India: Telecom Regulatory Authority In India Issues Recommendations On Cloud Services

  • 'Light touch regulatory' approach adopted rather than stringent regulation of the industry.
  • Industry bodies comprising cloud service providers to drive market practices, standards and code of conduct.
  • Mutual Legal Assistance Treaties to be drawn up / amended with jurisdictions where cloud service providers host their services, to enable interception / access to data by law enforcement agencies.

Introduction

Cloud computing has been on the Government radar since 2012, when the National Telecom Policy, 2012 made a reference to cloud computing as a means to improve the delivery of services, participative governance, e-commerce at globally competitive prices.1

TRAI Consultation Paper

In December 2012, the Ministry of Communications & Information Technology made a reference to The Telecom Regulatory Authority of India ("TRAI") asking for recommendations in relation to various aspects of cloud based services. The reference was made under Section 11(1) of the Telecom Regulatory Authority of India Act, 1997.

In the meantime Ministry of Electronics and Information Technology ("MEITY").has started implementation strategies of cloud services in Central and State Government organizations through its MeghRaj initiative2 .

Somewhat belatedly after the reference, on June 10, 2016 TRAI issued a Consultation Paper on Cloud Computing ("CP") to identify and analyze industry issues in the cloud computing sector. The CP sought inputs from the public and industry stakeholders on the proliferation of cloud computing services and the requirement (if any) for regulation in the industry. The TRAI also sought inputs on specific issues including issues relating to quality of service requirements, data security in the cloud, data portability, location of data, billing and metering concerns etc.3

One of the writers of this Hotline, had written an op-ed in relation to the CP, which can be found here.

TRAI Jurisdiction

The Department of Telecommunications ("DoT") has the authority to establishing, maintaining and working "telegraphs" and to grant licenses for the same. The TRAI has the power to regulate 'telecommunication services'.

The Telegraph Act 1885 defines 'Telegraph' as any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, radio waves or Hertzian waves, galvanic, electric or magnetic means.

The Telecom Regulatory Authority of India Act 1997 defines 'Telecommunication Service' as services of any description (including electronic mail, voice mail, data service, audio tax service, video tax service, radio paging and cellular mobile telephone services) which is made available to users by means of any transmission or reception of signs, signals, writing images, sounds or intelligence of any nature, by wire, radio visual or other electromagnetic fields but shall not include broadcasting services.

The TRAI may not have the power to regulate cloud computing services and its jurisdiction may be restricted to the telecom infrastructure that is connected to cloud computing service providers. TRAI/DoT may however require CSPs to obtain an 'Other Service Provider' registration and abide by the terms and conditions for the 'OSP Category' as issued by the DoT4.

In our view, a cloud service is really an Over The Top ("OTT") service which utilizes a telecom resource (such as internet) and there is no reason to treat cloud services any different from other OTT services such as e-commerce platforms, video on demand platforms and messaging apps. OTT services are not regulated as telecom services, nor are these services compulsorily required to get an OSP registration (unless they fall within the definition of 'Application Services'). Hence, TRAI may not have jurisdiction to regulate all aspects of cloud service.

TRAI Open House Discussions

On April 3, 2017 the TRAI conducted an open house discussion on the issues raised in CP ("OHD"). Industry representatives including some of the biggest technology and software companies globally and in India, including the likes of Microsoft, Amazon, Reliance Communications, Reliance Jio, Vodafone, AT&T, Oracle, etc. participated in the OHD. The participants were of a unanimous view that there was no requirement for regulatory framework for the cloud computing industry; and that excessive regulation and Government interference 'will kill the cloud in India'. Representatives of the industry suggested a 'light tough regulatory approach' consisting of broad guidelines.

MEITY Guidelines for Government Use of Cloud Services

The MEITY issued guidelines5 on March 31, 2017 for the setting up of IT infrastructure by Indian Government departments using cloud computing technology. The new guidelines come with a specific clause stating the service provider has to store data within the country. The guidelines note that since data could be located in one or more discrete sites in foreign countries, the conditions for data location has to be mentioned in the agreement with the service provider. The guidelines also require government departments to carefully consider aspects such as information security, exit management and transitioning. Under the terms of empanelment of cloud service providers ("CSPs"), the CSP also has to maintain a strict 99.5 percent uptime.

