TRAI contemplating Cloud Computing regulation framework

August 2011


TRAI contemplating Cloud Computing regulation framework

Quite recently, the TRAI has called for papers on the proposed regulatory framework for cloud computing in India. TRAI, in announcing the call for papers, showed its awareness of the growing phenomenon and the practical issues surrounding the same. TRAI has enumerated and highlighted several key areas of focus while calling for suggestions such as Regulatory framework for Cloud Computing, Ensuring high availability levels, Data erasing in the Cloud, Data privacy at Service provider end, Data Security, Data Export Restrictions, Monitoring Data Handling regulations required for Regulated Industries (financial services healthcare), Multiple Jurisdictions/Areas when data is stored at different data centers, Enhanced security Cloud Computing services, Ensuring quality of the Cloud service, Exit strategies and switching suppliers, Cloud Television/cloud computing on TV – levels of QoS, Inter-operable between Cloud Service Providers (common protocols), etc.

PSA view – Cloud computing is a recent phenomenon in India and considering the tremendous opportunities for growth in this area, regulation is lacking. There are severe threats in cloud computing which are not limited to data security or privacy. Effective regulations which are based on industry requirements are the need of the hour, and the initiative by TRAI is a step in the right direction. It would be interesting to see how the cloud computing regulations in India are formulated and implemented, given the stark lack of judicial precedents on information technology related issues in India.

Some crucial developments

  • Communications and IT Ministry is working on a full policy prescription to spur hardware and electronics manufacturing in India. A modified Special Incentive Package Scheme which will focus on incentives mainly for electronics and telecom equipment manufacturing (or electronics ecosystem) has already been drafted and approval process initiated. The modified SIPS will also cover newer product categories, besides stipulating different threshold investment slabs for different product types.
  • Government has formed a high-level committee of central security agencies and telecom department to look into the issue of imported SIM cards in view of the security threat posed by them. The committee will submit its report to the home ministry after a “joint technical assessment” of existing SIM cards.
  • The government is for the first time working on a policy on the use of operating systems and device drivers in all new e-governance projects for having open source based systems. The new draft Policy On Device Drivers For Procurement Of Hardware for e-governance says, “Government of India (GOI) endeavors to provide e-governance services, which are technology-neutral, cost effective, interoperable and vendor-neutral. GOI Policy on open standards is a step towards meeting this objective in the development of e-governance applications.” The policy shall apply to all the new e-governance projects as well as the existing ones.
  • India is reportedly working with US to emulate existing global best practices in the realm of data security and privacy and the government, in all likelihood, will tighten the provisions linked to data privacy and data protection in the Information Technology Act, 2000, and will also shortly impose big penalties on business process outsourcing (BPO) firms that compromise on the data privacy of individual customers.
  • To strengthen electronic manufacturing capabilities in India, government is mulling over making “Made in India” or Indian electronic products mandatory for 30% value terms for all government procurement. The draft proposal suggests that this will extend to tenders of all government ministries, PSUs, government-controlled institutions, PPP-funded projects and projects under institutional funding from the World Bank and Asian Development Bank.
  • Internet Corporation for Assigned Names and Numbers (“ICANN”) has approved plans to launch a potentially unlimited number of new generic top-level domains (“gTLDs”) which will expand the number of generic  domains from the current set of 22 domains (including .com, .org, and .net) to as many as 1,000. Pursuant to this new beginning, companies and other organizations will be able to create their own domains with their brand names like .apple or .nokia and will have broad implications for them. Interestingly, industry designations will also become a possibility like .pharma, .technology. Finally, domain for terms like .red, .tender, or .fiction is also possible. The new gTLDs will change the way people find information on the internet and how businesses plan and structure their online presence, quoted ICANN in its press release on its website. An applicant guidebook has also been released on May 30 which is still being discussed by stakeholders and may undergo revision. Applications for new domains will be accepted from January 12, 2012 until April 12, 2012 and the first gTLD is expected to be launched in 2013. These domains can be in any character like devanagiri, Kanji or Russian, for instance. Technically, any word can be used in domain names. It has the potential to change the complete face of internet.
  • The US Department of Homeland Security (“DHS”) and the Indian Department of Information Technology have signed a MOU for increasing the inter agency co-operation between the computer emergency response teams in both countries. This MOU will establish the best practices and basic protocols for sharing information between the US-CERT, which is the operational arm of the DHS’s national cyber security division, and India’s CERT-In, the Indian nodal agency for responding to cyber security incidents. The MOU has been signed keeping in mind the US-India strategic talks held in 2009 for promoting global security and countering terrorism.

Neeraj Dubey
Ashutosh Chandola