by Suman Gupta
New Delhi, 6th December 2019: Broadband India Forum (BIF), the leading Think-Tank and Policy Forum for Digital Communications in the country, in its response to the TRAI Consultation paper on Cloud Services, has submitted that Cloud Service Providers should continue to conform to the rules and regulations set by Ministry of Electronics and Information Technology (“MeitY”), Govt. of India.
BIF stated that in the current regulatory environment, Cloud Service Providers are already sufficiently governed by the existing guidelines/rules of MeitY and operate under the existing laws. Further, the telecom infrastructure used for providing cloud services is already regulated. Customers access cloud services using network infrastructure, which is categorized as a communication service, and is already regulated by the DoT and the TRAI. Cloud Service Providers also use telecom infrastructure for connecting their data centres. Telecom/Digital infrastructure, and telecom service providers providing the same, are amply regulated by the DoT and TRAI in India. In doing so, these regulations adequately ensure protection of customers, maintenance of public network security and integrity, and enabling the Government to monitor and obtain information on transmission of data (e.g., for national security purposes). Moreover, there are no perceived market failures nor any consumer concerns, which would necessitate need for ex-ante intervention from the Authority. Hence, Cloud Service Providers need not be licensed/regulated separately through additional measures or brought under the ambit of an additional agency like DOT or TRAI.
Cloud services in India are forecasted to show a steep growth curve. As per a NASSCOM report, cloud spending in India is estimated to grow at 30% p.a. to reach USD 7.1-7.2 billion in 2022. In 2019 itself, the cloud services industry in India is expected to record the third highest growth rate in the cloud services sector globally.
Additional regulations and monitoring requirements are thus very likely to be detrimental to India’s goal of becoming a global hub for cloud computing, content hosting and delivery1. In the event that additional regulation is enacted, it may create overlapping or conflicting requirements, resulting in avoidable additional business costs for Cloud Service Providers. Therefore, in order to ensure unhindered growth and innovation in the cloud services market in India, Cloud Service Providers should not be subject to any further regulation from any industry body and not be subject to guidelines/rules from any other agency, other than MeitY.
Info Note: The multiple laws and regulations applicable on Cloud Service Providers presently-
S. No. |
Relevant authority/legislation |
Key provisions |
a. |
The Information Technology Act, 2000 (“IT Act”), including the various rules under the IT Act |
i. Cloud Service Providers are required to implement and maintain reasonable security practices and procedure, which govern collection, disclosure, retention, transfer, security and use of sensitive personal information, they are (Section 43A).ii. Cloud Service Providers can be asked to co-operate with authorised government agencies (by way of extending all facilities and technical assistance) to facilitate electronic surveillance (Section 69)iii. Under the IT Act, Cloud Service Providers are categorized under ‘intermediaries’ and are required to comply with a wide range of due diligence requirements. Failure to comply with these requirements will result in Cloud Service Providers losing safe harbour protection under the IT Act (Section 79). |
b. |
Ministry of Electronics and Information Technology, Government of India |
MeitY oversees the empanelment of Cloud Service Providers with the government under its ‘MeghRaj’ cloud computing initiative. To meet standards of empanelment, Cloud Service Providers must evince compliance with standards on security, interoperability, data portability, service level agreements, and contractual terms and conditions. Such compliance by Cloud Service Providers is also thoroughly verified by way of a rigorous audit conducted by the MeitY’s Standardisation Testing and Quality Certification Directorate. As the nodal government agency responsible for cloud services, MeitY will step in to govern other aspects related to cloud services as and when needed. |
c. |
Indian Contract Act, 1872 |
The e-contracts entered into by Cloud Service Providers with their users are subject to the provisions of the Indian Contract Act, 1872. |
d. |
Consumer Protection Act, 2019 (“CPA”) |
i. Cloud Service Providers would fall under the definition of an ‘electronic service provider’ under the CPA [Section 2(17)]ii. Buying or selling of cloud-based services would qualify as e-commerce under the CPA [Section 2(16)]iii. The central government is empowered to take measures for the purposes of preventing unfair trade practices in e-commerce. Such measures may relate to the trade practices of Cloud Service Providers (Section 94) |
e. |
Personal Data Protection Bill, 2018 (“PDP Bill”) |
Cloud Service Providers will be subject to a number of obligations as ‘data processors’ under the PDP Bill. These include:a. Processing data only as per instructions of data fiduciaries by whom the Cloud Service Providers has been engaged (Clause 37)b. Implementing appropriate security safeguards through use of methods such as encryption and de-identification of data (Clause 31)c. Possibly complying with ‘codes of practice’ issued by the Data Protection Authority under the PDP Bill (Clause 60) |