TRAI's Recommendations on Cloud Services

The TRAI received considerable response on the issues and questions raised from various stakeholders. On August 16, 2017 TRAI published its recommendations on cloud services ("Recommendations").

The TRAI seems to have taken a considered approach. It has suggested a light touch approach, however, at places it still appears that its intervention may be excessive, as further discussed below.

Legal & Regulatory Framework

  1. A 'light touch' approach may be adopted to regulate cloud services.
  2. The DoT may prescribe a framework for registration of CSP industry bodies, which are not for profit. There is no limitation on the number of CSP that may be registered.
  3. All CSPs above a threshold value (as notified by the Government) should become a registered member of the registered industry body and accept the code of conduct prescribed by such industry body. The threshold may be based on either volume of business, revenue, number of customers etc. or a combination of all these.
  4. Industry bodies may determine a fair membership fee and code of conduct of their functioning.
  5. DoT may keep a watch on the functioning of the industry bodies and investigate the functioning of the body to ensure transparency and fair treatment of its members.
  6. A Cloud Service Advisory Group (CSAG) may be created to function as an oversight body to oversee cloud services in India and suggest action that the Government may need to take from time to time. The CSAG would consist of representatives of State information technology departments, micro, small & medium enterprise associations, consumer advocacy groups, industry experts and representatives from law enforcement authorities.
  7. DoT may issue directions, from time to time, to such industry body as and when needed to perform certain functions and procedures to be followed.
  8. DoT may also withdraw or cancel registration of an industry body, in case it finds the instances of breach or non-compliance of its directions / orders issued or non-adherence to code of practices notified by it.

Proposing a 'light touch' regulatory approach with a strong emphasis on self-regulation through industry bodies is a welcome move by the TRAI. It also good to note that TRAI is in favour of CSP industry bodies to lead the way in terms of prescribing codes of conduct for its members to follow.

Code of Conduct

The TRAI has suggested that all CSP industry bodies create a self-regulatory Code of Conduct to govern their members and which would contain the following provisions:

  1. A constitution which is fair and non-discriminatory, which facilitates the sharing of information with the Government and TRAI when required from time to time and which complies with the orders and guidelines of the Government which may be issued from time to time.
  2. Membership should be open to all CSPs.
  3. Voluntary creation of working groups which would deal with issues relating to standardisation of technical issues, customer grievance redressal, prescribing codes of conduct etc.
  4. Setting out codes of conduct and standards relating to quality of service (QoS) requirements, billing models, data security, dispute resolution frameworks, disclosure framework and model service level agreements.

Although a light touch regulatory approach is suggested, the manner in which TRAI proposes to prescribe requirements pertaining to QoS, billing, SLAs etc. in the garb of self-regulation may still be considered to be excessive.

Data Protection

TRAI has suggested that the Government may consider enacting an overarching and comprehensive data protection law covering all sectors. Such new law should incorporate adequate protection for sensitive personal information, adopt globally accepted data protection principles as re-iterated by the Planning Commission's Report of Group of Experts in Privacy in 2012, as well as provisions relating to cross-border transfer of data.

Issues relating to access and cross-border data transfers are likely to be addressed in the new data privacy legal regime that the MEITY is currently working on introducing towards the latter part of this year. Incidentally, a nine-judge bench of the Supreme Court of India has only a few days ago directed the Government to legislate on a data privacy framework protecting the rights of individuals' vis-ŕ-vis non-State players.6 Many issues illustrated by the judges are likely to be considered by the MEITY when deliberating on the new law, including relating to collection of big data and anonymized data in the data analytics sector.

A nine judge bench of the Supreme Court of India has indeed declare the right to privacy as a fundamental right guaranteed under the Constitution of India, and has also directed the Government to frame legislative framework for data protection wherein the right to privacy can be enforced against non-state parties as well.

Our detailed analysis of this judgment can be found here.

Interoperability and Portability

  1. No regulatory intervention is necessary for interoperability and portability in cloud services at this stage. These aspects may be left to market forces. The industry body set up should be tasked to promote interoperability in the cloud services industry.
  2. The industry body should also mandate a disclosure mechanism that promotes transparency regarding interoperability standards followed by CSPs.
  3. The Telecommunication Standards Development Society, India ("TSDSI") should develop cloud services interoperability standards in India.

