Cloud Computing in India: The current Legal regime and the main Issues and Challenges

Vanya Rakesh opines on the legal challenges that arise in the cloud computing framework in India, the legal regime and how the problem needs to be tackled by bringing in comprehensive changes in the legal environment.
 
Introduction:

Cloud Computing is said to be a new paradigm in the evolution of Information Technology in India. It enables people and organizations to connect to information, data and various resources anywhere in the world, at any time. Over a period of time, the adoption of cloud has been on the rise since it provides a great platform to scale the reach of education, healthcare, financial services, entrepreneurship, governance and several other areas due to its cost-effective benefits, mobility and infinite storage capacity, to name a few.

Having said that, one needs to pay attention to the several issues and challenges (regulatory and security concerns) that cloud over the cloud computing environment in the country, since the main challenge is to formulate the right policies enabling cloud computing in India, and to amend the present regulations along with creating a regulatory framework to deal with the problems posed by this new technological revolution. It is believed that, in spite of its numerous advantages such as efficiency, flexibility, easy set-up and overall reduction in IT cost, cloud computing can raise serious privacy and confidentiality risks as well.

1. Kasturika Sen, India: Privacy Issues In Cloud Computing With Reference To India, MONDAQ, available at: http://www.mondaq.com/india/x/279070/Data+Protection+Privacy/Privacy+Issues+In+Cloud+Computing+With+Reference+To+India (last updated Dec. 4, 2013).
2. The Indian Cloud Revolution, CONFEDERATION OF INDIAN INDUSTRY, available at: http://www.cii.in/cloudreport

The sole piece of legislation which contains provisions (as it can be so interpreted) to deal with the problems of cloud computing is the Information Technology Act, 2000, which was enacted to regulate this environment with regard to data security concerns and privacy of information. Also, the IT Rules, as consequently amended, state that a close examination of various models/transactions containing sensitive information is needed to determine the various compliances under these Rules, as any breach shall be subject to penalties and/or damages as prescribed under the ITA.

Issues and Challenges:

  1. Jurisdictional issues

    The global influence of Cloud computing and the lure to conduct global operations through computers has led to a number of legislative issues, arising primarily over governance and/or jurisdiction.

    The question of jurisdiction becomes problematic because the location of data in cloud services is usually not certain, and the data-owners usually remain unaware of where the data is actually stored. Even the presence and involvement of multiple parties in various parts of the world who have only a virtual nexus with each other contributes to the contradictions that plague judicial decisions in this regard.

    3. Dr. Mohammed A. T. Al Sudiari & Dr. TGK Vasista, Cloud Computing and Privacy Regulations: An exploratory study on issues and implications, 3(2) ADVANCED COMPUTING: AN INTERNATIONAL JOURNAL (March 2012), available at: http://airccse.org/journal/acij/papers/0312acij16.pdf
    4. Supra note 3
    5. Giverny Dannatt, How Cloud Computing Complicates the Jurisdiction of State Law, E-INTERNATIONAL RELATIONS STUDENTS, available at: http://www.e-ir.info/2012/09/14/how-cloud-computing-complicates-the-jurisdiction-of-state-law/ (last updated Sept. 14, 2012).
    6. Supra note 3

    For example, suppose the owner is based in India and the cloud service provider is based in the US. The vendor would prefer the jurisdiction of an American court. But can the owner afford to contest the matter in an American court? Also, free personal email services, such as Yahoo! Mail or Gmail, are accessed at absolutely no cost from a third-party server that may be hosted anywhere in the world, without us having any knowledge of where those servers are located.

    Hence, one can say that cloud computing adds a layer of risk, especially where sensitive data resides: information is widely distributed across different jurisdictions with different legal frameworks regarding data security and privacy, making it more difficult to govern and regulate. Analysts have offered a solution that cyberspace must have its own set of jurisdictional rules, thus extinguishing geographical borders. In India, the Civil Procedure Code 1908 bases territorial jurisdiction on two principles: first, the place of residence of the defendant and, second, the place where the cause of action arises. However, no clear guidelines have been provided as to how this would be determined, especially in cases involving cyber-crimes that take place over the internet.

    The Information Technology Act 2000 is an illustrative example of the confusion in the area of jurisdiction in the context of the internet and cloud computing. Section 75 (2) states that this Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence involves a computer, computer system or computer network located in India. However, this provision does not seem to offer a comprehensive solution. This is because even if Indian Courts are to claim jurisdiction and pass judgments on the basis of this provision, it is unlikely that foreign courts will enforce these decisions. This will render the Act ineffective.

    7. HEMANT GOEL, LAW & EMERGING TECHNOLOGY CYBER LAW 31 (2007).
    8. Invading privacy: Cyber-crimes on the rise, PWC, available at: http://www.pwc.in/en_IN/in/assets/pdfs/publications/2013/invading-privacy-cyber-crimes-on-the-rise.pdf
    9. Infra note 13.
    10. This Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.

