The growing adoption of cloud computing is transforming the way governments, enterprises and consumers store, process and manage data across the world. The global cloud IT market revenue is predicted to grow at a compound annual growth rate of 17.9 per cent, from $180 billion in 2015 to $390 billion in 2020. The growth in these services in India is equally promising. An analysis by Gartner suggests that the market for public cloud services in the country is projected to reach $1.81 billion in 2017 from $1.31 billion in 2016.

While the adoption and growth numbers for cloud services have been encouraging, the rapid evolution of technology and the mode of delivery of such services raise certain concerns, including legal and policy issues. The cloud market suffers from a problem of information asymmetry, as customers do not know what systems are in place to protect their stored data. Any misuse of data or security breach at the service provider’s end can lead to massive financial and reputational losses. Therefore, it is imperative to identify and address concerns regarding the protection of consumers using cloud services, especially smaller users like retail customers and micro, small and medium enterprises (MSMEs).

In India, the concept and benefits of cloud computing have been acknowledged in the National Telecom Policy, 2012. In end-2012, the Department of Telecommunications (DoT) had sought recommendations from the Telecom Regulatory Authority of India (TRAI) on various licensing and regulatory issues arising from cloud services. Following this, TRAI issued a consultation paper in June 2016, seeking detailed inputs on various issues raised by stakeholders. Most of the stakeholders have raised concerns related to the implementation of quality of service (QoS) standards, prescription and enforcement of service level agreements (SLAs), transparent billing and metering of cloud services, data protection, security and the framework for the redressal of grievances of cloud users. Some of them are of the opinion that the licensing/registration of service providers is not required at this stage as it may be counterproductive and restrict inventions. Further, they have emphasised that the adoption of light-touch regulations with a minimum regulatory burden would address the concerns of cloud users. It would also provide policy clarity and certainty, and create a conducive investment climate, thereby boosting cloud adoption. Further, they have highlighted the need for a mechanism to address consumer concerns without compromising on the flexibility of the cloud industry to grow and evolve.

After taking into consideration the views of the stakeholders, analysing various approaches adopted by different countries, and considering the state and growth of the cloud services market in India, TRAI is of the view that a light-touch regulatory approach should be adopted to regulate cloud services.

tele.net takes a look at the key recommendations submitted by the regulatory authority to the government for perusal…

Regulatory framework for cloud services

Most of the stakeholders have submitted that TRAI should adopt a light-touch regulatory approach that minimises the regulatory burden, provides policy clarity and certainty, creates a climate that maximises infrastructure investment and recognises the global nature of cloud technology. Most of the stakeholders were of the opinion that the licensing/registration of service providers is not required at this stage as cloud services are provided over telecom infrastructure, which is already licensed and regulated.

In line with these views, TRAI has recommended a light-touch approach to regulate cloud services. It has suggested that DoT could prescribe a framework for the registration of cloud service provider (CSP) industry bodies that are not for profit. The terms and conditions of registration, the eligibility criteria, entry fee, period of registration, governance structure, etc. would be recommended by TRAI once the government accepts its recommendations in principle. Further, all CSPs above a threshold value (based on either the volume of business, revenue, number of customers, etc., or a combination of all these) notified by the government would have to become members of one of the registered industry bodies for cloud services and accept the code of conduct prescribed by the body. The registered industry body may charge a fee from its members that is fair, reasonable and non-discriminatory. Further, no restrictions on the number of such industry bodies should be imposed in order to avoid instances of monopolisation. A cloud service advisory group should be created to periodically review the progress of the CSPs.

Legal framework for data protection

While responding to TRAI’s consultation paper, most stakeholders felt that the existing laws and policies were sufficient to ensure data protection during migration and no legal framework was required. In fact, the majority of the stakeholders stated that rather than attempting to prescribe a secure migration path, the government should encourage the adoption of voluntary disclosures and transparent industry-led international standards.

Therefore, TRAI has recommended that the government may consider establishing an overarching and comprehensive data protection law covering all sectors. This data protection framework could be based on globally accepted data protection principles as reiterated by the Planning Commission’s Report of Group of Experts on Privacy 2012.

Interoperability and portability

Some stakeholders were of the view that the technical standards for interoperability are within the domain of the cloud computing industry and any regulatory intervention should be avoided on this issue. Others suggested that the best way to ensure interoperability in cloud computing services was to follow industry best practices and international standards.

Hence, TRAI has recommended that no regulatory intervention is necessary for interoperability and portability in cloud services at present; these aspects should be left to the market forces. However, the industry body for cloud services should be mandated to incorporate a disclosure mechanism that promotes transparency regarding interoperability standards. In addition, the Telecommunications Standards Development Society, India should be tasked with the development of cloud services interoperability standards in the country.

Legal framework for service providers operating in multiple jurisdictions

Most of the stakeholders were of the opinion that to enhance lawful access to information, the government should enter into mutual legal assistance treaties (MLATs) with more international partners. To this end, TRAI has recommended that robust MLATs should be drawn up with multiple jurisdictions. Further, existing MLATs should be amended to include provisions for lawful interception or access to data on the cloud.

Cost-benefit analysis

Most of the stakeholders agreed that the benefits of cloud deployment far outweigh its costs owing to advantages such as low capex requirements, scalability, multitenancy and low maintenance costs. They noted that cloud computing offers distinct advantages for social networking and e-commerce websites where internet traffic can be highly unpredictable and the demand for computing and storage can increase rapidly. In addition, with cloud computing, businesses and government agencies can focus on their strategy and service delivery as the requirement of building, owning and maintaining IT resources is reduced.

In terms of factors that businesses consider while selecting the type of cloud service deployment, the stakeholders noted that the cost of deployment is one of the most critical factors, particularly for small and medium enterprises. The pay-as-you-go model of cloud pricing works particularly well for MSMEs. However, large organisations may give higher priority to data security and compliance than to cost of deployment. Other factors that businesses consider while selecting a cloud service are the reporting of overall QoS, SLA fulfilment, flexibility and elasticity of cloud service access.

Against this backdrop, TRAI has stated that there is no need to undertake a cost-benefit analysis of cloud services as the progress made so far clearly demonstrates the benefits associated with their use.

Conclusion

Apart from the above recommendations, TRAI has suggested that the government should continue its policy of promoting cloud services through cloud infrastructure initiatives, such as GI Cloud MeghRaj, NIC Cloud Computing and the National eGov App Store. At this stage, there is no need to give any additional incentives to large customers and CSPs. TRAI believes that these recommendations will unlock the potential of cloud computing in India, thereby boosting adoption and strengthening the trust in this technology.

Akanksha Mahajan Marwah