JO U R N A L O F

INTERNET LAW
EDITED BY DLA PIPER

VOLUME 15 NUMBER 4

O C TO B E R 2 0 1 1

Regulation of the Cloud in India

By Patrick S. Ryan, Ronak Merchant, and Sarah Falvey

t is popular to make claims that the new movement of data to the cloud requires heightened attention from lawmakers and regulators. These calls for attention are based on beliefs that people are entrusting their information to third parties in ways that were never previously contemplated, and that new laws must be enacted in order to protect everyones privacy. The theory is often stated this way: without swift action, cloud computing will result in significant privacy breaches that will harm consumers. While it is reasonable for regulators to be wary of the increased reliance on third parties as the world becomes more digital, it is a mistake for regulators to assume that cloud computing (and its privacy and security challenges) are new. It also is a mistake to assume that cloud computing is inherently less secure than data stored on individual computers. In fact, cloud computing has been the aspiration of leading thinkers since the 1950s, and the development of the cloud has taken a similarly

progressive path as the development of the Internet itself. It is risky to attempt to regulate the cloud separately as well as to assume that the cloud can be controlled in a different manner from the flow of data on the Internet. Because computation in the cloud is no different from use of the Internet itself, it is not readily feasible or practical to cage and confine data flows within the cloud in a way that is substantially different from the flow of worldwide information generally. For this reason, regulatory frameworks should not be sui generis or custom tailored for the cloud and, instead, should leverage or update existing laws that are already in place. This article proposes a regulatory model for the cloud and shows how this model can be applied to India. Continued on page 7
REGULATION OF THE CLOUD IN INDIA . . . . . . . . . 1 By Patrick S. Ryan, Ronak Merchant, and Sarah Falvey PROTECT IP ACT: ONE APPROACH TO DEALING WITH INTERNET PIRACY . . . . . . . . . . . .3 By Michelle Sherman VARIOUS COURT RULINGS ON INTERNET COMMERCE TAXATION. . . . . . . . . . . . . . . . . . . . . . . . . . 18 By James G. S. Yang

Patrick S. Ryan, PhD, is Policy Counsel, Open Internet at Google Inc. and Adjunct Professor in the Interdisciplinary Telecommunications Program at the University of Colorado at Boulder, CO. Ronak Merchant is a research assistant at the Interdisciplinary Telecommunications Program at the University of Colorado at Boulder, CO and holds a B.E. from the University of Mumbai, and an MS from the University of Colorado at Boulder. Sarah Falvey is Senior Policy Analyst at Google Inc, and holds a BA from Hamilton College and an MA in International Relations and an MPA from Syracuse University. The authors are grateful for comments and input to earlier versions of this draft from Venkatesh Hariharan, Raman Jit Singh Chima, Pradeep Agarwal, and Nicklas Lundblad.

Electronic copy available at: http://ssrn.com/abstract=1941494

JO U R N A L O F

Internet Law
EDITORIAL BOARD Constance Bagley Associate Professor of Business Administration, Harvard Business School Robert G. Ballen Schwartz & Ballen Washington, DC Ian C. Ballon Greenberg Traurig, LLP Santa Monica Henry V. Barry Wilson, Sonsini, Goodrich & Rosati Palo Alto, CA Jon A. Baumgarten Proskauer Rose Washington, DC Michel Bjot Bernard, Hertz & Bjot Paris, France Stephen J. Davidson Leonard, Street and Deinard Minneapolis, MN G. Gervaise Davis III Davis & Schroeder, P.C. Monterey, CA Edmund Fish General Counsel Intertrust, Sunnyvale, CA Prof. Michael Geist U. of Ottawa Law School Goodman Phillips & Vineberg, Toronto, CA Morton David Goldberg Schwab Goldberg Price & Dannay New York, NY Allen R. Grogan General Counsel, Viacore, Inc. Orange, CA Prof. Trotter Hardy School of Law The College of William & Mary Peter Harter Security, Inc. Mountain View, CA David L. Hayes Fenwick & West LLP Palo Alto, CA Ronald S. Katz Manatt, Phelps & Phillips Palo Alto, CA Ronald S. Laurie Skadden, Arps, Slate, Meagher & Flom, LLP Palo Alto, CA Jeffrey S. Linder Wiley, Rein & Fielding Washington, DC Charles R. Merrill McCarter & English Newark, NJ Christopher Millard Clifford Chance London, England Prof. Ray T. Nimmer Univ. of Houston Law Center Lee Patch General Counsel Sun Microsystems JavaSoft Division Mountain View, CA Hilary Pearson Bird & Bird London, England MaryBeth Peters U.S. Register of Copyrights Washington, DC David Phillips CEO, iCrunch Ltd. London, England Michael Pollack General Counsel Elektra Entertainment New York, NY Thomas Raab Wessing Berenberg-Gossler Zimmerman Lange Munich, Germany Lewis Rose Collier Shannon Scott PLLC Washington, D.C. Judith M. Saffer Asst. General Counsel Broadcast Music, Inc. New York, NY Prof. Pamela Samuelson Boalt Hall School of Law University of California at Berkeley William Schwartz Morrison & Foerster San Francisco, CA Eric J. Sinrod Duane, Morris & Hecksher LLP San Francisco, CA Katherine C. Spelman Steinhart & Falconer, LLP San Francisco, CA William A. Tanenbaum Kaye, Scholer, Fierman, Hays & Handler, LLP New York, NY Richard D. Thompson Bloom, Hergott, Cook, Diemer & Klein, LLP Beverly Hills, CA Roszel Thomsen, II Thomsen and Burke, LLP Washington, D.C. Dick C.J.A. van Engelen Stibbe Simont Monahan Duhot New York, NY Colette Vogele Microsoft Corp. Redmond, WA Joel R. Wolfson Assoc. General Counsel Blank Rome Comisky & McCauley LLP Washington, DC

Copyright 2011 CCH Incorporated. All rights reserved.

