The global cloud service industry, predicted to cross $330 billion in revenues by 2022 (Gartner, 2019), is arguably also heading towards ‘data-largesse’. Digital services from across borders have become essential for users and already drive them to part with their data to cloud service providers (CSPs), which may become more intrusive and large-scale once 5G and ‘internet-of-things’ enable a myriad of unforeseen cloud-based ‘connected’ services.
Though the industry is growing at technology’s pace, existing Indian laws have struggled to balance business expansion with data safety and privacy. The ‘cross-border’ nature of cloud only amplifies this gap, since foreign CSPs using non-Indian servers for providing services, such as email, data storage and social media platforms, may not be subject to Indian laws.
The Personal Data Protection Bill 2019 (PDP Bill) was introduced as a holistic data protection and privacy framework for all sectors including cross-border services, and to replace the existing framework under the Information Technology Act 2000 and its rules (IT Act). However, the PDP Bill is yet to be enacted, and cross-border cloud services pose issues even under the PDP Bill.
Key issues relating to cross-border cloud services
Data localisation. Cloud services, by their nature, envision unrestricted globalisation of digital service offerings. This, however, may risk the privacy and safety of user data and the security of the state; therefore, many jurisdictions mandate localisation (i.e. storage in domestic servers) of certain types of data. While the IT Act does not blanketly require localisation, certain sectoral regulators (e.g. Reserve Bank of India) bar the transfer of specific types of data outside India. The PDP Bill, taking cognizance of this issue, proposes that ‘sensitive’ personal data such as health and financial information, even if transferred outside, must also be stored in India, whereas all ‘critical’ personal data (notified by the government from time to time) may be processed only within India.
Separately, an expert committee constituted by the government has recently proposed in its report that even ‘non-personal’ and ‘anonymised’ data should be categorised as ‘sensitive’ and ‘critical’, and similar transfer restrictions as applicable to personal data under the PDP Bill should be applied. Interestingly, various domestic stakeholders and industry associations have demanded that foreign CSPs providing services to Indian users must be mandated to establish servers within India, to promote competition. Such a step may, however, overthrow the global nature of cloud services.
In the global context, the European Court of Justice, in a recent judgment popularly known as Schrems II, has held that data transfers from the European Union (EU) to a CSP outside the EU may be illegal if the CSP is unable to comply with EU data protection and privacy standards for any reason. This may prompt non-EU CSPs to either exit the EU market or be forced to invest in localising user data within the EU. If other countries adopt this stance as well, then it may trigger an unprecedented localisation of the cloud industry.
Governmental access. A contrary perspective in favour of localisation is that once the data is transferred to foreign jurisdictions, Indian authorities may not be able to access that data even for statutory purposes, such as prevention of crimes and intelligence activities. In such cases, even if the data relates to Indian users, Indian authorities may have to route their data access requests through complicated ‘mutual legal assistance treaties’ (if any) with the recipient country. Meanwhile, government agencies in the recipient country may freely access such data of Indian users, subject to its laws.
Extra-territoriality. In any case, given the absence of a global data protection framework, conflicts also arise over the extra-territorial applicability of Indian laws to a foreign CSP. The provisions of the IT Act are, at best, ambiguous on this aspect. Invariably, Indian users not only contractually consent to the cross-border transfer of their data but also to the processing of their data being subject to foreign laws. The PDP Bill does envisage the applicability of its provisions to processing of personal data by foreign CSPs if they provide services to users in India. However, in case of data breaches or non-compliance with Indian laws, enforcing remedies against a foreign CSP in Indian or foreign courts under the IT Act or the PDP Bill remains to be tested.
Data risks. Moreover, since foreign CSPs may not be required to comply with privacy and data protection safeguards under Indian laws, such as conditions relating to data retention and disclosure, the chances of unauthorised or unlawful access to data of Indian users remain. This is, of course, unless the transfer is to a country that ensures adequate data protection and privacy of all data.
Given the above, while the government’s outlook towards privacy and safety of personal and non-personal data is evolving, initiatives must also be undertaken to sensitise Indian users towards the risks and remedies associated with providing their data to foreign CSPs. Such initiatives would enable users to provide informed consent for cross-border transfers. At the same time, data localisation requirements should not result in unreasonable hindrances to the free market in this crucial sector.
By Harsh Walia (Partner) and Abhinav Chandan (Counsel), Khaitan & Co