Companies are moving towards the cloud now in greater numbers than before. The current advantages of cloud computing significantly outweigh the existing and dominant model of data processing, namely on physical servers. As such, pharma companies are also moving towards data management through the cloud, specifically in areas of data management of clinical trials and due to shrinking delivery pipelines. With this move and considering the impact of the work pharma companies are engaged in, several unique issues are likely to come up. This is particularly relevant for the Indian region, where cloud computing poses a unique set of opportunities and challenges due to lesser understanding and development of law in this area.
The present bulletin discusses the reasons for the increasing interest of the pharma companies and clinical research organizations in cloud computing and the potential issues that they are facing and are most likely to face, in terms of the present information technology regulatory framework in India under the Information Technology Act, 2000 (“IT Act”).
1. Rationale for moving to the cloud
The primary rationale attracting pharma companies to move to the cloud is convenience, ease of operations and reduced cost which allows them accelerator to focus more on research and development of newer drugs as well as sales and marketing. As research and development in the pharma sector is an information intensive activity, cloud computing offers ease of access of information within an organization from its offices and research centers spread across the globe. One of the most important features of cloud computing is that companies that depend a lot on server accessibility and do not have to actually get physical servers and keep the same running. Particularly in the pharma sector, when research is commenced on new drug development, companies need to process and analyze a large volume of data, which requires preparation of a specialized program and creating & managing huge server space.
Additionally, hospitals are increasingly looking to reduce the time lag patients face due to lack of availability of their online medical history. While not in place presently in India, a virtual environment can possibly be created by cloud where hospitals can have access to several or customized applications useful for analyzing data and statistical input to get the desired information on patients with minimal time lag to improve the existing diagnosis and monitoring process. This will assist the medical practitioners to diagnose and recommend/initiate treatment effectively with more accuracy while having the medical history of the patient so easily accessible to them.
A similar virtual environment could also be created for clinical trials, which would not only help development of drugs under trial, but also assist in identifying appropriate
subjects for the trial and use the pharma companies’ existing digital assets to derive results without increasing effort substantially as the company will not have to re-invent the wheel and can take advantage of a pre-structured virtual environment. In addition to this, the cloud can be used for management of the entire volume of data generated in a clinical trial and reduce problems of internal access to information and data for analysis.
Another utility the cloud offers is the hosting that software requires for running processes and reduces the need for the physical servers to keep running. According to media reports, Eli Lily a pharmaceutical company had taken on Amazon Web Services to utilize the cloud computing service provider’s private cloud for carrying out processes and to make data available to its scientists. Before adopting the cloud computing services, setting up an internal server with the desired processed took as much as two months, whereas cloud computing reduced the time to merely three minutes. While the shift to the cloud is seemingly effortless, there are many practical issues which are likely to crop up and have corresponding legal ramifications vis-à-vis indemnity and costs for damages for users and service providers alike.
2. Potential issues vis-à-vis regulatory framework
The primary issue with cloud computing, which is making many pharma companies and other potential and current users of the cloud wary, is data portability. While it is very easy to create and migrate information to the cloud, it is equally, if not more, difficult to take data off from the cloud. This issue could arise if and when companies decide to move away from a cloud and back to their physical servers, for any reason. The chief concern companies have here is not only that of cost, but also of loss of data, which may be due to backend issues of the service provider, network outages or any other external reason. As recent example of this is the outage of the Blackberry services in October 2011 due to the internal issues with Research in Motions servers.
In addition, there is also a potential threat to loss of privacy and breach of confidentiality which is very inherent in the nature of cloud computing services. The owner of the information cannot know with complete satisfaction whether the information is safe and not being accessed by third parties, either by hacking or otherwise. Further, as a cloud can be hosted anywhere, at any given precise moment, it is impossible to determine whether the information in the cloud is on a server located in a hostile jurisdiction. This may also expose the user to liabilities under its home nation’s laws.
In India, the underlined issues mentioned above get compounded under the IT Act. Herein, under section 67C, an “intermediary” is under an obligation to “preserve and retain” information and for “such duration” as specified by the central government. An intermediary is defined1 to include persons (including companies) that provide services relating to transmission, storage, web-hosting, network and internet access etc., and in general cover cloud computing service providers. With a statutory obligation to retain information, many users and potential users are wary of using cloud services in India. In case of contravention of the statutory obligations, the intermediary is liable to be punished with imprisonment for up to three years and fine.2
While there are obligations on a service provider to maintain privacy3 and follow reasonable security procedures to ensure data protection,4 the effect of these obligations is negated by the general exemption from liabilities under the IT Act under section 79. This provision provides that a service provider is not liable for any third party information that is hosted by it. Considering pharma research is quite sensitive and carried out in secrecy, the provisions of the IT Act do not raise much confidence in the efficacy with which such violations will be punished. While most cloud computing service providers do follow international standards of safety and data maintenance, and there has not been a serious or major threat to data security in India, even then users feel the obligations of the service provider do not protect their interest adequately. To this end, the provisions of the IT act need to change drastically and not wait for an adverse event to take place.
As mentioned above, Eli Lilly refused to further its use of Amazons Web Services over legal indemnification issues. The user wanted to increase its use of the cloud service and wanted the service provider to assume greater responsibility and liability in case of network outages and data loss, corresponding to its increase in usage of the services. The service provider refused to increase its liability and ultimately the user decided against using cloud computing. Since India is an emerging market, having statutory provisions which reasonably protect the users’ interests and data as well as provide only exceptional situations for exempting service providers from liability is a necessity.
The opportunity for pharma companies and cloud service providers is immense and still unexplored in its entirety. As an emerging market, Indian regulations need to evolve keeping global standards and business practices and also maintain a balance with protecting the rights and obligations of all parties involved. Favoring only the user or the service provider would be detrimental for development of cloud computing practices in India, not only for pharmaceuticals but for all sectors, since they are inter-dependent. Growth of one will lead to growth in the other, and the regulatory structure needs to evolve to synergize with the interests of the sector. Only then will India, as an emerging market, be successful and a destination for cloud computing for the pharma companies.
Authored by: Ashutosh Chandola
1 Section 2w of the IT Act
2 Section 67C of the IT Act which re-iterates the obligation of intermediaries to preserve and retain data and information
3 Section 66E of the IT Act
4 Section 43A of the IT Act