Author:- Anupam Singh Sengar
In the fast paced, development oriented 21st century our technological growth has exceeded any limits. We had invented countless technologies to expedite our difficulties. One of these is cyber technology, the ever growing and innovative technology that has provided enormous advantages to us. Whether it’s about reducing distances, effective communication, information, trade, entertainment etc., it has been a big aid. The very fascinating fact about it is its dynamic nature. It keeps on improving and enhancing itself. And a very latest update in this technology is cloud computing which has made it more effective, reliable, efficient, and time saving. Today most of the people are attached to it whether it is a powerhouse company or an individual user, it is beneficial to all.
What is cloud computing?
As a cloud is a collective form of many water vapor molecules and is not a stationary body as it keeps on changing its position, this technology is somewhat similar. It is formed out of many different networks or users and is not a stationary body it is accessible at different places by different people. Thus it is named as cloud computing. It’s the on-demand transfer of IT resources through internet.
In place of buying and maintain high priced and fancy physical resources such as data servers it helps in providing technological services such as storage, database etc. on an on- demand basis through a cloud provider. Services such as Google Dox, Adobe Creative Cloud, Gmail etc… Are all cloud computing services, that has become an important part of our society that are very advantageous on one hand and on another carries many difficulties with them too
Legal issues arising out of cloud computing
Even though cloud computing is very beneficial in the modern world, but as we all know that there is both positive and negative aspect to everything, similarly cloud computing has also resulted in emergence of several legal issues that are as follows:-
- Data breaches: – It refers to unwanted discloser of personal or sensitive information of a user or individual. This phenomenon is very likely to happen in cloud computing as it provides on need services and many users are connected to it as well as their data too and the service provider has access to it at will. As there are many users in a cloud and it is possible that the cloud provider is not using a good security tool, so the data of the user can be misused by many people. Hacking, cracking, cyber-attacks etc… Are very common in today’s world and due to such situations personal data such as bank details, personal messages, address etc… can be disclosed and privacy of an individual can be breeched easily.
- Privacy& security: – Privacy is one of the main concerns regarding cloud computing. There is no guarantee that the personal data of the user is secured or not. Not only users but nations are also worried as Asia and Europe are concerned as there data is stored in U.S and can be accessed easily by U.S by USA Patriot Act. Another example would be of Odense Municipality of Denmark which denied to use the cloud service “Google Apps” to store data in relation to its public schools.
- IPR matters: – As cloud services allow access to tons of data to be stored similarly this data can be accessed by anyone as cloud is open to all. There is no promise that your data are secure and people cannot copy it. In matters relating to intellectual property such as copyright, trademark, patent this situation can be very dangerous as these are registered and protected at the national level only so there is no protection at the international level. As even observed in the case Tiffany (NJ) Inc. v. eBay Inc. the cloud service provider aided in the infringement but still was not made liable.
- Jurisdiction: – As cloud computing is all about linking world at the global level. It allows using resources beyond sea. But at the same time when there is breach of laws or legal issues it becomes certainly difficult to access jurisdiction under which the trail would be conducted as many providers are from different countries they would wish to be tried under their laws and vice versa. It would also be difficult to access data that is stored in a different country.
Indian cyber laws regarding cloud computing:-
It is a very astonishing fact that India does not have specific policy or laws towards protection of loopholes arising out of cloud computing. India is still lagging behind in intact and efficient infrastructure of cyber laws. Still some laws in India which relates to cloud computing are as follows:-
- Integrated Goods and Service Act 2017:- The clause 17 of section 2 of this act talks about the “online information and database access or retrieval services”. It basically deals with the services that are delivered using cyber platform or information technology using internet. It explicitly mentions in its (ii) sub clause about providing cloud services.
- Section 43A of Information Technology Act 2000:- It enforces direct responsibility of any institution while handling data of its users. It says that when so ever a cooperative body handles sensitive or personal data and is unable to follow essential security protocols for protection of the data from being misused by someone, then the respective body will be liable for damages. Thus it can relate to the cloud by enforcing responsibility on cloud service provider.
