27 April 2017
The Ministry of Electronics and Information Technology (‘MeitY’) released, on 20 April 2017, Guidelines for Government Departments on Contractual Terms Related to Cloud Services (‘the Guidelines’). The Guidelines highlight key issues government departments should consider when engaging cloud services providers, including with respect to data protection and localisation. In particular, the Guidelines state that such contracts must contain a localisation clause mandating that all government data handled will be guaranteed to reside in India. In addition, government bodies may include, for example, clauses that cloud services providers notify them of any data breach incidents pertaining to the data.
Mathew Chacko, Partner at Spice Route Legal, told DataGuidance, “There is a general trend in Asia to insist on data localisation. [I]n fact, this policy is far more permissive than I expected […] we have also observed increased pressure from larger Indian corporates that entities that provide cloud services store data in India. From my perspective, cloud service providers seem happy to ensure that databases are located in India. [I]t might increase costs in the short term, but that increase seems minor compared to the opportunity.”
Localisation of government data in India is not in itself a new development and existing frameworks under Indian law require localisation of government data. For example, Section 4 of the Public Records Act 1993 (No. 69 of 1993) states that no person shall take or cause to be taken public records out of India without the prior approval of the Central Government, except if done for any official purpose. In addition, MeitY has only issued guidelines, rather than regulation, so the extent to which the requirement is binding remains open.
Stephen Mathias, Partner at Kochhar & Co., highlighted, “In my view, this would be binding on all Central Government departments but not on state government departments. The states may choose to follow this or not. In practice, most states will follow this. We have to be philosophical in accepting that a government is not going to accept that its data reside outside India. This is after all government data. It [only] has effect on the private sector to the extent the private sector wishes to be a service provider of the Government.”
Also reflected in the Guidelines is an emphasis on data security and privacy with respect to such data, noting it to be one of the most critical issues to be addressed by a cloud service agreement. In cases where the data is considered highly sensitive, departments may ensure appropriate encryption is applied, along with appropriate cryptographic algorithms to evaluate security.
“There is significant pressure on the Government to ensure data security,” Chacko explained. “We have seen multiple data breaches of some fairly sensitive nature from various government databases including the now famous Aadhaar database. There is a fair amount of civil society pressure too. Even the Supreme Court has observed, in open court though not in a judgment, that the Government ought to consider more stringent protocols for the protection of data. If one stitches together many of the Government’s statements, it is clear that they recognise the need for higher levels of data security and for a more comprehensive privacy law. In fact, there was a statement to this effect by a minister, a while ago […] After the latest data breach and the controversy involving WhatsApp, Inc., I think the Government is keenly looking at a new law on privacy and data protection.”
Hernán Romero-Dutschmann | Privacy Analyst