It seems to be a positive approach by TRAI to leave issues such as interoperability and portability to market forces and industry practices, while choosing the road of minimal intervention.

Legal Framework for CSPs operating in multiple jurisdictions

To address the issue of access to data hosted by CSPs in different jurisdictions, by law enforcement agencies:

  1. Robust Mutual Legal Assistance Treaties (MLATs) should be drawn up with jurisdictions where CSPs usually host their services, enabling access to data by law enforcement agencies.
  2. Existing MLATs should be amended to include provisions for lawful interception or access to data on the cloud.

Jurisdiction and enforcement issues have been one of the main concerns of industry players wherein CSPs host data on cloud located outside India. The Indian Government should follow suit and draw up / revise MLATs as the case maybe, as a step of boosting confidence of Indian users availing of cloud services in which the data is located on clouds overseas.

Incentives for use of cloud network in government services

  1. The Government should continue its policy to promote cloud services through cloud infrastructure projects, such as GI Cloud Meghraj, NIC cloud computing and the National eGov App Store.
  2. Ministry of Micro, Small & Medium Enterprises should continue to promote adoption of information and communication technologies in this sector, including the subsidies as being done at present.7

This too seems to be a positive recommendation by TRAI. Whilst it seems that TRAI has taken a back seat in terms of regulating the industry, it still appears to be proactive in encouraging innovation by incentivising private players. TRAI has also taken cognizance of the challenges of interoperability and competition among cloud computing service providers. However, suggesting the creation of another interoperability standard by the TSDSI may have been unnecessary in light of several competing international standards already in existence8. It is good that the TRAI has recommended self-regulation of the industry as opposed to a 'licensing' regime which was being considered earlier.

Footnotes

1 http://www.dot.gov.in/cloud-computing. Last accessed: August 25, 2017

2 http://meity.gov.in/writereaddata/files/GI-Cloud%20Adoption%20and%20Implementation%20Roadmap(1).pdf Last accessed: September 11, 2017

3 Nishith Desai Associates had published an article in the Live Mint with its initial views, available here: http://www.livemint.com/Opinion/cXjxkc31g9rzkCJT0lH8yM/Trais-cloudy-cloud-computing-paper.html. Last accessed: August 28, 2017

4 The 'Terms and Conditions – Other Service Provider (OSP) Category" are guidelines which have been issued by the DoT requiring a company providing 'Application Services' over telecom networks to obtain a registration certificate from the department. 'Application Services' have been defined to mean "providing services like tele-banking, tele-medicine, tele-education, tele-trading, e-commerce, call centre, network operation center and other IT Enabled Services, by using Telecom Resources provided by Authorised Telecom Service Providers"

5 http://meity.gov.in/writereaddata/files/Guidelines-Contractual_Terms.pdf and http://meity.gov.in/content/guidelines-government-departments-adoption-procurement-cloud-services. Last accessed: August 25, 2017

6 Retd. Justice Puttaswamy & Anr. v. Union of India & Ors., WP (Civil) No. 494 of 2012, decided on August 24, 2017

7 In 2014, the Ministry of Micro Small and Medium Enterprises issued guidelines for the Promotion of Information and Communication Technology (ICT) in MSME Sector. These guidelines state that cloud computing has been found to be capable of providing the requisite ICT solutions to MSMEs at an affordable cost. To encourage MSMEs to use CC for ICT applications, the scheme proposed the following key steps:

1. To provide subsidy for user charges for a period of 3 years. Initially, cloud computing facilities will be made available to approximately 2300 MSMEs. Each MSME unit will be eligible to a maximum subsidy of Rs 3.0 lakh for 3 years, wherein the cost of usage services will be shared by the Gol and MSME.

2. MSMEs will be sensitized regarding the benefits of ICT including cloud computing application for business promotion at a cost of Rs.5 crore.

3. The cloud computing component of the scheme will be implemented by selected Specialized Institutions [like ECIL (Electronics Corporation of India Ltd. Department of Atomic Energy, Govt. of India), STPI (Software Technology Parks of India, Ministry of C&IT), etc.].

4. The Specialised Institutions are required to empanel various CSPs through service level agreement who will provide cloud services to the MSMEs.

8 https://insights.sei.cmu.edu/sei_blog/2013/03/standards-in-cloud-computing-interoperability.html

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Aaron Kamath
 
In association with
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Emails

From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

*** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.