Abstract
Cloud computing simply means storing data on the internet and the protection of such data is done by the service provider. The risk is high because it involves the privacy issue of the consumer, but the efficiency is more. This paper deals with different models of cloud computing and examples of the service providers. It also deals with the legislations in India which protects the consumers and providers in the area of cloud computing. The paper observes few laws which are prevalent in other countries as well. The main theme of this paper is to suggest measures which can enhance the use of cloud computing mechanism and can also ensure the privacy protection of the data stored by the customers. Various issues such as transfer of data, processing of data, international agreements of customers and providers, government interception, jurisdictional matters and culpability of the providers are discussed in this paper.
The concept of cloud computing technique is on demand and various agencies/companies/individuals are using it in their official capacity. Therefore, the researcher is of the view that more information about this subject and dissemination of this information among the consumers by conducting awareness programs, seminars, webinars or workshops is important. The researcher has made an attempt to bring this issue into light by writing this paper.
1. INTRODUCTION
The delivery of services on computer which includes servers, storage, intelligence, databases, software, networking, analytics on the web also referred as the “the Cloud” which basically provides for faster and inventive resources is called as cloud computing.[1]
There are two meanings associated with cloud computing. It helps to run work pressure over the large area in a commercial sphere of the provider who has a data centre which is also known as the Public Cloud model. Few examples of public cloud providers are Amazon Web Services, Microsoft Azure, CRM system, etc.[2]
The other meaning talks about the work performance of cloud computing, it is a pool of virtual resources which has been acquired from raw power to apply on the functions of application, generally the availability of which is dependent of the demand. The customer who are in need of cloud services contact the providers who use the method of advanced automation and not the manual help.[3]
So to understand what is cloud computing, the simplest definition is that cloud computing provides the technological developers and IT Departments to segregate the data which is valuable and prevent other tiresome work related to procuring, maintaining and capacitating those matters. This concept has been appreciated lately and various models have been developed to qualify the specific standards required for different customers.[4]
- TYPES OF CLOUD COMPUTING MODELS
- Infrastructure as a Service
Infrastructure as a Service is abbreviated as IaaS which means that it contains the basic structural pattern for cloud services and to be precise it helps in providingthe customers with the networking specifications. It also providing in acquiring access to computers whether virtual any hardware setup, and it gives a provision for storing the data as well. Infrastructure as a Service also ensures that the customers are flexible with their workload and the needful control is maintained over their IT resources. It is significant to know that it is in consonance with the current IT resources in the market and many Departments of Information Technology and Developers across the globe are having the knowledge of this Cloud Model.[5]
- Platform as a Service
Platforms as a service helps in focusing on the management of the customer’s Applications and also to eradicate the requirement for organizers to manage the control over infrastructure. This is a more effective kind of model where the customer need not think about how they are going to access the resources, the capacity of such resources to be stored, maintaining of the software developed or procured, patching or any other job which requires heavy load in running the technological applications.[6]
- Software as a Service
Software as a Service means that you are provided with a completed product which is run and controlled by the service provider.Commonly in large area of cases, people refer to this model (Software as a Service) as end-user applications. The maintenance of infrastructure is done automatically and the customers are free from such management. The only thing which needs to be seen is that software.[7]
- INDIAN LEGAL REGIME AND CLOUD COMPUTING
The agencies dealing with intelligence in India should be carefully controlled by theParliament and other Constitutional Bodies including the Legislation of the Right to Information Act, 2005 apart from the matters of corruption.
The laws which deals with collection and disseminating data for which they are criminally liable are the following:
- Section 69 of the Information Technology Act, 2000 read with the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009
The Review Committee as mentioned in the below provision of the Telegraph Act checks upon the requirement of decryption, monitoring and interception which is enshrined in the Information Technology Act, 2000.[8] The main concern here in the Act is about the independence of the body of the committee because majorly the members in the Committee belong to the executive organ of the Government. So therefore it increases a high chance of biased approach towards managing the mentioned issues.