    As a remedial measure, the Government may exert pressure in the form of licensing or operational restrictions on intermediate service providers. Complying with new rules under the amended Information Technology Act, 2000 requires providers of sensitive information to verify the information, which can become onerous given that data may be held in fragmented corners of the cloud. Hence, it can be said that in the absence of any clear statutory clarifications, courts are bound to follow several precedents involving similar issues. For this, the laws need to be reviewed and new policies should be introduced to deal effectively and efficiently with matters involving confusion with respect to the basic and highly important issue of jurisdiction.
  2. Privacy And Security

    Data privacy, security and confidentiality seem to be the topmost concerns when it comes to adoption of cloud computing. Thanks to technological advancement, economic development and socio-cultural transformation, India’s data privacy and security environment is evolving at a phenomenal pace, due to which there is a need for a legal framework which is capable of protecting the privacy of individuals' data and does not leave it prone to any form of cybercrime. The advocates of data privacy have criticized the model of cloud computing since it gives the host company much easier control to monitor information at will. Here, data breach becomes a big concern as a compromised server can cause significant harm and a variety of crucial personal information can be easily stolen, like credit card and social security numbers, addresses, and personal messages.

    11. Atin Kumar Das, A Problem of Jurisdiction under the Cyber Laws: A Bird’s Eye, LAWYERS CLUB INDIA, available at: http://www.lawyersclubindia.com/articles/print_this_page.asp?article_id=3064
    12. Sudha Nagaraj Bharadwaj, India's Cloud Policy Needs New Jurisdiction & Security Regulations, ENTERPRISE EFFICIENCY, available at: http://www.enterpriseefficiency.com/author.asp?section_id=2405&doc_id=264659
    13. Reasonable Security Practices - IT (Amendment) Act, 2008, A Study Report by Data Security Council of India, DSCI (2010), available at: http://www.dsci.in/sites/default/files/Reasonable%20Security%20Practices%20Under%20IT%20(Amendment)%20Act,%202008.pdf
    14. Reasonable Security Practices - IT (Amendment) Act, 2008, A Study Report by Data Security Council of India, DSCI (2010), available at: http://www.dsci.in/sites/default/files/Reasonable%20Security%20Practices%20Under%20IT%20(Amendment)%20Act,%202008.pdf

    Usage of services like Google Docs and Gmail on a massive scale has pressed these concerns. Protecting one’s privacy means protection of right to control how personal information is collected and promulgated. The Information Technology Act, 2000 does not deal with the issue of privacy directly but a few provisions have bearing on the right to privacy. It deals with unauthorized access, breach of privacy and confidentiality and hacking. For example, section 72 of the Act directly deals with ‘confidentiality’ and ‘privacy’ of individuals.

    However, this provision seems to be insufficient in addressing the larger issues of violation of privacy due to its narrow scope and application. The varied advantages of cloud computing seem to attract cyber criminals as well, making way for a horde of cybercrimes like hacking, spamming, etc. For example, the concentration of a large amount of data in one place by cloud services tends to become a vulnerable target for such criminal acts. Hackers worldwide attempt to gain unauthorized access to the system of an individual and get control over it (including the data). Spamming is another area of concern where cyber privacy is at stake and has become a major problem.

    However, the IT Act has made hacking a punishable offence since it results in violation of an individual's privacy. The emphasis for committing hacking under sections 66 and 70 of the Act is on the effect on the information residing in the computer and any subsequent wrongful loss due to it.

    15. Penalty for breach of confidentiality and privacy: Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
    16. S.K. VERMA & RAMAN MITTAL, LEGAL DIMENSIONS OF CYBERSPACE (2004).
    17. Goel, supra note 7, at 16.
    18. Hacking with computer system: (1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.
    (2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

    However, this piece of legislation does not seem to suffice in controlling such crimes, since cyber-crimes are happening at the drop of a hat and are rapidly on the rise. The amendments made have resulted in a loss of deterrent effect, as offences which were punishable with 5 years in the original Act have been reduced to 3 years by way of amendment. Also, except for major crimes like cyber terrorism, breach of protected systems and child pornography, all other offences have been made bailable offences, adversely affecting the credibility of the Act.

    To deal with these issues, India has enacted the IT (Amendment) Act, 2008, which has played a significant role in strengthening the data protection regime in India. Since India has no specific regulation pertaining to protection of data privacy of an individual, section 43A is considered to be a right step taken to protect the privacy rights of individuals in the digital economy. However, the Government is expected to issue rules to define ‘sensitive personal information’, since considering the evolution of India's data privacy and security ecosystem has become of utmost importance.

    19. Protected system: (1) The appropriate Government may, by notification in the Official Gazette, declare that any computer, computer system or computer network to be a protected system.
    (2) The appropriate Government may, by order in writing, authorise the persons who are authorised to access protected systems notified under sub-section (1).
    (3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
    20. Supra note 16, at 220.
    21. Pavan Duggal, "Cyber crimes are happening at the drop of a hat", THE HINDU, Oct. 28, 2012, available at: http://www.thehindu.com/todays-paper/tp-national/tp-newdelhi/cyber-crimes-are-happening-at-the-drop-of-a-hat/article4039910.ece
    22. Section 43A of ITAA 2008 mandates ‘body corporates’ to implement ‘reasonable security practices’ for protecting the ‘sensitive personal information’ of any individual, failing which they are liable to pay damages to the aggrieved person.

