Data Protection: Countries take measures to secure cloud-based networks
Globally, there has been an increasing uptake of cloud computing services. According to Forrester Research, the global cloud computing market is expected to grow to $241 billion in 2020, up from $40.7 billion in 2011. Increasingly, countries are recognising the benefits of adopting cloud computing services and are, therefore, shifting their critical functions to the cloud-based platform. One of the key benefits of cloud is to transform the current capex-based IT infrastructure model to a pay-as-you-go model. The US and a large number of European countries have emerged as the early adopters of cloud computing services. These services have helped both the government and the private sector in developed countries to achieve economies of scale, reduce costs and enhance business efficiencies.
Cloud computing is also beneficial for small, medium and large enterprises. However, the deployment of these services presents security and privacy challenges. Organisations shifting to the cloud also have to address issues related to data sovereignty and jurisdiction, licensing and registration terms and the conditions imposed on cloud service providers (CSPs), disruptions in the organisational set-up and partial loss of control over critical functions. Illustrating the inherent risks involved in the adoption of cloud computing, the Federal Risk and Authorization Management Program in the US states that the decision to embrace cloud computing technology is risk based, and not technology based.
However, given the role of cloud computing in significantly changing the way IT services are provided and used, many countries have adopted these services despite the inherent risks. Being early adopters of cloud computing services, the US and the UK and some Asian countries have made efforts to put in place policy frameworks to minimise these risks. For example, the US government has launched the Cloud First Policy, while the Australian government has developed a cloud computing strategy. The European Union (EU) is in talks with various stakeholders to formulate its own cloud policy.
The US’s Cloud First Policy mandates government agencies to evaluate cloud computing options before making any new investments. The US government has also set up the National Institute of Standards and Technology, a federal technology agency that works with industry stakeholders to develop and apply technology, measurements and standards to be used by private as well as government agencies.
Further, with increasing virtualisation across networks, one of the major concerns for governments is to determine the level of access to be given to security agencies while deciphering communication across traditional telecom networks and cloud-based platforms. For instance, in the US, the National Security Administration (NSA) has been given permanent access to the backbone infrastructure of a few service providers, which gives the NSA the freedom to intercept communication that might be crucial for the country’s security.
The UK also lays significant emphasis on data protection. Although the country does not have a specific regulation for cloud computing, it has a strong IT policy that safeguards user privacy. The country’s Data Protection Act, 1984 ensures protection and privacy of personal data, and the Regulation of Investigatory Powers Act, 2000 aims to take into account any technological changes related to the growth of the internet and data encryption, which could be a threat to national security as well as personal and economic well-being.
As the adoption of cloud computing is at a nascent stage across countries, there are no comprehensive regulations addressing the issues of ownership and data retention. By and large, these issues are covered under the contractual provisions stated in service level agreements (SLAs). However, the SLAs are unable to differentiate between or sufficiently define non-personal, personal, sensitive and proprietary information. In evolved cloud computing markets such as the US and the UK, SLAs are structured to protect the rights of service providers. They can disclose and use information and restrict users’ ability to make proprietary-based claims against the cloud provider. However, in order to address ambiguities in the SLAs, the EU, under its strategy for unleashing the potential of cloud computing in Europe, has proposed a few amendments to the Common European Sales Law. These amendments are aimed at addressing various issues resulting from the different national sales laws in various countries and providing contractual parties with a uniform set of rules. The revised sales laws will also cover issues related to data preservation after termination of the contract, data disclosure and integrity, data location and transfer, ownership of data, direct and indirect transfer of liability arising out of any change of service, and subcontracting. The amendments are aimed at identifying and adopting the best practices in framing model contract terms, which would increase the trust of potential customers, thereby driving the uptake of cloud computing services. Further, in response to growing concerns regarding user privacy, a large number of countries have taken a firm view on data retention policies adopted by CSPs. In developed cloud markets, governments have recognised the consumers’ right to erase their personal information from the CSPs’ servers. As a result, several CSPs follow an 18-month data retention policy, after which user data is anonymised. 
However, global experience proves that the technologies underlying cloud computing make it difficult to track and ensure that user data has been neutralised or made untraceable. In such a scenario, countries are examining the merits of mandating a data retention policy as part of the sectoral regulations as opposed to having a standardised retention regulation for all data on cloud computing infrastructure.
The uptake of cloud-based services has also gained traction in developing countries including India. Globally, the Indian market has been recognised for spearheading data and knowledge process outsourcing for other developed economies. However, growing incidents of data theft and mishandling of private and personal information have resulted in increased apprehensions about business outsourcing. Further, the lack of a dedicated regulatory framework covering privacy laws, the absence of data protection laws, inadequate data security, inappropriate data erasing mechanisms, and licensing and jurisdictional issues are restricting the mass uptake of cloud computing services in India.
At present, India does not have an exclusive data protection law. In the absence of specific regulations, data protection is ensured through the enforcement of privacy rights (under the Indian Constitution and Information Technology Act, 2000) and property rights (under the Indian Contract Act, 1872; the Copyright Act, 1957; and the Indian Penal Code, 1860). Industry experts contend that a data protection law is required in order to ensure investor confidence and maintain India’s lead in the global outsourcing market. The Information Technology Act seeks to protect only sensitive data. However, this regulation proves to be inadequate in ensuring data protection and privacy as it does not specify any time frames for retaining sensitive data. Moreover, the Indian government is yet to formulate regulations for data retention. As a result, the nature of data that is to be preserved and the duration of retention are not known.
Going forward, given the benefits offered by cloud computing, it is imperative for India to examine the mechanisms and measures that may be taken up to pave the way for more liberal adoption of cloud computing. With organisations across verticals showing interest in deploying these services, the country is well placed to learn and implement the best global practices and models adopted by developed countries. It can formulate guidelines for the protection and retention of data stored on cloud infrastructure, modelled on the US data protection laws. The US has enacted the Stored Communications Act, which ensures that internet service providers, CSPs or vendors do not tamper with personal data. Also, the cloud computing models adopted by other countries can be emulated to minimise risks associated with the adoption of these services. For example, the US has established Amazon Web Services (AWS) GovCloud, which allows government agencies and contractors to shift more sensitive workloads to the cloud. It offers the same security level as other AWS-supported cloud platforms. The AWS GovCloud also supports the existing AWS security controls and standard industry certifications such as FISMA, SAS-70, ISO 27001, FIPS 140-2-compliant end-points and PCI DSS.
The Indian government has been quick to recognise the potential of cloud computing to transform the delivery of IT-enabled welfare and community services by various government bodies. The National Telecom Policy, 2012 emphasises that cloud computing will significantly expedite design and roll-out of government services; and enable participative governance and e-commerce on a scale which cannot be achieved with traditional technology solutions.
Going forward, the Indian government can provide the required impetus for the growth of cloud computing by introducing a strong regulatory framework based on global data protection and privacy rules that will minimise the risks associated with these services.