wordpress blog stats
Connect with us

Hi, what are you looking for?

TRAI’s recco for governing cloud service providers in India is…odd

(by Nikhil Pahwa and Salman SH)

Telecom regulator TRAI has issued recommendations which addressed issues like governance and legal framework for cloud services in India, data protection, moving government data to cloud, among other things. Note that these are recommendations, and will be implemented if accepted by DoT, which may also choose to take a different approach.

1. Light touch regulation, but not quite hands-off.

  • The TRAI has recommended a light touch regulation approach when it comes to cloud service providers: this means that regulations governing the cloud service providers will not be detailed, onerous and prescriptive, but will define broad principles, and take a wait-and-watch approach. Note that in this instance, a “light touch” approach doesn’t mean that the DoT will not be able to exercise significant control on the cloud service provider, but that doesn’t mean that the convoluted structure doesn’t give it control. We’ve explained this below.

2. Cloud providers will have to register with industry bodies:

  • DoT to regulate cloud specific industry bodies: TRAI has suggested that the Department of Telecom create a framework for registration of not-for-profit Cloud Service Provider industry bodies. The industry body, may charge fee from its members, which is fair, reasonable and non-discriminatory. The TRAI has said that they’ll recommend the terms and conditions for the registration, eligibility, entry fee, period of registration, and governance structure etc. of the industry body, once the recommendations are accepted by the government.
  • All cloud providers above a threshold value will have to become a part of at least one industry body, and accept the code of conduct (CoC) prescribed by such body. The threshold may be based on either volume of business, revenue, number of customers, etc. or combination of all these.
  • There’s no limit on the number of cloud industry bodies, to represent the interests of cloud players. Reminds us of…

3. Interoperability standards:

  • No regulations for interoperability and portability as of now, but the industry body should promote it: “These aspects may be left to the market forces for the time being,” the regulator said, though it added that industry bodies should promote interoperability, and create a disclosure mechanism which promotes transparency regarding interoperability standards. Telecommunications Standards Development Society, India (TSDSI) maybe tasked with developing Cloud Services interoperability standards in India.

4. DoT exercising control over cloud providers through industry bodies

  • The TRAI has suggested that the DoT may issue directions to the industry body, to perform certain function and procedures (surveillance?). The DoT will have the powers to withdraw or cancel the registration of such industry bodies, in case of “instances of breach or non-compliance of the directions/ orders issued by it” or “non adherence to code of practices notified by it.” DoT may keep close watch on the functioning of industry body and investigate functioning of the body to ensure transparency and fair treatment to all its members.

5. Cloud Service Advisory Group (CSAG) for maintaining quality and standards

  • The CSAG will function as an “oversight body to periodically review the progress of Cloud services” and suggest changes in regulations, legal frameworks etc. Here TRAI is talking about creating a ‘standards’ regulator which can only suggest changes to the central authority, whose recommendations are not binding on cloud operators. The CSAP will have MSME industry members, consumer advocacy groups (activists), Industry experts, representatives of law enforcement agencies in India and representatives of state IT departments.

6. Data protection law covering all sectors

TRAI added that the central government must “consider enacting, an overarching and comprehensive data protection law covering all sectors” along with adequate regulations for protecting private/sensitive user data, and a uniform policy for cross-border transfer of sensitive/private user data, the regulator said. Note that TRAI already has an ongoing data protection consultation which looks into these issues, but nonetheless, the TRAI recommends that the government adopt “globally accepted data protection principles as reiterated by Planning Commission’s report of Group of Experts on Privacy in 2012… even though the current data protection consultation is looking into the exact same thing.

7. Legal framework for cloud providers working in multiple jurisdictions

  • Mutual Legal Assistance Treaties: To allow lawful access or interception of information on cloud services outside India, the government of India could enter into Mutual Legal Assistance Treaties (MLATs) with foreign countries, the TRAI said. MLATs can be used for obtaining evidence for criminal investigation in India, but at times, data required might be stored in a cloud server outside the country.
  • Existing MLATs to be amended with provision for lawful interception: Existing MLATs between India and other countries “should be amended to include provisions for lawful interception or access to data on the cloud” TRAI said.  India should consider negotiating new MLATs with countries where cloud data is usually hosted, TRAI added.

MediaNama’s take

The structure suggested (below) by the TRAI is, to put it mildly, convoluted, and not quite light touch: Large cloud providers will have to register with industry bodies, which will have to register with DoT, and follow code of conduct of the industry body. DoT will govern the cloud providers through the industry body, whose registration will be canceled if the cloud provider doesn’t follow the directions given to it via the industry body. So the industry body becomes a quasi, private (but non-profit) regulator of cloud services, but the cloud service provider can join any industry body it wants to. Huh?


Advertisement. Scroll to continue reading.
Written By

Founder @ MediaNama. TED Fellow. Asia21 Fellow @ Asia Society. Co-founder SaveTheInternet.in and Internet Freedom Foundation. Advisory board @ CyberBRICS

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



While the market reality of popular crypto-assets like Bitcoin may undergo little change, the same can't be said for stablecoins.


Bringing transactions related to crypto-assets within the tax net could make matters less fuzzy.


Loopholes in FEMA and the decentralised nature of crypto-assets point to a need for effective regulations.


The need of the hour is for lawmakers to understand the systems that are amplifying harmful content.


For drone delivery to become a reality, a permissive regulatory regime is a prerequisite.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