BOARD OF EDITORS Founder David B. Rockower Editor-in-Chief Mark F. Radcliffe DLA Piper Palo Alto, CA Executive Managing Editor Robert V. Hale Executive Editor Maureen S. Dorney DLA Piper Associate Editors Gigi Cheah Elizabeth Eisner Ann Ford Thomas M. French Vicky Lee Peter Leal Jim Nelson Scott Pink Allyn Taylor Vincent Sanchez Patrick Van Eecke Jim Vickery DLA Piper Thomas Jansen Nils Arne Gronlie Kit Burden Mark O' Connor Hajime Iwaki Mark Crichard Director, Newsletters Susan Gruesser Managing Editor Jayne K. Lease EDITORIAL OFFICES 400 Hamilton Avenue Palo Alto, CA 94301 (650) 328-6561 76 Ninth Avenue New York, NY 10011 (212) 771-0600

JOURNAL OF INTERNET LAW (ISSN# 1094-2904) is published monthly by Aspen Publishers, 76 Ninth Avenue, New York, NY 10011. Telephone: 212-771-0600. One year subscription (12 issues) price: $552. Single issue price: $55. To subscribe, call 1-800-638-8437. For customer service, call 1-800-234-1660. Purchasing reprints: For customized article reprints, please contact Wrights Media at 1- 877-652-5295 or go to the Wrights Media Web site at www.wrightsmedia.com Postmaster: Send address changes to JOURNAL OF INTERNET LAW, Aspen Publishers, 7201 McKinney Circle, Frederick, MD 21704. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other professional assistance is required, the services of a competent professional person should be sought. From a Declaration of Principles jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations. The opinions expressed are for the purpose of fostering productive discussions of legal issues. In no event may these opinions be attributed to the authors firms or clients or to DLA Piper Rudnick, Gray Cary or its attorneys or clients.

Electronic copy available at: http://ssrn.com/abstract=1941494

October

2011

J O U R N A L O F I N T E R N E T L AW

Regulation of the Cloud in India Continued from page 1 G R O S C H S L AW The development of cloud computing is as old as computing itself.1 For nearly two decades, this theory was enshrined and endowed with the character of a law of nature in a concept known as Groschs Law. Herbert Grosch developed this law more than 60 years ago based on an assumption that computing increased by the square of its cost.2 Grosch expressed his theory as follows: I believe that there is a fundamental rulegiving added economy only as the square root of the increase in speedthat is to do a calculation ten times as cheaply you must do it one hundred times as fast.3 This argument has been interpreted to mean that the natural technological evolution would lead to supercomputing as a norm and, essentially, that migration to centralized computing would happen because of the need to leverage economies of scale coupled with the need to invest in massive data processing centers. As with any good thinker who is ahead of his time, Mr. Grosch was partially wrong, and partially right. His law held rein for nearly three decades.4 Those that claim that Grosch was wrong called for the repeal of Groschs Law as other more accurate cost models came to light. Indeed, while Groschs cost model was wrong (now replaced by Moores Law),5 his theory of supercomputing with dumb terminals, essentially, is the root of cloud computing. While Grosch was wrong about the cost model of cloud computing, he was correct in his assumption that significant economies of scale and efficiencies could be achieved by relying on massive, centralized data centers rather than an over-reliance on storage in end units. Groschs observations highlight that the debate around the theories of cloud computing have been taking place for more than 50 years. Indeed, the worlds leading thinkers within the area of cloud computing are just as old as the theories of computing themselves. So, while governments will always be faced with new issues and challenges, it is important that when contemplating any regulatory framework to step back and examine how the specific technology has evolved in relation to other industries.

THE MINITEL The Minitel was designed in the 1970s and allowed the public in France to use their telephone network to access a number of interactive databases.6 Because the Minitel was a pay for use cloud-based system, it enabled France to be wired much earlier than the rest of the world. The terminals were inexpensive to manufacture and maintain and so consumers shared these costs among themselves and therefore were given to consumers for little or no capital expense.7 It is one of the first examples of mass deployments of cloud services (also called utility computing, in this case because of its link to France Telecomthe telephone utility.) Although the Minitel largely has been replaced by the Internet, a number of dumb Minitel terminals are still available for installation and use in France.8 As late as 1995, there was considerable debate as to whether the Internet (a decentralized cloud-based system) or the Minitel (a centralized, government-controlled cloud) would prevail.9 Thus, for the past 30 years, the French consumer has been involved in significant use of cloud services that included bank transactions, chat fora, interactive databases, and broad exchanges of information in large data centers.10 The French adoption of the Minitel is illustrative for modern cloud-computing, because rather than passing new laws to control or contain the type of information that was exchanged on the Minitel cloud, the French chose to leverage existing laws. For example, the French had laws and codes that governed publications in the press and certain audio-visual communications, and the cases that dealt with civil and criminal liability issues within the Minitel cloud relied on these rules to ensure consumer protection while at the same time allowing the service to flourish.11 Naturally, there were some hiccups when the exchange of certain kinds of information became controversial, because the unanticipated killer app for the Minitel was erotic chats (which made the government uncomfortable as the systems sponsor).12 However, like modern cloud computing, the Minitel cloud brought tremendous value to the French economy due to the ability for small and medium-sized businesses to exchange information, and to provide offers, directions, and other details. The Minitel was widely adopted and used, and there was no accompanying 7

J O U R N A L O F I N T E R N E T L AW

October

2011

set of cloud-based regulations that accompanied that use. T H E C L O U D I S E V E RY W H E R E Governments, users, and regulators often think of cloud computing in a very narrow way. Literature and papers on cloud often go to great lengths to describe, segregate, and compartmentalize the three relatively abstract concepts of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) that make up the cannon of cloud computing offerings. While these concepts once served the purpose of providing a framework for thought, the cloud computing space is too dynamic to divide into three neat categories. Computer programmers and entrepreneurs have turned the cloud into a vast offering of very real products, often integrating unique and novel combinations of IaaS, PaaS, SaaS along with other categories not yet defined. Most services that businesses and consumers use cut across all categories to some extent, thus making these distinctions essentially irrelevant. As the Software & Information Industry Association has recently described in its White Paper for Policymakers (SIIA Cloud White Paper), because of these varying models and platforms, and contrary to the common term, cloud computing resists practical definition for common treatment by law and regulation. Simply stated, cloud computing is not a single, unitary thing. There is no the cloud.13 So, while the concept of the cloud has been blurred with the Internet for some time (arguably long before the concept of the Internet even existed), the term is still used because it is entrenched in the common of the technology. Yet, it is worth exploring the various manifestations of offerings to show how widespread the adoption has been. For purposes of elucidation, it is useful to provide a brief illustrative survey of cloud offerings in order to illustrate width and depth of the ecosystem in the discussions below. CLOUD EMAIL There are thousandsif not millionsof companies that provide separately branded cloudbased email services. There is currently a very low 8

