“For any cloud service provider, data flows and predictability of a regulation, in terms of transferring, storing, and retaining data, along with the redundancy that they need to build in for the resilience, are important. But, there are a lot of ambiguous provisions in the Personal Data Protection Bill, 2019, which would worry any cloud service provider,” said Rama Vedashree, CEO of the Data Security Council of India. She also said that the Bill, in its current form, has several ambiguities in terms of definitions, and lacks a certain amount of predictability. She was also critical of the data localisation mandate in the Bill, calling it a “big problem” for cloud service providers.
Vedashree was speaking at MediaNama’s discussion on the impact of the PDP Bill on cloud and telecom services, held on June 26. This discussion was supported by Microsoft and Google. Comments have been edited for brevity and clarity.
Problems with classification of data, data localisation, the inclusion of non-personal data in the Bill
Vague definitions and classification: “The biggest challenge in the Bill is the way the entire data taxonomy and classification is defined and the ambiguity thereon,” Vedashree said. “New classifications can be made not just by the data protection authority, but by the government itself, and anything can be declared as critical personal data,” she added. This can be a big challenge when a service provider has to migrate a workload to the cloud, according to her. “Six months down the line, one year down the line, if what classifies as sensitive personal data and what classifies as critical personal data keeps changing without predictability in terms of timelines or the parameters on which these decisions are going to be made, it’s going to be a problem, not just for the cloud provider, but for all their customers,” she said.
Vedashree said that even though the Bill hasn’t been enacted yet, there is already a slowdown in cloud procurement decisions and related requests for proposals, because of the ambiguities. “Companies are waiting for the Bill to have enough clarity before they can decide on cloud service procurement,” she remarked.
“It would be a pity if the Bill, instead of accelerating and enabling a trusted milieu for consumers to move to a solution on the cloud, actually slows it down, because I believe that unless we drive cloud adoption in some laggard sectors, small and medium, micro small enterprises, healthcare, education are all going to be significantly impacted.” — Rama Vedashree
The classification of health and financial data as sensitive personal data will significantly impact cloud adoption by the health and financial sectors, Vedashree noted. “While there was a very good uptake of a cloud momentum in India with several businesses moving to the cloud across verticals, some regulations from regulators like RBI have put a halt on cloud RFP decisions to look at some workloads moving to the cloud in the banking sector,” she said.
Data localisation, and challenges in developing disaster recovery mechanisms: “Typically a cloud provider will not look at where the data is, the location of the data. They will decide where their data centres are based on quality of power, talent requirement, market and business decisions,” she said.
“So many of our data centre providers have had this challenge where they have had data centres or security operation centres in two locations in India and both of them have had very severe containment restrictions during COVID. So, it is going to impact them, and ideally we should not have this constraint of localisation at all.” — Rama Vedashree
The data localisation mandate in the current draft Bill also makes it extremely difficult to implement true disaster recovery, she said, in response to a question raised by Arijit Sengupta, a telecom and policy professional. “One of the biggest challenges is to implement true disaster recovery, and business continuity planning because sometimes it could just be a breach to the power lines of a country which could bring down the entire infrastructure at a country level, such as a natural disaster. Even if a business has chosen a couple of locations within India, there could also be a cyber-emergency situation,” she said.
Non-personal data provision should be removed: “Non-personal data should not be the remit of this bill,” Vedashree said. The Bill was supposed to be only about personal data, but it currently contains a provision on non-personal data sharing that obliges a data processor to share such data, she said. “If this provision goes live, every data processor, whether it’s cloud or a regular services company, is going to contravene most of the contracts they sign, because there is no cloud provider or a processor that can just share the data with anybody unless there are checks and balances and there is a law enforcement regime,” she said.
“Having a blanket provision that the government can ask for any data including non-personal data is a very worrying clause [91(2)]. It’s an even bigger worry for cloud service providers, because most of them don’t really have access to the data. I do hope that some wisdom will prevail and this provision gets taken down.” — Rama Vedashree
Lack of a clear distinction between data controller and data processor: Differentiating the obligations of a data controller and a data processor is going to be a big challenge, Vedashree said while responding to a question raised by Soumya Tiwari, a student at Rajiv Gandhi National University of Law. “At any point in time, cloud service providers are servicing hundreds of customers, and unless the data controller and the processor obligations and roles are ring-fenced and earmarked, there is going to be a big problem, because there could be a tendency for a data fiduciary to transition a lot of the obligations of the Bill to the cloud provider, which would be a big disaster for them,” she added. “When there is a breach notification, what the obligations are on the processor and the cloud service provider versus the data fiduciary needs a lot more clarity, because otherwise it would be an intimidating burden for any cloud service operator to operate in India,” she added.
Right to erasure very difficult to implement: According to Vedashree, implementing the right to erasure will be a big problem for a cloud service provider. The GDPR has the right to be forgotten, and in a survey DSCI did of its members, it was called the most difficult provision to implement, she said. “I’m not even talking about right to erasure,” she added. “Typically when you say right to be forgotten, it almost involves that you don’t do further processing of that data, and that is the obligation that you have to your consumer. But the moment you say right to deletion, getting all instances of where that data resides, and making sure that it gets deleted, is a problem for the cloud provider. So, right to erasure has taken most of the industry by surprise,” she remarked.
‘Need a regime which enables cloud adoption’, said Vedashree
“I think it’s a no brainer, that cloud has significantly enabled the digitisation journey of several enterprises, government agencies, small and medium businesses, start-ups, SaaS (Software as a service), who are not only able to serve the market in which they work from, but they are able to serve global markets because they are offering their service or their start-up is enabling their product on a cloud platform,” Vedashree said. “I think the overall cloud adoption is going to get accelerated in the post-COVID world because a lot of new verticals who were traditionally laggards in adopting emerging technologies, are now going the whole of virtual mode,” she added.
When any entity, including businesses and governments, looks at implementing a cloud platform, it is actually looking at a business solution or a workload moving to the cloud, she said. “They don’t really get bogged down by what elements of data they’re putting on the cloud, because that is secondary to a cloud migration process. It’s always a workload that is being decided: whether it is mission critical, whether it can move to the cloud, should it be on a public cloud, should it be hybrid. So, it’s important to remember that a solution provider ecosystem and the business user is going the cloud way based on some fundamental business reasons,” she added.
This is not to say that strong data protection legislation will hinder cloud adoption in the country; in fact, it will increase consumers’ trust in cloud services, and also drive investments in the sector, Vedashree noted. “A strong data protection legislation and a strong data protection authority who is going to define the codes of practices and make sure that businesses are more responsible in respecting the privacy of their consumers and protecting their data is something that is needed even for the overall digital India journey or harnessing the potential of the digital economy,” Vedashree said. “A strong data protection legislation will reinforce trust of the consumers that the enterprise with whom or the service provider to whom they are offering their personal sensitive data is going to use it more responsibly, is not going to misuse or unreasonably monetise, or unreasonably share it with third parties,” she said.
“It will also ensure that businesses are investing in enforcing security, data protection and privacy. Compliance always drives a certain enterprise’s business behaviour, and initially the compliance itself will ensure the maturity of the business,” she added.
The entire discussion is available on our YouTube channel.
Update on July 4: We misunderstood a point Vedashree made about GDPR and the Bill’s adequacy with it, and have removed it from the article. The error is regretted.