One of the fundamentals of a good law is that it must lead to adequate compliance by the target citizenry that it seeks to govern. The prerequisite for such compliance includes, but is not limited to, the temporal relevance that it holds in the society. Unless the discourse of law adjusts itself organically to the ever increasing and changing needs of the society, it would be relegated as an anachronism. This holds much more relevance in a dynamic information technology driven society that we are a part of today.

The advent of modern technologies and services has brought to us comforts of life that most would not have dreamt of even a decade ago. It has also brought alongside accompanying issues which transcend the traditional notions of social institutions such as property, rights and so on that we have taken for granted until now. Unless the discourse of law restates and readjusts itself, the risk of losing the relevance always lingers above it. In a country with one of the fastest growing, consumption driven, economies like India the need to take adequate care of such regulatory requirements needs no specific emphasis. One such modern day development that requires this regulatory readjustment is ‘cloud computing’.

Cloud computing refers to internet based computing that allows organizations to access a pool or network of computing resources that are owned and maintained by a third party via the internet, on a use-and-pay basis. In other words, it is a model enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Enabled by information technologies and riding on the back of telecommunications network, the cloud can herald a myriad of solutions ranging from enabling tele-medicine, setting up remote-classrooms, creating national citizen health and skills databases and creating a new cloud based services industry for generating employment.

Juxtaposed in the Indian context, being one of the fastest growing economies of the world and being at the helm/ forefront of much technological advancement, cloud computing is no exception and is poised for a leap. Cloud based services, characterized by their fundamentally flexible nature, can be leveraged by the Government to launch new e-Governance initiatives quicker and with lower overhead costs. A common cloud platform can further enable local governments and it’s instrumentalities to adopt e-Governance for rendering better citizen services, without requiring the setting up of significant IT infrastructure. The Cloud also presents an opportunity for India’s Information Technology (IT) & IT Enabled Services sector by opening up a new avenue of providing Cloud based services to global organizations ranging from Software as a Service (SaaS) based application services, providing remote testing and prototyping services in addition to remote application hosting services such as Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).

However, on one hand where Cloud promises to change the way Indian businesses and Government leverage technology to their benefit, on the other hand owing to its global architecture and reliance on cross-border data hosting and outsourcing, cloud services have attracted multiple issues in myriad unexplored grey areas and present significant challenges relating to security and privacy of information.

Challenges and Legal Issues Involved in Cloud Computing

1. Cross border transfer of data

One of the foremost and fundamental concerns faced by an organization while migrating to cloud services is with respect to the security and privacy of its data. The global nature of cloud architecture coupled with the diversity of legal mechanisms, their application, and in some cases the absence thereof raises pertinent question with respect to the effective transmission and storage of data in cloud services. Although some progress in this respect has been made in the development of bi- and multi-lateral privacy frameworks, such as the Safe Harbor Framework developed by the European Union and the United States which governs the transfer and storage of data between them in compliance with the 1995 Data Protection Directive of the European Union on the protection of personal data. As per the said framework, only those entities in the US which receive an adequacy status from the EU are eligible for cross border transfer of data of users in EU. The Framework has recently been revised to what is now know to be the Privacy Shield and which has become a major compliance standard for company privacy policies in the United States and elsewhere. Notably, Privacy Shield lays down seven privacy principles which are worth mentioning and which should comprise the yardstick to which any cross border transfer of data should be subjected to:

a) Notice: Information to an end user/ consumer that their data is being collected and how it will be used;

b) Choice: Individual’s right to opt out of collection and forward transfer of data to third parties;

c) Safety: Safeguards to prevent loss of collected information;

d) Data Integrity and purpose limitation: Data must be relevant and reliable for the purpose it was collected;

e) Access: Individual’s right to access information held about him and to correct or delete it, if inaccurate;

f) Enforcement & Liability: Effective means to enforce these rules.

India currently lacks a comprehensive and overarching legal framework which can effectively tackle the issues pertaining to and offer adequate safeguards for efficient and secure cross border transfer of data while balancing the privacy and choice of the user.

