Cross-Border Data Flows Debate Hits India as TRAI Issues Paper on Cloud Services

Clocking in at a whopping 119 pages and a little over 20 questions, this is one of TRAI’s most broadly-focused and comprehensive consultations in recent times.

New Delhi: With a new consultation paper on cloud computing, the Telecom Regulatory Authority of India (TRAI) is looking to continue its trend of tackling the biggest and most burning digital issues that face India’s government.

This time around, the telecom regulator is looking to kick-start debate over the challenges that arise in regulating the flow of data through the numerous cloud-based platforms that underpin our digital life.

Questions of cross-border flow of data, licensing of cloud-based services and best practices on how to successfully carry out law-enforcement requests are a few examples.

While the paper addresses everything from how to increase implementation of government cloud services to interoperability and security issues, the portion concerning the legal and regulatory framework for domestic and foreign cloud services is likely to be the focus of debate and discussion in the coming weeks.

“Regulations should be put in place to protect the interests of both cloud services providers and the consumers. Regulations are also required for standardisation of technical parameters associated with cloud computing networks. Legal framework under which the cloud operates becomes very important..,” the regulator says in the paper’s introductory section.

The rest of the paper is divided into six broad sections: cloud security, quality of service, interoperability, legal framework for jurisdictions, cost-benefit analysis and incentivising the implementation of cloud services in governments. The Wire breaks down the most crucial portions below, with examples of the problems that India is currently facing…

Security and cross-border – where, when and why?

In a sub-section on ‘Cross Border or Data Location Security Issues’, TRAI implicitly references the global debate on what restrictions should be applied to the free flow of data by detailing how various European Union States have dealt with the issue.

“One of the top security concerns… is the physical location of the data especially if they are located in another country because the laws of the host country apply to the machine and data residing on it…As an example, the data protection laws of the European Union member states are extremely complex. The transfer of personal data outside these regions needs to be handled in very specific way,” the paper states.

The problem concerning the privacy of India’s residents, on which TRAI is looking to gain more information, is this: Should Internet services be, at minimum, required to inform you that your data is being sent and processed outside India? Building on this principle, in a more extreme measure, if data is sent outside India, should a data controller in India ensure that specific conditions surrounding the privacy and security of that data are met?

The issues surrounding the security of every jurisdiction that is part of the cross-border data flow process are addressed in questions 10 and 11 of the consultation paper:

Question 10: Enumerate in detail with justification, the provisions that need to be put in place to ensure that the cloud services being offered are secure.

Question 11: What are the termination or exit provisions that need to be defined for ensuring security of data or information over cloud?

Whither regulatory framework?

In the opening parts of the section on what legal and regulatory frameworks could be applied to cloud computing and data sovereignty in India, TRAI examines currently existing legislation and how it could be applied to the problem at hand.

The regulator starts from the Indian Telegraph Act of 1885 and goes up to the much-criticised Information Technology Act – 2000 & Information Technology Rules 2011. Most significantly, TRAI notes that the “wide-reaching jurisdiction conferred by the IT Act” with regard to “data ownership/privacy/security” could lay the groundwork for imposing Indian jurisdiction on issues “arising from the use of cloud services by Indian persons”.

While the idea of using Indian jurisdiction and legal justification for Indian users of foreign services isn’t new in other industries, this is the first proper articulation of a similar approach for the digital sphere. Ultimately, however, TRAI dismisses existing legislation as “they don’t contemplate the scope of cloud computing services and the resultant magnification of the issues..”. Consequently, it calls for the birth of new and “specific regulation whereby any emergent issues can be dealt with directly and effectively.”

What should this regulatory framework deal with? The consultation paper points in a few directions, all of which are hotly contested in legal-technology-policy circles and even amongst various Western governments.

Law enforcement

The framework, as TRAI spells out, should ideally deal with “regulation of investigatory powers, regulation on stored communication, mandatory guidelines for national security, state privacy laws”.

However, the paper itself devotes a good chunk of attention to law enforcement. TRAI starts from a basic assumption: that the Internet and digital ICTs have hobbled the practice of law enforcement, a phenomenon that most recently manifested in the showdown between Apple and the FBI.

The consultation paper helpfully points out that “machines and data are no longer physically in one place or national boundary” and that today’s “encryption and security of data are far stronger and of industrial grade.” Consequently, Question 15 asks: “What polices [sic], systems and processes are required to be defined for information governance framework in cloud, from lawful interception point of view and particularly if it is hosted in a different country?”

One solution that TRAI offers to the problem of law enforcement is a rather blatant reference to the concept of data localisation — where the data of Indian users would remain on Indian soil. “To overcome the problem of multiple jurisdictions, one of the possibilities may be to mandate the cloud service providers to host the data centres only in India,” the paper says.

Other less controversial examples include bringing about a US regime on data, where critical information such as health records, financial transactions and tax returns would come with specific restrictions if transferred across different countries. For instance, in this case, the medical or health data of Indian residents would not be sent to countries that India deems unsafe or lacking in data protection laws.

Unfortunately, it appears that in order to strictly regulate foreign and domestic cloud companies, TRAI falls back on a much-criticised example: a licence regime. Question 16 of the consultation paper asks: “What shall be the scope of cloud computing services in law? What is your view on providing licence or registration to cloud service providers so as to subject them to the obligations thereunder?”

The idea of a licence regime for technology companies is not new: China, and to a lesser extent Russia, have perfected this model. If companies like Uber, for instance, wish to operate in either China or Russia, they are required to open local data centres where the data of the company’s Russian and Chinese users must be stored. Closer to home, TRAI’s last consultation paper on OTT (over-the-top) applications also hinted at whether a licence regime would be necessary to help regulate instant messaging companies such as WhatsApp.

On the other hand, TRAI still appears to be open to other solutions for making law enforcement more effective in the time of Facebook and Google. The issue of prodding Silicon Valley-based companies into helping out Indian security agencies such as CBI assumed centre-stage during Prime Minister Modi’s recent visit to the US. Both governments released a “framework for US-India Cyber Relationship”, one point of which expresses “a commitment to promote closer cooperation among law enforcement agencies to combat cybercrime”.

TRAI, and consequently the Department of Telecommunications, appear to be interested in this as well. Question 17 of the paper asks the public “what protocol for cloud service providers to submit to the territorial jurisdiction of India for the purpose of lawful access of information?”

Carrot and the stick

The final section of the TRAI consultation paper, mostly because in addition to the stick of forcing companies to open data centres in India, it also seems open to receiving feedback on how market incentives can accelerate cloud adoption in government services and encourage domestic cloud services.

The regulator correctly notes that in countries such as India (and even Brazil to a lesser extent) physical factors such as the lack of a reliable power supply, road infrastructure as well as network stability have resulted in an environment that doesn’t encourage local or domestic data centres.

It also notes that in order to make up for these disadvantages, it’s possible that a new tax regime is necessary. “It is to be considered as to what tax regime should be employed for cloud service providers in india and whether tax benefits shall be given to them, for promoting the adoption of cloud services in the country,” the paper says.

Questions 18-21 address this: Should tax subsidies be given? What steps can be taken to promote the establishment of data centres in India? Should there be a dedicated cloud for government applications?

Simply put, TRAI, which after this round of consultations will submit a set of recommendations to the Department of Telecommunications, is looking to tame the wild West that is cloud services in India today. How should data that is created by Indians, in India, on foreign technology platforms be governed? How should that data be treated? Is it even possible without national privacy and data protection legislation? How can the long arm of law enforcement be restored?

TRAI hopes to answer these questions and, in the process, shape the digital future of India.