This Article is written by Bhumika Meena of B.A.LLB of 5th Semester of Dharmashastra National Law University, Jabalpur, an intern under Legal Vidhiya
ABSTRACT
Cloud computing will be the foundation of the future generation of computer systems worldwide. Cloud computing challenges the traditional legal protections for the safety of business capital and knowledge-based assets. We refer to the legal framework and regulations that govern the use of cloud computing services as “cloud computing law.” This study introduces readers to cloud computing law.
Cloud computing, which offers small and medium-sized businesses potential benefits like quick access to flexible and affordable IT resources, payment on consumption, and increased productivity for accounting services, customer support, and communication, emerged as a result of a lack of resources to manage an expensive and complex internal IT infrastructure (local storage computing). It provides simple ways of accessing databases, servers, and a variety of internet applications. Distributed computing, virtualization, grid computing, and databases are all used in the “cloud computing” technology paradigm to provide computer services.
The article’s objective is to examine the legal protections available to secure SMEs who use cloud computing. This presentation will address the security risks that cloud computing presents to local storage computing and possible remedies.
KEYWORDS
Cloud computing, local storage computing, databases, privacy, PRISM, and international standards.
INTRODUCTION
Cloud computing is one type of outsourcing that allows computers and other devices to access pooled data and processing resources whenever they need to. This innovative technology system provides a simple way to store and access servers, data, applications, and a variety of application services over the internet. The numerous benefits of cloud computing have made it popular among small and medium-sized enterprises.
Cloud-hosted servers provide for large-scale processing capacity and reduce the need for IT and physical storage, which leads to considerable cost savings. This new business and technology trend benefits small businesses by increasing their flexibility and integration.
Small and medium-sized enterprises (SMEs) and other cloud users confront serious privacy and regulatory concerns that hinder the rapid adoption of this new technology system, despite its many benefits. Only the cloud service provider (CSP) can guarantee the security of users who outsource their data and apps in a cloud environment. Many fears stem from a fear of the unknown. Everyone is thought to have a basic right to privacy (Movius and Krup, 2009). This has led to the creation of a sizable number of privacy-related legislation across the globe. Nearly all national governments have enforced local privacy laws.
A number of US states have enacted their own privacy legislation. To maintain a realistic breadth, this text exclusively addresses federal U.S. statutes and European Union laws. Furthermore, some US industry (self) laws are considered.
The concept of cloud computing refers to a strategy that facilitates simple on-demand network access to a shared pool of reconfigurable computing resources (including networks, servers, storage, apps, and services) that can be swiftly supplied and released with minimal administration effort or customer service. Due to the global nature of cloud services, the adoption of cloud computing by the US government poses serious jurisdictional issues. There are concerns about whether country’s laws regulate data access, privacy, and security because cloud data storage frequently crosses borders. The main concern is the extraterritorial reach of US laws, such the CLOUD Act and the PATRIOT Act, which, under some circumstances, provide US authorities access to data kept abroad. Conflicts with foreign data protection legislation, such as the General Data Protection Regulation (GDPR) of the European Union, which limits cross-border data transfers, may result from this. As they negotiate competing regulatory frameworks, these jurisdictional conflicts make it more difficult for government organizations and cloud service providers to comply with the law. It is still difficult to strike a balance between worldwide privacy rights and national security requirements; doing so calls for international collaboration, well-defined policy guidelines, and strong legal frameworks to reduce risks and preserve cybersecurity.[1]
LEGAL AND REGULATORY CHALLENGES IN CLOUD COMPUTING
We can readily get excited by the benefits of cloud computing, but we also need to consider certain legal issues. International law, which is composed of the rules governing international interactions, includes legal issues pertaining to cloud computing.
It consists of the following parts:
1. A general or specific international agreement that establishes guidelines that disputing governments specifically acknowledge
2. As proof of a widespread practice recognized as law, international custom
3. The fundamental legal precepts accepted by civilized countries
4. As a secondary, judicial rulings and the advice of the most accomplished publicists in each country serve as a basis for establishing legal norms.
Since controversial debates about who owns and maintains public data are growing more common, the 21st century is considered to be the data privacy era. Privacy rights have often been evolved more slowly by the common law. Any local legislation pertaining to data privacy must be in line with the generally accepted international norms.[2]
IT organizations will first be impacted by the majority of these problems. If businesses are forced to keep data locally in order to avoid jurisdictional issues, the cost of investment and innovation in cloud computing will increase. The performance and efficiency benefits of cloud computing may be lost as a result, and its benefits for businesses, governments, and consumers would decline. However, this may be the only short-term solution available to the majority of cloud providers until an appropriate global framework is created in collaboration with different national governments. The International Telecommunication Union (ITU) can play a major role in this area by creating a general security and privacy framework that encompasses several countries and applying pressure on them to align their national laws in this direction to enable cloud computing. Until then, cloud service providers might need to construct local data centers and make sure that national data remains inside national borders.