2. Lawful interception or information requests

Regulators and agencies round the globe, for law enforcement and investigation purposes, might every now and then seek access to information stored on the cloud. Much of the efficacy of such requests depends on the location of the provider and the authority and bargaining power enjoyed by local enforcement. While content for many applications providing platforms for public sharing of documents and social networking sites, remains largely unencrypted and available for immediate inspection, greater assistance is required in cases of data stored by usage of encryption technologies.

In cases of encrypted data, the Government/ law enforcement agency can either seek access to the encryption key or in the alternative force a service provider to build in vulnerability in their programming code (known as a ‘back door’) that allows government authorities to access the information—regardless of encryption—on demand. Further, the inherent nature of cloud architecture where data is frequently in transit gives an additional avenue to the law enforcement agencies to intercept data or to put pressure on intermediaries who transfer the said information.

Although in theory, such options are to be resorted to and utilized only after obtaining proper legal sanction, privacy advocates round the globe have been skeptical about such policies owing to their potential for abuse by government agencies and their vulnerability to exploitation by hackers. Much of these concerns stood re-affirmed in the light of recent instances of mass data surveillance that surfaced in the United States- a country with maximum concentration of data centers and through which most of the world’s internet traffic is routed through. In U.S, invasive access to data stored on company servers is provided by the Patriot Act of 2001 wherein the law enforcement agencies can compel production of information through National Security Letters. The letters are further accompanies by a ‘gag rule’ barring supply of information to the customers about any such wiretap or disclosure.

In India, the IT Act authorizes the law enforcement agencies to intercept, monitor and decrypt data travelling over domestic Internet networks. Section 69 and 69B of the Act and the allied rules mandates a person in-charge of a computer resource to extend all possible assistance to the law enforcement agencies when called upon to do so. Such lawful interception extends to ‘any information stored on a computer resource’ regardless of the attributes of the computer resource. However, law enforcement agencies may still face some practical difficulties in respect of retrieving data from overseas cloud service operators owing to the absence of binding obligations on them to submit to Indian jurisdiction.

3. Encryption and data security

Encryption is one of the key tools employed by an organization to ensure security and privacy of its data in a cloud architecture where the data is frequently in transit and in cases of a multi-tenant environment- where data is stored on a physical hardware that is often shared with third parties. However, despite the gains in encryption security, vulnerabilities still exists. One such vulnerability is the presence of a government- mandated ‘back door’ which can fall in the hands of hackers who are on the look-out for a weak link in the encryption key. Other sources comprise of the more traditional means, namely by gaining unauthorized access to encryption key through vulnerabilities in web browsers, personal computers, etc. at the user’s end.

4. Data Subject and jurisdiction

Service providers and regulators round the globe have been at loggerheads and have time and again locked horns on issues pertaining to sovereignty and jurisdiction over data in the cloud. The dynamic nature of cloud computing with fragmented data storage and processing spread across multiple jurisdictions often results in multi-jurisdictional claims on the same information.

Although the norm has been for the local law of the place of data storage to apply, governments may still be able to exert pressure, via licensing restrictions or operational restrictions, on the intermediate service providers. Some countries like Russia have in fact put in place, strict data localization laws to exercise greater control over their citizens’ data wherein the operators are obligated to collect, store and process Russian citizen’s personal data using databases located within Russia. Although such restrictions may seem to be in the interests of security and legal compliance, it has been argued by certain service providers that such mandatory localization of data might in fact prove to be counter-productive as it may affect competition and deter innovation and economic growth.

In India, although the IT Act provides for extra-territorial jurisdiction whereby the provisions of this Act shall apply also to any offence or contravention committed outside India by any person irrespective of his nationality insofar as the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India, it does not look to offer a comprehensive solution.

5. Ownership of Data

In the absence of a comprehensive regulatory framework minutely dealing with the issues pertaining to data propriety and ownership, the same are largely left to be governed by the contractual provisions contained in the cloud-provider’s service level agreement (SLA) and which renders the situation quite disquieting for numerous reasons. Barring sophisticated parties who have the ability and the means to negotiate more favorable terms, most SLAs limit user’s control over sensitive data by embodying provisions with respect to the right of service providers to disclose and use information and by limiting users’ ability to bring proprietary-based claims against the cloud provider. The SLA’s further, in most of the cases, fail to differentiate or sufficiently define non-personal, personal, sensitive, and proprietary information thereby unjustifiably subjecting them to the same ownership standards.

