Technology Law Analysis
September 14, 2017
Telecom Regulatory Authority in India issues Recommendations on Cloud Services
Cloud computing has been on the Government radar since 2012, when the National Telecom Policy, 2012 made a reference to cloud computing as a means to improve the delivery of services, participative governance, e-commerce at globally competitive prices.1
TRAI Consultation Paper
In December 2012, the Ministry of Communications & Information Technology made a reference to The Telecom Regulatory Authority of India (“TRAI”) asking for recommendations in relation to various aspects of cloud based services. The reference was made under Section 11(1) of the Telecom Regulatory Authority of India Act, 1997.
In the meantime Ministry of Electronics and Information Technology (“MEITY”).has started implementation strategies of cloud services in Central and State Government organizations through its MeghRaj initiative2 .
Somewhat belatedly after the reference, on June 10, 2016 TRAI issued a Consultation Paper on Cloud Computing (“CP”) to identify and analyze industry issues in the cloud computing sector. The CP sought inputs from the public and industry stakeholders on the proliferation of cloud computing services and the requirement (if any) for regulation in the industry. The TRAI also sought inputs on specific issues including issues relating to quality of service requirements, data security in the cloud, data portability, location of data, billing and metering concerns etc.3
One of the writers of this Hotline, had written an op-ed in relation to the CP, which can be found here.
The Department of Telecommunications (“DoT”) has the authority to establishing, maintaining and working “telegraphs” and to grant licenses for the same. The TRAI has the power to regulate ‘telecommunication services’.
The Telegraph Act 1885 defines ‘Telegraph’ as any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, radio waves or Hertzian waves, galvanic, electric or magnetic means.
The Telecom Regulatory Authority of India Act 1997 defines ‘Telecommunication Service’ as services of any description (including electronic mail, voice mail, data service, audio tax service, video tax service, radio paging and cellular mobile telephone services) which is made available to users by means of any transmission or reception of signs, signals, writing images, sounds or intelligence of any nature, by wire, radio visual or other electromagnetic fields but shall not include broadcasting services.
The TRAI may not have the power to regulate cloud computing services and its jurisdiction may be restricted to the telecom infrastructure that is connected to cloud computing service providers. TRAI/DoT may however require CSPs to obtain an ‘Other Service Provider’ registration and abide by the terms and conditions for the ‘OSP Category’ as issued by the DoT4.
In our view, a cloud service is really an Over The Top (“OTT”) service which utilizes a telecom resource (such as internet) and there is no reason to treat cloud services any different from other OTT services such as e-commerce platforms, video on demand platforms and messaging apps. OTT services are not regulated as telecom services, nor are these services compulsorily required to get an OSP registration (unless they fall within the definition of ‘Application Services’). Hence, TRAI may not have jurisdiction to regulate all aspects of cloud service.
TRAI Open House Discussions
On April 3, 2017 the TRAI conducted an open house discussion on the issues raised in CP (“OHD”). Industry representatives including some of the biggest technology and software companies globally and in India, including the likes of Microsoft, Amazon, Reliance Communications, Reliance Jio, Vodafone, AT&T, Oracle, etc. participated in the OHD. The participants were of a unanimous view that there was no requirement for regulatory framework for the cloud computing industry; and that excessive regulation and Government interference ‘will kill the cloud in India’. Representatives of the industry suggested a ‘light tough regulatory approach’ consisting of broad guidelines.
MEITY Guidelines for Government Use of Cloud Services
The MEITY issued guidelines5 on March 31, 2017 for the setting up of IT infrastructure by Indian Government departments using cloud computing technology. The new guidelines come with a specific clause stating the service provider has to store data within the country. The guidelines note that since data could be located in one or more discrete sites in foreign countries, the conditions for data location has to be mentioned in the agreement with the service provider. The guidelines also require government departments to carefully consider aspects such as information security, exit management and transitioning. Under the terms of empanelment of cloud service providers (“CSPs”), the CSP also has to maintain a strict 99.5 percent uptime.
TRAI’S RECOMMENDATIONS ON CLOUD SERVICES
The TRAI received considerable response on the issues and questions raised from various stakeholders. On August 16, 2017 TRAI published its recommendations on cloud services (“Recommendations”).
The TRAI seems to have taken a considered approach. It has suggested a light touch approach, however, at places it still appears that its intervention may be excessive, as further discussed below.
Legal & Regulatory Framework
Proposing a ‘light touch’ regulatory approach with a strong emphasis on self-regulation through industry bodies is a welcome move by the TRAI. It also good to note that TRAI is in favour of CSP industry bodies to lead the way in terms of prescribing codes of conduct for its members to follow.
Code of Conduct
The TRAI has suggested that all CSP industry bodies create a self-regulatory Code of Conduct to govern their members and which would contain the following provisions:
Although a light touch regulatory approach is suggested, the manner in which TRAI proposes to prescribe requirements pertaining to QoS, billing, SLAs etc. in the garb of self-regulation may still be considered to be excessive.
