The Telecom Regulatory Authority of India (TRAI) issued its 'Recommendations on Cloud Services' on 14 September 2019 (Recommendations). The Recommendations are a culmination of an extensive consultation process that has virtually spanned over the last 8 years.

Cloud services have acquired a pivotal character in the delivery of myriad services. Be it 'software as a service' (Saas), 'platform as a service', (PaaS) and 'infrastructure as a service (IaaS) offerings that are available in abundance in the present day, or futuristic technologies such as artificial intelligence, machine learning and advanced data analytics – each of these services are heavily dependent on cloud infrastructure.

Background

On 16 August 2017, TRAI had released its recommendations on cloud services (Old Recommendations) for the first time. As part of the Old Recommendations, TRAI, inter alia, held that a light touch regulatory approach may be adopted to regulate cloud services. Further, it was recommended that the Department of Telecommunications (DoT) may prescribe a framework for registration of one or more not-for-profit industry body (Industry Body) of Cloud Service Providers (CSP). Such Industry Bodies would in turn prescribe the code of conduct of their functioning. It was suggested that the terms and condition of registration of the Industry Body, eligibility, entry fee, period of registration, governance structure, etc. be recommended by TRAI once the Old Recommendations are accepted by the Government, in principle. In view of the fact that the Government adopted the Old Recommendations in May 2019, the present consultation process by TRAI was aimed at covering these aspects.

Salient features of the Recommendations

The following sets out the key recommendations made by TRAI:

  • Light touch regulatory framework - In keeping with its earlier recommendations, TRAI has reiterated that a light touch regulatory approach be adopted in respect of cloud services. To enable all stakeholders to determine the correct degree of regulatory oversight, a registered Industry Body working in conjunction with DoT/TRAI would be ideal. With regard to the industry body, TRAI has made the following recommendations:
    • TRAI has suggested that DoT may initiate setting up of the first industry-led body and require all CSPs to become its members. Such Industry Body would lay down broad principles and procedures to aid its functioning.
    • As time progresses, the Industry Body so created may further review and deliberate upon forming multiple bodies for different purposes, such as for addressing requirements of different market segments.
    • To begin with, only IaaS and PaaS providers who are in India or provide services to customers in India would be required to mandatorily enrol with the Industry Body, whereas SaaS providers may do so voluntarily. In due course, the scope of membership may be expanded.
    • For clarity, channel partners of CSPs are not required to take membership of the Industry Body if their principals are already members. Having said that, channel partners can become members voluntarily if they so wish.
    • Importantly, TRAI has noted that in the era of convergence, cloud infrastructure and services cannot be separated from the telecom infrastructure and services from a regulatory perspective. It is also noted that telecom service providers (TSP) may also be using cloud infrastructure for building and operating their core networks. Further, many TSPs have introduced Software Defined Networking (SDN), Network Function Virtualization (NFV), Mobile Edge Computing (MEC), etc. as part of their gamut of services. As such, TRAI has recommended that if CSPs intend to provide infrastructure, platform, switching, core network, NFV, SDN, etc. to TSPs, such CSPs should be mandatorily registered with an Industry Body.
  • Formation of Industry Body and its governance structure - TRAI has recommended that the first Industry Body may be set up as a non-profit body under Societies Registration Act, 1860. For doing so, a three-step process has been suggested:
    • Step 1 - To invite membership/ enrolment of CSPs, DoT would make public notification for all CSPs operating in India to get enrolled on DoT's web portal in an online process within a period of 6 months from such notification. DoT has also been suggested to inform the consequences that a CSP may have to face in case it fails to enrol and the impact it may have on continuation of their services in India.
    • Step 2 - To steer the Industry Body, DoT has been suggested to form an ad-hoc body. Such ad-hoc body would comprise government officials as well as leading experts from the industry. The ad-hoc body would also be entrusted with drawing up the charter documents and conducting the first election for the formation of the first Industry Body.
    • Step 3 - The final step would involve obtaining registration under Societies Registration Act, 1860 and taking over regular functioning thereafter.
  • Eligibility, entry fee, and period of registration - For the time being, TRAI has recommended that there is no need to define any eligibility criteria or entry fee to be paid to DoT, or period of registration with DoT.
  • Non-exclusive nature of first Industry Body - While the first Industry Body will be formed by DoT, it has been clarified by TRAI that such body would not have exclusive rights for performing such functions. In other words, if required, DoT can register other similar Industry Bodies that may undertake similar functions.

Comment

The global surge in the use and deployment of cloud-based solutions has in turn culminated in a situation where regulation of cloud, to a certain extent, has become inevitable and cannot be ignored. Most countries have adopted a light touch regulatory approach and in keeping with the global trend, it would be apt for India to follow suit.

Having said that, there are divergent views on whether cloud services warrant a separate legal and regulatory framework. There are various factions in the industry that believe that the existing provisions of the Information Technology Act, 2000 are adequate to cover issues emanating from the provisioning and use of cloud services. In fact, other stakeholders have also commented that TRAI and DoT have exceeded their jurisdiction by foraying into the domain of cloud services in the first place.

Considering that the Recommendations have been released, it will have to be seen to what extent DoT would adopt and implement them. Going by precedence, the DoT had adopted the Old Recommendations in entirety and therefore, the possibility of adoption of the Recommendations cannot be ruled out. That being said, the adoption of Recommendations would bring another set of challenges. Many quarters are of the view that it would be difficult to compartmentalise cloud services between regulated and un-regulated domains and this ambiguity would hamper effective enforcement of the regulatory framework.

The content of this document do not necessarily reflect the views/position of Khaitan & Co but remain solely those of the author(s). For any further queries or follow up please contact Khaitan & Co at legalalerts@khaitanco.com