Therefore it is the need of the hour to put in place a regulation sufficiently addressing such issues pertaining to data propriety and ownership in cloud computing as well as for a closer scrutiny of the standard contractual provisions comprising these SLAs. Furthermore, the existing data ownership and privacy laws also need to be revisited and reinterpreted so as to sufficiently reflect the realities of modern computing.

6. Data Privacy

The inherent fluid nature of a cloud architecture and its vulnerabilities expose user’s to myriad risks with respect to breach of data privacy. These vulnerabilities are further compounded by issues pertaining to data ownership, lacking regulatory frameworks coupled with mismatches in privacy laws in force in various jurisdictions and the overarching potential threat of access by government authorities due to the potentially dispersed nature of cloud services. Users, however, often tend to be ignorant of these risks which is further augmented by the service provider’s reluctance to disclose their policies and the routes taken.

Under the IT Act, a corporate entity in possession of sensitive personal information has the obligation to maintain a privacy policy and make available to the provider such privacy policy on its website. Further it is obligated to protect the sensitive personal information of the user through ‘reasonable security practices and procedures’ as specified under the Rules. In the event the parties do not contractually agree to reasonable security practices and procedures, then the minimum standard to be followed for protection would be IS/ ISO /IEC / 27001. Further, the body corporate is obligated not to disclose the sensitive personal information without the prior approval of the provider of the information unless otherwise agreed under a contract. It should also be noted, while transferring the information to a third party, the body corporate needs to ensure that the transferee is maintaining the same level of ‘reasonable security practices’ as maintained by the body corporate.

The Act further makes Internet Intermediaries liable for breach of security practices or a breach of contract barring cases where an intermediary can show that it was merely acting as a conduit and was not in a position to exercise control over any material or information and that it had duly exercised due diligence as prescribed by the Government.

7. Content Regulation

Another pertinent issue which surfaces with respect to cloud computing services and which raises interesting questions is one pertaining to content regulation. Governments, albeit to varying degrees, have put in place regulations to regulate the content on the internet to some extent and for holding companies and individuals liable for any violations thereof. However, this might pose several challenges in respect of a cloud computing service. The challenge posed by the Cloud relates to the dispersion of data and the possibility that a regulator may take the view that content regulation may be applicable to Cloud-hosted VPN clients, which can hide the location of the computer and make enforcement more difficult. Furthermore, questions pertaining to the extent to which a Cloud provider, client and end user shall be individually liable for data transferred to and from the Cloud and classification of a cloud provider, whether as an intermediary or otherwise, are questions that need to be addressed.

Way forward

Cloud computing owing to its fluid nature and multi-jurisdictional character poses a unique mix of challenges and opportunities. Regulators around the globe are grappling with regulatory implications of cloud computing and the flexibility, geographic dispersion and the loss of governance that it entails. Even the international governance in this respect is a mishmash of governmental and industry research groups, bilateral standards and agreements between the private MNCs and sovereign governments. Given the wide disparity in regulatory schemes and competing national interests, it is the need of the hour to come up with an international treaty or policy that sufficiently addresses the issues pertaining to cloud computing, particularly aspects pertaining to sovereignty and jurisdiction over regulatory violations and crimes and lays down the model standards for the nations to uniformly align their cloud computing policies with the said norms. Alternatively, in the absence of such an international code, nations can come together to agree on a bi or multi-lateral framework on the lines of the safe harbour framework between the EU and the US to effectively combat issues arising out of cloud computing. Another viable option which would curtail the frequent instances of conflict on issues pertaining to data ownership, security, privacy etc. is the possibility of private-public MOUs between large data centre operators and national governments.

