Introduction
The current state of chaos in the cyber world is that of ‘data’. As technology progresses, it creates avenues for the conception of larger data which requires its protection too. And protection coupled with preservation of data is the most vital concern for all, dealing with the same in the ever-evolving technological world. Every nation-state has tried to come up with their own data protection regime for withstanding the challenges that are associated with data vulnerability and facilitate a membrane of protection through which the personal data of individuals and corporations could be safeguarded. However, with the development of technology, many companies started running their business through technology, but to run their business most of the companies had to spend enormous amount of capital to set up infrastructure, which included buying hardware and equipments used for running their business. Therefore, the advancement of technology made it possible to access the servers virtually with the help of Internet and this paved the path for the creation of ‘clouds’ i.e. a virtual space where generated data could be stored for future access of a generator or receiver of such data with the help of ‘Internet’. This resulted in the creation of more data which made the situation all the more complex to be monitored and managed.
Although many definitions exist with regard to the ‘cloud’, but there is no standard form of definition, which can define it Clouds are vast pool of easily usable and accessible virtual resources.[1] They can be re-arranged in accordance with variable load, for optimum utilization. To put it in the simplest sense “it is a model which enables a convenient, on demand network with an access to a shared pool of configurable computer resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”[2] It is a form of outsourcing the contract,[3] which is used to define a virtual platform that would allow, to store and process the data, run applications and deliver services and many other things with the help of internet.
In general, cloud offers three types of services which are ‘software’ as service (hereinafter ‘SaaS’), ‘platform’ as service (hereinafter ‘PaaS’) and ‘infrastructure’ as service (hereinafter ‘IaaS’);[4] because of which many organizations have selected for the services of cloud computing; as in this the organizations has to pay only for the services they are provided. Also that can meet the demands of the customers easily, in a rapidly changing market. Currently, this service is provided by many service providers which include Amazon, Google, Apple, Microsoft etc. The clients who are struggling to store their data in a safer space select the cloud vide rent in accordance to their needs, while the user is not required to have knowledge of the working of cloud, they only requires the services of internet through computers and even with portable devices like mobile laptop. While the cloud service providers often ask the users to enter into an agreement which they need to accept to use the services of the cloud; often the consumer negligently waves the onus to go through the content of the agreement, and accepts the terms of the agreement than understanding the content and concerns of having legal consequences. This, in turn affects the future course of customer; service provider relationship.[5]
While it may seem that Cloud Computing is a phenomenal concept, the elements of the same have been around for many years. It is neither a new concept nor a new technology nor a new shift in a technology. It covers several practices which existed long before the concept became popular, because of which it is safe to say that all of us are using the services of cloud in one way or other e.g. email like Gmail, Yahoomail etc. However, be that as it may, it is increasingly labeled as a new mode of supplying, consuming and generating IT assets via the Internet in which, for no cost, we access a server hosted by a third party which could be located anywhere in the world, in regard to which we would not be having any knowledge.[6] Since in cloud computing the data which is provided by the client is stored in an unknown location with other data which is also provided by different clients because of which there is a constant fear regarding the protection of data provided by the user. Although in this technology has many more issues, but the present research paper would only deal with the issues regarding to data protection. Enormous opportunities exist in the cloud that could be exploited through its adoption, but at the same time various new challenges and issues have emerged that threaten its adoption. These issues may range from the technology to legal to public policy.
