Introduction
“In today’s digital-first world, business outcomes and innovation are increasingly tied to the ability to develop and use innovative technologies and services anywhere, as quickly as possible. Cloud is the foundation for meeting this need,” said Rick Villars, group vice president, Worldwide Research at International Data Corporation (IDC), a leading global provider of market data for IT and telecommunications.
From 90.48 billion U.S. dollars in 2016, worldwide public IT cloud services market revenue increased to approximately 312.4 billion U.S. dollars in 2020, and IDC forecasts total expenditure on cloud services to skyrocket to approximately 1.3 trillion U.S. dollars by 2025. The history of cloud computing goes back to the history of how computers were made and the much-apprehended hope of an evolution of technology to “supercomputers”.
“I believe that there is a fundamental rule…giving added economy only as the square root of the increase in speed; that is to do a calculation ten times as cheaply you must do it one hundred times as fast.”
Young M. Kang, in his article “Comments on Grosch’s Law Re-Visited: CPU Power and the Cost of Computation”, talks about how Grosch related the need for data processing centers to the evolution towards supercomputing. This has come a long way to the 21st-century meaning of cloud computing, where the evolution from CDs to pen drives and then to iCloud/Google Drive is what Gen Z understands by ‘Cloud Computing’.
Well, I am 100 percent sure that you are reading this on the cloud right now because all storage is mostly on the cloud. This isn’t the evaporation of water followed by the formation of a ‘cloud’, but infrastructure and software models that act as servers for storing information. Microsoft describes it as “the delivery of computing services—including servers, storage, databases, networking, software, analytics, and intelligence—over the Internet (“the cloud”) to offer faster innovation, flexible resources, and economies of scale.” All your Instagram pictures are indeed stored on the cloud. The second part of this paper shifts the focus to the grey areas behind cloud computing and discusses how it affects the legal position of domestic laws on cybersecurity and privacy in India in relation to existing international laws.
Jurisdiction
In India, one doesn’t need a license to provide cloud services. For example, Google or Amazon were not required to have local licenses for us to be able to use Google Drive or AWS. There is no restriction on any foreign entity providing cloud computing services in India, except under some tax laws, labour laws, etc. None of that is in question right now.
Jurisdiction means the limit of a court’s authority, that is, the extent to which it can exercise its power. For example, if I have committed a crime in X place, only the court of X place has the jurisdiction to try me. Y court doesn’t have the ‘jurisdiction’ to try me. In cloud computing, though, an organization can be registered in country A but have servers located in country B, a vendor belonging to country C, and be selling its cloud computing services in country D; this makes the ABCD of jurisdiction questionable.
The Indian Arbitration and Conciliation Act, 1996 (Arbitration Act), is based on the UNCITRAL Model Law and facilitates both international and domestic commercial arbitration and conciliation. However, enforcing a foreign judgment or award in India can be a significant issue in both litigation and arbitration. Although India is a signatory to the New York Convention of 1960, it has notified only about 49 of the signatory countries as reciprocating territories under Section 49 of the Arbitration Act. As a result, only awards delivered in those 49 countries can be enforced on a reciprocal basis in India. Similarly, India recognises about 12 countries for reciprocal judgment enforcement. Thus, a judgment or award from a reciprocal jurisdiction will be enforced in India as if it were a decree of the Indian courts. A judgment or award from a non-reciprocal jurisdiction, on the other hand, cannot be directly enforced as a decree in India.
According to Section 2 of the Information Technology Act, 2000 (IT Act), an intermediary means,
“…with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.”
If network and internet service providers are included in the definition of intermediary, then the arena of cloud computing will surely come under the ambit of the IT Act. If companies like Google and Amazon are processing the personal data of Indian citizens in India or outside India, then they will be held liable under the IT Act. However, the dilemma of conflicting jurisdictions arises when data is stored outside India. The US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) allows US law enforcement to access data stored on the servers of US companies. Under the Sensitive Personal Data or Information Rules, 2011 (SPDI), cross-border data transfer is permissible on the condition that the receiving country has a data privacy framework equivalent to India’s and the transfer is necessary for a contract or the user has explicitly consented to the said data transfer. The above-mentioned laws are in direct contradiction with each other.
If Google is providing cloud services to its users in India, then law officials in the US can demand Indian citizens’ data for any purpose. The SPDI guidelines will restrict such data transfer on the ground of non-consented data transfer if data is stored locally. Additionally, the Reserve Bank of India (RBI) mandates that all digital payment data be stored locally within the boundaries of India; however, in an interview with industry representatives, the RBI expressed the view that companies can opt for cloud computing in worst-case scenarios, but these companies must host their data locally. This situation is extremely problematic because if companies are to host data locally, then what will be the purpose of cloud computing? Secondly, if data is stored locally and simultaneously processed on the cloud, then this would mean that the RBI is not aware of the consequences of the said setup. Conflict of jurisdictions is a common phenomenon that is evident in every field of law, be it domestic or international.