barrier-to-entry for this market because web-based email is now available as an open-source platform, which means that the core software to run an enterprise-class Web-mail server can be obtained for no cost.14 All a company needs to do is to purchase a simple Linux computer and an Internet connectionand that company is now a cloud-based email provider. Still, there are economies of scope that can apply to large email hosting companies, and this is why several global providers are popular, including Gmail, Hotmail, Lycos Mail, AOL, Rediff Mail, etc. While it is of course still possible for companies and consumers to place their email on their laptops or desktops, today this is often done as a complement to the storage of the same email in the cloud. With so many offerings available, users can sign up for multiple email accounts from any email service around the world. Therefore regulations (such as those in Europe) that require data be stored within certain geographical boundaries are not practically enforceable.15 For example, even if a large cloud-based email provider, such as Hotmail, Gmail, or AOL, were to comply by hosting some of its servers in a given country, there is simply no way to impose such a requirement on the thousands of other cloud-based email providers. In other words, there is no effective way to require, across-the-board, that all the worlds cloud services store their data in any given country; that is not the way that the architecture of the Internet was developed, and it is not the way that email and other cloud-based services work. CLOUD-BASED BUSINESS AND PERSONAL ORGANIZATIONAL TOOLS Thousands of cloud-based opportunities are available in order to help individuals and businesses aggregate their use of the Web, to make business plans, to make vacation plans, parties, weddings, and such. For example, the small-business collaborative suite, 37Signals,16 offers project-management software, contacts, sharing, and real-time collaboration tools for small businesses. The methodology that 37Signals employs (espousing cloud-based tools to empower businesses) has lead to two best-selling business books, Getting Real and ReWork.17 Similarly, Evernote is a service that allows users to capture anything, remember everything, and access anywhere.18 This service aggregates information from

October

2011

J O U R N A L O F I N T E R N E T L AW

users and businesses, including photos, plane tickets, notes, research, and other materials, all on Evernotes servers. One of the best known invitation-services, Evite, allows people to plan parties, weddings, social gatherings of all kinds, and boasts more than 25,000 invitations sent each hour.19 One of the most popular travel/organization tools is Tripit, which helps travelers organize and track travel.20 Finally, there are several more excellent cloud-based collaboration suites that offer the opportunity for companies to share their most important data with each other and with customers, such as Huddle, with virtual opportunities for file sharing, discussion boards, work spaces and other collaborative tools.21 If it appears that the lines are blurred between cloud-based services as those described above and the Internet itselfthats because there are no lines! The Web 2.0 services that empower people to compute from any device, anywhere, and to interact with any business and with each other bring tremendous value to businesses and individuals.22 SOCIAL NETWORKING, PHOTOS, AND STORAGE Social networking is big business. Recent market valuations of the well-known site Facebook have cited the value of the upcoming IPO as high as $100 Billion.23 The rationale for this valuation is not just based on consumer usage its the vast amount of information contained within the Facebook cloudand the value that businesses and users place on it. Additionally, through services such as Yelp, users and businesses collaborate in the cloud to rate and share information on businesses. The most valuable family photos are no longer stored away in an album or shoe box, they are in the cloud, stored on sites such as Picasa, Flickr, Apples iCloud, Snapfish and many other locations. In addition to the value-added services, there are a number of services that offer hard-drive replacement in the cloud, for example, Dropbox, JungleDisk, Amazon S3, Egnyte, and many others. BANKING AND MONEY MANAGEMENT Most banking happens in the cloud. Almost all banks offer users the opportunity to complete online payment transfers, pay bills, purchase and sell

stocks, and other activities, and in many cases, it has completely replaced the need to either visit a physical bank branch or to keep paper-based transactionsin many countries, there simply isnt a need to maintain paper banking records at all. Additionally, there are several suites of cloud-based services that help individuals and businesses manage their money, in a trend that has been called Banking 2.0. Cloud-based banking products include Quicken, Mint, Wesabe, Geezeo, Expensr, MoneyStrands, Xero, and others. Many of these suites either integrate data with or share data in some way with other cloud-based suites that can help with tax preparation and filing, such as TurboTax. In sum, the banking and financial ecosystem has completely moved to the cloud, such that individuals and businesses can practically maintain all of their recordsdaily transactions, financial planning, taxes, stock tradesall via the cloud. OFFICE SOFTWARE TOOLS Companies such as Google offer a broad base of business productivity tools and office-software replacements in the cloud. Google Apps, for example, is an enterprise-ready suite of applications that includes Gmail, Google Calendar (shared calendaring), Google Docs and Spreadsheets (online document hosting and collaboration), Google Sites (team site creation and publishing), and Google Video (easy, secure sharing of video content). These Web-based services can be securely accessed from any browser, work on mobile devices such as BlackBerry and iPhone, and integrate with other popular email systems such as Microsoft Outlook, Apple Mail, and more. E-COMMERCE The cloud can enable businesses to set up a completely virtual business presence without the need for any infrastructure. Amazon and Ebay offer virtual storefronts that enable cloud-based presentation, advertising, search, and payment processing and delivery. Products such as Google Apps have powered companies such as OpenEntry, which offers free e-commerce catalogs (software, hosting, user support) to artisans and Small and Medium Enterprises (SMEs) worldwide that includes catalogs managed by Google spreadsheets, images stored on Picasa Web Albums and payments by Google Checkout.24 9

J O U R N A L O F I N T E R N E T L AW

October

2011

L E G I S L AT I V E A P P R OAC H Legislators and regulators have myriad concerns, ranging from desires to control the environment, often citing national security, consumer protection, and matters of privacy. However, as described previously, the cloud ecosystem is a complex one that features many new players and opportunities for the market. Any legislation should treat cloud computing as any other form of computing and not specifically regulate it based on the premise that cloud computing is something new or threatening. Some companies have worked actively to develop principles that would single out cloud computing as a unique area within broader Internet legislation. One example in the United States of potentially prescriptive legislation is the proposed Cloud Computing Act of 2011, which seeks to set specific security and privacy measures, definitions, and transparency mandates that would apply only to a cloud environment and not to other forms of computing. It also provides for patent and copyright protections that disproportionately benefit software-based products, which could impede competition in this area.25 For this reason, these authors support the increasing consensus from industry that existing legislation should be leveraged rather than enacting new, specific legislation that purports to cover the cloud.26 The problem with new legislation is that it tries to ascribe a one-size fits all approach to cloud and Internet regulation. This often leads to vendor lockin for large companies; in other words, legislation typically prescribes a type of technology (such as encryption) rather than a particular end (protection of data), resulting in favoring proprietary standards.27 Vendor lock-in quells competition and enables a system, for example, where government procurement contracts favor legacy software providers, and focuses efforts on developing or deploying at the standards level in order to disadvantage cloud services. In order to avoid these problems, cloud legislation should have the following characteristics: Technology Neutrality. Ensuring that any legislation remains technology neutral is essential to ensure the continued development of any burgeoning technology space or market and there are many examples of situations where a counter approach actually quells the evolution of the technological space. One striking example is the