Building Blocks of Cloud Computing:
Different service models of Cloud Computing: There are different types of cloud computing service models which the users could avail in accordance to their needs, they are:
- Software as a Service (SaaS): In this model the user of cloud can have access to the service provider’s software which are hosted by him, by which it eliminates the need to install and operate the software on his own computer and also makes it easy for the user to maintain the software. In this, the service provider takes the responsibility to manage and deploy the infrastructure requires to manage and run the software. Example: Google Apps, Salesforce.com.[7]
- Platform as a Service (PaaS): In this model, the users of cloud could avail the services to develop various applications without the help of installing and downloading any software on their personal computers. The users in this model do not manage the infrastructure, but have the control over the application which is made in this. Example Facebook, etc.[8]
- Infrastructure as a Service (IaaS): In this model, the resources are shared through the virtual technology. The main objective of this model is to provide resources like servers, network, storage etc. which are easily accessible by operating system, by a third party service provider. Example: Amazon Web Services.[9]
Cloud computing Deployment models:
There are four different types of cloud deployment model system which could be availed by the user, they are:
- Private Cloud: This type of cloud could be owned, leased or managed by a third party while existing on premises of the user or off-premises. This cloud is more secure than Public clouds. In these types of cloud, there is no need for additional requirements like security regulations, restrictions of bandwidth, legal regulations which are present in public cloud. Since the number of network used by the user is restricted, the user and the service provider only have the complete control over the cloud.[10]
- Public Cloud: In this type of cloud, the service is provided by the third party to many customers on the same cloud, which is regulated by the user’s or organization’s firewall. Public Clouds are hosted completely by the service provider and the whole responsibility to maintain, install, manage, is undertaken by the service provider. Multiple users could work at the same time by utilizing the resources hosted optimally. In this the users are only charged for the resources they use, because of which the issue regarding underutilization of resources is removed. The drawbacks of Public Cloud is that there could be no restrictions on the access of cloud neither could any authentication measures be taken by the company, because of which there is always an issue regarding the security of data over the cloud.[11]
- Hybrid Clouds: It is a composition of two or more deployment models which is linked in such a way that the transfer of data takes place without affecting one another. These types of clouds are useful for two types of functions such as receiving customer payments and the secondary function regarding the business like employee payroll. One of the major drawbacks of hybrid cloud rests in creating such a cloud effectively and governing it. The information which is obtained by different sources is stored in a single location which could make it difficult for the public and private information.[12]
- Community Cloud: When the infrastructure is shared by many organizations for a common cause which is managed by them or by third party is known as community cloud. In this only the members which are agreed could have access to the cloud. This model is generally based on the agreement which is entered between the related business organizations. This cloud could exist remotely or locally.[13]
Properties of Cloud:
There are two principal standards organizations that have developed the expression and meaning for “cloud computing”—first one being the US government-based National Institute of Standards and Technology (NIST) [14] and the non-governmental International Organization for Standardization (ISO). The recognized definition from ISO/IEC 17788:2014[15] is hereinafter stated:
“Cloud computing: Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources (examples of resources include servers, operating systems, networks, software, applications, and storage equipment) with self-service provisioning and administration on-demand”.
The NIST defined “cloud computing” as Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The NIST went a step further and identified five essential characteristics of Cloud Computing, which are necessary to be fulfilled for service rendered which are termed as cloud.[16] They are:
- On Demand Self Service: A consumer should be able to use the services of cloud, such as storage or server time, without the help or interaction of other human or service provider
- Broad Network Access: The services could be available through the network and could be accessed through any standard mechanism that promotes the thin or thin client platform.
- Resource Pooling: The service provider’s resources are pooled to several customers by using a multi tenant model, which has a different physical and virtual location which keeps on assigning and reassigning differently according to consumer’s demand. The consumer in cloud has no exact knowledge of the location form where the services or resources like storage facility, network bandwidths, Etc. are provided. In a private cloud, the customers, or tenants, may be different individuals or groups within a single company, while in a public cloud, entirely different organizations may safely share their server space. Most public cloud providers use the multi-tenancy model. It allows them to run servers with single instances, which is less expensive and helps to streamline updates.
- Rapid elasticity: The capabilities can be increased in an instant and released, in some cases automatically, to meet the demand of consumers because of which it is often felt by the consumer that the capabilities of cloud is unlimited.
- Measured Service: Cloud services automatically control and optimize the use of resource through leveraging a metering capability which is present at some level of abstraction according to the type of service provided.
Others, contrastingly, view the cloud very commonly as “a metaphor for the Internet.” [17] There are numerous definitions between these two connotations[18], but one can pick up the weighing scales and strike a good sense of balance by an explication that: cloud computing is the “on-demand delivery” of “resources and applications over the Internet.[19] Since in cloud computing the data which is provided by the client is stored in an unknown location with other data which is also provided by different clients of the same client because of which there is a constant fear regarding the protection of data provided by the user.
