India: Telecom Regulatory Authority In India Issues Recommendations On Cloud Services

Last Updated: 21 September 2017
Article by Arvind Ravindranath, Aaron Kamath and Gowree Gokhale
  • 'Light touch regulatory' approach adopted rather than stringent regulation of the industry.
  • Industry bodies comprising cloud service providers to drive market practices, standards and code of conduct.
  • Mutual Legal Assistance Treaties to be drawn up / amended with jurisdictions where cloud service providers host their services, to enable interception / access to data by law enforcement agencies.

Introduction

Cloud computing has been on the Government radar since 2012, when the National Telecom Policy, 2012 made a reference to cloud computing as a means to improve the delivery of services, participative governance, e-commerce at globally competitive prices.1

TRAI Consultation Paper

In December 2012, the Ministry of Communications & Information Technology made a reference to The Telecom Regulatory Authority of India ("TRAI") asking for recommendations in relation to various aspects of cloud based services. The reference was made under Section 11(1) of the Telecom Regulatory Authority of India Act, 1997.

In the meantime Ministry of Electronics and Information Technology ("MEITY").has started implementation strategies of cloud services in Central and State Government organizations through its MeghRaj initiative2 .

Somewhat belatedly after the reference, on June 10, 2016 TRAI issued a Consultation Paper on Cloud Computing ("CP") to identify and analyze industry issues in the cloud computing sector. The CP sought inputs from the public and industry stakeholders on the proliferation of cloud computing services and the requirement (if any) for regulation in the industry. The TRAI also sought inputs on specific issues including issues relating to quality of service requirements, data security in the cloud, data portability, location of data, billing and metering concerns etc.3

One of the writers of this Hotline, had written an op-ed in relation to the CP, which can be found here.

TRAI Jurisdiction

The Department of Telecommunications ("DoT") has the authority to establishing, maintaining and working "telegraphs" and to grant licenses for the same. The TRAI has the power to regulate 'telecommunication services'.

The Telegraph Act 1885 defines 'Telegraph' as any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, radio waves or Hertzian waves, galvanic, electric or magnetic means.

The Telecom Regulatory Authority of India Act 1997 defines 'Telecommunication Service' as services of any description (including electronic mail, voice mail, data service, audio tax service, video tax service, radio paging and cellular mobile telephone services) which is made available to users by means of any transmission or reception of signs, signals, writing images, sounds or intelligence of any nature, by wire, radio visual or other electromagnetic fields but shall not include broadcasting services.

The TRAI may not have the power to regulate cloud computing services and its jurisdiction may be restricted to the telecom infrastructure that is connected to cloud computing service providers. TRAI/DoT may however require CSPs to obtain an 'Other Service Provider' registration and abide by the terms and conditions for the 'OSP Category' as issued by the DoT4.

In our view, a cloud service is really an Over The Top ("OTT") service which utilizes a telecom resource (such as internet) and there is no reason to treat cloud services any different from other OTT services such as e-commerce platforms, video on demand platforms and messaging apps. OTT services are not regulated as telecom services, nor are these services compulsorily required to get an OSP registration (unless they fall within the definition of 'Application Services'). Hence, TRAI may not have jurisdiction to regulate all aspects of cloud service.

TRAI Open House Discussions

On April 3, 2017 the TRAI conducted an open house discussion on the issues raised in CP ("OHD"). Industry representatives including some of the biggest technology and software companies globally and in India, including the likes of Microsoft, Amazon, Reliance Communications, Reliance Jio, Vodafone, AT&T, Oracle, etc. participated in the OHD. The participants were of a unanimous view that there was no requirement for regulatory framework for the cloud computing industry; and that excessive regulation and Government interference 'will kill the cloud in India'. Representatives of the industry suggested a 'light tough regulatory approach' consisting of broad guidelines.

MEITY Guidelines for Government Use of Cloud Services

The MEITY issued guidelines5 on March 31, 2017 for the setting up of IT infrastructure by Indian Government departments using cloud computing technology. The new guidelines come with a specific clause stating the service provider has to store data within the country. The guidelines note that since data could be located in one or more discrete sites in foreign countries, the conditions for data location has to be mentioned in the agreement with the service provider. The guidelines also require government departments to carefully consider aspects such as information security, exit management and transitioning. Under the terms of empanelment of cloud service providers ("CSPs"), the CSP also has to maintain a strict 99.5 percent uptime.

