A light-touch regulatory approach for cloud services recommended by Telecom Regulatory Authority of India
In December 2012, the DoT sought recommendations from TRAI on eight categories, namely Regulatory framework, Security over the cloud, Cost benefit Analysis, Quality of Service, Inter-operability, Incentivisation, Legal framework and Implementation Strategies of Cloud Services in Government. In June 2015, DoT clarified that the recommendations from TRAI need not be very specific on implementation of cloud in government.
TRAI released a consultation paper on cloud computing on 10th June 2016 seeking comments from the stakeholders. An Open House Discussion was held in April 2017. Some of the recommendations are as below:
A light-touch regulatory approach
TRAI recommends a light-touch regulatory approach to regulate cloud services.
DoT may prescribe a framework for registration of industry bodies of not-for-profit cloud service providers (CSPs). The terms and conditions of registration of the industry body, eligibility, entry fee, period of registration, governance structure, etc. would be recommended by TRAI once the recommendations are accepted by the Government in principle.
All cloud service providers above a threshold value in the previous financial year, as notified by the Government from time to time, have to become members of one of the registered industry bodies for cloud services and accept the code of conduct (CoC) prescribed by that body. The threshold may be based on volume of business, revenue, number of customers, etc., or a combination of these.
TRAI recommends that a Cloud Service Advisory Group (CSAG) be created to function as an oversight body to periodically review the progress of cloud services and suggest government actions required to be taken. This Advisory Group may consist of representatives of state IT departments, MSME associations, consumer advocacy groups, industry experts and representatives of law enforcement agencies.
Legal framework for data protection
The government may consider enacting an overarching and comprehensive data protection law covering all sectors. This framework should incorporate adequate protection for sensitive personal information, adoption of globally accepted data protection principles as reiterated by the Planning Commission's Report of Group of Experts on Privacy 2012, and provisions governing the cross-border transfer of data.
Interoperability and Portability
According to the document, TRAI believes that no regulatory intervention is necessary for interoperability and portability in cloud services at this stage, and these aspects may be left to market forces for the time being. However, the industry body or bodies should be tasked with promoting interoperability in the cloud services industry.
The industry body for cloud services should also be mandated to incorporate a disclosure mechanism that promotes transparency regarding interoperability standards followed by the service providers.
The Telecommunications Standards Development Society, India (TSDSI) may be tasked with the development of Cloud Services interoperability standards in India.
CSPs operating in multiple jurisdictions
To address the issue of access to data hosted by CSPs in different jurisdictions by law enforcement agencies, TRAI recommends that robust Mutual Legal Assistance Treaties (MLATs) should be drawn up with jurisdictions where CSPs usually host their services. Existing MLATs should be amended to include provisions for lawful interception or access to data on the cloud.
(In March, the Ministry of Information and Communications Technology (MeitY) issued Guidelines for Government Departments On Contractual Terms Related to Cloud Services, which state that the terms and conditions of the empanelment of the CSP must state that all services including data will be guaranteed to reside in India.)
TRAI believes that there is no need to undertake a cost benefit analysis of cloud services at this stage, as the progress made so far clearly demonstrates the benefit of their use.
The Government of India should continue its policy to promote cloud services through cloud infrastructure projects, such as GI Cloud, and National eGov App Store.
TRAI also says that there is no need to give any additional incentive to large customers and CSPs at this stage.
Recently, MeitY constituted a committee to study and identify key data protection issues, recommend methods for addressing them and suggest a draft Data Protection Bill, and TRAI released a consultation paper on "Privacy, Security and Ownership of the Data in the Telecom Sector".