Issues regarding Data Protection in Cloud Computing:
Sharing or storing valuable information online with the help of cloud might present a number of security threats and risks like the protection of data. This is germane because a number of other issues might also arise by the falling of the information in wrong hands. These may range from issues pertaining to Intellectual property Rights, divulgence of trade secrets, dissemination of personal information etc. If the information has to be made available or shared, in a secure manner, on the Internet then the users and service providers have to take many steps in terms of fortifying the security controls and simultaneous monitoring of the access to information, so that the information is secure. One of the main concerns that is required to be highlighted is that of rising conflicts between the global nature of cloud and the Internet architecture, on the one hand, and the delivery and the local legal and regulatory requirements, on the other hand. A cloud service provider could have data centres, clients, end customers and resources for instituting and maintaining the services in different geographic locations. However, this geo-demographic spread may pose challenges in terms of compliance with the legal and regulatory requirements concerning national security, cyber security, privacy and content regulation. Essentially it becomes a daunting task for the cloud service providers to comply with the local requirements. In many instances, the compliance requirements could be such that they may dilute or attempt to dilute the very benefits of the global architecture and benefits of the cloud services.
When a consumer subscribes to the cloud services and saves their data on it, all the data would reside in the premises owned and operated by the provider, because of which the fundamental issue which arises is that whether the consumer could obtain any assurance that the provider is implementing the same security measures which the consumer would have maintained in case the data was stored in his premises.[20] Data which is stored in a public cloud and the applications which is hosted on it may have different security measures than that of a private cloud. For example cloud implementation’s quality, data stored, ‘attacker’s pool’ on the cloud wherein the attackers embrace the “as-a-service model”, giving unsophisticated cybercriminals a leg up in carrying out attacks; and experience level regarding to the system complexities and hackers of cloud administrators which poses a complex scenario for its managtement.[21]
One of the key concerns with regard to cloud computing is ‘Data Privacy’. The big question in cloud computing is whether the information shared is legally sharable. While some of the individuals might agree to share their data with some other companies, agencies might not want to share their information and are concerned about the privacy of their data on cloud.[22] [Recent initiatives of the Indian Government in constituting a Cloud Policy Panel and the draft report recommending a data localization regime- fostering easy access to data when stored locally and for conducting investigations; (eg. Cambridge Analytica) National Cloud Strategy being mooted. In some of the cases there are laws made for sharing of data which would allow, restrict or partially allow sharing of the data. For example, in India, the RBI has issued Guidelines[23] under which banks are not allowed to share the data of their customers in case they outsource their services to a third party. (Averting possible foreign surveillance)[24] Therefore, all the parties involved in cloud computing have to follow the laws of the country concerned. However, considering the complex nature of cloud, it might be impossible from user’s point of view. As many times the data on cloud could be very sensitive, because of which every measure has to be taken by the service provider to secure the data.[25]
Also, the possibilities of alteration in the data which is present on cloud is a major concern. The integrity of data which is present on cloud should be maintained and not have unauthorized alteration. The Service Level Agreement (SLA) by which the services are governed is usually in favour of service providers and is non-negotiable; only the bigger players in market could make the agreement at par but generally for small or medium players SLA is in favour of service provider.[26] These are some of the issues which are raised when a user uses the services of cloud.
A discussion on GDPR and the upcoming Chinese cloud computing law could be added; a bit on data sovereignty, in the light of National Digital Communications Policy in India.[27] The introduction of technology-neutral laws seems to be the way to dealing with the unpredictability of technological developments and thus ensuring that the legislation is effective in reacting to such-unpredictable-developments over a reasonably long period of time. A “sunset clause” has not been introduced by the GDPR, which would provide by default that the regulation will expire after a certain time, unless it is extended. In particular, GDPR rules and standards, such as the notion of the data subject’s identity, are sufficiently versatile to accommodate future technological developments and provide permanent security. However, we should not ignore the risk that the vagueness that characterizes some terms and notions may over the years result in large divergences in interpretation of the law and – consequently- legal uncertainty[28].