adoption of important eBusiness applications in the United States which was greatly hampered in the European Union due to their desire to introduce technology-specific mandates, which caused the eSignatures market in Europe to flat line for close to a decade, while the U.S. market continued to grow and innovate. Interoperability. The interoperability of the Internet itself has allowed for its growth and evolution to be global and ubiquitous and cloud computing is no different. Interoperability, the ability to exchange and use information between cloud computing products and services, is necessary for the development of unfettered competition between vendors and unrestricted choice for users. This can only be achieved through the development and implementation of open standards. Data Portability. Legislation should not allow for the creation of private and/or isolated clouds where user data cannot be moved to another platform. Cloud computing services should make use of open standard protocols and formats such that users have unfettered access to their data and meta-data, thus ensuring portability, interoperability, and freedom from vendor lock-in. Cybersecurity Standards. Governments should embrace a global approach to cybersecruity that seeks international consensus on standards and that recognize that data can be protected and safe regardless of where it is located.

Additionally, legislation should avoid: Localization Requirements. Governments should avoid requirements for in-country servers. The genius of the Internet has always been its open infrastructure, which allows anyone with a connection to communicate with anyone else on the network. Measures that force Internet companies to choose between taking actions that harm the open web, or reducing the quality of their services, hurt users and risk creating multiple bifurcated Internets.28

I M P O RTA N C E O F T H E CLOUD FOR INDIA As one of the fastest growing economies in the world, India seems to be at the forefront of most

10

October

2011

J O U R N A L O F I N T E R N E T L AW

technological developments and cloud computing is no exception. Indian Enterprises have been faced with ebbs and flows in workflow for the past few years and this trend is expected to continue for the foreseeable future. For this reason, cloud computing has a particular advantage for a growing economy like India. First, it balances the ebbs and flows in the workflow without significant impacts to the companys bottom line. Second, the cloud allows an enterprise to focus on its core competencies by allowing the cloud provider to deal with all of the hassles involved with the development, maintenance, storage, and upgrades of business applications. For these reasons, experts predict that the cloud computing market in India will grow at a compound annual growth rate of 40 percent by 2014.29 The adoption rates of cloud computing technologies in India are fast, and are based on much of the good work that the Telecom Regulatory Authority of India (TRAI) has completed by promoting strong broadband policies.30 One recent article in Dataquest hailed cloud computing as one of the most significant and important areas for investment in India, citing a Gartner study that states that cloud computing will account for 5 percent of the total investments in India by 2015.31 ADOPTION OF CLOUD BY THE INDIAN PUBLIC SECTOR One of the striking features about cloud computing is that it presents benefits to every aspect of Indias economy including but not limited to SMEs, the education system (such as schools and universities), and the Government of India. Although there has been very limited adoption of the cloud technology in the Indian public sector, the trend is on the rise. The landscape is a competitive one and many companies are competing for the business. There are a few notable adoptions of cloud systems from various entities that are worth mentioning. State of Jammu & Kashmir The State Government of Jammu & Kashmir has adopted cloud computing for its e-governance services.32 These services include cloud based ration cards, birth/death certificates, and recruitment services for citizens. In order to roll out these services, the spare infrastructure from the data centers in Madhya Pradesh was used. The use of this cloud computing

model allowed the Government to actually implement these services in the extremely small time frame of just 60 days. In addition, there were practically zero initial costs incurred. Implementations such as the one in Jammu and Kashmir are indicative of adoptions in the future. The Government of India estimates that the use of the private cloud model by two or more states could result in savings of up to 50 percent in the 1,378 crore rupees allocated for state data center projects. Indian Youth Congress The Indian Youth Congress (IYC) is the official youth wing of the Indian National Congress and one of the largest youth organizations in the world. After evaluating a number of solutions for email and collaboration, IYC opted to move its more than 28,000 elected officials and volunteers to Google Apps for Business.33 The IYC plans to use this service to replace customized messaging solutions in its 300 locations across the country. Going forward the organization will integrate its existing proprietary applications with Google Apps along with using it for routine reporting and communication.34 The collaborative capabilities of Google Apps will help IYC deliver on its mission of transparent and democratic participation and empower its members to work for local development in India using technology. Delhi Public School One of oldest schools in the country, the Delhi Public School has over five thousand students and three hundred staff members, and the cost of deploying a school wide messaging solution seemed to be a distant goal.35 However, this was accomplished when the school started using Microsofts Live@edu service. The use of this cloud service has not only enabled easier and faster intra-school communication but also improved parent teacher interaction. Broadcasting Another example of the use of cloud computing in India is by UTV Software Communications, a broadcasting company in India that combines television and game content.36 In January, 2010, UTV signed a five year deal with IBM wherein IBM would provide various business transformation initiatives to UTV, a major part of which was the iNotes cloud email service. 11

J O U R N A L O F I N T E R N E T L AW

October

2011

A compelling explanation for why cloud based services are a boon for the public sector in India is that it is a pay as you use model.37 It also is advantageous for organizations, governments, and companies with multiple locations to use cloud based services as employees can then operate from the main office, any remote offices, or even their homes. Additionally, as noted above, the ecosystem is both wide and deep: there are many different providers of cloud-based services, thus offering the public sector opportunities to put proposals out for competitive bids in order to obtain the best value for taxpayers. ADOPTION OF CLOUD BY SMES SMEs play a very important role in developing the overall industrial economy of a country. The Fourth Census of the SME Sector indicates that this sector employs 59.7 million persons over 26.1 million enterprises. SMEs contribute towards 45 percent of the manufacturing output and 40 percent of the total export of the country.38 SMEs in India are now using online portals such as eBay and Amazon to sell their products domestically and abroad.39 One of the chief reasons that SMEs look at e-commerce offerings through such portals is because of business convenience. According to the 2009 eBay census guide, which was designed to shed light on the online selling and buying behavior in India, the eBay platform enables product availability to anywhere. These online platforms have allowed Indian SMEs to tap International customers in an extremely convenient, cost-effective, and profitable way. For example, craftsmen in Ludhiana regularly export golf clubs to international eBayers in the United States, Germany, and France. SMEs are one of the most aggressive segments in India to adopt cloud computing.40 SMEs IT requirements are oftentimes not as complicated and extensive as those of large enterprises, meaning that they are more flexible enhancing their ability to leverage emerging technologies more readily than larger enterprises. Because of this, SMEs usually find it easier to outsource these functions to a cloud provider and focus on their core business. The low barrier to entry, minimum risk, lower capital expenditure on hardware and software make cloud computing an extremely viable option for most SMEs. 12