- Section 72A of Information Technology Act 2000:- It enforces the responsibility of non-discloser of information in an agreement. In accordance to this provision there lies a criminal penalty on the service provider when he/she during the course of a contract, discloses personal data or information of a person with whom the contract is made, without his or her consent. Thus can aid in matters of contractual relations in cloud computing
- Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011:- These rules enacted by the Indian government aids in safeguard of sensitive or personal data gathered by an individual in course of a commercial activity as all of its obligations are effective on body corporates. It lays different rules regarding the same. Thus it can benefit in protection of data in cloud computing as it is a commercial activity nowadays.
Even though there are laws they are very shady and not clearly defined. It is unclear whether their jurisdiction is up to cases relating to cloud computing or not thus there is need of strong laws regarding this field such that no one’s rights are hindered
Comparative analysis: Cyber Laws in U.S.A regarding cloud computing
In this field America has its very own law for handling the whole cloud situation. The Clarifying Lawful Overseas Use of Data (CLOUD) Act is in force in America to view all kinds of conduct relating to cloud computing. The Act’s background lay into the dispute between Microsoft and the U.S government (United States v. Microsoft). In which Microsoft denied access of some of the credential information to FBI in respect to another case.
This act is indeed very beneficial in securing privacy. Highlights of the Act which makes it important are:-
- Access to national data with foreign countries: – this new Act has amended the U.S laws, such that the government can demand access to data from provider of electronic communication serviced even if it is stored outside the U.S. it basically permits the federal law enforcement to force the I.T companies, through warrant or subpoena to bring forth the requested data irrespective of where it is located, either in U.S itself or in any other country. It’s basically amends the Stored Communications Act (SCA) of 1986 of the U.S. It empowers the state to collect essential information for investigations via I.T companies’ data base even in the presence of international criticism.
- Access of data to foreign countries: – This Act further permits for a bilateral executive agreement between different countries and U.S. That will remove the restriction on access to data stored in U.S itself. It would help other nations to access relevant data from U.S to properly investigate different situations. It would enable foreign law enforcers to directly ask for relevant data from the service provider themselves instead of the U.S government. It has also formalized the process through which companies challenges law enforcement’s request.
U.S.A has already attained the ideal infrastructure for I.T laws other than this there are other data protection laws in U.S.A which highly protects the data from being misused. Whereas in India there is no certain legislation on this issue, India does not have the freedom to access the data of its citizens from the database of companies located in abroad in such situation investigation becomes extremely difficult. Furthermore it is not specified that whether the data of citizens stored on the cloud is secured or not or which countries jurisdiction will lie in matters of conflict between the user and service provider. Nothing is explicit compared to U.S.A, thus Indian laws are silent on the issue of cloud computing. U.S.A has created an ideal for other countries by implementing laws regarding cloud computing.
Comparative analysis: Cyber Laws in China regarding cloud computing
With the growth of cloud technology, every government is adopting required measures to regulate it similarly Chinas Ministry of Industry and Information Technology (MIIT) to cope up with the need issued the Circular, “Classified Catalogue of Telecommunications Services” 2015. Even though in this catalogue cloud computing is not defined specifically still it is generally viewed that the term “internet resource co-ordination services” (IRCS) in the catalogue refers to cloud services. As the MIIT has released a Notice on the Regulation of Cloud Service Market’s Business Conduct (Draft for Public Comment) (Draft Notice) in November 2016, which expressly states that “cloud service” is one type of IRCS mentioned in the 2015 Telecoms Catalogue (Article 1).
Internet resource co-ordination services according to the 2015 Telecoms Catalogue, IRCS means:
“the data storage, internet application development environment, internet application deployment and operation management and other services provided for users through internet or other networks in the manners of access at any time and on demand, expansion at any time and co-ordination and sharing, by using the equipment and resources built on database centers” (section B11).
