The growth of cloud computing services in the past decade has transformed the way governments, enterprises and consumers store and process their data and manage their resources. India’s cloud computing market is poised for growth, and the technology is increasingly being embraced across businesses as well as by retail consumers.
Complementing the ecosystem are futuristic technologies such as artificial intelligence (AI), machine learning, advanced analytics and immersive media, which aid in the seamless adoption of software as-a-service (SaaS), infrastructure as-a-service (IaaS) and platform as-a-service (PaaS) offerings. Cloud is becoming an integral part of the new and existing technologies. New business models may help drive the adoption of cloud in the future, such as the consumption-based model and everything as-a-service model. The National Digital Communications Policy (NDCP), 2018 also envisages strategies for the growth and development of cloud services in India.
The Telecom Regulatory Authority of India (TRAI) had first issued recommendations on cloud services in 2017, which included recommendations on the legal and regulatory framework for cloud services and interoperability, as well as the legal framework for cloud service providers (CSPs) operating in multiple jurisdictions. As part of the recommendations, TRAI noted that only when the government accepts recommendations on the legal and regulatory framework, recommendations on other aspects such as the terms and conditions of the registration of the industry body, eligibility, entry fee, period of registration, and governance structure will be made. The government accepted the aforesaid recommendations in May 2019 and subsequently, in October 2019, TRAI issued a consultation paper to solicit stakeholder views on issues such as capping required on the number of industry bodies, requirements for an industry body to get registered with the Department of Telecommunications (DoT), requirements for any CSP to become a member of the industry body, fees to be paid by the members to the industry body, governance structure of the industry body, and how to seed an industry body.
TRAI, in February 2020, conducted an open house discussion where stakeholders participated and deliberated on the issues, based on which the regulator has now come out with its recommendations on the subject.
During the consultation, the industry broadly opposed establishing a regulatory framework for CSPs, on the grounds that they are already subjected to various existing Indian laws, namely, the Information Technology Act, 2000, the Consumer Protection Act, 2019, and the proposed Personal Data Protection Bill, 2019. The stakeholders further claimed that while cloud computing is provided using the infrastructure of telecom licensees, it is not a telecom service per say, but an IT service. Consequently, the governance of CSPs in any form should fall within the jurisdiction of the Ministry of Electronics and Information Technology and should not be subject to regulation by DoT or TRAI.
The CSPs and their associations also opined that the registration of CSPs under the industry body is not a light-touch regulatory approach, and can be seen as a contradiction to the NDCP, 2018, which envisaged a light-touch regulation. A registered industry body would be required to impose a mandatory code of conduct on CSP members, comply with orders and directions issued by DoT and furnish information to DoT/TRAI on demand, which, instead of promoting cloud services, will negatively impact the growth of the cloud service industry.
TRAI reviewed the stakeholder opinions and came up with an analysis before making further recommendations to the government. As per the regulator, with the evolution of telecom and IT, the line segregating telecom infrastructure from IT infrastructure is impossible to define. End customers, while using cloud services are heavily dependent on the performance of telecom networks through which these services are accessed. Meanwhile, services offered by telcos to end customers are heavily dependent on the performance of CSPs’ infrastructure. With the introduction of 4G and 5G, telcos are also using cloud infrastructure for their own purposes, to build and operate their core and radio networks/ functionalities. Convergence is happening not only at the infrastructure level, but also at the level of protocols used in the IT and the telecom world.
While telecom is monitored for its performance as part of the regulations, cloud services are not subjected to the same or similar regulations. It must be noted that service delivery is a mix of performance of the infrastructure deployed by CSPs and telcos. Thus, there is a need to have an institutional mechanism that oversees the latest developments in the cloud and telecom space, and can continually take adequate and timely measures to protect the interests of customers. The industry expressed that while CSPs are already being regulated under the provisions of the Information Technology Act, 2000, the provisions do not address the concerns of end customers. Other than privacy and data protection, there are many issues and concerns faced by cloud services, similar to those faced by users of traditional telecom services. TRAI can make recommendations to the government on cloud services as per the TRAI Act and the Indian Telegraph Act.
Setting up an industry body and its governance
The stakeholders suggested that there can be a single industry body or multiple industry bodies with a cap of three at the initial stage. In the case of multiple bodies, these may be classified based on the type of cloud services such as SaaS, PaaS and IaaS, or sectors such as banking and healthcare. To comply with the regulatory requirements, CSPs would be required to get a membership with the concerned body and get registered with DoT. In this regard, the government may establish a framework for the formation of the first industry body at the initial stage, and later allow multiple industry bodies to register with DoT.
To this end, TRAI has proposed that the first industry body may be set up by DoT as a non-profit body under the Societies Registration Act, 1860, in a three-step process. The first step is the enrolment of CSPs operating in India. To this end, DoT would release a public notification for all CSPs operating in the country to get enrolled on DoT’s web portal in an online process and submit relevant details about their company or organisations, and contact details for further communication. A six-month time should be given for enrolment from the date of issue of the notification. DoT may also inform CSPs about the consequences of their failure to enrol in terms of continuation of their services in India.
The second step relates to the formation of an ad hoc body by DoT, which may be formed by selecting officials from the government’s side and nominating leading experts from the industry’s side to steer it. The enrolled CSPs would automatically become members of the general assembly of the ad hoc body, and would be considered for electoral purposes. The ad hoc body may be established under the aegis of the TEC and DoT as done in the case of M2M. The purpose of the body will be to draw up the memorandum of association, broad rules, an initial framework for the regular industry-led body; to conduct the first election for the formation of an industry-led body; and to steer it by a combination of the government and industry experts. The second step will end with DoT’s approval of the initial set of documents and the election of office bearers. The third step involves the registration of the body under the act and the takeover of its regular functioning by the elected office bearers.
TRAI is of the belief that the formation of a registered industry body, working in conjunction with DoT/TRAI, constitutes light-touch regulation. As per the regulator, DoT may initiate setting up of the first industry-led body and all CSPs must become its members. This body would lay down broad principles and procedures to aid its functioning. The industry body may review its experience and further deliberate upon the need to form multiple bodies for different purposes, such as to address the requirements of different market segments. The scope of CSPs may be initially limited to providers offering IaaS and PaaS to customers in India. SaaS providers may voluntarily enrol for membership. The channel partners of various CSPs will not be required to take membership of the industry body if their principals are already members. The recommendations have been submitted to DoT for its final approval.
By Akanksha Mahajan Marwah