Trai’s cloudy cloud computing paper
This is the third instance in recent months where Trai is inquiring into aspects which should be left to market forces or dealt with by other regulators
I am rather disappointed with the 119-page consultation paper on cloud computing from the Telecom Regulatory Authority of India (Trai). This is the third instance in recent months where Trai is inquiring into aspects which should be left to market forces or dealt with by other regulators. The first two instances were its suggestion to control content providers and aggregators in its paper on free data, and then its confusion of issues of privacy and security with Net neutrality in its pre-consultation paper on Net neutrality.
The mandate of the current government is “ease of doing business” and “liberalize”/“deregulate” what ought not to be regulated. Most of the issues raised in the cloud computing paper, however, seek to do exactly the opposite!
“Digital India” needs the creation of a robust IT infrastructure and cloud is its integral part. For micro, small and medium enterprises, especially the start-up community, it is extremely important to have access to affordable cloud infrastructure. Any policy that the government adopts ought to augment establishment of cloud services that reach rural India. The cloud computing consultation paper seems to almost suggest licence raj, which in fact may throttle growth.
In view of the National Telecom Policy 2012, the department of telecommunications requested Trai to examine adoption of cloud computing services by government departments. Therefore, questions with respect to (i) government’s adoption of cloud services (including requirement of a separate cloud for the government); (ii) steps for enhancement of cloud infrastructure in India; (iii) cost-benefit analysis of adoption of cloud services; and (iv) infrastructure challenges for establishment of data centres seem relevant for the government. In fact, I am happy to see that Trai is considering tax subsidies to promote cloud services in India. However, the department of electronics and information technology (DeitY) may be the appropriate department to examine these issues.
Now let me deal with controversial issues and aspects that appear out of scope for the cloud computing paper.
First, the paper seems to suggest a legal regime for cloud computing services; in fact, a licensing regime. This will amount to over-regulation. On the one hand, the paper says that cloud service providers (CSPs) may behave monopolistically and on the other hand it seeks to create entry barriers by introducing a licensing system. Cloud services are rendered through the infrastructure created by the private companies. It rides on the infrastructure of telecom operators and Internet service providers, who are already regulated. I see no reason why CSPs should be subjected to additional licensing requirements. In fact, such requirements may be counterproductive and may keep CSPs away from India.
Second, the paper deals with questions with respect to data—control of data, data transfer (including cross-border transfer), security against breaches and the like. However, these issues are not unique to the cloud environment but are applicable to all digitized data. The Information Technology Act, 2000 (IT Act) deals with personal as well as non-personal data. For personal data, there is a separate Right to Privacy Bill already being discussed. With this background, I see no reason to discuss these issues as part of the cloud computing consultation process. Interestingly, in the Net neutrality pre-consultation paper, Trai had raised queries relating to customer privacy! While I can appreciate Trai’s obsession with data protection issues, DeitY (and not Trai) can take up these issues separately—and more holistically. There is scope for making the provisions of the IT Act broader and its enforcement stronger. India should also consider collaboration with other governments for quick information exchange for investigation of data breach crimes.
Third, the paper discusses aspects of quality of services, standards to be adopted by CSPs and interoperability between CSPs. Honestly, these should be left to be determined by the industry, either through commercial negotiations or through self-regulation. Law is seldom able to catch up with technological developments. Standards prescribed by law in no time become obsolete and it takes ages for laws to be amended. The standards for encryption of data and the definitions of electronic signature under the IT Act are suffering from this lag. (Readers may remember the fate of the encryption policy consultation paper last year.) We can at best consider adoption of relevant international standards. There is one more reason that I suggest this. India cannot think about these issues in isolation. The cloud infrastructure is not located in a single country. If each country starts imposing its own requirement, the cloud computing model cannot work. International standards are already developing as discussed in the paper. India should actively contribute to that process. The government may include such international standards as part of eligibility criteria for tendering process for engaging CSPs.
Last but not the least, in the zest for discussing all these issues, the consultation paper has gone beyond this mandate and raised questions that purely deal with the relationship between two private parties (CSPs and customer); for example, billing and metering arrangement, data control and migration, mandatory interoperability between two CSPs, and dispute resolution mechanisms.
To summarize, Trai should substantially narrow down its consultation paper to limit itself to questions relating to (i) adoption of cloud by government departments; and (ii) enhancement of cloud infrastructure in India. DeitY may separately deal with security of digital data. India should participate in development of international standards. Private parties should be left alone for all other matters.
One final comment. The current government has taken on several challenges and has a lot on its plate. Government departments should focus on their specific mandates and avoid overlaps. It will help all stakeholders to contribute effectively to the consultation processes.
We all look forward to bridging the digital divide and establishing a digitally smart India.
The author heads the IP, technology, media and entertainment law practice at law firm Nishith Desai Associates.