ADOPTION OF CLOUD BY LARGE COMPANIES Sterlite Technologies is a leading global provider of transmission solutions for the power and telecom industries. Sterlite is not an SME rather it is quite large and is one of three global manufacturers of power conductors and among the top five global manufacturers of optical fiber and cables.41 Sterlite decided to move to a cloud service because manageability and cost value for an on premise messaging solution were a major concern. They had been using a non-cloud, on-premise solution for the majority of their employees. Sterilite moved more than 1000 employees to the Google cloud solution. There are many other large companies that have moved to Googles cloud, including several well-recognized names.42 The Indian call center market is another industry segment that has benefited from the use of cloudbased services.43 Such a model provides numerous advantages, such as low personnel costs, facilitation of teleworking for the local call center staff, and the handling of email, instant messaging, and fax queries using the same portal. With the development of India as the call center hub for some of the biggest US and European companies, cloud computing and its applications such as VoIP have a key role to play in this market. OTHER CLOUD EXAMPLES The cloud is ubiquitous and is not just limited to office-based applications or remote storage. A brief review of three applications of cloud computing outside of the office/productivity context will give a better understanding of how the regulatory framework in India has previously worked for cloud computing. These applications have become, or are in the process of becoming, integral ways to do business and communicate in India. These are Automated Teller Machines (ATMs), Credit Cards, and Voice over Internet Protocol (VoIP) telephony. To be clear, the cloud is not 100 percent safe. However, no industry, business, or person is completely safe from crime. A review of a few short cases in India in related contexts that involve cybercrime show that the investigative and judicial system has been quite effective at prosecuting criminals without the need for new laws.

October

2011

J O U R N A L O F I N T E R N E T L AW

Automated Teller Machines ATMs are an early version of cloud computing, and they enable people to withdraw money from banks without going to the bank (i.e., from the cloud). ATMs are miniature computers that connect to the cloud either by a dial-up connection or by a broadband connection. The first ATM was launched in India in 1987 by HSBC Bank.44 ATMs make banking much more convenient as consumers are no longer forced to deal with banks that are close to them. Banks, in turn can save on capital expenditure as they can just set up ATMs at convenient banking locations instead of opening new branches. Add to this the security of withdrawing money from accounts anytime and anywhere. Thus, for more than two decades, cloud computing in the form of ATMs has been part of the Indian economy. The following two cases of ATM theft indicate that no new regulations actually are needed for cloud computing crimes. The first case is that of an ATM robbery worth 7.3 lakh Indian Rupees in the state of Punjab.45 The three persons involved were the security guard and two of his friends. According to the Times of India, the Ludhiana Police arrested the three after close evaluation of the images from a CCTV installed inside the ATM. Not surprisingly, no new ATM law or cloud law was required, and instead, the thieves were found guilty under Section 407 of the Indian Penal Code.46 Similarly, in another ATM theft in the state of Chennai, which has been dubbed as one of the first major cybercrimes in India,47 was solved by the combined efforts of the Federal Bureau of Investigation (FBI) and the Central Bureau of Investigation (CBI). A Chennai based MBA graduate had used International contacts to develop 30 dummy cards that allowed him access to ATMs. The Chennai police believed that his arrest was the first step in solving the cybercrime ATM racket in Chennai.48 Again, the Indian police were able to make their arrests based on very old laws of theft; there was no need for any particular cloud-based legislation in order to solve these crimes. Credit Cards Credit cards are another form of cloud computing, and credit-card companies are, essentially, in the data transfer and information-sharing business. Credit card companies such as Visa, MasterCard, and American Express have allowed for convenient

business transactions within the Indian market.49 Credit cards rely on transnational data flows, like cloud computing, and have played a key role in the online shopping boom seen in India in the last decade. It also enables anytime, anywhere shopping and saves the consumer the hassles and security issues of carrying large amounts of cash. These advantages are reflected in statistics that indicate there were 18.3 million credit cards and 181.4 million debit cards in the Indian market in 20092010.50 Because of these distinct benefits, credit cards have an increased importance in the present Indian economy. Additionally, the Indian financial sector has aggressively moved to the cloud.51 Thus, the cloud is used both for the exchange of information between databases to enable the credit-based economy, and by leading financial institutions in India for their core services. Voice over Internet Protocol Voice over Internet Protocol (VoIP) is basically telephony over the Internet and because of the processing and switching required, via the cloud. It is an important way for Indians to keep in contact with loved ones in India and abroad, and has generally enabled the Indian outsourcing economy.52 This is especially true in Indian regions where high speed Internet connections are available. The use of cloud-based VoIP technology offers advantages of cost savings from avoiding long distance calls, ability to see each other, and the convenience of user-friendly Skype and Gmail portals. One reason for VoIPs astonishing uptake in India in the past decade is the affordable pricing. Anecdotally, loved ones can attest to the importance of using VoIP to keep in touch with their family while studying in foreign countries such as the United States and the United Kingdom. Like many other applications of cloud computing, VoIP has a hassle free process from setting up to actually using the service. The TRAI is one of the key players in the regulation of VoIP services and in assuring quality for Indian consumers. The TRAI has taken two major steps in the regulation of VoIP services. First, the TRAI issued a regulation on Quality of Service (QoS) for VOIP Based International Long Distance Service in 2002; setting values for QoS 13