    The Indian Ministry of Communications and Technology even published rules in the year 2011 to implement and give effect to certain provisions of the Information Technology (Amendment) Act 2008 (IT Amendment Act 2008) dealing with protection of sensitive personal data or information (Sensitive Data), and security practices and procedures that need to be followed by organizations dealing with Sensitive Data (Data Privacy Rules). But enforcement of these rules and policies does not seem to be easy due to the fragmented nature of data storage, since the data is spread out across vast locations and needs to be reassembled for use. This calls for cooperation of the cloud provider in the reassembly and delivery of the usable data. This is just one aspect of the compliance issues. Along with this, challenges pertaining to ownership of data, security of data during transmission, and retention and privacy also pose risks to cloud computing.

    The Government has even initiated setting up of a working group in the Department of Electronics and Information Technology to look into the various matters. Also, the National Telecom Policy 2012 is another step in this direction that aims to "take new policy initiatives to ensure rapid expansion of new services and technologies by addressing the concerns of Cloud users and other stakeholders including specific steps that need to be taken for mitigating several risks posed by it." Here, the need of the hour becomes speeding up the policy making process in India and giving effect to those policies.
  3. Indemnity

    Most of the time, the customer becomes even more vulnerable since the service providers in the cloud, as well as the intermediaries, disown responsibility for any interruptions in the service and do not own up to any damage which may be caused to the data of the customer. Here, the person concerned is literally stranded and cannot look to the cloud for indemnification. This calls for serious steps to be undertaken to mitigate such risks and instil confidence in the users of cloud computing. To counter this problem, it is suggested that the parties involved must enter into agreements which would seek to legitimize the transfers and storage of the data. This would give both parties an opportunity to incorporate different clauses for their protection and help them understand the implications of breach by either party.

    23. Supra note 21.
    24. Notification no GSR 313(E), 11 April 2011, Gazette of India, Extraordinary, pt II, s 3(i).
    25. Supra note 18.
    26. Supra note 2.
    27. Supra note 18.
  4. IPR Issues:

    It is said that intellectual property issues in the cloud continue to be one of the "cloudiest" legal areas for customers and suppliers alike because IPR laws vary from country to country. This makes the application of IPR laws difficult: the question of jurisdiction creates confusion in the cloud computing environment, and there are plenty of different ways in which copyright-infringing content can be uploaded onto the cloud, given the vast number of services provided in the cloud. To deal with this problem, it needs to be ensured that every party involved is well aware of the regulations and the rights of the country in which the data/work is stored, and of how potential infringements can be efficiently avoided.
Conclusion:

Hence it can be concluded that, though implementation of the Information Technology Rules, 2011 and several amendments to the Information Technology Act 2000 is a welcome move, there is a need to improve deterrence and introduce constant amendments to keep pace with the rapidly transforming technological scenario of the country. The quantum of punishment needs to be increased and more forms of cyber-crimes must be covered. Organizations need to develop a response mechanism that enables them to understand and embrace the risks and opportunities of the cyber world.

28. Supra note 4.
29. Intellectual property in the cloud, ALLEN & OVERY (2013), available at: http://www.allenovery.com/SiteCollectionDocuments/Intellectual_property_in_the_cloud_May_2013.PDF
30. Rick Blaisdell, Legal Issues around Cloud Computing, RICKSCLOUD, available at: http://www.rickscloud.com/legal-issues-around-cloud-computing/

Investments by stakeholders must be encouraged to mitigate the threats of cloud computing, to ensure that the system encrypts to protect data, establishes a trusted foundation to secure the platform and infrastructure, and builds higher assurance into auditing to strengthen compliance. Also, a company that uses cloud services must ensure that it retains ownership of its data in its authentic and original format, being a custodian of the personal data of its employees and clients and of the intellectual property assets of the company. Along with this, the parties to a cloud service agreement should ensure that the agreement anticipates problems relating to recovery of the client’s data after their contractual relationship terminates. Adoption of such a holistic approach shall ensure a healthy cloud computing environment in the country and shall give a boost to this new form of technology to facilitate business operations across the country and reduce all forms of cyber-crimes effectively.

31. K. Valli Madhavi, R. Tamilkodi and K. Jaya Sudha, Cloud Computing: Security Threats and Counter Measures, 1(4) INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER AND COMMUNICATION TECHNOLOGY (2012).
32. Ritambhara Aggarwal, Legal issues in cloud computing, ENCRIBD, available at: http://encribd.net/read-file/legal-issues-in-cloud-computing-ritambhara-agrawal-intelligere-pdf-460313/
 
VANYA RAKESH is pursuing a B.A. LL.B (Hons.) from the Institute of Law, Nirma University at Ahmedabad, India. She may be reached at vanyarakesh14@gmail.com.
 
© 2007 India Law Journal