- Section 5 of the Indian Telegraph Act, 1885, along with Rule 419A of the Indian Telegraph Rules, 1951
The Rules provided in the Telegraph Act ensures the establishment of various committees for reviewing purposed in the state level and also in the central level. The responsibility of the review committee is to see the problems faced by the users and requests for interception which is given under the Act. The members of the Review Committee includes the Secretaries serving in the Department of Legal Affairs and also the dignitaries of Telecommunication Department.
- Section 91 of the Code of Criminal Procedure, 1973.
The Review Committee as mentioned in the above said provisions do take care of the requirements of the Telegraph Act and the Information Technology Act but it does not have the authority to have a view on matters related to Section 91 of the Criminal Procedure Code. This section talks about the powers of the Police officer in charge of a case to conduct the investigation by ordering the production of information required for the case. It is difficult to have an oversight over the process involved in Section 91 of the Code as there are no Governmental agencies to question the procedure followed by such Police officer except the Judiciary. The Judiciary is already overburdened with various matters to put its energy and valuable time in monitoring the officers.
- IMPLEMENTATION OF THE PROCEDURES
Due to the lack of awareness among the public with respect to the implementation of these procedures and it is difficult to explain the aggrieved victims about their rights given in the Rules and Sections in the Indian Telegraph Act as well as the Information Technology Act. These Acts have formulated a process whereby they have mentioned the ways of collection, retention, sharing and usage of the data concerned.
As for an example it is pertinent for the users and customers to know that the Information Technology Act do not allow the sharing of the intercepted data as per the Privacy policy under Article 21 [9]of the Constitution, but it has few exceptions. Whenever such data is required for any police investigation generally related to criminal matters and the judicial organ has ordered to produce such information, then the Act has to allow the data to be produced in the competent court. As per the Evidence Act, the evidence which has been used to duly prove a certain fact can also be used in any other matter related to the accused and it is followed in our country practically.[10]As we Indians do not follow the doctrine of fruit from the poisonous tree.[11]
The surveillance and work related to interception as situated in the legal frames of India is looked after by the executive authority and after proper authorization by the independent body who can supervise efficiently. But there have been so many researches which has proved to be contrary because the surveillance has been conducted not following the proper protocol.[12] The proposed Central Monitoring System is an example of such project which has been criticised for not following the privacy code.[13]
- INTERNATIONAL LAWS RELATED TO CLOUD COMPUTING
- European Union
The protection of the citizens with their data and dissemination of the private storage is protected by theDirective 95/46/EC issued by the European Parliament and of the Council of the European Union. Now the question is whether these laws also apply on the system of cloud computing, so the answer is that even they do not have any specific legislation with respect to cloud computing and therefore it is application on them as well. The Directive, when it was made, included 72 sections and it covers almost a large area with respect to data protection but still it has a lose end over few topics. The provisions do not talk about as to who will be assigned as the controller of these data, who are sub-processors and what are their authority in the process of data protection. It fails to answer even a very simple question that if the data is circulated outside the European Union then what will be done next. Cloud computing majorly focusses on reducing the customer’s direct attention and control over data and to make their work easy but the laws made by the European Union emphasizes about how to control the data.[14]
- United Kingdom
Theprovisions of the Data Protection Act, 1984 is used to secure protection and privacy to individual’s personal data.The Regulation of Investigatory Powers Act, 2000 comes into picturewhile addressing the issue related to the changes happening technologically which affects the growth of the Internet and securing the National privacy and also for safeguarding the economy. [15]
- United States of America
TheElectronic Communications Privacy Act, 1986 and specifically the Stored Communication Act is basically a legislation which deals with providing a complete disclosure of the stored wire and electronic communications and also the transactional records which is held by the different third party service providers or the ISPs. The Health Insurance Probability and Accountability Act, (HIPPA) of 1996 enacted in the United States of America ensures that there is a ‘privacy rule’ which regulates the use and disclosure of Protected Health Information (PHI) and compels that some effective steps should taken to protect the privacy of information between the people. The Financial Privacy Rule of Gramm–Leach–Bliley Act of 1999, was passed for financial institutions to provide customers with a privacy notice which gives the data of the information collected about that customer and from where such information is circulated, how to protect and use that information.[16]
