Market overviewKinds of transaction
What kinds of cloud computing transactions take place in your jurisdiction?
The Indian cloud computing market is a very vibrant market, and there are all varieties of cloud computing transactions taking place, in consonance with newer concepts as well, such as machine learning, edge computing and anything-as-a-service (XaaS). The private sector is leading the way, but the central government and state governments are also actively considering and implementing various cloud-based computing initiatives, in addition to partnering with private players to set up necessary infrastructure.Active global providers
Who are the global international cloud providers active in your jurisdiction?
All of the major global cloud providers are active in India. Amazon and Microsoft are the leaders with their AWS and Azure offerings respectively, while Digital Ocean, Google, Cisco and IBM are also very active.Active local providers
Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?
There are a host of smaller cloud providers in India. Given the nature of cloud computing, it is somewhat difficult to identify India-based and India-centric cloud service providers. Some of the cloud providers outside of the large global players that are commonly referred to in computing circles are NetMagic, BlueHost, HostingRaja and SoftLayer. They provide numerous services, which include web hosting, infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS), data security, fault tolerance, and disaster recovery. India’s burgeoning technology product ecosystem is largely cloud-centric. Notable examples that have a significant Indian heritage include Zoho, Freshdesk, Freshworks and CtrlS.Market size
How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?
The Indian cloud computing market is well established. India’s small and medium-sized enterprises are actively migrating to cloud-based applications and large enterprises are also following suit. As a case in point, the Reserve Bank of India (RBI) recently granted more than 20 new banking licences to banks with various target markets. These new banks are very actively leveraging cloud-based infrastructure and applications, including mission critical applications such as core banking solutions. According to a report by Gartner, and according to NASSCOM’s report ‘Cloud - Next Wave of Growth in India’ (www.nasscom.in/knowledge-center/publications/nasscom-cloud-next-wave-growth-india-2019), the current estimated spending as of 2018 on cloud services in India, is estimated at US$2.5 billion. This accounts for 6 per cent of India’s expenditure on information technology. This is further expected to grow at 30 per cent per annum, to reach US$7.2 billion in 2022, which is nearly a threefold increase. The growth rate of the Indian public cloud market is the second highest growth rate globally, after China (www.gartner.com/newsroom/id/3874299). This shows that India is a critical growth market for all types of cloud computing players.Impact studies
Are data and studies on the impact of cloud computing in your jurisdiction publicly available?
There are numerous studies that are carried out in the cloud computing ecosystem in India. Reports and studies are published by leading researchers such as Gartner, Forrester, IDC and Zinnov as well as trade bodies such as NASSCOM. Examples of such reports are Gartner’s and NASSCOM’s reports referred to above.
The government of India has made Digital India one of its core missions and it is leveraging open, scalable and cost-efficient computing models to make this mission a reality. Given the cost-sensitive nature of the Indian market, the cost efficiencies offered by cloud computing will be core to making the Digital India mission successful.
PolicyEncouragement of cloud computing
Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?
Currently, the government of India is considering a separate policy to create a separate legal framework for cloud computing. The Telecom Regulatory Authority of India released a consultation paper in 2016 on Cloud Computing in India and recommendations on cloud services in 2017 in furtherance of this.
The Ministry of Electronics and Information Technology (MEITY) addresses some aspects pertaining to cloud computing in its National Policy on Information Technology and the National Telecom Policy of 2012. One of the objectives of these policies is to develop an ecosystem to allow India to emerge as a global leader in the development and provision of cloud services. This focus is further enhanced in the National Digital Communications Policy 2018 released on 22 October 2018, which forms the overarching policy framework for all aspects of digital technologies in India over the next few years. The draft policy envisages establishing India as a global hub for cloud computing, inter alia, through: (i) promoting the establishment of International Data Centres, Content Delivery Networks and independent interconnect exchanges in India; (ii) establishing a light-touch regulatory approach to cloud computing; and (iii) establishing captive fibre networks. Hence, it seems reasonable to expect a growing and beneficial policy focus on cloud computing in India over the next few years.Incentives
Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?
Currently, there are no government schemes or policies that provide incentives or grants specifically to enterprises in the cloud computing sector. Fiscal incentives are extended to enterprises in certain categories such as:
- export-oriented enterprises set up inside special economic zones as notified by the government; and
- start-up ventures that are engaged in innovation and development of products, processes or services through use of intellectual property and technology, or that have a scalable business model with a high potential of employment generation or wealth creation. (A start-up is an entity incorporated or registered as a company or registered partnership or limited liability partnership less than seven years from the date of its incorporation or registration, that has a turnover less than 250 million rupees).
