Data centres, or companies that are working in conjunction with them, face three kinds of challenges. The first are reputational risks related to customer trust. These are tied up with the compliance posture of the company with respect to regulatory and statutory requirements. The second is compliance, which affects most data centre players. The third is downtime. The industry wants it to be minimised to as low as four seconds in a year. However, this is not possible. Because of these challenges, in 2022, the Ministry of Electronics and Information Technology is still coming up with draft legislations regarding privacy, as well as the Digital India Act.

Since 2012, data privacy has been a key focus area globally. Since the launch of the General Data Protection Regulation in Europe, there has been a lot of focus on keeping information private and secure. A number of compliance requirements have been introduced in India this year for virtual private network (VPN) service providers and data centres, such as having robust infrastructure and measures for the extension of record keeping. These measures are so intrusive that they require companies to keep data, records and logs of when a subscriber is logging on to their platform, and more.

Service providers that are reliant on data centres have three areas of focus: continuity, downtime and security. In terms of security, one of the issues is that while there is a lot of emphasis on making infrastructure security robust from an IT point of view, physical security is more complex. The physical security of data centres is a major area of concern. Further, there is no clarity regarding the monitoring of virtual access controls shared with data centre clients. Data centre companies should verify the reasons behind a client requesting multiple access, whether it is role-based access or authorisation-based access, etc.

Because there is a lot of discrepancy between the different levels of access granted within an organisation to its own information, there is always the potential for unwarranted exposure. This is something that is beyond the control of data centre players, but they should still be concerned with this as they need to secure their data accordingly. Another key issue is that the level of vetting by companies while onboarding service providers or vendors or subcontractors is not stringent enough. This should not be the case, as they create that first level of defence for data centre operators.

Finally, there has to be network segmentation from a data centre’s point of view. As data resides in silos and multiple compartments are created even for the same client, if data centre operators are able to create that segmentation depending on the end-point identity, then one would be aware if an entity is snooping on the systems. This would call for an additional barrier for security.

In terms of initiatives that the government needs to take, three aspects need to be considered. First is privacy, which is a burning issue right now. Recently, the government released the draft Digital Personal Data Protection Bill, 2022. Seen from the implementation point of view, it is not a good draft. For data centre operators, a lot of investments focus on the cost of the data residing on a server. The draft does not talk about the right to be forgotten, or erasure, or deletion in a proper manner. The government thus needs to come up with more robust data privacy legislation.

The second aspect is that law enforcement agencies are seldom aware of what a ransomware attack is. In such scenarios, they usually consider that fraud has been initiated on the service provider’s network – perhaps even facilitated by the service provider themselves. They forget about payment gateways, payment aggregators, banks, etc. and only consider the victim. As such, law enforcement agencies need to be made aware of data localisation, data sovereignty and data residency in order to enable smooth implementation. Therefore, the government, as well as other stakeholders, need to collectively start creating awareness among law enforcement agencies.

The third aspect is ensuring uniformity of law, so that it is suitable for clients in India as well as globally. While we are creating a robust atmosphere for data centres in India, these data centres do not just service Indian clients. They also service Indian organisations offering services outside the country. To this end, it is essential that laws for the sector are tailor-made to suit everyone’s needs.

Based on remarks by Bagmisikha Puhan, Associate Partner, TMT Law Practice