In India, a data protection bill is currently being considered by the ministry of electronics and information technology which broadly looks at ensuring privacy of individuals and how personal data is stored and retrieved. Photo: iStock
Bengaluru: Policy advisors, lawyers and cloud service providers (CSPs) voiced concern over the regulations being enforced on CSPs by regulators like the Telecom Regulatory Authority of India (Trai) and bigger governing bodies like the European Council.
With multiple regulations from different sectors and governments, CSPs feel that some amount of self-regulation is required to ease the cost of compliance.
At the 14th annual international conference held by ITechLaw, Microsoft’s director and legal counsel (corporate and external affairs) Aditi Chopra said that CSPs are increasingly dealing with regulations from multiple sectoral regulators and governments leading to complications.
For example, regulations enforced on the banking sector will also be enforced on CSPs when they work with clients in the banking sector, in addition to other IT laws enforced on CSPs by central governing authorities.
Regulations enforced on CPSs broadly cover three key important areas including data protection laws, data and storage standards, and regulations that allow law enforcement authorities to access user data stored by CSPs.
In India, a data protection bill is currently being considered by the ministry of electronics and information technology which broadly looks at ensuring privacy of individuals and how personal data is stored and retrieved. The ministry had put out a consultation paper on this topic last November.
In addition to this, telecom regulator Trai and the Reserve Bank of India (RBI) are also consulting on data protection regulations for their respective sectors. Trai also put out recommendations under a different consultation paper involving CSPs which also touched upon data protection.
Regulations also affect contractual agreements between CSPs and customers purchasing the cloud service.
Namita Viswanath, principal associate at IndusLaw, said that contracts between a CSP and a company are usually finalized on the basis of the governing law that the company operates under. In any case, the company buying the cloud product has very little bargaining power, since most contract papers are prepared by the CSP. This is because cloud providers have to deal with multiple regulations and compliance laws leave little room for contract negotiations.
For example, a company may argue that it is more feasible for it to store data on servers abroad, but certain laws prevent it from doing so.
In April last year, the ministry of electronics and information technology issued guidelines which said that all government-related data stored on the cloud should be located in servers in India and not in foreign countries.
Additionally, the ministry’s paper on data protection also looks at the need for storing cloud data locally in India. If the final regulation mandates that certain kinds of data be stored locally, then the consequence will be reflected in contractual agreements between CSPs and the company purchasing the service.
Sonia Baldia, partner at Baker McKenzie said during the conference that heavy regulations also elevate the complexity of the contract. “When we helped close a contract between a cloud provider and a client company, the transaction involved 5 different stakeholders, resulting in 5 different contracts. There was a contract involving the re-seller, there was a contract involving the CSP itself, there was a contract with the implementer, and there was a contract with the hosting company,” Baldi said.