MAJOR CHALLENGES –
In recent years, the use of cloud computing to increase file access has increased dramatically. Even though cloud computing offers a plethora of benefits, there are significant legal concerns for both individuals and companies. Since our laws are based mostly on concepts of territoriality, they struggle to keep up with a modern world in which map lines are practically useless.
One of the primary barriers to using data stored on the cloud is privacy concerns.
Virtualization is one of the essential elements of cloud computing. In addition to the anonymity of the Internet, it allows virtual servers and makes it hard to track the location of the data held on numerous servers worldwide.[3]
LAWS IN INDIA RELATING TO CLOUD COMPUTING
The Indian legal community has faced a number of challenges in adjusting to technological developments, including the rapid expansion of the internet and its global impact. Technology has repeatedly reduced the need for face-to-face interaction in the development of significant legal relationships between the parties. Therefore, it is up to the legal community to decide on the code of conduct that these parties must adhere to in order to maintain these legal relationships. There was no legislation in India pertaining to the use of computers, computer networks, and computer systems, as well as data and information in an electronic format, prior to the passage of the Information Technology Act, 2000. The primary objectives of the Information Technology Act of 2000 are to facilitate the electronic filing of documents with government agencies and to legalize e-commerce, which uses electronic channels for communication and information storage. The Act also covers offenses committed outside of India because it has extraterritorial jurisdiction.
However, the Act also contains many ambiguities, such as the lack of protection against copyright infringement, domain name defence. [4]e-transaction taxation, payable stamp duty, and the jurisdictional element of e-contracts. Nonetheless, several adjustments are being proposed in an attempt to eliminate the ambiguity.
In terms of information security, businesses are expected to ensure that they implement “Reasonable Security Practices and Procedures” to safeguard the information. This indicates that the Indian government has embraced the International Standard on “Information Technology – Security Techniques – Information Security Management System – Requirements.” In terms of actual security policies and processes, any corporate entity that implements such requirements is considered to have complied with the aforementioned statute. The law additionally mandates a comprehensive information security program, standard information security plans that include the operational, technical, and managerial charge of security, and physical measures that are appropriate for the isolated information assets and that adhere to reasonable security standards and exercises.
Building confidence in the Cloud Model –
Large data centers under service-level agreements that have 99.99% or higher uptime provide most of today’s cloud computing infrastructure, which is time-tested and highly reliable services based on servers of varying degrees of virtualized technology. Commercial services, which usually provide these service-level agreements to clients, have evolved to their quality-of-service demands. The cloud is presented to users as one point of access to all their computing needs. Assuming there is an Internet connection, these cloud-based services can be accessed anywhere in the world.
Reliability is usually enhanced in these setups because cloud computing service providers have many redundant locations for disaster recovery. Companies are attracted to this due to catastrophe recovery and business continuity needs. But the drawback is that when a failure happens, IT managers have limited control. The ability of cloud services to dynamically scale according to varying user needs is another benefit that adds to their reliability. Security is usually greatly enhanced because the service provider maintains the needed infrastructure. Centralization of data has resulted in increased focus on protecting client assets that are maintained up-to-date by the service provider.
Status of privacy in the Indian Constitution –
One of the main barriers to the growth and adoption of cloud computing in India is the absence of explicit data protection and privacy laws. In 1950, the Indian constitution went into force. Before the constitution was ratified, the criminal law, tort law, and libel and slander law all contained clauses protecting individual privacy. Even after the constitution went into force, no fundamental right to privacy was specifically guaranteed, despite the fact that the right is protected in the constitutions of countries like Argentina and South Africa. Court decisions in India established the right to privacy based on the rights specified in Article 19(1)(a) of the constitution (the fundamental right to freedom of speech and expression).
LANDMARK JUDGMENTS IN INDIA
Kharak Singh vs. the State of Uttar Pradesh (UP)[5]
The appellant was being harassed by the police in this case, in accordance with Regulation 236(b) of the UP police regulations, which permits overnight domiciliary visits. The Supreme Court declared Regulation 236 to be unconstitutional due to its violation of Article 21. Despite not being explicitly mentioned as a fundamental right in the Indian constitution, the court found that Article 21 of the document includes the “right to privacy” as part of the “protection of life and personal liberty.”
