Navigating the ambiguity: Cloud services regulation in India

With the latest episode in the TRAI-DoT debate over cloud services regulation, clarity remains elusive, but self-regulation can resolve the matter

The debate between the Telecom Authority of India (TRAI) and the Department of Telecommunications (DoT) regarding the regulation of cloud services has resurfaced recently, creating an ambiguous situation.

In May 2023, the DoT expressed its opinion that cloud services are in the domain of the Ministry of Electronics and Information Technology (MeitY) and any further regulation under the telecom framework might impede the sector’s growth. However, TRAI, in August 2023, stood by its view that cloud services are within its domain and a “light touch” regulation is essential.

Harmonising legal frameworks, fostering self-regulation and ensuring global alignment are pivotal for unleashing the full potential of cloud services.

HISTORICAL CONTEXT

The TRAI initially submitted its recommendations on the regulatory framework for cloud services in 2017. Further, based on additional terms of reference provided by the DoT, the TRAI issued a consultation paper in 2019 and sought views from stakeholders.

The industry opposed fresh regulations stating that cloud service providers (CSPs) are already regulated by a set of IT and privacy regulations. Besides, they stated that cloud computing is not a telecom service, hence beyond the direct jurisdiction of the TRAI.

Despite the industry opposition, the TRAI recommended a light-touch regulatory regime (in 2020), including the establishment of non-profit industry-led bodies in conjunction with DoT/TRAI. However, DoT declined these recommendations, leading to the existing standoff. This disagreement has persisted since then.

GROWTH OF CLOUD SERVICES MARKET

Cloud computing has transformed data management globally and is witnessing rapid growth in India. The cloud services market in India is forecast to grow at a CAGR of more than 23% to reach around USD 17 billion by 2027, as per research reports.

The global cloud services market reached USD 454 billion in 2022 and is projected to reach USD 2.2 trillion by 2032. This enormous growth potential has turned cloud services into a battleground for technological and geopolitical dominance, with companies such as Amazon, Microsoft, Google, Alibaba, Tencent and Baidu vying for supremacy.

CLOUD SERVICES REGULATIONS WORLDWIDE

Many countries are grappling with the question of cloud service regulation. Australia is developing a regulatory framework for CSPs. The European Union implemented the General Data Protection Regulation (GDPR) in 2018, emphasising data protection while ensuring global data flows. The UK follows the EU regulations and is working on its cloud computing regulations.

While a federal cloud services law is yet to be established in the US, laws like the Cloud Act (2018) allow access to data stored abroad.

While a federal cloud services law is yet to be established in the US, laws like the Cloud Act (2018) allow access to data stored abroad. Besides there are sectoral regulations around health, financial services, etc.

Chinese CSPs are subject to greater state control. An important regulation is the Cybersecurity Law of 2017, requiring CSPs to store data within China. CSPs are required to obtain government approvals and licences, making it practically it is difficult for foreign CSPs to operate in China. Cloud computing regulation is still evolving worldwide and we will likely see more cloud computing regulations being developed in the coming years.

REGULATIONS AMIDST BLURRING INDUSTRY BOUNDARIES

Technological advancements have blurred traditional industry boundaries, requiring a new regulatory vision. Companies like Alibaba and Amazon started as online shopping providers but have diversified into fintech, logistics, cloud services and so on, necessitating flexible regulations without compromising growth and compliance. A well-designed, multi-disciplinary and globally aligned regulatory framework is essential for emerging technologies like cloud services.

PROPOSED REGULATORY FRAMEWORK

FOR CSPs IN INDIA

India is in the process of establishing or updating several technology-related regulations, including the Digital Personal Data Privacy Act, the Digital India Act and the Telecommunications Bill.

In the context of the TRAI and DoT’s differing views, segregating telecom and IT infrastructure is challenging. However, while telecom operators adhere to strict regulations, cloud services lack similar oversight.

A balanced view needs to be taken to regulate high-growth technology services, such as cloud services.

Cloud services are a rapidly evolving technology, and it is important to avoid over-regulation that could stifle innovation. Further, cloud services are already subject to certain information technology and privacy regulations, such as the Information Technology Act, of 2000 and the GDPR.

The cloud services market in India is forecast to grow at a CAGR of more than 23% to reach around USD 17 billion by 2027, as per research reports.

Self-regulation, akin to fintech businesses, by CSPs can be an effective way to ensure compliance with these regulations. This could be termed as “light-touch” regulation, but significantly relying on participants voluntarily complying with various regulations, thereby simplifying regulatory efforts.

This approach could involve the following:

• Establishing a set of core principles for the regulation of cloud services, such as data security, privacy, and transparency.

• Allowing CSPs to self-regulate per these principles through an industry-led body to oversee compliance with the principles.

• Requiring CSPs to report to the government on their compliance with the principles. This would allow the government to monitor the cloud services market and identify any areas where further regulation may be needed.

Harmonising legal frameworks, fostering self-regulation, and ensuring global alignment are pivotal for unleashing the full potential of cloud services in the country.

In conclusion, India’s cloud services sector stands at a crossroads. Early resolution of the TRAI-DoT impasse is essential to shaping India’s digital future.

By Jaideep Ghosh

The author is the former COO of Shardul Amarchand Mangaldas & Co.

Views are personal.

feedbackvnd@cybermedia.co.in