MEITY has, by way of the Public Procurement (Preference to make in India) Order 2017 (Order), stated that purchase preference (amounting to 50 per cent of total procurement) should be provided to local suppliers in all procurements to be undertaken by procurement entities in India as part of government of India’s ‘Make in India’ policy with a view to enhance income and employment in India. Therefore, public sector procurement will favour domestic cloud computing providers.
Other than fiscal incentives, start-up ventures are allowed exemption from compliances under specific environmental and labour laws. Cloud computing providers that meet the aforesaid parameters will be eligible for these benefits.
Legislation and regulationRecognition of concept
Is cloud computing specifically recognised and provided for in your legal system? If so, how?
There is no legislation in India that specifically recognises cloud computing. However, cloud computing services would fall under the ambit of the following:
- ‘Cloud services’ have been specifically recognised under the Integrated Goods and Services Tax Act 2017 (the GST Act) under ‘online information and database access or retrieval services’ and therefore the services rendered by cloud services providers would be subject to goods and services tax.
- Section 43A of the Information Technology Act 2000 (the IT Act) read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (the Privacy Rules) provide guidelines for the collection, use and protection of any sensitive personal data or information of natural persons by a body corporate that possesses, deals with or handles such data. The IT Act and the Privacy Rules together set out the regulatory framework for creation, collection, storage, processing and use of electronic data (including personal and sensitive personal information recorded in electronic form) in India. Cloud computing services that deal with personal or sensitive personal information need to comply with the requirements set out under the Privacy Rules relating to security, encryption, access to data subject, disclosure, international transfer and publication of policy statements. Cloud service providers in India may also be required to comply with the Information Technology (Intermediaries Guidelines) Rules 2011 (Intermediary Guidelines) prescribed under the IT Act.
- The government has a published a Personal Data Protection Bill 2018 (the Bill), which if notified will overhaul the existing privacy and data protection framework in India. The Bill is in many respects similar to the EU’s General Data Protection Regulation and it, inter alia, enhances the stringency of obligations and corresponding penalties governing data protection from a customer perspective. The Bill has also set high standards for the processing of personal data within India and abroad and is expected to replace or amend the IT Act and the Privacy Rules in these respects. Data sovereignty has lately become one of the primary areas of concern of the Indian government, as national security could be compromised to threats in digital space. In pursuance of safeguarding data sovereignty, Indian legislature has proposed norms on data localisation in the Bill. Furthermore, the RBI, has mandated all payment system providers to store payment related data in systems in India. This data may include full end-to-end transaction details or information collected, carried or processed as part of the message or payment instruction. These norms have been introduced for the benefit of the local players in the cloud computing market. However, the draft e-commerce policy deviates from the relatively conservative position adopted in the Bill on data localisation insofar as it inter alia permits cross-border transfer of technology related data as long as it has no personal or community implications.
Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?
As specified in question 8, there is no regulation in India that specifically prohibits, restricts or governs cloud computing. Question 8 describes the principal legislation that indirectly governs cloud computing services in India.
Other than the above, the use of cloud services by banks and insurance providers is separately regulated under sector-specific regulations.
What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?
Cloud computing services are primarily regulated (though indirectly) by the IT Act and Privacy Rules (see question 8).
In addition to the IT Act and Privacy Rules, the use of cloud computing in the banking and insurance sectors is subject to specific restrictions.
The RBI’s guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks read along with the Report of Working Group of RBI on Electronic Banking set out specific requirements to be complied with by banks while engaging cloud service providers. These requirements, inter alia, relate to vendor selection, data security, form of agreement, business continuity and disaster recovery or management practices.
The Insurance Regulatory and Development Authority of India’s Guidelines on Information and Cyber Security for Insurers require insurers to comply with requirements, inter alia, in relation to data, application and network security, incident management, and information security audit while using services from a cloud service provider.
The government retains the authority to intercept any information transmitted through a computer system, network, database or software for the prevention of serious crimes or under grave circumstances affecting public order and national security.
See also the paragraph pertaining to the Bill (see question 8) and its proposed impact on obligations of entities with respect to privacy and data protection in India.Breach of laws
What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?
The IT Act and Privacy Rules prescribe payment of damages on account of failure to or in case of negligence in implementing or maintaining reasonable security practices to protect any sensitive personal information. The non-compliant entity is required to pay damages to the aggrieved party to the extent of wrongful loss or damage suffered by the aggrieved party. Further, any person who has received any personal or sensitive personal information for performing any services, and discloses it with a mala fide intent is liable to a fine of up to 500,000 rupees or imprisonment of up to three years, or both.
The sector-specific regulations (see question 10) set out sanctions by regulators in case of non-compliance with them, which could range from fines to suspension or revocation of the licence to carry on business.
It is important to note that the Bill proposes to impose heavy monetary sanctions involving a percentage of total worldwide turnover, for non-compliance with the privacy and data protection measures laid down by it. There is good reason to believe that this position will prevail when the law comes into force.Consumer protection measures
What consumer protection measures apply to cloud computing in your jurisdiction?
The IT Act provides for the following consumer protection measures:
- the IT Act (and therefore the penal consequences of the Act) covers offences committed outside of India if the offence involves a computer, computer system or computer network located in India. This would protect consumers within India who procure cloud computing services from service providers located outside India;
- the Privacy Rules protect consumers by casting obligations on cloud computing providers with regard to the collection and storage of personal information. These include broadly:
- disclosures to be made to such users or consumers regarding the fact that the information is being collected or stored;
- the purpose of collection;
- the manner in which such information can be transferred; and
- the minimum-security practices and procedures to be implemented by cloud service providers when processing personal information.
The Consumer Protection Act 2019 (which is yet to come into force) grants the right to the central government to make rules for measures to be taken to prevent unfair trade practices in e-commerce, direct selling and also to protect the interest and rights of consumers in this regard.
Indian regulators are increasingly focused on all aspects relating to data protection and data localisation. The RBI recently mandated that all providers of payment systems must ensure that all data relating to payment systems operated by them are only stored in systems within India. The new Bill also proposes to enhance consumer protection measures by introducing data localisation requirements wherein in respect of cross-border transactions, a data controller is required to maintain at least one copy of personal data on a server or a data centre in India. This in turn would, inter alia, have the effect of relative ease in enforcement of claims by customers under consumer protection laws.Sector-specific legislation
Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.
See questions 8 and 10.Insolvency laws
Outline the insolvency laws that apply generally or specifically in relation to cloud computing.
There is no specific law in India that determines what happens to any data of the customer once the cloud service provider becomes insolvent and this would ideally be governed by the contract between the service provider and the customer.
The Companies Act 2013, as amended by the Insolvency and Bankruptcy Code 2016, governs procedure to be followed when a company becomes insolvent. In the absence of any contractual understanding regarding the treatment of customer data in case of insolvency of the service provider, the liquidator of the company will decide how such data would be treated.
Data protection/privacy legislation and regulationPrincipal applicable legislation
Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.
The IT Act and Privacy Rules (see question 8) is currently the primary legislation governing data protection and privacy with respect to cloud computing in India. However, on 24 August 2017, a nine-judge bench of the Supreme Court of India conclusively held that the right to privacy is a fundamental right guaranteed to the citizens of India (subject to reasonable restrictions) and such right would also be exercisable against the state. See question 8 for more details on the proposed changes in the privacy and data protection framework in India that resulted from this decision of the Supreme Court.
Cloud computing contractsTypes of contract
What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?
The most common form of cloud computing contracts in India are international standard form contracts with fixed terms and are in most instances non-negotiable, with certain exceptions. However, if the cloud service provider is a small service provider the user may have more room to negotiate terms. The terms of the contract will also depend on the service delivery model (ie, whether it is IaaS, SaaS or PaaS).Typical terms for governing law
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?
Under Indian laws, parties to a contract have the right to choose the governing law. However, in the event of a dispute, the courts will not only take into consideration the governing law as included in the contract but also its link with the contract. Usually, parties agree to the exclusive jurisdiction of the courts in the same country as the governing law.
Under section 44A of the Indian Code of Civil Procedure 1908, a decree of any superior court of a reciprocating territory that is so declared by the government, will be executed in India similar to any decree passed by a district court in India. All other judgments or decrees will face extensive re-adjudication in Indian courts.
Arbitration is a fairly commonly accepted method of dispute resolution. Parties should ideally also include an escalation clause for dispute resolution.Typical terms of service
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?
Given the prevalence of international standard form contracts in the Indian market, the typical terms are similar to terms that are commonly used in large markets such as the US and the UK.Typical terms covering data protection
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?
Data security and confidentiality obligations are very important as users may upload confidential and proprietary information as well as personal data. The Privacy Rules prescribe that sensitive personal information should be stored in ISO 27001-compliant data centres. Clauses surrounding data privacy, confidentiality and data transfer, and preservation are largely similar to clauses found in international standard form contracts prevalent in the US and UK. Once the Bill becomes law, there will be significant changes on the data front.Typical terms covering liability
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?
Clauses around liability, warranties and provision of service are solely dependent on the contractual arrangement reached between the parties. Most service providers will have standard service availability and service levels specified in the agreement that they would not be willing to negotiate. Similarly, most service providers would have standard business continuity and disaster recovery processes in place.Typical terms covering IP rights
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?
Under a B2B public cloud computing contract, the service provider or its licensors will continue to hold all rights, title and interest in the cloud computing resources, while the user will continue to hold all rights, title and interest in the data it uploads as well as in any output that is generated through the use of such data.
Usually, a typical (and, in most instances, the only) indemnity that the service provider may be willing to provide is for indemnification for third-party intellectual property infringement claims and such indemnity is not capped.Typical terms covering termination
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?
Apart from termination rights set out in the agreement, a party has a statutory right to terminate in case of a breach by the other party. Other than that, a party whose consent to an agreement is obtained through coercion, fraud or misrepresentation can elect to terminate it. Most agreements may also contain a right for both parties to be able to terminate for convenience without incurring any liability.
In the instance the service provider is dependent on a third-party for essential services required to provide the cloud computing services, the services provider may retain the right to immediately terminate without incurring any liability if the service provider’s relationship with the third-party is affected in any manner.
Post-expiry or on termination of the agreement, the agreement will usually provide for payment of any fees due and payable as well as refund of fees for services not rendered (though this may not be something larger cloud service providers may agree with). Provisions regarding return of user data are also included, with the service provider specifying the duration that they are willing to retain such data post which the data may be irretrievably deleted. The parties should also agree on the format in which the data would be returned. Most service providers will not agree on any further post-termination obligations. However, if the agreement is negotiable the user can ask for data retrieval, transfer or migration services.Employment law considerations
Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.
There are no such labour or employment law considerations that would apply to a business customer.
TaxationApplicable tax rules
Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.
Providers of cloud computing services are subject to both direct and indirect taxes.
Direct taxes apply to the income of the cloud computing company and are collected on a combination of withholding at source and direct remittance by the cloud computing company.
As a consumer of goods and services, the company would mostly have a responsibility to bear the economic burden of tax specified under the GST Act. The provider of goods and services, generally, has the responsibility of collection and remittance of the goods and services tax.Indirect taxes
Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.
Provision of cloud computing services from within India to a recipient also within India will attract goods and services tax (currently, at a composite rate of 18 per cent) under the GST Act. Where cloud computing services are exported and, therefore, consumed outside of India, the rate of applicable goods and services tax is zero (subject to meeting certain requirements).
The GST Act replaces the earlier service tax regime. As per the GST Act, cloud service providers are now able to claim credit on the input hardware used for providing services.
Recent casesNotable cases
Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.
The government recently launched a National Cloud Initiative - GI Cloud - to optimise the government’s spending on internet and communications technology and to facilitate large-scale adoption of cloud computing and services within the governance mechanism. MEITY has provisionally accredited private cloud service providers for the development of cloud infrastructure. Currently, NIC Cloud (cloud.gov.in), a government website, offers service models such as PaaS, IaaS, SaaS and storage-as-a-service.
Further, given the pervasiveness of cloud computing today, a number of private and quasi-governmental organisations have formulated draft models for the development of cloud services in India. For example, the Cloud Computing Innovation Council published a white paper titled ‘A Framework and Roadmap on Cloud Computing Innovation in India’ that sets out a proposed roadmap for the development of cloud computing services in India through three phases:
- establishment of National Cloud Authority;
- setting up government clouds based on the certain interoperability standards emerged within India; and
- adoption of these interoperability standards by other Indian cloud companies on a large scale.
Update and trendsKey developments of the past year
What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?Key developments of the past year27 What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?
See questions 8 and 10.