India Compliance Guidelines To Cloud Services
Created: 25 Apr 2013 | Updated: 30 Apr 2013
Cloud computing is a growing trend and has changed the landscape of information technology, shaping not just our work environment but also our personal lives. Many of us have been using cloud computing for years on a daily basis through web-based email, social media and other applications. The rapid adoption of cloud computing, especially by organizations, and the fact that more and more sensitive commercial and personal data is being stored on the cloud have raised concerns about whether cloud computing platforms are sufficiently secure. Regulators and authorities around the world have responded to these concerns by introducing new laws, regulations and compliance requirements which attempt to mitigate the security and data privacy risks associated with the use of cloud computing platforms. The stringency of some of these requirements has led some organizations to shun the adoption of cloud computing solutions, citing the web of legal and regulatory requirements and the costs associated with ensuring compliance as prohibitive factors.
The Symantec.cloud offering provides a range of solutions that Customers can use to address their individual business requirements and regulatory frameworks, ranging from the filtering of data as it passes through the Services to the storage and management of long-term records under the direction and control of the Customer. By utilising the Symantec.cloud Services, Customers are able to leverage established and tested technologies and tools to empower the Customer's own information technology staff to configure and control business data via a resilient and continually improving cloud platform. With these tools, Customers are able to best determine how to work within their existing policies and frameworks in managing the relevant privacy, confidentiality, and regulatory controls applicable to the Customer's business.
This paper attempts to analyze, at a very high level, these concerns by highlighting the key legal and regulatory issues that impact the adoption of cloud computing within India. It proposes that, with the right guidance and partner, organizations need not avoid adopting cloud computing solutions. This paper is not intended as legal advice. Readers should be sure to take their own legal advice on any of the issues covered by this paper.
Use of cloud computing in India is still not clearly defined or accepted. This lack of clarity stems not only from a number of factors in the development of the cloud computing model but also from the difficulty in keeping pace with the rapid developments in cloud computing, resulting in legislative or regulatory gaps in key areas of protection.
Cloud computing represents a "new set of opportunities and challenges for law enforcement agencies", as jurisdiction over data in the cloud has been a cause of concern for regulators globally. While we await the development of a defined cloud policy from the Indian Government, there are at present no laws in India that specifically prohibit an organization's data, including its customers' personal data, from being utilized in or offshored to the cloud. This does not mean that there are no laws to take into consideration, but that Indian legal entities are given some latitude in the use of technologies, provided that the legal entity takes precautions over its handling of customer data and puts in place suitable controls and processes to protect its data. Some of the relevant Indian legislation providing this guidance is summarized in the paper available for download.