The terms of the GDPR, Article 4a refers to the processing of personal data in connection with the activities of a controller institution in the Union, irrespective of whether the processing takes place within the Union itself. Extending the applicability to processors is also an innovation, providing a framework for separate processor-related obligations. Regardless of the location of the institution, the GDPR indicates that in the future, even non-EU-based controllers and processors will be subject to EU law rules and conditions, whether they carry out activities related to the delivery of goods or services to data subjects in the Union or to the monitoring of the behavior of data subjects insofar as their behavior takes place within the Union.
As far as “monitoring” is concerned, the European legislator sheds light on this notion by referring to “potential subsequent use of techniques for processing personal data consisting of profiling a natural person.” The GDPR does not apply if, during a purely personal or household operation, the data processing is carried out by a natural person. The underlying reason for this exception is that there would be perceived as unjustified and excessive an intrusion of the law into the “private sphere and space,” in practice into the daily activities of individuals.
Laws for Protection of Data in India:
In context of Privacy:
Privacy is key issue in relation to cloud computing. The Constitution of India does not directly provide privacy as a fundamental right. But the Hon’ble Supreme Court of India has derived, that right to privacy is a fundamental right, from rights which are enumerated in Article 19(1)(a)[29] and Article 21[30] of The Constitution of India.
Recently, in the case of Justice K.S Puttaswamy and Anr. V. Union of India,[31] it was said by SC that right to privacy is constitutional core of human dignity which emerges primarily from right to life and personal liberty provided in article 21 of the Constitution of India. The same has also been upheld by SC in other cases, but this right to privacy is in context of government, there is no law which says that a person has right to privacy with respect of other person or citizen and no person could violate a person’s privacy. The Information Technology laws with respect to privacy are not developed till this context yet.
Existing laws for data protection:
Under the Indian Telegraph Act, 1885 telegraph includes “any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual or other electromagnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means”.[32] The same could be used to construct the definition of cloud, as the cloud is a means by which a person is able to send and receive data which is operated through a closed network.[33] While in this Act, privacy is recognized as a right, but the government has the power[34] to intercept the communication in matters relating to national security.[35]
The Information Technology Act, 2000 explicitly provides the penalties for the breach of data and privacy of private individuals in the domain of computers and technology. This Act focuses on cyber crime and e-commerce in general but data protection and data privacy are covered under it. Ss. 43, 65, 66 and 72 specifically provides the rules for data protection.
Section 43 of the Act deals with the civil liability in case of harm to computer, computer system, data protection and data tampering while section 66[36] deals with criminal liability. Section 72 provides a fine of one lakh rupees and two years imprisonment, in case of breach of privacy and confidentiality of an individual’s material.[37]
With the enactment of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules 2011, the scope of Section 43A is increased, as it provides the way to regulate the disclosure, collection and transfer of private information,[38] wherein the rules has defined Sensitive and Personal information.
Further, IT Privacy Rules, 2011 provides that the body corporate that a person acting on behalf of corporate entity or any corporate entity, which is collecting sensitive and personal information has to obtain written consent of that individual.[39] And that the information could only be revealed to a third party only by the prior approval of the individual.[40] Section 8 of the act provides “Reasonable Security Practices and Procedures” which are considered to be satisfied “a body corporate has implemented security practices and standards which has to be comprehensively documented information security programmes and policies that are commensurate with the information assets being protected.”[41]
Information Technology Act, 2000 has provided when conditions under which an intermediary could be held liable. An intermediary would not be held liable, if it could be proved that it has not originated the information, has target the audience or has altered the information and is merely transmitting the information. Further is, there is any violation of data and it has informed to the intermediary, it has to take down the information and if it fails to take down the information or has abetted, aided or conspired for the commission of an unlawful act the intermediary could be held liable.[42] Also, Information Technology (Intermediaries guidelines) Rules, 2011 has also been notified by the government regarding the due diligence while discharging the duty. The principles have ever been taken into consideration by various forums in Indian judiciary for the sake of placing the liability for any contingent factors. Embracing the limits of S.79 of the Informationa Technology Act, 2000 it has now been adduced that; the intermediaries are liable for any no feasible elements wherein the, there has been a loss occurred to any person or entity which is an outcome of the indulgence of the intermediary by any chance.