R. Rajagopal vs. the State of Tamil Nadu[6]
In this decision, the court ruled that “among other things, a citizen has the right to protect his privacy, the privacy of his family, marriage, procreation, motherhood, childbearing, and education.” No one may publish anything on the aforementioned subjects without his consent, regardless of whether it is factual or not, critical or commendable. If he did, he would be sued for damages because it would be against the person’s individual right to privacy.
People’s Union for Civil Liberties (PUCL) vs. Union of India[7]
The Supreme Court ruled that Article 21 of the Indian Constitution is violated by the government’s use of telephone tapping in line with Telegraph Act 5(2) of 1885. The right to “life” and “personal liberty,” which includes the right to privacy, are guaranteed under Article 21 of the constitution. It is forbidden to restrict the aforementioned right “other than in accordance with the procedure established by law.” The court attempted to clarify the right to privacy under Article 21 of the International Covenant on Civil and Political Rights in compliance with Article 17.
BENEFITS OF CLOUD COMPUTING-
Cloud computing allows for centralized storage of data and distributed processing of data. This method eliminates the need to transport storage devices along with the computer. This brings down digital devices to much lower prices and lowers computing hardware costs considerably. Cloud computing offers five appealing advantages that can be leveraged by companies to offer low-cost, long-term services. Among them are the following:(i) Users can access services without the intervention of a third party because of on-demand self-service. (ii) A big cloud network offers real-time, global access to all users everywhere in the world. (iii) Resource pooling allows the Cloud Service Provider (CSP) to offer low-cost cloud services and benefit from economies of scale. (iv) The consumer can access the cloud data whenever they need to because of rapid elasticity as need.[8]
RECOMMENDATIONS
- Businesses that use cloud computing services, like SMEs, should carefully read the terms of service of the cloud provider and make sure that the personal data they entrust to them will be handled in a way that complies with their privacy duties under applicable privacy laws. To put it briefly, SMEs should use contracts or other methods to make sure that the cloud provider handles and protects personal information appropriately. Better yet, if they are uncomfortable with what a cloud provider is offering, they should not give the provider the personal information that their customers have entrusted to them.
- Examine the policy on internal security. SMEs using cloud computing must thoroughly assess their internal processes in accordance with the findings of the risk analysis. Actually, there are additional risks associated with using mobile terminals or transmission over the internet while using the cloud. A service that complies with these security criteria needs to be provided with extra care.
- Track changes throughout time. In keeping with the idea of continuous development, CNL advises SMEs to evaluate cloud computing services on a regular basis, taking into account factors including legislation, risks, market solutions, and context changes. In order to adjust the measures or solutions as quickly as needed, the suggested risk analysis needs to be updated as soon as a major change in the service occurs. The product’s features or the technical delivery of the service (new data center, altered security policy, customer-initiated processing changes, etc.) may be affected by these modifications.[9]
RECENT DEVELOPMENTS
Recent advancements in the regulation of cloud computing have made a major contribution to jurisdiction, privacy, and data storage. This is consistent with the global trend towards increased data protection and sovereignty.
Data Sovereignty and Jurisdiction: The concept that data is governed by the rules and law of the nation where data is collected or processed is known as data sovereignty. The imposition of data localization practices and increased scrutiny of cross-border data transfer are the implications of the concept. For example, to prevent foreign jurisdiction and regulatory risk, Australian authorities are increasing efforts to keep critical data local, particularly in the health sector.
Privacy Legislation in the United States: In the US, a number of states have passed bills granting citizens certain rights over personal data. These are the Iowa Consumer Data Protection Act (IA CDPA), the Delaware Personal Data Privacy Act (DPDPA), the Connecticut Data Privacy Act (CDPA), and the Colorado Privacy Act (CPA). Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia are some other states with similar acts. All the acts provide varying protection of personal data, which is consistent with an emerging trend of increased state-level rights to privacy.
International Data Access and the CLOUD Act
Wherever it is stored, either in the United States or elsewhere, the federal law enforcement agencies can force U.S.-based tech companies to surrender targeted data stored on U.S.-based servers through the use of the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act. This has far-reaching implications on cloud providers-stored data, notably on cross-border data access and whether data stored outside the United States falls under U.S. law.