J O U R N A L O F I N T E R N E T L AW

October

2011

parameters and a testing procedure.53 Secondly, it issued a set of recommendations for regulation of VoIP services in August, 2008.54 These recommendations included the development of a level playing field for Internet Service Providers (ISPs), governance of interconnection agreements between the ISPs and National Long Distance (NLD) carriers by the TRAI, numbering scheme for ISPs providing Internet Telephony services, emergency numbers, and interoperability between providers. The Department of Telecommunications found these recommendations to be helpful but on February 20, 2009, the Government delayed the decision on regulations for VoIP services in the country.55 Importantly, the regulations that were adopted by TRAI took vital steps to facilitate and promote the technology and its adoption rather than to impede it. PRIVACY AND THE CLOUD IN INDIA Every country in the world individualizes privacy concepts to match history and culture. India has taken a sophisticated view toward privacy and has adopted regulations that are meant to protect a set of resources and to prevent its misuse. The regulations are primarily aimed at discouraging people from being involved in such behavior. A majority of Indians believe that the concept of privacy is about their own personal space rather than information privacy or identity theft. Although there is no right specifically focused on personal data protection in India, there are several primary sources of Indian legislation that refer to this right for Indian citizens. The sources are: 1. Article 21Article 21 of the Indian Constitution is about the general Right to Privacy.56 This right covers the first generation of rights for Indian Citizens. The Information Technology Act of 2000 is based on a resolution that was adopted by the United Nations on January 30, 1997. This act is focused on e-commerce and cybercrime in general. Indian Contract ActThe Indian Contract Act basically deals with requiring Indian importers to pay a duty if they are unable to protect data coming in from other countries. The Credit Information Act of 2005, on the other hand,

3.

imposes duties on credit information companies and credit institutions for any unauthorized sharing of an individuals credit information with external sources. Information Technology Act of 2000The Information Technology Act of 2000 has explicitly stated penalties for the breach of data and privacy, at least in the domain of computers and cybercrime. For instance, a person gaining access to or downloading/changing information from a computer system without prior permission from the owner is subject to civil liability. Intentional tampering with a computer systems source code is punishable by up to three years imprisonment or a fine of up to two lakh rupees. The same penalty is applicable to anyone who is involved with hacking a computer system to cause wrongful loss of property.

2.

Four sections of the Information Technology Act specifically deal with penalties against breach and misuse of data in India. These are Sections 43, 65, 66, and 72. Section 43 protects the consumer from damages to the computer or the computer system. It foresees civil liability for actions including but not limited to unauthorized copying, extraction, database theft, and digital profiling. Section 65 protects consumers against the tampering of computer source documents. It is applicable to intentional actions such as concealing, destroying, or altering of computer source code and is punishable by either or combination of a fine of up to two lakh rupees and imprisonment of up to three years. Section 66, quoted in India as a data protection provision, deals with computer hacking and protects data users from intentional alteration/misuse of data on their computers diminishing the value of the data in the process. The penalty is the same as that for Section 65. Section 72 imposes a fine of one lakh rupees and an imprisonment term of up to two years for any breach of confidentiality and privacy of a persons material. To be clear, the existing regulatory framework does not offer complete protection from data breaches; however it is comprehensive enough to resolve a majority of the concerns in the Indian market. The introduction of new regulations does not show any distinct benefits. On the other hand, new regulations could pose definite and serious challenges for cloud

14

October

2011

J O U R N A L O F I N T E R N E T L AW

computing and the functioning of the Internet itself. It will not only slow down the adoption rate for cloud computing and prolong the time to gain its benefits but also give rise to a feeling of confusion and panic in the Indian economy. For these reasons, we suggest a three-pronged approach: (1) clarify the nature and scope of existing data protection rules; (2) promulgate rules that promote open standards, data portability, and market-based mechanisms like those promoted by the SIIA Cloud White Paper for policymakers;57 and (3) extend the smallest possible subset of these rules to the world of cloud computing and to utilize regulatory restraint so that the market may still develop. THE NEW INDIAN PRIVACY LAW The most recent development by the Indian Government with respect to data privacy came in June, 2011, when it passed the 2011 Information Technology Rules (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information). A key component of these rules was that any organization processing personal information in India requires written consent before undertaking certain activities and must implement reasonable security policies and procedures.58 These rules apply to organizations operating in India and are independent of whether the data originates in India or if it pertains to Indian citizens. It also enforces a disclosure obligation for privacy policies wherein an organization must clearly explain the purposes of processing the involved personal information. These laws make Internet Intermediaries responsible for harmful content on the Internet.59 The intention of the Indian Government is to enhance the data security and privacy in the country and it feels that this is a crucial step to promote offshoring in India.15 However, the actual nature of these rules does not completely solve the original purpose.60 The extensive requirements of the new rules are likely to increase the overhead of time, energy, and money to be spent by companies when offshoring to India. The new privacy law is very new, and ultimately, it will be important for its interpretation and enforcement to be measured so as to allay the fears that have already been expressed by many multinational businesses.61

R E C O M M E N DAT I O N S TO T H E T E L E C O M R E G U L ATO RY AU T H O R I T Y O F I N D I A The TRAI was created by the Telecom Regulatory Authority of India Act of 1997.62 Its mission is To ensure that the interests of consumers are protected and at the same time to nurture conditions for growth of telecommunications, broadcasting and cable services in a manner and at a pace which will enable India to play a leading role in the emerging global information society. One of the most important things that TRAI can do is to leverage the unique perspective that TRAI has on infrastructure. Indeed, it is telecom infrastructure that powers the cloud, and the continued growth of cloud services depends on ongoing investment in infrastructure so that the growth can continue.63 The role of the TRAI is centered on ISPs and their customers. Per the Telecom Regulatory Authority of India Act of 1997, some of its core functions include recommending the need and timing of a new ISP, forming the conditions of, granting, monitoring, revoking of licenses to ISPs, to facilitate competition between service providers, to monitor quality of service provided, quality of equipment used in the network and make appropriate recommendations, and to resolve disputes between ISPs or between an ISP and a customer. At the CII Content Summit, TRAI chief J. S. Sharma mentioned that there was definitely concern over sections of content present on the Internet and these would be carefully studied over the next few months. This article endorses the general opinion that cloud computing is very important for multiple sectors of the Indian economy including SMEs, educational institutions, and the government. It also respects the sentiment of the Indian Government of having some sort of regulatory oversight over cloud computing applications. Research indicates that there are many laws and regulations in India that sufficiently protect consumers from breach of data, from breach of contract, and from misuse of data. It recommends further clarification of existing regulation and its extension to cloud computing in a subtle way rather than developing an untested set of new regulations. Such an untested set of regulations would slow down the momentum of future cloud-services adoption, raise legal concerns over past decisions, and develop 15