The issue of jurisdiction is also an issue under cloud computing, as because of the involvement of multiple countries, the laws of multiple countries would be in conflict in case of any issue. According to Code of Civil Procedure, there could be two places where a case could be initiated, on at the place of residence of defendant another where the cause of action arises.[43] But this does not define that how the same would be applied in case of cyber crimes, where there is no physical place of crime. In India, if any act is committed is in contravention of Information Technology Act, 2000 by a person which is not a resident of India but involves a computer, computer system, computer network located in India the act is applicable on that person[44] The government of India has recently introduced Personal Data Protection Bill, which also will not regulate entities outside India that process information of Indian citizens outside India, as the Committee felt this will encroach on the jurisdiction of other States.[45]
Reflections:
There is a large scope for development in the laws relating to technology in India, by which data protection laws could be made more secure and reliable. In a recent judgement[46] the United States Supreme Court has observed that;
“A [service provider] shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States”.[47]
The matter came out of a question that has arose before the court of the second circuit; where the question was asked for having access to the stored e-mail contents of one accused; who happened to have alleged in the offence of drug dealings. Wherein, the magistrate issues an 2703 warrant asking the Microsoft corporation to disclose to the government the contents of a specified e-mail account and all other information related to the account concerned. To reply this warrant of the court, Microsoft was of the reply that; the content that have been sought by the court is stored at the servers placed in Dublin, Ireland and not is under possession, custody or control of the company for the time being.
Thus, discussing the relevant provisions of the The Clarifying Lawful Overseas Use of Data Act, 2018; the court made express opinion that; being a service provider it is the responsibility of the service provider to make such facilitation of data when necessitates by the adjudication machinery[48]. But, mapping this analogy of the court of second circuit of United States to that of Indian circumstance; it is highly unanswered under the IT Act, 2000. The responsibility of intermediaries even though settled in India for the time being, it is highly improbable for obtaining the relevant data from the cloud in lieu of the existing contractual agreement that subsist between the service provider and the customer. Further, the decision of the Indian Supreme Court in Justice K S Puttuswamy plays a predominant role while making respect to privacy a concern of the state being part of the fundamental right regime.
Therefore, in lieu of the prevailing circumstances and ambiguity for the regulation of the clouds under the existing legislative domain, the following concerns may be looked into i.e.
- Imposing strict liability on Service Provider’s: The laws regulating information although governs how should be information be taken form an individual, ways to keep it, transmit it or provide the same to third party. But more strict liability should be imposed in case of breach of any law be the service provider. Also, more strict standards should be imposed on the service provider while taking the information and securing it.
- Agreements: The agreements under which the usually agrees to avail the service of service provider is generally a standard form of contract, in which the user has to agree to the terms and conditions of the service provider and does not have any bargaining power. The user’s should be provided with some kind of bargaining power, under which they could regulate the terms and conditions or the agreements should have some consideration for user and not be always be service provider friendly.
- Awareness: There should be awareness among the people regarding the use of cloud and how to make their data secure in the cloud. Because of the sudden rise in technology, there should be awareness among the people regarding the security of their data and ways to keep the data safe. The user should also read the terms and conditions of the service provider before agreeing to avail the services of the service provider.
- Amendment in laws: The laws should be amended in order to regulate the data available on virtual world. All the previous laws should be amended in light of the recent advancement of technology. The jurisdiction in case of crime in virtual world should be made clear, as there are no clear laws regarding to the jurisdiction. Also, the current IT laws should be amended on order to make more consumers friendly and to make more penal liabilities on service provider.