TRAI has suggested that the Government may consider enacting an overarching and comprehensive data protection law covering all sectors. Such new law should incorporate adequate protection for sensitive personal information, adopt globally accepted data protection principles as re-iterated by the Planning Commission’s Report of Group of Experts in Privacy in 2012, as well as provisions relating to cross-border transfer of data.
Issues relating to access and cross-border data transfers are likely to be addressed in the new data privacy legal regime that the MEITY is currently working on introducing towards the latter part of this year. Incidentally, a nine-judge bench of the Supreme Court of India has only a few days ago directed the Government to legislate on a data privacy framework protecting the rights of individuals’ vis-à-vis non-State players.6 Many issues illustrated by the judges are likely to be considered by the MEITY when deliberating on the new law, including relating to collection of big data and anonymized data in the data analytics sector.
A nine judge bench of the Supreme Court of India has indeed declare the right to privacy as a fundamental right guaranteed under the Constitution of India, and has also directed the Government to frame legislative framework for data protection wherein the right to privacy can be enforced against non-state parties as well.
Our detailed analysis of this judgment can be found here.
Interoperability and Portability
It seems to be a positive approach by TRAI to leave issues such as interoperability and portability to market forces and industry practices, while choosing the road of minimal intervention.
Legal Framework for CSPs operating in multiple jurisdictions
To address the issue of access to data hosted by CSPs in different jurisdictions, by law enforcement agencies:
Jurisdiction and enforcement issues have been one of the main concerns of industry players wherein CSPs host data on cloud located outside India. The Indian Government should follow suit and draw up / revise MLATs as the case maybe, as a step of boosting confidence of Indian users availing of cloud services in which the data is located on clouds overseas.
Incentives for use of cloud network in government services
This too seems to be a positive recommendation by TRAI. Whilst it seems that TRAI has taken a back seat in terms of regulating the industry, it still appears to be proactive in encouraging innovation by incentivising private players. TRAI has also taken cognizance of the challenges of interoperability and competition among cloud computing service providers. However, suggesting the creation of another interoperability standard by the TSDSI may have been unnecessary in light of several competing international standards already in existence8. It is good that the TRAI has recommended self-regulation of the industry as opposed to a ‘licensing’ regime which was being considered earlier.
– Arvind Ravindranath, Aaron Kamath & Gowree Gokhale
You can direct your queries or comments to the authors
1 http://www.dot.gov.in/cloud-computing. Last accessed: August 25, 2017
2 http://meity.gov.in/writereaddata/files/GI-Cloud%20Adoption%20and%20Implementation%20Roadmap(1).pdf Last accessed: September 11, 2017
3 Nishith Desai Associates had published an article in the Live Mint with its initial views, available here: http://www.livemint.com/Opinion/cXjxkc31g9rzkCJT0lH8yM/Trais-cloudy-cloud-computing-paper.html. Last accessed: August 28, 2017
4 The ‘Terms and Conditions – Other Service Provider (OSP) Category” are guidelines which have been issued by the DoT requiring a company providing ‘Application Services’ over telecom networks to obtain a registration certificate from the department. ‘Application Services’ have been defined to mean “providing services like tele-banking, tele-medicine, tele-education, tele-trading, e-commerce, call centre, network operation center and other IT Enabled Services, by using Telecom Resources provided by Authorised Telecom Service Providers”
5 http://meity.gov.in/writereaddata/files/Guidelines-Contractual_Terms.pdf and http://meity.gov.in/content/guidelines-government-departments-adoption-procurement-cloud-services. Last accessed: August 25, 2017
6 Retd. Justice Puttaswamy & Anr. v. Union of India & Ors., WP (Civil) No. 494 of 2012, decided on August 24, 2017
7 In 2014, the Ministry of Micro Small and Medium Enterprises issued guidelines for the Promotion of Information and Communication Technology (ICT) in MSME Sector. These guidelines state that cloud computing has been found to be capable of providing the requisite ICT solutions to MSMEs at an affordable cost. To encourage MSMEs to use CC for ICT applications, the scheme proposed the following key steps:
1. To provide subsidy for user charges for a period of 3 years. Initially, cloud computing facilities will be made available to approximately 2300 MSMEs. Each MSME unit will be eligible to a maximum subsidy of Rs 3.0 lakh for 3 years, wherein the cost of usage services will be shared by the Gol and MSME.
2. MSMEs will be sensitized regarding the benefits of ICT including cloud computing application for business promotion at a cost of Rs.5 crore.
3. The cloud computing component of the scheme will be implemented by selected Specialized Institutions [like ECIL (Electronics Corporation of India Ltd. Department of Atomic Energy, Govt. of India), STPI (Software Technology Parks of India, Ministry of C&IT), etc.].
4. The Specialised Institutions are required to empanel various CSPs through service level agreement who will provide cloud services to the MSMEs.
The contents of this hotline should not be construed as legal opinion. View detailed disclaimer.