J O U R N A L O F I N T E R N E T L AW

October

2011

a negative sentiment in the minds of the Indian people towards this new, yet wonderful technology. We highly recommend future research in this regard but strongly believe that minimum regulation is the primary factor to preserve the growth and innovation of cloud computing in India. In the second largest democracy in the world, it is imperative that the free flow of information be preserved. N OT E S
1. In 1944, the first large-scale automatic digital computer began operation. Built by IBM and Harvard professor Howard Aiken, the Mark I was 55 feet long and eight feet high. The World Almanac and Book of Facts (Ken Park ed., 2002). Patrick S. Ryan, Wireless Communications and Computing at a Crossroads: New Paradigms and Their Impact on Theories Governing the Publics Right to Spectrum Access, 240 J. on Telecomm. & High Tech. L. 3, at 247. Young M. Kang et al., Comments on Groschs Law Re-Visited: CPU Power and the Cost of Computation, 29 Comm. ACM 779 (1986) In the 1960s and 1970s, Groschs law was still highly regarded by scientists and policy analysts, and respected papers continued to espouse his centralized computing law. While some challenged his theories, the scientific community on the whole still had great faith in them. See e.g., Martin B. Solomon, Jr., Economies of Scale and the IBM System/360, 9 Comm. ACM 435 (1966) (concluding that larger computers offer the greatest economies of scale and indicating that Groschs Law, stated in the 1940s, appears to be prophetic); A. E. Oldehoft & M. H. Halstead, Maximum Computing Power and Cost Factors in the Centralization Problem, 15 Comm. ACM 94 (1972) (In addition to increases in the level of technology, one can expect for any given level, a return to scale approximated by Groschs Law). But see Charles W. Adams, Groschs Law Repealed, 8 Datamation 38 (1962) (Adams suggests that Groschs law may not be accurate. Adams work was part of an early movement that ultimately led to the so-called repeal of Groschs law.). Miniaturization is most often associated with the growth of personal computers that took place from the 1970s through the 1980s, and it is most often expressed in terms of Moores law. Moores law, developed by Intel founder Gordon Moore in the 1970s, holds that the microprocessors performance will double every 18 months. See Caught in the Net, The Economist, March 27, 1997, at S16 (describing Moores law and indicating that it has so far proven to be correct). See Xavier Amadei, Standards of Liability for Internet Service Providers, 35 Cornell Intl L.J. 189, 195 (2002). See Jack Kessler, The French Minitel, D-Lib Magazine, December 1995, available at http://www.dlib.org/dlib/december95/12kessler. html. Terminals available for sale by France Telecom today can be viewed at http://goo.gl/TZDC3 (last accessed June 20, 2011). Although announcements claim that the Minitel terminals finally will be discontinued on September, 2011. Ken Pottinger, Le Minitel Still Frances Preferred Internet, French News Online, January 9, 2011, available at http://goo.gl/ipUKr. See Russel Carlberg, The Persistence of the Dirigiste Model: Wireless Spectrum Allocation in Europe, la Franaise, 54 Federal Communications, L.J. 129, 136 (2001).

11. See Amadei, supra n.6. 12. See Selignan, supra n.10 (describing the phenomenon as follows: in 1985, heavy traffic generated by these sex lines caused what remains the systems only large-scale crash, drawing the attention of the national news media. The technical problem was quickly solved, but the public retained the impression that the Minitel was mostly about sex.) 13. Guide to Cloud Computing for Policymakers, Software & Information Industry Association White Paper, June 2011 at 5, available at: http://goo.gl/cLqu0. 14. VMWares Zimbra, for example, is an open-source product that has been widely adopted by enterprises. It also is seen as a competitor to Microsoft Office 365 and to Google Apps. See Microsoft Office 365 Launch: Zimbra Scores Surprise PR Win, The VAR Guy, June 28, 2011, available at http://goo.gl/CLohp. 15. In 1995, the European Parliament and Council adopted Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Directive applies to all 27 member states of the European Economic Area (EEA). Several sources have noted that the Directive has significant weaknesses and that many aspects of it are ineffective. See Neil Robinson, Hans Graux, et. al., Review of the European Data Protection Directive, RAND Europe Technical Report (2009), available at http://goo.gl/d9OUM. 16. See www.37signals.com. 17. Jason Fried, David Heinemeier Hansson, Matthel Linderman, Getting Real (2009); Jason Fried & David Heinemeier Hansson, ReWork, (Crown, 2010) 18. See www.evernote.com. 19. See www.evite.com. 20. See www.tripit.com. 21. See www.huddle.com. 22. The enzyme that won, The Economist, May 11, 2006 (describing the interactive Web as follows: But what is Web 2.0? It began with a specific and useful definition. In contrast to the static web pages of the 1990s, the second wave of websites would use software . . . that makes web pages look like dynamic software applications that traditionally run only on personal computers.) 23. George Simpson, A Billion Here and a Billion There, Online Media Daily, July 1, 2011, available at http://goo.gl/1LKOQ. 24. See Dan Salcedo, Free e-commerce catalogs managed with Google Docs, Google Docs Blog, February 3, 2010, available at http://goo. gl/gyO6. 25. Known in the European Union as the Electronic Signatures Directive, it forced the adoption of a specific technology standard (a PKI-focused provision) into the regulatory framework. The United States, however, took a more technology-neutral, market-driven approach, which helped foster the eSignatures market. In the United States, the Electronic Signatures in Global and National Commerce Act did not provide any guidance with regard to specific technology primarily because the PKI market was at that point in its infancy. As the eSignatures market developed post legislation, many businesses resisted PKI adoption because it was deemed more expensive and difficult to use and instead adopted alternative solutions. 26. See SIIA Cloud White Paper, cited supra n.13, stating that a rule that makes sense when applied in a business-to consumer context might be inappropriate when applied in a business-to-business context. In addition, a rule that might apply to a public cloud offering might not work as applied to a private cloud offering. . . . policymaker concerns about specific issues can and are being addressed through industry-led voluntary action, public private partnerships and best practices enforced through contracts and existing legislation. Id., at 13. 27. Lock-in occurs when a customer is uniquely dependent on a vendor for products and services, unable to use another vendor without

2.

3.

4.

5.

6. 7.

8.

9.

