(by Nikhil Pahwa and Salman SH)
Telecom regulator TRAI has issued recommendations addressing issues such as the governance and legal framework for cloud services in India, data protection, and moving government data to the cloud, among other things. Note that these are recommendations, and will be implemented only if accepted by the DoT, which may also choose to take a different approach.
1. Light touch regulation, but not quite hands-off.
- The TRAI has recommended a light touch regulation approach when it comes to cloud service providers: this means that regulations governing the cloud service providers will not be detailed, onerous and prescriptive, but will define broad principles, and take a wait-and-watch approach. Note that in this instance, a “light touch” approach doesn’t mean that the DoT will be unable to exercise significant control over cloud service providers: the convoluted structure still gives it control. We’ve explained this below.
2. Cloud providers will have to register with industry bodies:
- DoT to regulate cloud-specific industry bodies: TRAI has suggested that the Department of Telecom create a framework for registration of not-for-profit Cloud Service Provider industry bodies. The industry body may charge its members a fee that is fair, reasonable and non-discriminatory. The TRAI has said that it will recommend the terms and conditions for the registration, eligibility, entry fee, period of registration, governance structure etc. of the industry body once the recommendations are accepted by the government.
- All cloud providers above a threshold value will have to become a part of at least one industry body, and accept the code of conduct (CoC) prescribed by such body. The threshold may be based on volume of business, revenue, number of customers, etc., or a combination of these.
- There’s no limit on the number of cloud industry bodies, to represent the interests of cloud players. Reminds us of…
3. Interoperability standards:
- No regulations for interoperability and portability as of now, but the industry body should promote it: “These aspects may be left to the market forces for the time being,” the regulator said, though it added that industry bodies should promote interoperability, and create a disclosure mechanism which promotes transparency regarding interoperability standards. The Telecommunications Standards Development Society, India (TSDSI) may be tasked with developing Cloud Services interoperability standards in India.
4. DoT exercising control over cloud providers through industry bodies
- The TRAI has suggested that the DoT may issue directions to the industry body to perform certain functions and procedures (surveillance?). The DoT will have the powers to withdraw or cancel the registration of such industry bodies, in case of “instances of breach or non-compliance of the directions/ orders issued by it” or “non adherence to code of practices notified by it.” The DoT may keep a close watch on the functioning of the industry body and investigate it to ensure transparency and fair treatment of all its members.
5. Cloud Service Advisory Group (CSAG) for maintaining quality and standards
- The CSAG will function as an “oversight body to periodically review the progress of Cloud services” and suggest changes in regulations, legal frameworks etc. Here TRAI is talking about creating a ‘standards’ regulator which can only suggest changes to the central authority, and whose recommendations are not binding on cloud operators. The CSAG will have MSME industry members, consumer advocacy groups (activists), industry experts, representatives of law enforcement agencies in India and representatives of state IT departments.
6. Data protection law covering all sectors
- TRAI added that the central government must “consider enacting, an overarching and comprehensive data protection law covering all sectors” along with adequate regulations for protecting private/sensitive user data, and a uniform policy for cross-border transfer of sensitive/private user data. Note that TRAI already has an ongoing data protection consultation which looks into these issues; nonetheless, the TRAI recommends that the government adopt “globally accepted data protection principles as reiterated by Planning Commission’s report of Group of Experts on Privacy in 2012…” even though the current data protection consultation is looking into the exact same thing.
7. Legal framework for cloud providers working in multiple jurisdictions
- Mutual Legal Assistance Treaties: To allow lawful access or interception of information on cloud services outside India, the government of India could enter into Mutual Legal Assistance Treaties (MLATs) with foreign countries, the TRAI said. MLATs can be used for obtaining evidence for criminal investigation in India, but at times, data required might be stored in a cloud server outside the country.
- Existing MLATs to be amended with provision for lawful interception: Existing MLATs between India and other countries “should be amended to include provisions for lawful interception or access to data on the cloud” TRAI said. India should consider negotiating new MLATs with countries where cloud data is usually hosted, TRAI added.
The structure suggested (below) by the TRAI is, to put it mildly, convoluted, and not quite light touch: Large cloud providers will have to register with industry bodies and follow the code of conduct of the industry body, and the industry bodies will in turn have to register with the DoT. The DoT will govern the cloud providers through the industry body, whose registration will be canceled if the cloud provider doesn’t follow the directions given to it via the industry body. So the industry body becomes a quasi, private (but non-profit) regulator of cloud services, but the cloud service provider can join any industry body it wants to. Huh?