Cloud computing allows users to access and work with data stored on remote networks. The client-side front-end infrastructure (laptops, desktops, etc.) connects to backend cloud storage, applications, and services that may be hosted in cloud farms or server farms across the world. The growth of high-speed Internet access and advances in data storage and retrieval technologies have led to cloud computing becoming the service model of choice for both business-critical services, like banking and payments, and non-critical ones like online gaming.
Since late 2019, Indian regulators have once again been examining the need to regulate the cloud. This State of Play update examines the regulations currently applicable to cloud service providers in India, and how the local regulatory landscape is evolving.
A. STANDARDS APPLY, BUT NO LICENSE NEEDED
There is no overarching law at present on providing cloud services in India. No local license is needed specifically to provide cloud services. Cloud services can be provided in India on a cross-border basis. A foreign cloud service provider is not required to incorporate a local entity, procure any operational licenses, appoint local employees, etc., to offer cloud services to customers in India. There is also no restriction on foreign investment for setting up cloud operations in India.
A locally incorporated cloud service provider would be subject to compliances under Indian law pertaining to corporate matters, tax, labour, etc. These licenses/compliances are linked to the day-to-day operations of Indian companies and not specifically to the provision of cloud services. In addition, even an offshore cloud services provider is subject to data privacy and access compliances, as shown below.
B. DATA PRIVACY AND GOVERNMENT ACCESS ISSUES
Indian and foreign cloud service providers are subject to compliances under the Information Technology Act, 2000 (“IT Act”) and corresponding rules on data privacy and law enforcement access.
Data Privacy Regulations: The IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Indian Privacy Laws”) apply to cloud services being offered in India. Indian Privacy Laws regulate the collection, receipt, possession, storage, handling and transfer of personal information and sensitive personal data or information of natural persons within India. These laws apply to any entity collecting data, and any entity to whom such data is being transferred by the Data Collector for processing. A cloud service provider usually processes information passed on to it by its clients and users. To the extent the cloud service provider processes information of natural persons located within India, certain compliances will apply, including ensuring data security.
Government Access: The IT Act and the Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 allow the Indian government to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer resource. The Government can do this for reasons connected to (inter alia) state security and law enforcement matters.
Online Intermediary Guidelines: Cloud service providers in India may be protected as ‘intermediaries’ under the IT Act and Information Technology (Intermediaries Guidelines) Rules 2011 (“Intermediary Guidelines”). An intermediary is a person who on behalf of others receives, stores or transmits records or provides any service with respect to that record. The general understanding is that intermediaries facilitate the use of the Internet and/or grant access to third party content over public facing services. While cloud service providers do not offer such services, in certain circumstances they may be argued to be intermediaries given the broad definition. Intermediaries enjoy safe harbor protection for third party information or data hosted by them, but also have several compliance requirements.
IT Act and Other Indian Laws: Even though there is no specific law governing cloud services, general Indian laws will continue to apply to services offered to Indian clients or users in India. For instance, cloud services violating the prohibition on public gambling may be problematic. Note also that the IT Act has extra-territorial application and its provisions also apply to offences or contraventions committed outside India by any person. This act penalizes, for instance, online obscenity. Penalties (i.e., fines and/or imprisonment) under the IT Act and penal laws may get triggered for any non-compliance in the course of providing cloud services.
Mission Creep on licensed activities: Cloud services are sometimes a direct replacement for existing technologies, for instance solutions based on telecom resources and payment networks. You should be careful that your cloud solution does not bleed into a licensed activity. Indian licensing laws are drafted and interpreted widely – and providing a ‘virtual call center’ or payment guarantee services may lead to a requirement to obtain a telecom license or a payment system approval from Indian regulators.
C. RISKS IN CLOUD COMPUTING
Data Privacy and Security: Privacy can be a major bottleneck in a cloud environment. Since cloud service providers are usually data processors, it is very important for them to implement safeguards (contractual provisions, security measures, organization SOPs, etc.) to ensure that data has been lawfully shared with them and is secure. Remember that the more valuable the data, the more likely it is to face cyber-attacks, illegal access attempts, etc. Click HERE to read BTG’s cybersecurity update.
Data Localization Challenges: India, like many APAC countries, is debating data localization policies, and has already enacted them in use cases like payment data. Data storage on the cloud may run afoul of current or future data localization measures. Cloud providers are already thinking of and moving to new storage protocols, with methods like the ‘hybrid cloud’ gaining popularity. You can access BTG’s Data Localization Tracker HERE.
Lawful Interception and Schrems II: The Schrems II decision has raised the risk of data transfers to other jurisdictions (including India) being challenged/scrutinised. This is not a new phenomenon. Regulators around the world seek access to information stored on the cloud, for law enforcement or investigation purposes. It becomes even more important for foreign entities processing personal data in India to ascertain risks arising from Indian surveillance regulations and their business impact. You can read more about the Schrems II decision and its impact on India HERE.
D. WHAT MAY CHANGE IN THE FUTURE
Future Cloud Regulations: The Telecom Regulatory Authority of India (“TRAI”) released a consultation paper back in 2016 on cloud computing. Subsequently, it issued recommendations on cloud services in 2017 and 2019, proposing ‘light touch’ regulations. The TRAI’s recommendations call for separate industry bodies for cloud service providers, industry codes for QoS parameters, prescribing model SLAs, dispute resolution framework, requirements for billing, etc. These policy documents can be accessed HERE. In September, 2020, TRAI made additional recommendations to suggest a not-for-profit organization be set up to work in conjunction with TRAI or the Indian Government’s Department of Telecommunications to run and enforce a ‘light touch’ regulatory regime for cloud service providers. You can read the new 2019 recommendations HERE. These recommendations do not have the force of law as yet, and no draft law has been released.
Draft Privacy Bill: The Indian government has proposed to replace Indian Privacy Laws with the Data Protection Bill, 2019 (“Draft Privacy Bill”) in the near future. The Draft Privacy Bill requires data processors to implement certain security standards, transparency and accountability measures, enter into a contract with data fiduciaries, etc. The Draft Bill is currently being reviewed by a parliamentary committee, and may see the light of day in early 2021.
Proposed Law on Non-Personal Data: In 2019, the Indian government set up an expert committee to determine whether a law is required to regulate non-personal data, i.e., any data that is not related to an identified or identifiable natural person or is personal data that has been anonymised. The committee recently released its report and has recommended that separate legislation be enacted to govern non-personal data and that a new regulatory body be set up for it. No draft law has been proposed as yet. You can read more on NPD regulation HERE.
Draft Intermediary Guidelines: In 2018, an amendment to the Intermediary Guidelines was proposed. Under the draft guidelines, intermediaries have to proactively monitor unlawful information and remove/ disable it, and those intermediaries having more than 50 lakh (5 million) users in India will have to have an on-soil presence in India. These do not have the force of law as yet.