be considered to be excessive.

Data Protection

TRAI has suggested that the Government may consider enacting an overarching and comprehensive data protection law covering all sectors. Such new law should incorporate adequate protection for sensitive personal information, adopt globally accepted data protection principles as re-iterated by the Planning Commission’s Report of Group of Experts in Privacy in 2012, as well as provisions relating to cross-border transfer of data.

Issues relating to access and cross-border data transfers are likely to be addressed in the new data privacy legal regime that the MEITY is currently working on introducing towards the latter part of this year. Incidentally, a nine-judge bench of the Supreme Court of India has only a few days ago directed the Government to legislate on a data privacy framework protecting the rights of individuals’ vis-à-vis non-State players.⁶ Many issues illustrated by the judges are likely to be considered by the MEITY when deliberating on the new law, including relating to collection of big data and anonymized data in the data analytics sector.

A nine judge bench of the Supreme Court of India has indeed declare the right to privacy as a fundamental right guaranteed under the Constitution of India, and has also directed the Government to frame legislative framework for data protection wherein the right to privacy can be enforced against non-state parties as well.

Our detailed analysis of this judgment can be found here.

Interoperability and Portability

1. No regulatory intervention is necessary for interoperability and portability in cloud services at this stage. These aspects may be left to market forces. The industry body set up should be tasked to promote interoperability in the cloud services industry.
2. The industry body should also mandate a disclosure mechanism that promotes transparency regarding interoperability standards followed by CSPs.
3. The Telecommunication Standards Development Society, India (“TSDSI”) should develop cloud services interoperability standards in India.

It seems to be a positive approach by TRAI to leave issues such as interoperability and portability to market forces and industry practices, while choosing the road of minimal intervention.

Legal Framework for CSPs operating in multiple jurisdictions

To address the issue of access to data hosted by CSPs in different jurisdictions, by law enforcement agencies:

1. Robust Mutual Legal Assistance Treaties (MLATs) should be drawn up with jurisdictions where CSPs usually host their services, enabling access to data by law enforcement agencies.
2. Existing MLATs should be amended to include provisions for lawful interception or access to data on the cloud.

Jurisdiction and enforcement issues have been one of the main concerns of industry players wherein CSPs host data on cloud located outside India. The Indian Government should follow suit and draw up / revise MLATs as the case maybe, as a step of boosting confidence of Indian users availing of cloud services in which the data is located on clouds overseas.

Incentives for use of cloud network in government services

1. The Government should continue its policy to promote cloud services through cloud infrastructure projects, such as GI Cloud Meghraj, NIC cloud computing and the National eGov App Store.
2. Ministry of Micro, Small & Medium Enterprises should continue to promote adoption of information and communication technologies in this sector, including the subsidies as being done at present.⁷

This too seems to be a positive recommendation by TRAI. Whilst it seems that TRAI has taken a back seat in terms of regulating the industry, it still appears to be proactive in encouraging innovation by incentivising private players. TRAI has also taken cognizance of the challenges of interoperability and competition among cloud computing service providers. However, suggesting the creation of another interoperability standard by the TSDSI may have been unnecessary in light of several competing international standards already in existence⁸. It is good that the TRAI has recommended self-regulation of the industry as opposed to a ‘licensing’ regime which was being considered earlier.