TRAI's Recommendations on Cloud Services

The TRAI received considerable response on the issues and questions raised from various stakeholders. On August 16, 2017 TRAI published its recommendations on cloud services ("Recommendations").

The TRAI seems to have taken a considered approach. It has suggested a light touch approach, however, at places it still appears that its intervention may be excessive, as further discussed below.

Legal & Regulatory Framework

  1. A 'light touch' approach may be adopted to regulate cloud services.
  2. The DoT may prescribe a framework for registration of CSP industry bodies, which are not for profit. There is no limitation on the number of CSP that may be registered.
  3. All CSPs above a threshold value (as notified by the Government) should become a registered member of the registered industry body and accept the code of conduct prescribed by such industry body. The threshold may be based on either volume of business, revenue, number of customers etc. or a combination of all these.
  4. Industry bodies may determine a fair membership fee and code of conduct of their functioning.
  5. DoT may keep a watch on the functioning of the industry bodies and investigate the functioning of the body to ensure transparency and fair treatment of its members.
  6. A Cloud Service Advisory Group (CSAG) may be created to function as an oversight body to oversee cloud services in India and suggest action that the Government may need to take from time to time. The CSAG would consist of representatives of State information technology departments, micro, small & medium enterprise associations, consumer advocacy groups, industry experts and representatives from law enforcement authorities.
  7. DoT may issue directions, from time to time, to such industry body as and when needed to perform certain functions and procedures to be followed.
  8. DoT may also withdraw or cancel registration of an industry body, in case it finds the instances of breach or non-compliance of its directions / orders issued or non-adherence to code of practices notified by it.

Proposing a 'light touch' regulatory approach with a strong emphasis on self-regulation through industry bodies is a welcome move by the TRAI. It also good to note that TRAI is in favour of CSP industry bodies to lead the way in terms of prescribing codes of conduct for its members to follow.

Code of Conduct

The TRAI has suggested that all CSP industry bodies create a self-regulatory Code of Conduct to govern their members and which would contain the following provisions:

  1. A constitution which is fair and non-discriminatory, which facilitates the sharing of information with the Government and TRAI when required from time to time and which complies with the orders and guidelines of the Government which may be issued from time to time.
  2. Membership should be open to all CSPs.
  3. Voluntary creation of working groups which would deal with issues relating to standardisation of technical issues, customer grievance redressal, prescribing codes of conduct etc.
  4. Setting out codes of conduct and standards relating to quality of service (QoS) requirements, billing models, data security, dispute resolution frameworks, disclosure framework and model service level agreements.

Although a light touch regulatory approach is suggested, the manner in which TRAI proposes to prescribe requirements pertaining to QoS, billing, SLAs etc. in the garb of self-regulation may still be considered to be excessive.

Data Protection

TRAI has suggested that the Government may consider enacting an overarching and comprehensive data protection law covering all sectors. Such new law should incorporate adequate protection for sensitive personal information, adopt globally accepted data protection principles as re-iterated by the Planning Commission's Report of Group of Experts in Privacy in 2012, as well as provisions relating to cross-border transfer of data.

Issues relating to access and cross-border data transfers are likely to be addressed in the new data privacy legal regime that the MEITY is currently working on introducing towards the latter part of this year. Incidentally, a nine-judge bench of the Supreme Court of India has only a few days ago directed the Government to legislate on a data privacy framework protecting the rights of individuals' vis-à-vis non-State players.6 Many issues illustrated by the judges are likely to be considered by the MEITY when deliberating on the new law, including relating to collection of big data and anonymized data in the data analytics sector.

A nine judge bench of the Supreme Court of India has indeed declare the right to privacy as a fundamental right guaranteed under the Constitution of India, and has also directed the Government to frame legislative framework for data protection wherein the right to privacy can be enforced against non-state parties as well.

Our detailed analysis of this judgment can be found here.

Interoperability and Portability

  1. No regulatory intervention is necessary for interoperability and portability in cloud services at this stage. These aspects may be left to market forces. The industry body set up should be tasked to promote interoperability in the cloud services industry.
  2. The industry body should also mandate a disclosure mechanism that promotes transparency regarding interoperability standards followed by CSPs.
  3. The Telecommunication Standards Development Society, India ("TSDSI") should develop cloud services interoperability standards in India.

It seems to be a positive approach by TRAI to leave issues such as interoperability and portability to market forces and industry practices, while choosing the road of minimal intervention.

