Though “Cloud Computing” has been on discussion for the last 4 to 5 years, the rate of adoption is considered slower than expected. One of the main reasons is that during this period while there are new developments in the cloud computing arena, the cyber law regime has also made progress and is becoming more and more stringent. This has put spanner in the growth of Cloud computing by raising increased Information Assurance barriers.
In a recent survey of 2,000 CIOs, a Gartner report has reportedly revealed that the execs’ top tech priorities for 2013 include cloud computing in general, as well as its specific types: software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). No surprise there. (Infoworld)
In this context we can look at the Indian scenario and examine the legal structure to understand whether it is supportive of Cloud Computing either for Indian corporates to use or to offer as service.
The legal background for cloud computing in India is provided by ITA 2008 (Information Technology Act 2000 as amended in 2008). There are also administrative policies of the Government of India issued from time to time as when the controversy over the Blackberry service broke out.
ITA 2008 incorporates some data protection aspects and under Sections 43A and 72 A provide for contractual bindings to be placed between contracting parties who may share sensitive and other data, failure of which could lead to civil and criminal liabilities. However the “Deterrence impact” of these sections is low. Section 43A has been diluted by the April 11, 2011 notification on “reasonable Security Practice” since holding an ISO 27001 audit certificate has been equated to sufficient security. Such security is completely unreliable for Cloud users.
Additionally, the department of IT has increased the confusion on cloud security by the ISP guideline which restricts the encryption of data transmitted over the ISP network to 40 bits. Naavi has been of the opinion that this is only an ISP guideline and hence affects the intra ISP data transfer and does not impose legal restriction on client to ISP transmission. While this could be the legal reality, the Government can always push its own interpretation if necessary through a retrospective legislation and hence remains a Damocles sword for the Cloud users intending to use higher levels of encryption.
Some times Government of India tries to bypass the law with administrative guidelines with legal backing drawn out of “need to protect the interest of sovereignty and integrity of the country” etc. Such arguments have been used by the Government on many occasions including for protection of politically powerful personalities as was evident in the Section 66A related controversies in the country in recent days. As a result the “National Interest” clause has been significantly diluted. Irresponsible utterances of the Home Minister of the country in the recent days on terrorism has also further diluted the concept of “National Interest” and subordinated it to the interests of the ruling political party.
We therefore face a grim situation where international users of Cloud services are unable to trust the Indian legal system.
If India has to adopt Cloud Computing either as a tool of more efficient and economical deployment for Companies or for enabling it as a “Service” and harness the growing global opportunities, there is therefore a need to create a “Trusted Data Management Regime” in India. According to some estimates, by 2020, one-third of the global data will move to the cloud. Such a development would mean that India’s pre-eminent position in the IT industry cannot be sustained unless we make significant progress towards setting up Cloud supporting data centers in India which inter-alia depends on what assurances we can provide for data security under law and how we can create a trust for non political interference in the legal regime.
In our opinion, this is a huge opportunity in IT dependent on developing a trusted secure data management regime and in the interest of our economic development we need to do whatever is required to develop such “Trusted Secure Data management Regime” in India. This may ideally be achieved through a new law or a major amendment to ITA 2008.
I invite discussions from the public on this aspect.
Naavi