CONCLUSION
Cloud computing provides consumers and businesses with more choices, flexibility, and cost savings. Consumers need categorical guarantees from cloud providers for the security and privacy of their personal information so that they can enjoy these benefits. By defining the legal, jurisdictional, and public policy ambiguities of cloud services, regulators and legislators across the globe can achieve the promise of cloud computing. Multinational businesses operating in more than one nation and having to manage multiple laws and regulations can collaborate with governments, consumer organizations, and industry organizations to create globally harmonized models of privacy that maximize the financial and social gains of cloud computing.
Since cloud computing stores data on the Web, there is no chance of losing data or corrupting it, which is the main reason why companies use it over other devices for storage. Cloud computing also has many disadvantages that have to be overcome. For instance, there are certain security and privacy challenges with online storage of data. Moreover, there is always a chance of losing internet connectivity, which can hamper a business’s operation.
Over a network, often the Internet, cloud computing provides computer resources as a view of service that can be scaled up or scaled down in accordance with the needs of customers. It will be stationary. Legislators and regulatory organizations across the world are continuously revising and updating legal frameworks to address new challenges and protect the rights and interests of cloud service providers and consumers as cloud computing continues to evolve.
Harmonizing jurisdictional laws of different nations for cloud computing services can even be a step towards eliminating any conflict of the interests of parties in different nations. But it is a gradual process, and the maturity of the process also depends on the experiences of emerging industries. On the basis of past e-commerce experiences, this needs national action to standardize cloud computing service contracts simultaneously attempting to develop an international legal framework that is well-balanced.
Cloud computing is rapidly being adopted and implemented throughout society. But the legal community is behind these developments. The current theories and law regulating jurisdictional and choice-of-law analyses urgently need upgrading because they are, at best, clumsy and sometimes unworkable. Careful choice and implementation of the above principles and reforms can avoid many of the mistakes made in the previous Internet environment, although no one policy proposal could possibly be a panacea for all the challenges Courts will confront in this section.
REFERENCES
- Gray, “Conflict of laws and the cloud,” Computer Law & Security Review vol. 29, no.1, February 2013, pp. 58- 65(last visited Jan. 29, 2025)
- Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, Gazette of India, part II section 3(1), R. 6 (Apr. 11, 2011),(last visited Jan. 29, 2025).
- J. S. Saini et al., “[Retracted] cloud computing: Legal issues and provision,” Security and Communication Networks, vol. 2022,https://www.hindawi.com/journals/scn/2022/2288961/(last visited Feb. 5, 2025)
- CNIL “Recommendations for companies planning to use Cloud computing services” https://www.cnil.fr/sites/default/files/typo/document/Recommendations_for_companies planning_to_u se_Cloud_computing_services.pdf, ( last visited Feb. 5, 2025)
- Giuseppe Vaciago, Cloud Computing and Data Jurisdiction: A New Challenge for Digital Forensics, https://www.website.com (last visited Feb. 7, 2025).
[1] Sasha Segall, Jurisdictional Challenges in the United States Government’s Move to Cloud Computing Technology, 23 Fordham Intell. Prop. Media & Ent. L.J. 1105 (2012).
[2] A. Gray, “Conflict of laws and the cloud,” Computer Law & Security Review vol. 29, no.1, February 2013, pp. 58- 65
[3] Giuseppe Vaciago, Cloud Computing and Data Jurisdiction: A New Challenge for Digital Forensics, (last visited Feb. 7, 2025).
[4] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, Gazette of India, part II section 3(1), R. 6 (Apr. 11, 2011).
[5] Kharak Singh vs. the State of Uttar Pradesh, AIR 1963 SC 1295.
[6] R. Rajagopal vs. the State of Tamil Nadu, (1997) 1 SCC 301.
[7] People’s Union for Civil Liberties (PUCL) vs. Union of India, AIR 1995 SC 264.
[8] J. S. Saini et al., “[Retracted] cloud computing: Legal issues and provision,” Security and Communication Networks, vol. 2022, https://www.hindawi.com/journals/scn/2022/2288961/
[9]CNIL “Recommendations for companies planning to use Cloud computing services” Internet: https://www.cnil.fr/sites/default/files/typo/document/Recommendations_for_companies_planning_to_u se_Cloud_computing_services.pdf, Jan 2017, [Aug. 25, 2017]
Disclaimer: The materials provided herein are intended solely for informational purposes. Accessing or using the site or the materials does not establish an attorney-client relationship. The information presented on this site is not to be construed as legal or professional advice, and it should not be relied upon for such purposes or used as a substitute for advice from a licensed attorney in your state. Additionally, the viewpoint presented by the author is personal.
0 Comments