Requirement of Licenses for cloud services
According to this Catalogue, IRCS is a type of Internet Data Centre Service (IDC) which is categorized as value-added telecoms services (VATS) in china. Providing VATS in China requires a telecoms license (VATS license) (see Practice note, Regulation of telecommunications sector in China: Telecoms licensing). Thus individuals or companies which are trying to open cloud services in china need a VATS license. Thus cloud services are easily regulated.
Non permission to VATS or IDC license
Foreign companies are not allowed to apply for IDC license; conclusively they cannot operate cloud servers under their name in china. They need to collaborate with the indigenous Chinese companies holding IDC license to establish cloud services. Mostly contractual agreements between foreign cloud service providers and relevant Chinese IDC license holders are established, such as technology licensing, brand licensing, etc. To ensure that foreign cloud service providers have access to relevant decision-making processes.
Security assessment measures for cloud computing platforms
On 2 July 2019, the MIIT together with other ministries jointly issued the Measures on Security Assessments for Cloud Computing Services 2019 (Measures), with effect from 1 September 2019. This is an incredible initiative according to which the cloud provider has to submit a declaration form, information relating to cloud security, security of related supply chain, feasibility of customer data migration and much information regarding the cloud services in the security assessment office.
In contrast to such measure Indian law which are silent on the subject matter of cloud computing has not recognized it under any specific category has the Chinese government has done and it falls within some wage categories such as online information and database access or retrieval services . Furthermore there is no regulatory authority or norms for cloud service providers as in china. There is no procedure of licensing for cloud under the Indian laws which makes the large public using these services very vulnerable on legal basis.
It’s an undeniable fact that Cloud technology is of rising importance in the sphere of I.T world. It aids the user in multiple ways and allows doing complicated work even with fewer resources. It aids the society and development in many ways. But it is also true that this technology is giving birth to, many new problems in the field. As it goes without saying that everything has positive as well as negative aspects. The reason for such difficulties is that we are not well prepared with our laws in concerned field.
Not only in cloud computing, India is lagging behind in a good framework of I.T laws and that is making things highly cumbersome. Like countries such as china and U.S.A, India need to frame new and regulatory policies that can keep a good check on cloud technology India is a developed country and we are highly trying to increase the pace of digitalization in our country to make it flourish but at the same time effective laws are required to guard the right of citizens. So the need of the hour is to enforce better laws in this field such that with the enjoyment of advanced technologies their rights are also not hindered.
About the author
The author is a student in university five years law college, university of Rajasthan. He is good in research, debate and drafting skills. He strongly contents that if there is something above talent then it is hard work.
Tiffany (NJ) Inc. v. eBay Inc , 600 F.3d 93 (2nd Cir. 2010)
 Integrated Goods and Service Act 2017, Act of union of India, https://www.cbic.gov.in/resources//htdocs-cbec/gst/igst-act.pdf;jsessionid=B2FB20DD159D9B5740811FB63BBAF128
 Information Technology Act, 2000, §43, Act of union of India, https://eprocure.gov.in/cppp/rulesandprocs/kbadqkdlcswfjdelrquehwuxcfmijmuixngudufgbuubgubfugbububjxcgfvsbdihbgfGhdfgFHytyhRtMjk4NzY=
 Information Technology Act, 2000, §72A, Act of union of India, https://eprocure.gov.in/cppp/rulesandprocs/kbadqkdlcswfjdelrquehwuxcfmijmuixngudufgbuubgubfugbububjxcgfvsbdihbgfGhdfgFHytyhRtMjk4NzY=
 Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf
Clarifying Lawful Overseas Use of Data (CLOUD) Act, Act of America, https://www.justice.gov/opa/press-release/file/1153446/download
United States v. Microsoft, Nos. 00–5212 and 00–5213, United States Court of Appeals, District of Columbia Circuit. Argued Feb. 26 and 27, 2001. Decided June 28, 2001. Rehearing Denied Aug. 2, 2001.
Classified Catalogue of Telecommunications Services”, 2015, https://www.appinchina.co/government-documents/announcement-of-the-ministry-of-industry-and-information-technology-on-promulgating-the-classification-catalogue-of-telecommunications-services-version-2015/