However, despite the lack of clarity, most developed countries including EU, UK and the United States are at different stages of creating a legal framework for cloud-based services. The UK’s Cloud Industry Forum has formulated a code of practice for Cloud service providers. Similarly, New Zealand has a Cloud Computing code of practice. In the US there is proposal to enact a Cloud Computing Act. In the EU, a Cloud Computing Information Assurance Framework has been proposed. This is a set of assurance criteria designed to assess the risk of adopting cloud services, compare different Cloud based service providers, obtain assurance from the selected cloud providers, and also reduce the assurance burden on cloud providers.

Coming to India, it currently lacks an overarching law on data protection and privacy to effectively deal with issues pertaining to cloud computing.

Although the IT Act seeks to govern certain aspect pertaining to data security and privacy, its limited scope of application to cloud computing services leaves much to be desired. With the government rolling out initiatives like Digital India to promote digital culture and its proliferation in the country, the digital footprint of every user in rural and urban areas is expanding substantially thereby accentuating the need of an overarching regulatory framework on privacy and data protection to avoid unwanted disputes and business losses and to adequately govern service conformity, loss of services, data tampering, data theft, infrastructure failures etc. which are the typical areas of dispute that could arise. In this respect, two areas which particularly need focus are privacy, especially owing to public’s relative unfamiliarity with the mechanics of Cloud computing, and the obligations imposed on cloud service providers.

The latter shall necessarily entail a review of existing laws and regulations to determine if the current categories of service providers and information reflect the realities of Cloud computing. To the extent that they do not, regulations can either attempt to force providers to shift their services or practices (similar to mandating back doors in encryption) or change or develop new categories to accommodate the unique characteristics of Cloud providers and services. One foremost consideration for the government while formulating any such policy should be to try and balance the need to regulate in the public interest with the freedom necessary for technological innovation and economic growth.

With the efforts towards drafting a privacy legislation being underway, the Government will have to play a pivotal role in ensuring that Indian entities can take advantage of the cloud revolution for economic growth without being encumbered by the challenges and risks arising from the cloud by effectively addressing the aspects pertaining to right of the users with respect to their data, security and encryption protocols, responsibility of data handlers and suitable transparency and accountability measures.

ABOUT THE AUTHORS

Krishnayan Sen

Partner, Verus

Krishnayan is a partner at Verus and heads the firm’s disputes practice. He has been a trusted adviser to a diverse range of clients, including international corporations, government undertakings, banks and statutory authorities. He is a versatile litigator, having regularly represented clients across different courts and tribunals. He is also an advocate-on-record at the Supreme Court of India and has appeared in several leading cases.

His recent cases include successfully representing United Bank of India against Kingfisher Airlines and Vijay Mallya at the Supreme Court of India in recovering its dues of $60 million (awarded deal of the year by the India Business Law Journal); successfully defending McDonald’s in relation to the accounting method of rounding-off followed in its chain of restaurants; advising Schlumberger in a public procurement tender involving about $35 million; advising UBER in actions for defamation against a regional media house; successfully representing Huntsman International in recovering its contractual claims against a vendor before the Delhi High Court; advising GE Healthcare in an arbitration involving a claim for personal damages; and, advising Kotak Mahindra Bank in defending secured creditor’s rights under the Securitisation Act before the Supreme Court.

His principal areas of practice include international arbitration, corporate-commercial disputes and banking litigation. He is fluent in English, Hindi and Bengali.

Ankit Jain

Associate, Verus

E:

Ankit Jain is an associate at Verus and is a part of the firm’s disputes practice group at New Delhi. A graduate from the University of Petroleum and Energy Studies, Dehradun, ankit focuses on civil and commercial litigation, oil & gas, competition, mining and arbitration. He regularly represents clients across different courts and tribunals and advises them on a wide array of legal issues.

His recent representations include advising and representing a leading global oilfield services provider in a dispute pertaining to award of an offshore oilfield services contract before the Supreme Court; advising and representing a leading public sector undertaking before the anti-trust regulator in a matter pertaining to bid rigging in a public procurement tender; representing a leading public sector bank before the Board for Industrial and Financial Reconstruction; representing a multi-national corporation in an international commercial arbitration pertaining to a services and supply contract.

Ankit is fluent in English and Hindi.

About the firm

Verus Advocates