10. See Maite Selignan, Frances Precursor to the Internet Lives On, Washington Post, September 25, 2003, at 2.

16

October

2011

J O U R N A L O F I N T E R N E T L AW

substantial switching costs. Examples of lock-in include the difficulty in switching from one office-based provider to another; or to switch telephone providers in areas where the market is limited or where barriers to entry are high. See Carl Shapiro and Hal Varian, Information Rules (HBS Press 1999). 28. See Bill Coughan, Changes to the open Internet in Kazakhstan, The Official Google Blog, June 7, 2011, available at http://goo. gl/Y39qW. Also see Alan Cullison, Google Sidesteps Edict, The Wall Street Journal, June 9, 2011, available at http://goo.gl/3dvWS (describing the requirement from Kazakhstan for local servers and Googles withdrawal from the market as a result, quoting Eric Schmidts statement the doing so makes him very concerned that we will end up with an Internet per country.) 29. India in the Cloud Computing Arena, Downloaded Cloud Computing, June 16 2011, available at http://goo.gl/4USqy. 30. Javed Anwer, Office in the Cloud, The Times of India, May 8, 2011. (Noting that Indian offices and individuals are switching to Web-based suites that are not only cheaperbecause they do away with software costsbut are also accessible from any place with a decent internet connection). 31. Shipla Shanbag, Emerging from the Shadows, Dataquest, May 31, 2011 at 22. 32. Karan Bajwa, A private Affair, Microsoft Contributory Articles, March 31 2011, available at http://goo.gl/JZm0x. 33. See Pradeep Agarwal, Going Google in India: Indian Youth Congress & Punjilloyd move to Google Apps for Business, Google Enterprise Blog, June 20, 2011 available at http://goo.gl/adRgg. 34. Indian Youth Congress moves 28,000 members to Google Apps, Information Week, available at http://goo.gl/607hF. 35. Delhi Public School, Microsoft Case Studies, available at http://goo. gl/v5eKn. 36. IBM inks five year business transformation deal with Indias UTV Software Communication, Proactive Investors, January 14 2010, available at http://goo.gl/jLznn. 37. Basant Singh, 4+1 Reasons Companies are Moving to Cloud, Cloud Computing, June 10 2010, available at http://goo.gl/GHjpa. 38. About Us, Ministry of Micro, Small and Medium Enterprises (Government of India), available at http://goo.gl/9r20m. 39. Faiz Askari, eBay: The E-way of Doing Business, SmallEnterpriseIndia.com, June 7 2010, available at http://goo. gl/2cvAZ. 40. Cloud Computing: The Next Big Wave in SME Market, VarIndia, August 12 2010, available at http://goo.gl/VyChL. 41. See Wikipedia entry, at http://en.wikipedia.org/wiki/Sterlite_ Technologies. 42. A few companies that have gone Google (meaning that they have moved to the Google cloud) include: Saurashtra Cements (Mehta Group), Flipkart, Team Computers, India Pistons, easiptionBPO, Forbes Marshall, Cosmo Films, Haier Mobile, Compro Technologies, Rustomjee (part of Keystone Group), Indiamart, Neelkamal and many others. Source: interview. 43. How can VoIP reduce call center costs, Which VoIP, available at http://goo.gl/uzAXW. 44. Celebrating 150 years in India, HSBC Website: The Worlds Local Bank, available at http://goo.gl/rpQWw. 45. ATM theft: Security guard, two others arrested, The Times of India, August 18 2009, available at http://goo.gl/l4ib0. 46. Section 407 in The Indian Penal Code, 1860: Criminal breach of trust by carrier, etc.Whoever, being entrusted with property as a

carrier, wharfinger or warehouse- keeper, commits criminal breach of trust, in respect of such property, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine. 47. Indias First ATM Card Fraud, Indiaforensic, available at http:// goo.gl/yNMoe. Also see Joshi, infra n.48. 48. Mayur Sharad Joshi, Black Cards Forensics, Indiaforensic, 2006, at 34, available at http://goo.gl/vIOrG. 49. Credit Card Service in India, available at http://goo.gl/a945s. 50. Pheji Phalghunan, Unwanted Plastic?, Outlook Money, October 20, 2010, available at http://goo.gl/Hj3Ia. Also see Credit Card and Debit Card Users in India, IndiaFacts.in, available at http://goo. gl/Qm1et. 51. For example, the IIFL group, comprising the holding company, India Infoline Ltd (NSE: INDIAINFO, BSE: 532636, Bloomberg: IIFL) and its subsidiaries, is one of the leading players in the Indian financial services space. IIFL offers advice and execution platform for the entire range of financial services covering products ranging from equities and derivatives, commodities, and other instruments. IIFL owns and manages www.indiainfoline.com, one of Indias leading online destinations for personal finance, stock markets, economy and business. IIFL has moved to the Google cloud and has almost 18,000 users. See India Infolines Google Journey, Interview with CIO Sankarson Banerjee, May 24, 2010, available on YouTube at http://goo.gl/TT7HU. 52. The Mexican Secretary of Economy published a report that analyzed transnational data flows and identified India as one of the most significant locations for outsourcing of various services, and thus vitally important to a liberalized regime for transnational data flows. See Report on the Trilateral Committee on Transborder Data Flows, North American Leaders Summit, January 2010, available at http://goo.gl/lO4yY. 53. TRAI issues Regulation on Quality of Service for VOIP Based International Long Distance Service, 2002, Telecom Regulatory Authority of India, November 18, 2002, available at http://goo. gl/fTkrx. 54. Recommendations on Issues related to Internet Telephony, Telecom Regulatory Authority of India, 18 August 2008, available at http:// goo.gl/dWtpm. 55. Shalini Singh, No tariff cut now as VOIP gets delayed, The Times of India, February 20, 2009, available at http://goo.gl/j24VA. 56. First Analysis of the Data Protection Law in India, CRID, University of Namur, available at http://goo.gl/VO2wR, (hereinafter, CRID India Privacy Paper). 57. See SIIA Cloud White Paper, supra n.13. 58. See CRID India Privacy Paper, cited supra n.56. 59. Russell Smith, Indias New Data Privacy Rules: Will They Help or Hurt Legal Outsourcing?, Law Without Borders, May 23 2011, available at http://goo.gl/gUcfA. 60. Mani Malarvannan, New Privacy Laws To Impact Outsourcing to India, Outsource Portfolio, June 10 2011, available at http://goo. gl/zGY5l. 61. See Rama Lakshmi, India data privacy rules may be too strict for some U.S. companies, Washington Post, May 21, 2011, available at http://goo.gl/YFft2. 62. Powers and Functions of the Authority, TRAI Act 1997, available at http://goo.gl/vGMWU. 63. Another giant leap, The Economist, June 1, 2011, available at http://goo.gl/oQ8cJ (describing the many improvements that have happened, but that are also still needed, to Indian infrastructure for the benefit of the IT sector).

17