Conclusion:
With the development of technology the status of ‘data’ is continuously changing and because of Cloud Computing, ‘data’ is gradually becoming a subject of “property, economic and privacy” rights for every individual, for which steps should be takes to protect the data not only in technological world but also in legal society. Because of the advantages provided through cloud computing, many individuals are shifting their data and valuable information in virtual world. For this the appropriate steps should be taken by government and technology industry to make the information secure, and to punish the individual in case of trespassing on data.
The concept of privacy differs from one country to another country, but technology affects in same manner to every individual irrespective of country. In India, there is no such explicit enumeration of ‘privacy’ as a concept under any of the legislative frameworks, however it has been derived by judicial decisions in different cases and has finally been stated that the same is enshrined under Article 21 of The Constitution of India, under the head of right to life and personal liberty and is thus being recognized as a fundamental right creating an onus on the state to protect and preserve the same. As the dissemination of Data is not restricted to one country, the difference of privacy laws in different countries may affect in the entire process and therefore, in the era of technology, there is requirement of standard form of laws relating to privacy.
Further, the laws which are enacted in India does not consider technological advancements and needs to be amended in that context, the Code of Civil Procedure which deals with the jurisdiction of a case does not consider cyber crimes, in case the data of a person is tampered with, the Code of Civil Procedure requires a physical place of occurrence while it is difficult to ascertain the physical place of occurrence in data tampering which happens on a cyber space and even if the place is ascertained it need not be in every case that the place ascertained has any connection to the crime committed. The Information Technology laws of India, does not deals with every aspect of data protection because of which they needs to be updated too, and also more strict liability should be fixed on service provider or having security measures.
This Article has been written by Dr. Bishwa Kallyan Dash working as an Assistant Professor of Law at Institute of Law, Nirma University Ahmedabad.
References:
[1] Karim Djemame, Benno Barnitzke, Marcelo Corrales, Mariam Kiran, Ming Jiang,Django Armstrong, Nikolaus Forgó and Iheanyi Nwankwo, Legal issues in clouds: towards a risk inventory, Philosophical Transactions: Mathematical, Physical and Engineering Sciences, Vol.371, No. 1983, e-Science-towards the cloud: infrastructures, applications and research (28 January 2013), pp. 1-17.
[2] Arockiam, Parthasarathy and Monikandan, Privacy in Cloud Computing: A Survey, Stable URL: http://airccj.org/CSCP/vol2/csit2331.pdf, (last accessed 03 October , 2018 at 09:14 hours IST).
[3] C.T. Ungureanu, Cloud Computing Contract: Competent Authority for Disputes Resolution, 2015 Conf. Int’l Dr. 298, 305 (2015).
[4] Supra Note 3
[5] J. Gibson et.al., Benefits and Challenges of Three Cloud Computing Service Models, Fourth International Conference on Computational Aspects of Social Networks (CASoN), pp. 198-205.
[6] Nishit Desai Associates, Cloud Computing Risks/ChallengesLegal & Tax Issues, Stable Url http://www.nishithdesai.com/fileadmin/user_upload/pdfs/Cloud_Computing.pdf, (last accessed October 08, 2018 at 07: 00 hours IST)
[7] Rabi Prasad Padhy, Manas Ranjan Patra and Suresh Chandra Satapathy, Cloud Computing: Security Issues and Research Challenges, IRACST – International Journal of Computer Science and Information Technology & Security (IJCSITS) Vol. 1, No. 2, December 2011, Stable Url: http://www.ijcsits.org/papers/Vol1no22011/13vol1no2.pdf, (last accessed October 10, 2018 at 08:40 hours IST).
[8] Ibid
[9] Ibid
[10] Aparna Viswanathan, Cyber Law Indian and International perspectives, First Edition 2012.
[11] Ibid.
[12] Chetan M Bulla, Satish S Bhojannavar and Vishal M Danawade, Cloud Computing: Research Activities and Challenges, Stable URL: http://www.ijettcs.org/Volume2Issue5/IJETTCS-2013-10-25-081.pdf, (last accessed October 10, 2018 at 14:33 hours IST).
[13] Ibid.