- SUGGESTIONS
- Improving Data Security
Whenever a consumer is giving its data to be secured and protected by a cloud computing mechanism, it is important to ensure that the data is stored in a secure environment where there will be no infringement. Such laws should be made which ensures that data which is sensitive and personal should be shared in a place where cybersecurity standards are met. This technique lacks a regulation with respect to data security and the Parliament by the help of cyber cell and experts can form legislation which will address the issue as well as the remedy if any cheating or illegal sharing happens on such platforms.[17]
- Less Government Interception
We have a landmark judgment in the issue of Right to Privacy under Article 21[18]of the Constitution i.e. K.S. Puttuswamy v. Union of India[19]which lays down the issue of giving unnecessary data to the government in the form of Aadhar Card. It is important for us to understand that data can be stored in two ways- either in encrypted form or in an unencrypted form. Data encryption is in demand today as it is the most secured form of ensuring the privacy of customers and the providers of cloud computing have this feature for their customers. But it is also important for us to understand that Government do have a way to reach out to the data which is encrypted because laws are made such which gives them this authority, reasons may be national security and sovereignty but still the encrypted data is not protected from the government. It is hereby suggested that a law should be made which makes an exhaustive list of the kinds of data which can be recovered by the Government for any security purposes. The interference from the Government has to be reduced to gain the trust of the consumers. The AWS also provides for such a gateway to the government to seek the information of the people if the Governmental agencies requires so.[20]
- Ensuring Data Recovery
The data in cloud computing is not stored somewhere in physical hard drive but the loss of such data will feel like it. So it is important to make sure that the providers are reputed and the data will be safe with them. Even if the data is lost, there has to be a mechanism which can help in recovering the data lost. The question also arises as to who is responsible for such data loss? Generally, the providers do not take the responsibility for such data loss. They only make themselves liable for the security of the data and hence it is difficult to find out as to who will compensate for the loss of data. So, the researcher is of the view that laws should be made such that it also lays down the culpability of the person who has caused the loss of data and also formulate guidelines which will help in asking for compensation.[21]
- Multiple Jurisdictions
Now if the customer faces any problem with the services provided by the cloud computing companies, the issue comes up with respect to the place of jurisdiction. As the data is stored in so many different places, it is hard to determine as to which court will take the cognizance of the matter. Sometimes the cloud service provider contracts with the sub-agents to provide the data protection services and this creates a more difficult jurisdictional situation. [22]
- Customised Agreements
The customers of cloud services and the providers can sought for legitimising the data transfer internationally but for the short time which is on the basis of new model clauses version. This kind of new agreement should always maintain the same level of protection as was in the case old contractual agreement. It should also provide for the similar security measures and the breach of such contract should be dealt as strictly as possible. In the cases where parties are of two different countries, the Private international law comes into picture. Now this will also encourage the consumers and the providers to have an agreement with more efficient clauses and which will make them understand the duties and rights related to such a contract. The clauses which uphold the Data Privacy rules should prevail and not the contrary.[23]
- Sufficient culpability
If the law lays down a strict provision that the service providers should take adequate precautions while dealing with the data of the customers and other relevant duties like data processing, data security, data recovery, data transfer etc.and if they do not comply with the same then a strict culpability should be confronted to them for such violation. The punishment and the fine should not be excessive but in an ample amount so that they understand the value of privacy. The sensitive content have to be protected and the trust of the customers have to gained by compiling the data with confidentiality. The laws should be made categorising various offences and their term of punishment in the form of imprisonment to make the providers liable for contraventions. The other civil liabilities can include cancellation of their license for temporary period and if the matter is serious and needs utmost deterrence then a heavy criminal liability can be imposed on the offender.[24]
- Conclusion
Cloud computing can be risky but again it is also required in today’s competitive world where consumers have so much in their schedule to perform that cloud computing would help them to assort and manage their data efficiently. The concern of the customers with respect to data protection and security is genuine and to overcome this issue various agencies and researchers are putting their effort to recommend suggestions in order to have a better law in the area of cloud computing.