Contractual Issues: Click Wrap Agreements
Cloud computing isn’t limited to just issues of jurisdiction but extends to contractual issues. Because the relationship is between cloud “service” providers and their clients, it is governed by service agreements, which differ significantly from licensing agreements. The major issue with cloud service agreements is the ‘contract of adhesion’, where the contract is drafted by one party only, without any input from the other party. Owing to the limited expansion of cloud services in India, vendors usually have ‘click-wrap agreements’, resulting in the contract being a contract of adhesion. These non-negotiable agreements do not give any warranties of data security or accept any liability whatsoever for any data breach. For example, buying an airplane ticket or signing up on Instagram involves a click-wrap agreement. Since it is only a matter of a click, it is non-negotiable and only concerns the vendor of these services. It is the users or clients who are left in the background.
In India, contracts are governed by the basic principles of contract law outlined in the Indian Contract Act, 1872, but the Act doesn’t contain a definition of “e-contracts”. The Information Technology Act, 2000, recognises e-contracts through section 10-A (effective 27-11-2009), which strengthens the validity of e-contracts such as click-wrap agreements. Even the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce, 1996, validates electronic signatures but does not cover terms such as “I agree, I accept, or Ok”. As a result, click-wrap contracts cannot be described as “electronically signed” in the Indian context. In the recent case of DDIT (IT) Mumbai v. Gujarat Pipavav Port Ltd (2017), it was held by the Income Tax Appellate Tribunal that, “contract adhesion in mass contracts like Shrinkwrap and Clickwraps makes them unenforceable even though they have all the components of a valid contract.”
However, there is still some uncertainty about whether e-contracts must be stamped. This is not addressed in the Income Tax Act, 1961 or the stamp laws. Furthermore, traditional software licensing models grant perpetual licenses to use the software/application on the customer’s own premises, whereas, in the cloud computing model, a limited license right is granted for a limited period of time to use the application that is stored on the vendor’s premises. This paves the way for certain contractual implications that make negotiating contracts with vendors a must.
Privacy and Data Protection: Is Anyone Liable?
The former Director of the Federal Bureau of Investigation, Mr. Louis Freeh, once said, “Ask the American public if they want an FBI wiretap and they’ll say, ‘No’. If you ask them do they want a feature on their phone that helps the FBI find their missing child they’ll say, ‘Yes’.”
The current Indian framework is not stringent enough to protect citizens effectively. The Personal Data Protection Bill, 2022 (PDP Bill) is very impressive for the single reason that it is based on the European Union General Data Protection Regulation (EU GDPR). The said Bill imposes a hefty penalty on corporations for non-compliance; however, it still has some major flaws. The dilution of the Data Protection Board and the exemption of the Government from complying with some pre-conditions of the Bill are, inter alia, the two major drawbacks of the said Bill.
Passing and implementing the PDP Bill will be very effective. Under the said Bill, a ‘data processor’ is a person/entity that processes personal data for a ‘data fiduciary.’ The latter is someone who determines the purpose of processing collected personal data. The Bill also imposes certain strict compliances on both the above-mentioned entities. Mostly, companies like Google and Amazon will be data processors for other companies by providing them with cloud services. ‘Processing’ means several activities including storage, retrieval, etc. The implementation of the PDP Bill will ensure that cloud computing will come under the Indian jurisdiction unambiguously. Many countries are adopting their versions of the EU GDPR which will benefit each of them during cross-border transfer. Data transfer requires some pre-conditions to be followed before the transfer is done. One such condition is that before transferring data to a third country, the processor must ensure that the receiving country has adequate data privacy safeguards that are similar to the frameworks of the domestic country. If several countries are drafting privacy laws based on the EU GDPR, then this condition will be automatically fulfilled.
Conclusion
The basic principle of cloud computing is that everything is done over the internet. If data is not to be stored physically anywhere, then how can these data privacy laws apply to cloud companies like Amazon AWS, etc.? The simple answer could be that governments make it mandatory for personal data held on virtual servers to be stored locally on physical servers, just to make these companies liable under various data privacy laws. However, this will be a sheer waste of resources and money. Governments can issue guidelines for cloud computing companies that are based on data privacy laws. One major problem pertaining to the virtual storage of data is that no one knows which country can claim privacy infringement over the activities carried out by such companies in the normal course. For this, countries can enter into treaties just for the smooth functioning of cloud computing with a privacy aspect. This is important because cloud computing is beneficial for both the consumer and the supplier. The risk of data loss is greatly reduced in the arena of cloud computing as compared to traditional data storage. Back in 2016, the Telecom Regulatory Authority of India released a consultation paper on cloud computing, in which it spoke about the EU GDPR at length.
In the Indian context, there is ambiguity related to the jurisdiction and relevant law in cloud computing. If the Personal Data Protection Bill is passed in some time, then one can perceive it as the primary legislation for cloud computing in India. Firstly, cloud computing services must be defined in the new law, and privacy safeguards must be applied to such services. The dilemma of implementation would still exist because of the whereabouts of the virtual data. The data game, which is common in the modern world, would be a very big hurdle in incorporating cloud computing into the Indian legal framework. Companies tend to sell huge amounts of personal data, and this is very different from ‘data leaks.’ Ensuring privacy in such a complicated situation will be a tough task to carry out; however, it is not impossible. The author is of the view that imposing extremely stringent provisions is not effective because prioritising user privacy over the ease of doing business is not feasible in the long run. The Indian Government should consult the European Commission’s several opinions on cloud computing to understand this jurisprudence before enacting a new law.
Sejal Gupta is a third-year law student at Nirma University.