[14] [14] The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation’s oldest physical science laboratories- https://www.nist.gov/about-nist ((last accessed October 07, 2018 at 10:11 hours IST).
[15] Available at “ISO/IEC 17788:2014,” ISO at http://www.iso.org/iso/catalogue_detail?csnumber=60544 (last accessed October 10, 2018 at 00:24 hours IST).
[16] Peter Mell and Timothy Grance, The NIST Definition of Cloud Computing, Recommendations of the National Institute of Standards and Technology, Special Publication 800-145, Stable Url: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf , ((last accessed October 08, 2018 at 13:04 hours IST).
[17] See Sharon K. Sandeen, Lost in the Cloud: Information Flows and the Implications of Cloud Computing for Trade Secret Protection, 19 VA. J.L. & TECH. 1, 5–6 (2014)
[18] Ibid.
[19] Ray Rafaels, Cloud Computing: From Beginning To End 12 (2015).
[20] Lee Badger, Tim Grance, Robert Patt-Corner and Jeff Voas, Cloud Computing Synopsis and Recommendations, Recommendations of the National Institute of Standards and Technology, Stable URL: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-146.pdf, (last accessed October 09, 2018 at 11:12 hours IST).
[21] Ibid
[22] Supra Note 5
[23] Reserve Bank of India Privacy Policy, Available at : https://www.rbi.org.in/Scripts/PrivacyPolicy.aspx
[24] Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks Stable Url: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/73713.pdf, (last accessed October 08, 2018 at 10:22 hours IST).
[25] Supra Note 2.
[26] Marlon Graf, Jakub Hlávka and Bonnie Triezenberg, A Change is in the Air Emerging Challenges for the Cloud Computing Industry, Stable URL: https://www.rand.org/content/dam/rand/pubs/working_papers/WR1100/WR1144/RAND_WR1144.pdf, (last accessed October 10, 2018 at 15:25 hours IST).
[27]Available at: https://www.vikaspedia.in/e-governance/digital-india/national-digital-communications-policy-2018
[28] Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety A Theory of Data-Breach Harms, 96 TEX. L. REV. 737, 741 (2018)
[29] Article 19(1)(a), The Constitution of India: Right to freedom of speech and expression.
[30] Article 21, The Constitution of India: Protection of life and personal liberty.
[31] 2017 SCC Online SC 762.
[32] Section 3 (1) (AA) Indian Telegraph Act, 1885
[33]Consultation Paper on Cloud Computing, Stable Url http://www.trai.gov.in/sites/default/files/Cloud_Computing_Consultation_paper_10_june_2016.pdf
[34] Section 5 of the Telegraph Act, 1885
[35] Reeta Sony A. L, Prof Sri Krishna Deva Rao, Bhukya Devi Prasad, Implications of cloud computing for personal data protection and privacy in the era of the Cloud: An Indian perspective, Stable URl https://www.researchgate.net/profile/Reeta_Sony/publication/262049549_Implications_of_cloud_computing_for_personal_data_protection_and_privacy_in_the_era_of_the_Cloud_An_Indian_perspective/links/0f31753b28664618d9000000/Implications-of-cloud-computing-for-personal-data-protection-and-privacy-in-the-era-of-the-Cloud-An-Indian-perspective.pdf, (last accessed October 10, 2018 at 16:30 hours IST).
[36] Section 66. Computer related offences.–If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.
[37] Section 72. Penalty for Breach of confidentiality and privacy.–Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
[38] Supra Note 22.
[39] Rule 5, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules 2011.
[40] Rule 6 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules 2011.
[41] Supra Note 22
[42] Section 79 of Information Technology Act, 2000.
[43] Supra Note 22.
[44] Section 75 of Information Technology Act, 2000.
[45] Paragraph A, Chapter 2, Pg. 15 of The report issued by the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna on Personal Data Protection.
[46] United States v. Microsoft Corporation, 584 U. S. (2018).
[47] S. 103(a)(1), CLOUD ACT, 2018.
[48] United States vs. Microsoft; Available at: https://epic.org/amicus/ecpa/microsoft/, Last Accessed on 28.02.2020.