So after going through the details of cloud computing, the types of cloud computing models, the laws relating to cloud computing of different countries and the legislations which protects cloud computing in India, the researcher is of the view that the above given suggestions should be implemented in the form of an Act. The concept of cloud computing is novel and the trend is spreading across various companies and individuals and sadly most of the consumers are not aware about the legal consequences of taking up the services from such providers. They are inconsiderate about the illegal actions which can be initiated by the providers in the matter of their data and its privacy. So in order to have a basic knowledge of cloud computing and also to understand the need of certain legislative measures to curb various offences relating to data privacy, the consumers will be benefitted by going through this paper. The area of cloud computing is also beneficial for the cyber law students to acquire information about the various facets of cyber crime and victimology.
[1] What is Cloud Computing? A Beginners guide, Microsoft Azure, https://azure.microsoft.com/en-us/overview/what-is-cloud-computing/,
[2]Eric Knorr, What is Cloud Computing? Everything you need to know now, Editor-in-chief, InfoWorld, https://www.infoworld.com/article/2683784/what-is-cloud-computing.html
[3]Ibid
[4] Amazon Web Services (AWS), https://aws.amazon.com/types-of-cloud-computing/
[5] Amazon Web Services (AWS), https://aws.amazon.com/types-of-cloud-computing/
[6]Ibid
[7]Ibid
[8] Vide Rule 2(q) of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
[9]Article 21, The Constitution of India, 1950
[10] Rule 25 (3).The Information Technology Act Rules (2000)
[11] Bharat Chugh ( 2013, January 05).Telephone Tapping Constitutionality ? Whether illegal telephonic recording is admissible as evidence ?. Retrieved from https://bharatchugh.wordpress.com/tag/fruits-of-thepoisonous-tree-india/
[12] Aggarwal L.,Analysis of News Items and Cases on Surveillance and Digital Evidence in India.Retrieved from https://cis-india.org/internet-governance/blog/analysis-of-news-items-and-cases-on-surveillance-anddigital-evidence-in-india.pdf
[13] Litton, Addison. “The State of Surveillance in India: The Central Monitoring System’s Chilling Effect on SelfExpression.” Wash. U. Global Stud. L. Rev. 14 (2015): 799.
[14] Official Journal of the European Communities, 23/11/1995, No. L. 281 (pg 31 to 39) accessed from http://ec.europa.eu/justice/policies/privacy/docs/95- 46-ce/dir1995-46_part1.
[15]Ian Brown, Government Access to Private-sector data in the United Kingdom, International Data Privacy Law, Oxford Academic, https://academic.oup.com/idpl/article/2/4/230/676870.
[16] Orin S. Kerr, 2004, ‘A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It’, George Washington Law Review, George Washington University – Law School
[17]OrujAashna, Calcutta University, Cloud computing Issues and Challenges, ipleaders, Cloud computing issues and challenges – iPleaders
[18]Article 21, The Constitution of India, 1950
[19]K.S. Puttuswamy v. Union of India, (2018) 1 SCC 80.
[20]Supra Note 16
[21]OrujAashna, Calcutta University, Cloud computing Issues and Challenges, ipleaders, Cloud computing issues and challenges – iPleaders
[22]Ibid
[23] Mrs. Gowri Menon, Regulatory Issues in Cloud Computing -An Indian Perspective, Journal of Engineering, Computers & Applied Sciences (JEC&AS), ISSN No: 2319‐5606, Volume 2, No.7, July 2013, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.403.2221&rep=rep1&type=pdf
[24]Supra Note 14