Legal Framework for CSPs operating in multiple jurisdictions

To address the issue of access to data hosted by CSPs in different jurisdictions, by law enforcement agencies:

  1. Robust Mutual Legal Assistance Treaties (MLATs) should be drawn up with jurisdictions where CSPs usually host their services, enabling access to data by law enforcement agencies.
  2. Existing MLATs should be amended to include provisions for lawful interception or access to data on the cloud.

Jurisdiction and enforcement issues have been one of the main concerns of industry players wherein CSPs host data on cloud located outside India. The Indian Government should follow suit and draw up / revise MLATs as the case maybe, as a step of boosting confidence of Indian users availing of cloud services in which the data is located on clouds overseas.

Incentives for use of cloud network in government services

  1. The Government should continue its policy to promote cloud services through cloud infrastructure projects, such as GI Cloud Meghraj, NIC cloud computing and the National eGov App Store.
  2. Ministry of Micro, Small & Medium Enterprises should continue to promote adoption of information and communication technologies in this sector, including the subsidies as being done at present.7

This too seems to be a positive recommendation by TRAI. Whilst it seems that TRAI has taken a back seat in terms of regulating the industry, it still appears to be proactive in encouraging innovation by incentivising private players. TRAI has also taken cognizance of the challenges of interoperability and competition among cloud computing service providers. However, suggesting the creation of another interoperability standard by the TSDSI may have been unnecessary in light of several competing international standards already in existence8. It is good that the TRAI has recommended self-regulation of the industry as opposed to a 'licensing' regime which was being considered earlier.

Footnotes

1 http://www.dot.gov.in/cloud-computing. Last accessed: August 25, 2017

2 http://meity.gov.in/writereaddata/files/GI-Cloud%20Adoption%20and%20Implementation%20Roadmap(1).pdf Last accessed: September 11, 2017

3 Nishith Desai Associates had published an article in the Live Mint with its initial views, available here: http://www.livemint.com/Opinion/cXjxkc31g9rzkCJT0lH8yM/Trais-cloudy-cloud-computing-paper.html. Last accessed: August 28, 2017

4 The 'Terms and Conditions – Other Service Provider (OSP) Category" are guidelines which have been issued by the DoT requiring a company providing 'Application Services' over telecom networks to obtain a registration certificate from the department. 'Application Services' have been defined to mean "providing services like tele-banking, tele-medicine, tele-education, tele-trading, e-commerce, call centre, network operation center and other IT Enabled Services, by using Telecom Resources provided by Authorised Telecom Service Providers"

5 http://meity.gov.in/writereaddata/files/Guidelines-Contractual_Terms.pdf and http://meity.gov.in/content/guidelines-government-departments-adoption-procurement-cloud-services. Last accessed: August 25, 2017

6 Retd. Justice Puttaswamy & Anr. v. Union of India & Ors., WP (Civil) No. 494 of 2012, decided on August 24, 2017

7 In 2014, the Ministry of Micro Small and Medium Enterprises issued guidelines for the Promotion of Information and Communication Technology (ICT) in MSME Sector. These guidelines state that cloud computing has been found to be capable of providing the requisite ICT solutions to MSMEs at an affordable cost. To encourage MSMEs to use CC for ICT applications, the scheme proposed the following key steps:

1. To provide subsidy for user charges for a period of 3 years. Initially, cloud computing facilities will be made available to approximately 2300 MSMEs. Each MSME unit will be eligible to a maximum subsidy of Rs 3.0 lakh for 3 years, wherein the cost of usage services will be shared by the Gol and MSME.

2. MSMEs will be sensitized regarding the benefits of ICT including cloud computing application for business promotion at a cost of Rs.5 crore.

3. The cloud computing component of the scheme will be implemented by selected Specialized Institutions [like ECIL (Electronics Corporation of India Ltd. Department of Atomic Energy, Govt. of India), STPI (Software Technology Parks of India, Ministry of C&IT), etc.].

4. The Specialised Institutions are required to empanel various CSPs through service level agreement who will provide cloud services to the MSMEs.

8 https://insights.sei.cmu.edu/sei_blog/2013/03/standards-in-cloud-computing-interoperability.html

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Arvind Ravindranath
Aaron Kamath
Similar Articles
Relevancy Powered by MondaqAI
Singh & Associates
Nishith Desai Associates
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Singh & Associates
Nishith Desai Associates
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions