Legislation and regulation
Recognition of concept
Is cloud computing specifically recognised and provided for in your legal system? If so, how?
There is no legislation in India that specifically recognises cloud computing. However, cloud computing services would fall under the ambit of the following:
- ‘Cloud services’ have been specifically recognised under the Integrated Goods and Services Tax Act 2017 (the GST Act) under ‘online information and database access or retrieval services’ and therefore the services rendered by cloud services providers would be subject to goods and services tax.
- Section 43A of the Information Technology Act 2000 (the IT Act) read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (the Privacy Rules) provide guidelines for the collection, use and protection of any sensitive personal data or information of natural persons by a body corporate that possesses, deals with or handles such data. The IT Act and the Privacy Rules together set out the regulatory framework for creation, collection, storage, processing and use of electronic data (including personal and sensitive personal information recorded in electronic form) in India. Cloud computing services that deal with personal or sensitive personal information need to comply with the requirements set out under the Privacy Rules relating to security, encryption, access to data subject, disclosure, international transfer and publication of policy statements. Cloud service providers in India may also be required to comply with the Information Technology (Intermediaries Guidelines) Rules 2011 (Intermediary Guidelines) prescribed under the IT Act.
- The government has published a Personal Data Protection Bill 2018 (the Bill), which if notified will overhaul the existing privacy and data protection framework in India. The Bill is in many respects similar to the EU’s General Data Protection Regulation and it, inter alia, enhances the stringency of obligations and corresponding penalties governing data protection from a customer perspective. The Bill has also set high standards for the processing of personal data within India and abroad and is expected to replace or amend the IT Act and the Privacy Rules in these respects. Data sovereignty has lately become one of the primary areas of concern of the Indian government, as national security could be compromised by threats in the digital space. In pursuance of safeguarding data sovereignty, the Indian legislature has proposed norms on data localisation in the Bill. Furthermore, the RBI has mandated all payment system providers to store payment-related data in systems in India. This data may include full end-to-end transaction details or information collected, carried or processed as part of the message or payment instruction. These norms have been introduced for the benefit of the local players in the cloud computing market. However, the draft e-commerce policy deviates from the relatively conservative position adopted in the Bill on data localisation insofar as it, inter alia, permits cross-border transfer of technology-related data as long as it has no personal or community implications.
Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?
As specified in question 8, there is no regulation in India that specifically prohibits, restricts or governs cloud computing. Question 8 describes the principal legislation that indirectly governs cloud computing services in India.
Other than the above, the use of cloud services by banks and insurance providers is separately regulated under sector-specific regulations.
What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?
Cloud computing services are primarily regulated (though indirectly) by the IT Act and Privacy Rules (see question 8).
In addition to the IT Act and Privacy Rules, the use of cloud computing in the banking and insurance sectors is subject to specific restrictions.
The RBI’s guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks read along with the Report of Working Group of RBI on Electronic Banking set out specific requirements to be complied with by banks while engaging cloud service providers. These requirements, inter alia, relate to vendor selection, data security, form of agreement, business continuity and disaster recovery or management practices.
The Insurance Regulatory and Development Authority of India’s Guidelines on Information and Cyber Security for Insurers require insurers to comply with requirements, inter alia, in relation to data, application and network security, incident management, and information security audit while using services from a cloud service provider.
The government retains the authority to intercept any information transmitted through a computer system, network, database or software for the prevention of serious crimes or under grave circumstances affecting public order and national security.
See also the paragraph pertaining to the Bill (see question 8) and its proposed impact on obligations of entities with respect to privacy and data protection in India.
Breach of laws
What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?
The IT Act and Privacy Rules prescribe payment of damages for failure, or negligence, in implementing or maintaining reasonable security practices to protect any sensitive personal information. The non-compliant entity is required to pay damages to the aggrieved party to the extent of wrongful loss or damage suffered by the aggrieved party. Further, any person who has received any personal or sensitive personal information for performing any services, and discloses it with mala fide intent, is liable to a fine of up to 500,000 rupees or imprisonment of up to three years, or both.
The sector-specific regulations (see question 10) set out sanctions by regulators in case of non-compliance with them, which could range from fines to suspension or revocation of the licence to carry on business.
It is important to note that the Bill proposes to impose heavy monetary sanctions involving a percentage of total worldwide turnover, for non-compliance with the privacy and data protection measures laid down by it. There is good reason to believe that this position will prevail when the law comes into force.
Consumer protection measures
What consumer protection measures apply to cloud computing in your jurisdiction?
The IT Act provides for the following consumer protection measures:
- the IT Act (and therefore the penal consequences of the Act) covers offences committed outside of India if the offence involves a computer, computer system or computer network located in India. This would protect consumers within India who procure cloud computing services from service providers located outside India;
- the Privacy Rules protect consumers by casting obligations on cloud computing providers with regard to the collection and storage of personal information. These include broadly:
  - disclosures to be made to such users or consumers regarding the fact that the information is being collected or stored;
  - the purpose of collection;
  - the manner in which such information can be transferred; and
  - the minimum-security practices and procedures to be implemented by cloud service providers when processing personal information.
The Consumer Protection Act 2019 (which is yet to come into force) grants the right to the central government to make rules for measures to be taken to prevent unfair trade practices in e-commerce, direct selling and also to protect the interest and rights of consumers in this regard.
Indian regulators are increasingly focused on all aspects relating to data protection and data localisation. The RBI recently mandated that all providers of payment systems must ensure that all data relating to payment systems operated by them are only stored in systems within India. The new Bill also proposes to enhance consumer protection measures by introducing data localisation requirements under which, in respect of cross-border transactions, a data controller is required to maintain at least one copy of personal data on a server or a data centre in India. This in turn would, inter alia, make it relatively easier for customers to enforce claims under consumer protection laws.
Sector-specific legislation
Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.
See questions 8 and 10.
Insolvency laws
Outline the insolvency laws that apply generally or specifically in relation to cloud computing.
There is no specific law in India that determines what happens to any data of the customer once the cloud service provider becomes insolvent, and this would ideally be governed by the contract between the service provider and the customer.
The Companies Act 2013, as amended by the Insolvency and Bankruptcy Code 2016, governs the procedure to be followed when a company becomes insolvent. In the absence of any contractual understanding regarding the treatment of customer data in case of insolvency of the service provider, the liquidator of the company will decide how such data would be treated.

