
Telescope: Is your cloud contract legal-proof?

CIOL Bureau

MUMBAI, INDIA: Consider this. There are no geographic restrictions on transferring personal data outside India. However, any transfer of data (except those already covered by a contractual agreement) requires the written consent of the data subject. Sensitive personal data can only be transferred to an entity outside India that maintains the same level of data protection as that adhered to by the 'body corporate' in India. Further, there is no national data protection or cloud regulator; however, a few clauses in the Act, such as 43A and 79, are applicable to cloud services.


These are just some of the red and yellow lights that can hold you at a Cloud signal for long. More of the legal connotations of the hesitance and concerns that Cloud adopters harbour were unearthed in a recent report by Gartner.

We catch up with Biswajeet Mahapatra, Research Director at Gartner, to turn more of these pages and understand the legal aspects of cloud adoption in India.

What are the legal implications of letting the Cloud in through your doors? How stark are they?


When it comes to dealing with sensitive information, one has to understand who is the owner of the data and who is liable for data security. Is it the one who stores it? Or a third party who applies it? One has to ensure that there is no misuse of data. ISO 27001 implies that service providers should have adequate security standards. But their roles and the various legal angles are still vague in the Indian context.

What are the main gap areas in our laws?

Well, IT laws in India were not made for Cloud Computing. They are still very rudimentary in that sense. The IT Act came into force in response to the needs of an e-commerce era, with various amendments in 2008 etc. for incorporating the new force of digital signatures. This year too, the government came out with three notifications. One of them outlines reasonable security procedures regarding what is defined as personal information (Clause 43A) and who can store and control that kind of data. But it is still nascent, and the business aspects of information are still not covered properly. The second notification is about intermediary guidelines and the role of network service providers, which might have some implications for cloud computing.


Section 79 also talks of limitations on data transfer. This Act says that one can put data at any place, provided that place has adequate security in line with your security policy. But if we look at US laws, the government has the right to pull out and access information. Does India have that kind of regulatory power or practical access? That's a big question. As per the Indian Information Technology (Amendment) Act, there are no approved data transfer standards, which allows both end users and cloud service providers to use any acceptable, reasonably secure standards.

The moot point then is that the law is relatively weak?

If there is any breach, then many things are vague. The IT Act is rudimentary, as I said. It is very basic and nascent and not geared up for Cloud Computing scenarios. It needs a major overhaul.


Do you see any progress to fix this?

With respect to the information I have, and the interactions I have had, the government is working on our IT policy. But not much is expected for a couple of years.

What if we compare India to its international counterparts?


Well, in the area of Cloud computing, the definitions are still very vague as of now. Who is responsible? For what kind of role? Who is liable in the event of a misuse or leakage? Many questions are blank. We need clear guidelines on aspects of data selection, its storage, and its processing. What it means for an end user, a cloud service provider and a network service provider etc. should be clear. For instance, in the case of the UID project, the biometric scans are being handled by a third party, though it is the government that owns the data. What if it is misused some years from now, especially when these technological options are much more widespread and well penetrated in usage? Who will be responsible?

So what should a customer do? How can a cloud contract still be made strong enough to safeguard a customer's interests?

Your contract should be foolproof, because you might not be able to fall back on the IT Act; so, from a Contract Act view, you should ensure it's watertight. Make clear what kind of data access is allowed, to which people, and where the data is stored.


Is there any recourse in terms of SLAs and outages?

One's exit clause should be robust. That is very important, because so much data has already been handed over even if one decides to end the contract. What happens to the back-up data once a customer says goodbye? Or who will be responsible if it is misappropriated after the deal ends?

What happened with RIM's 'Black'out or Amazon throws new light on service providers' mandates too, right?


Yes. In such cases, giving credit points or premium applications has no meaning. If someone is stuck in a critical situation due to such an outage, a freebie or a $100 app won't mean anything. Contracts should have no vagueness. When we talk of 99.9 availability in SLAs, we should be clear about who would be responsible if a breach happens.

What were your report's spotlights for Cloud users?

India is seeing a big increase in interest in the adoption of cloud offerings. Without clarity regarding the technical, economic and legal aspects, companies will be hesitant to adopt cloud, especially the public cloud model. In this research, we looked at some of the clauses in the Indian Information Technology (Amendment) Act that could impact cloud adoption in India.

Your advice with those constraints in mind would be?

As to key recommendations: Ensure that your cloud service provider has IS/International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 certification, because this is an accepted standard by the government of India per rule 8, section 43A, of the Indian Information Technology (Amendment) Act, 2008. Ensure that cloud service providers have their processes audited regularly and submit them to the central government. Ensure that the cloud service provider specifies clearly where the data would be hosted and who has access to the data. When dealing with sensitive personal information, ensure that you have the written consent of the data subject before moving the data to an external cloud provider.