Anand Mehta, Soumyadri Chattopadhyaya & Shriyani Datta
The storage of data on cloud-based servers is the latest iteration in the digital revolution in India and has not only enabled organisations to lower the risk of loss of data but has also increased remote accessibility of such data. According to the latest IDC Asia Pacific excluding Japan (APEJ) Quarterly Server Tracker, in Q1 2017, the overall server market in India witnessed an increase of 14.2% in terms of revenue to reach $215.6 million as against $188.8 million in the fourth quarter of 2016. This growing relevance of cloud technology has, however, raised a few issues, particularly in relation to data privacy and the implications of localisation of data. As this is a rapidly and constantly evolving area, regulators globally are grappling with ensuring that legal developments are in consonance with technological advancement and industry-specific needs. Currently, there is no specific legislation in India that regulates cloud computing.
Consequently, general data protection frameworks under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (or SPDI Rules) and the Information Technology (Intermediaries Guidelines) Rules, 201, formulated pursuant to the Information Technology Act continue to be relevant in the cloud computing context, albeit in relation to personally identifiable information and sensitive personal data (such as financial information, physical and physiological information, medical records and history, passwords, etc.).
Globally, data localisation requirements mandate that certain categories of data must be stored within the geographical borders of the relevant jurisdiction. In relation to cloud computing, such requirements compel firms storing and processing data for clients from a given country to locate the data in that country. Presently, India does not have specific legislation mandating data localisation, although there are certain industry-specific regulations in this regard.
For Indian organisations looking to reap the benefits of cloud computing, it is imperative to understand the regulatory framework. The regulations applicable to digitisation and e-record retention are scattered across a multitude of legislations. This makes it important for entities to analyse the nature of data proposed to be transported into the cloud to understand the regulatory requirements that such transfer entails.
For example, the Companies Act, 2013 requires that records of books of accounts of an Indian entity are to be maintained in the registered office or any other offices. Further, periodic back-ups of the stored data must be maintained on servers located in India. This requirement extends to all regulatory data, books, records and registers. Importantly, there is no specific restriction on storage of such data abroad in servers in multiple jurisdictions; the Act merely imposes a requirement for mirroring such data in local servers. While this may seem innocuous, it could potentially drive up costs in the implementation of cloud migration plans.
Further, the Environment (Protection) Act, 1986, and the various rules and regulations thereunder (EPA) mandate that records of generation and import of hazardous wastes, as specified under the EPA, are to be maintained in the form mandated under the EPA and kept within the facility of the occupier. Unfortunately, this leads to a lack of clarity as to whether such data can be stored electronically on servers located abroad, with access to such data provided at the premises of the occupier through internet service providers. Given the legitimacy accorded to electronic records under the IT Act and the Indian Evidence Act 1872, such an argument seems tenable provided the integrity of such electronic records can be secured.
For organisations that collect sensitive personal data and information, under the SPDI Rules, there is an additional requirement of obtaining consent from the owner of such data before such data is transferred abroad to servers located in foreign jurisdictions. Specific attention must be paid to the form in which consent is obtained, as valid consent is understood as consent obtained through written means and electronic modes of communication. Ordinarily, consent obtained through shrink-wrap agreements is considered valid consent. However, at times, old contracts may need to be dusted off and re-read to ensure that specific consents for such data transfer had indeed been obtained. In the absence of such specific consents, a fresh consent would need to be obtained, which could pose challenges to even the most meticulously planned cloud transition plans.
There have been several legislative formulations in the pipeline such as the policy proposed by the National Security Council (NSC) in 2014, a consultation paper released by Telecom Regulatory Authority of India in June 2016 on cloud computing, and a task force constituted by the department of electronics and information technology under the ministry of communications and information technology for recommending a policy framework on cloud computing.
Further, given the inextricable connection with data protection, the Supreme Court’s view on the matter as well as the contours of the new data privacy bill that the Srikrishna Committee has been tasked to develop are likely to have a direct impact on the shape of any new regulatory initiative in cloud computing. However, until then, Indian entities have to continue to evaluate their current data retention and transfer mechanisms to comply with a fragmented regulatory framework.
Mehta is partner, Chattopadhyaya is senior associate and Datta is associate (corporate and commercial advisory), Khaitan & Co. Views are personal.