TRAI has put 21 questions and is seeking feedback from stakeholders on the cloud computing law
Telecom Regulatory Authority of India (TRAI) is planning to enforce law on Cloud Computing in India. Earlier, Department of Telecom (DoT) through sought recommendations from TRAI on Cloud based services. Now, TRAI is asking stakeholders to send their written comments, preferably in electronic form, by 8th of July 2016 and counter-comments by 22nd July 2016 to A. Robert J. Ravi, Advisor (QoS) TRAI on the email address firstname.lastname@example.org. Comments and counter-comments will be posted on TRAI’s website as well. TRAI has also mentioned 21 questions in a document released on it websites (mentioned at the end of the article)
There is no particular cloud computing law in India and intellectual property issues in the cloud continue to be one of the "cloudiest" legal areas for customers and suppliers alike because IPR and data protection laws vary from country to country. India however, governs cloud computing by various laws, namely,
Indian Telegraph Act, 1885 where telegraph is defined as “any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual or other electromagnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means”, The Civil Procedure Code 1908, ‘telecommunication service’ under Section 2(k) of the Telecom Regulatory Authority of India Act, 1997 which covers “service of any description”, Information Technology Act of 2000, specifically sections 43, 65, 66 and 72, of the act that deal with penalizing against breach and misuse of data in India.
As per TRAI, The Government of India proposes to bring out legislation namely “The Right to Privacy Bill” which aims to provide for the ‘right to privacy’ to the citizens of India.
TRAI in its document also suggests that regulations need to be evolved for cloud computing in India for Regulation of Investigatory Powers, Regulation on Stored Communication, Mandatory guidelines for National Security for cloud operation and Lawful interception and monitoring by Law Enforcement Agencies, State Privacy Laws and Fair Credit Reporting Act etc. A major regulatory parameter will be fostering and developing competitions in the cloud computing market.
TRAI recognized technology industry, users of cloud services, service providers, bandwidth/connectivity providers and government as stake holders and dought a cooperated effort for clarity and predictability for individuals, customers and cloud providers.
To have feedback from stakeholders TRAI has put the following questions on its website –
Question 1. What are the paradigms of cost benefit analysis especially in terms of:
a. accelerating the design and roll out of services
b. Promotion of social networking, participative governance and e-commerce.
c. Expansion of new services.
d. Any other items or technologies.
Please support your views with relevant data.
Question 2. Please indicate with details how the economies of scale in the cloud will help cost reduction in the IT budget of an organisation?
Question 3. What parameters do the business enterprises focus on while selecting type of cloud service deployment model? How does a decision on such parameters differ for large business setups and SMEs?
Question 4. How can a secure migration path may be prescribed so that migration and deployment from one cloud to another is facilitated without any glitches?
Question 5. What regulatory provisions may be mandated so that a customer is able to have control over his data while moving it in and out of the cloud?
Question 6. What regulatory framework and standards should be put in place for ensuring interoperability of cloud services at various levels of implementation viz. abstraction, programming and orchestration layer?
Question 7. What shall be the QoS parameters based on which the performance of different cloud service providers could be measured for different service models? The parameters essential and desirable and their respective benchmarks may be suggested.
Question 8. What provisions are required in order to facilitate billing and metering re-verification by the client of Cloud services? In case of any dispute, how is it proposed to be addressed/ resolved? Question 9. What mechanism should be in place for handling customer complaints and grievances in Cloud services? Please comment with justification.
Question 10. Enumerate in detail with justification, the provisions that need to be put in place to ensure that the cloud services being offered are secure.
Question 11. What are the termination or exit provisions that need to be defined for ensuring security of data or information over cloud?
Question 12. What security provisions are needed for live migration to cloud and for migration from one cloud service provider to another?
Question 13. What should be the roles and responsibilities in terms of security of
(a) Cloud Service Provider(CSP);
(b) End users?
Question 14. The law of the user’s country may restrict cross-border transfer/disclosure of certain information. How can the client be protected in case the Cloud service provider moves data from one jurisdiction to another and a violation takes place? What disclosure guidelines need to be prescribed to avoid such incidents?
Question 15. What polices, systems and processes are required to be defined for information governance framework in Cloud, from lawful interception point of view and particularly if it is hosted in a different country?
Question 16. What shall be the scope of cloud computing services in law? What is your view on providing license or registration to Cloud service providers so as to subject them to the obligations there under? Please comment with justification.
Question 17. What should be the protocol for cloud service providers to submit to the territorial jurisdiction of India for the purpose of lawful access of information? What should be the effective guidelines for and actions against those CSPs that are identified to be in possession of information related to the commission of a breach of National security of India?
Question 18. What are the steps that can be taken by the government for:
(a) promoting cloud computing in e-governance projects.
(b) promoting establishment of data centres in India.
(c) encouraging business and private organizations utilize cloud services
(d) to boost Digital India and Smart Cities incentive using cloud.
Question 19. Should there be a dedicated cloud for government applications? To what extent should it support a multi-tenant environment and what should be the rules regulating such an environment?
Question 20. What infrastructure challenges does India face towards development and deployment of state data centres in India? What should be the protocol for information sharing between states and between state and central?
Question 21. What tax subsidies should be proposed to incentivise the promotion of Cloud Services in India? Give your comments with justification. What are the other incentives that can be given to private sector for the creation of data centres and cloud services platforms in India?