Niti Aayog CEO Amitabh Kant has said that the “Decision to set up data centers in the country (India) cannot be mandatory and it will be not be conducive for the eco-system.” Kant said, while releasing the IAMAI’s Make In India report on incentivizing data center infrastructure in India, that he will “initiate a dialogue with departments like IT, Telecom and Energy to create the best possible infrastructure for data centers.”
For long, it has been a demand from the Indian government that companies should compulsorily host their data in India, especially from a security perspective. This was a demand put forth by Vinit Goenka, the national co-convener of the BJPs IT Cell, a couple of years ago, a month before the BJP came to power. The points he had made then were largely around national security concerns: that the police cannot track people, that ecommerce companies often store data of Indian users outside the country, and location information “gathered by companies like Google” is stored outside India. In June 2013, several Indian ISPs had reportedly asked the Indian Government to insist foreign Internet companies like Facebook and Google setup local servers in India. Microsoft is among the few that have.
Apart from security, another issue is that of jurisdiction: can the Indian courts, or the Indian government order sharing of user data when legitimately required, if datacenters are outside India’s territorial boundaries?
The position taken by Kant and the IAMAI is pragmatic and welcome: India needs to incentivize hosting of websites in the country. The added advantage of this is, apart from encouraging Indian data center businesses, is that it will help reduce bandwidth costs for ISPs, and keep India to India data within India, instead of having to route it halfway across the world and back. What is still needed, though, is allowing datacenters to interconnect with India’s Internet Exchange NIXI, wherein, only ISPs can connect directly.
The data centre IT infrastructure investments, including total spending on servers, storage, networking, security and virtualization stood at $2.2 billion (2015) and is expected to reach $2.29 billion by the year 20188 . Within the Indian IT infrastructure market, server growth reached $658 million in 2015 a marginal increase over 2014 levels. Enterprise networking and Storage are the biggest segments with revenue reaching $944 million and $426 Million in 2015, a 5.5% and 10% growth over 2014 respectively. Data center consolidation and virtualization, cloud and mobility, are the key trends influencing network purchases.
Some notes from the IAMAI report:
– Data location will harm Indian companies: Indian companies rely on International data centers: Zoho operates data centers in California and New Jersey. Myntra, Redbus and others host their servers with cloud based service providers like Amazon AWS. Flipkart initially relied on data centers in Canada for its initial operations. “Fortis Healthcare has migrated from its own corporate data centre to the cloud service provided by Windows Azure, leading to significant cost savings, and it intends to use the cloud for remote healthcare monitoring and remote healthcare delivery (Telemedicine)”. Thus, restricting data flow via data localization requirements would harm the next generation of start-ups from incubating in India, and will have an adverse impact on the investment climate.
– Indian data traffic: “Digital data in India was around 40,000 petabytes in 2010 and this number is projected to shoot up to 2.3 million petabytes by 2020, twice as fast as the worldwide rate.”
– Indian data center capacity: “India had a data centre capacity of 1.3 million square feet in 2007 and is expected to go up to 6.6 million sq ft by the end of 2016 at a CAGR of 19.8% (excluding the data centres in less than 1000 sft area). Data centre space constructed between 2008 and 2010 was 1.7 million square feet, more than in last 15 years. The primary drivers of the data centre industry in India would be the availability of abundant real estate and competitive policies, along with ICT-capable human resources, and market factors such as the continuing growth in India’s mobile market and internet penetration.
– Need tax incentives for data centers to incentivise local hosting: “Where to locate the assets and the people associated with delivering global data content and services is a defining tax consideration — in terms of both direct corporate tax rates and indirect sales taxes. Friendly tax jurisdictions play a big factor in choosing a place for establishing a data centre and complex tax jurisdictions do just the opposite.”
Licensing terms for data centers:
- Data centers currently need an ‘Other Service Provider’ (OSP) license from the government.
- OSPs need to mandatorily register for every data centre at every location, even if the data centre is a part of the same single network or offering.
- OSPs are required to provide the call data records of all the specified calls handled by the system at specified periodicity, as and when required by the security agencies.
- The term ‘security agencies’ has not been defined, leaving it open to interpretation, which is an impediment for a data centre operator.
- “DOT and the local TERM Cell granting the registration, reserve the right to modify at any time the terms and conditions of the registration, if, in its opinion, it is necessary or expedient to do so in public interest or in the interest of the security of the State or for the proper conduct of the telegraphs. Precedents with respect to enforcement of these broad conditions (such as in the Blackberry matter) have resulted in a loss of confidence for industry.
- Data centres also need access to broadband through ISPs in order to link-up data centres inter-se or to the outside world. Currently, there appears to be a lack of clarity on data centres being able to receive broadband connectivity without an ISP license or some other telecom license apart from the OSP registration.
- Need clarity on VoIP: On one hand the regulation says “OSP may have Internet connectivity from the Authorized Internet Service Provider” and on the other “The company shall take internet connection from the authorized service provider only and it will use internet telephony only to the extent it is permitted by the ISP or authorized service provider” as detailed in clause 1.14 of the licence agreement of “Internet with telephony”. Hence, there needs to be clarity around the voice and VOIP usage and licensing regime as telecos are licensed who pay for revenues earned on usage of spectrum, not separately for voice, Internet and VAS.
- Need to not be treated as telecom entities: While specific categorization such as those for the OSP appears to be the ideal aproach for data centres, greater clarity needs to be provided and rigorous telecom-centric conditions need to be relaxed on the registration requirements for Application Services Providers
– NIXI policies need to change: The quantum of traffic exchange is presently only 17 Gbps through NIXI. The IAMAI pushes for allowing NIXI to connect all operational ISPs, data centres and content providers, and not just ISPs. This, it says, will save foreign exchange by reducing usage of international bandwidth, improve quality of services for users of data sits on local exchange, and reduce latency.
– Law Enforcement, Privacy Demand and Data protection:
– “Indian law enforcement access provisions, at present, suffer from no or limited Parliamentary oversight and procedural safeguards to protect the privacy rights of the person in question and data acquired through such interceptions.
– The Privacy Bill– yet to be passed by Parliament, has several broadly worded exceptions that are susceptible to misuse or misinterpretation by the country’s diverse law enforcement agencies.
– There is an impending need to provide for judicial oversight on law enforcement access. There is a need to reform the legal framework for law enforcement access that will in turn leave room for innovation, privacy, and long-term investment in the data centre industry in India.
– There is uncertainty because while India does not have any specific restrictions on the transfer of data offshore or strong data privacy laws, the national security laws, regulations and guidelines specific to financial institutions and telecommunications, operate to prevent the disclosure or transfer of particular types of data.
– The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 cover a subset of personal data (referred to as sensitive personal data, but, unhelpfully, the meaning of this term differs from that used in the Data Projection Directive) and lay down security practices and procedures that must be followed by organizations dealing with them. The 2011 Rules are broad in scope but ambiguously drafted and their impact on the outsourcing sector is as yet unclear.
– India, at present, lacks a uniform and credible encryption policy.
Download the entire report here:
IAMAI Data Center report