The Telecom Regulatory Authority of India (TRAI) issued its
‘Recommendations on Cloud Services‘ on 14
September 2019 (Recommendations). The Recommendations are a
culmination of an extensive consultation process that has virtually
spanned over the last 8 years.

Cloud services have acquired a pivotal character in the delivery
of myriad services. Be it ‘software as a service’ (Saas),
‘platform as a service’, (PaaS) and ‘infrastructure as
a service (IaaS) offerings that are available in abundance in the
present day, or futuristic technologies such as artificial
intelligence, machine learning and advanced data analytics –
each of these services are heavily dependent on cloud
infrastructure.

Background

On 16 August 2017, TRAI had released its recommendations on
cloud services (Old Recommendations) for the first time. As part of
the Old Recommendations, TRAI, inter alia, held that a
light touch regulatory approach may be adopted to regulate cloud
services. Further, it was recommended that the Department of
Telecommunications (DoT) may prescribe a framework for registration
of one or more not-for-profit industry body (Industry Body) of
Cloud Service Providers (CSP). Such Industry Bodies would in turn
prescribe the code of conduct of their functioning. It was
suggested that the terms and condition of registration of the
Industry Body, eligibility, entry fee, period of registration,
governance structure, etc. be recommended by TRAI once the Old
Recommendations are accepted by the Government, in principle. In
view of the fact that the Government adopted the Old
Recommendations in May 2019, the present consultation process by
TRAI was aimed at covering these aspects.

Salient features of the Recommendations

The following sets out the key recommendations made by TRAI:

• Light touch regulatory
  framework – In keeping with its earlier recommendations,
  TRAI has reiterated that a light touch regulatory approach be
  adopted in respect of cloud services. To enable all stakeholders to
  determine the correct degree of regulatory oversight, a registered
  Industry Body working in conjunction with DoT/TRAI would be ideal.
  With regard to the industry body, TRAI has made the following
  recommendations:
  
  • TRAI has suggested that DoT may
    initiate setting up of the first industry-led body and require all
    CSPs to become its members. Such Industry Body would lay down broad
    principles and procedures to aid its functioning.

  
  

  • As time progresses, the Industry Body
    so created may further review and deliberate upon forming multiple
    bodies for different purposes, such as for addressing requirements
    of different market segments.

  
  

  • To begin with, only IaaS and PaaS
    providers who are in India or provide services to customers in
    India would be required to mandatorily enrol with the Industry
    Body, whereas SaaS providers may do so voluntarily. In due course,
    the scope of membership may be expanded.

  
  

  • For clarity, channel partners of CSPs
    are not required to take membership of the Industry Body if their
    principals are already members. Having said that, channel partners
    can become members voluntarily if they so wish.

  
  

  • Importantly, TRAI has noted that in
    the era of convergence, cloud infrastructure and services cannot be
    separated from the telecom infrastructure and services from a
    regulatory perspective. It is also noted that telecom service
    providers (TSP) may also be using cloud infrastructure for building
    and operating their core networks. Further, many TSPs have
    introduced Software Defined Networking (SDN), Network Function
    Virtualization (NFV), Mobile Edge Computing (MEC), etc. as part of
    their gamut of services. As such, TRAI has recommended that if CSPs
    intend to provide infrastructure, platform, switching, core
    network, NFV, SDN, etc. to TSPs, such CSPs should be mandatorily
    registered with an Industry Body.




• Formation of Industry Body
  and its governance structure – TRAI has recommended that
  the first Industry Body may be set up as a non-profit body under
  Societies Registration Act, 1860. For doing so, a three-step
  process has been suggested:
  
  • Step 1 – To invite
    membership/ enrolment of CSPs, DoT would make public notification
    for all CSPs operating in India to get enrolled on DoT’s web
    portal in an online process within a period of 6 months from such
    notification. DoT has also been suggested to inform the
    consequences that a CSP may have to face in case it fails to enrol
    and the impact it may have on continuation of their services in
    India.

  
  

  • Step 2 – To steer
    the Industry Body, DoT has been suggested to form an ad-hoc body.
    Such ad-hoc body would comprise government officials as well as
    leading experts from the industry. The ad-hoc body would also be
    entrusted with drawing up the charter documents and conducting the
    first election for the formation of the first Industry Body.

  
  

  • Step 3 – The final
    step would involve obtaining registration under Societies
    Registration Act, 1860 and taking over regular functioning
    thereafter.




• Eligibility, entry fee, and
  period of registration – For the time being, TRAI has
  recommended that there is no need to define any eligibility
  criteria or entry fee to be paid to DoT, or period of registration
  with DoT.




• Non-exclusive nature of first
  Industry Body – While the first Industry Body will be
  formed by DoT, it has been clarified by TRAI that such body would
  not have exclusive rights for performing such functions. In other
  words, if required, DoT can register other similar Industry Bodies
  that may undertake similar functions.

Comment

The global surge in the use and deployment of cloud-based
solutions has in turn culminated in a situation where regulation of
cloud, to a certain extent, has become inevitable and cannot be
ignored. Most countries have adopted a light touch regulatory
approach and in keeping with the global trend, it would be apt for
India to follow suit.

Having said that, there are divergent views on whether cloud
services warrant a separate legal and regulatory framework. There
are various factions in the industry that believe that the existing
provisions of the Information Technology Act, 2000 are adequate to
cover issues emanating from the provisioning and use of cloud
services. In fact, other stakeholders have also commented that TRAI
and DoT have exceeded their jurisdiction by foraying into the
domain of cloud services in the first place.

Considering that the Recommendations have been released, it will
have to be seen to what extent DoT would adopt and implement them.
Going by precedence, the DoT had adopted the Old Recommendations in
entirety and therefore, the possibility of adoption of the
Recommendations cannot be ruled out. That being said, the adoption
of Recommendations would bring another set of challenges. Many
quarters are of the view that it would be difficult to
compartmentalise cloud services between regulated and un-regulated
domains and this ambiguity would hamper effective enforcement of
the regulatory framework.

The content of this document do not necessarily reflect the
views/position of Khaitan & Co but remain solely those of the
author(s). For any further queries or follow up please contact
Khaitan & Co at legalalerts@khaitanco.com