Taxation issues of foreign technology companies deriving profit and revenue from India have been vexing Indian government for long. Most of these foreign technology companies are also not complying with the techno legal requirements of Indian laws so far. Now many such companies would be liable to pay tax in India due to recent changes in the taxation rules of India. For instance, an eight-member committee on taxation of e-commerce had in March 2016 proposed that services ranging from online advertising and cloud computing to software downloads and web hosting be subject to an “equalisation levy” of 6-8% of gross payment if the provider of the service is a foreign entity without a “permanent establishment” in India. Thus, cloud computing related legal compliances in India are going to increase in near future.

Cloud computing is a business model that relies upon shared computing resources in lieu of payment. Big technology companies can invest significant financial resources in cloud computing infrastructures that small and medium scale enterprises can use for a certain payment. The advantage for small and medium scale enterprises by using cloud computing model is that they need not to spend money upon building technology infrastructure. However, there are cyber security, data security, data protection, privacy and many more similar concerns that are resulting in lower adoption and use of cloud computing world over.

As far as India is concerned, use of cloud computing is still at nascent stage. There are many policy and law related issues that are responsible for slow growth and adoption of cloud computing in India. Absence of an effective cloud computing policy of India is responsible for its limited utilisation in India. However, legal issues of cloud computing in India are the main reason for cautious adoption of cloud computing by businesses and entrepreneurs. For instance, we have no dedicated regulatory framework for cloud computing in India. In fact, the chief information officers (CIOs) in India are not comfortable using cloud computing for their businesses.

Even the cloud computing due diligence in India is missing and companies and individuals are using the same in great disregard of the various laws of India. Cloud computing service providers in India are required to follow cyber law due diligence (pdf). The cyber law due diligence for Indian companies is now well established but cloud computing and e-commerce service providers are not taking it seriously. There is an urgent need to regulate e-commerce websites operating in India by Indian government.

We believe that India must not use software as a service (SaaS), cloud computing, m-governance, etc till proper legal frameworks and procedural safeguards are at place. This has also been accepted by the CIOs community and it is now for the Indian government to do the needful. Similarly, cloud computing security in India is also required to be strengthened. As on date, use of cloud computing in India is not a viable solution as we are ignoring legal and security concerns. Cloud computing in India must be techno legal in nature and till it meets the techno legal requirements, it should not be used in India.

Besides regulatory framework for cloud computing in India we must also ensure high availability levels, appropriate data erasing mechanisms, data privacy at the service provider’s level, export restrictions upon data, data handling monitoring mechanisms, jurisdictional issues, cloud computing security issues, licensing issues for cloud computing, etc.

Privacy violations, data breaches, data thefts, cyber crimes, etc would definitely arise in cases of use of cloud computing in India. Even if a company or individual offers cloud computing services in India, it/he has to comply with many legal provisions and cyber due diligence requirements. The information technology act 2000 (IT Act 2000) has prescribed due diligence requirements for various business organisations and stakeholders. These due diligence requirements equally apply to cloud computing service providers in India.

These due diligence requirements are very stringent and cloud computing providers can find themselves in legal hassles if they ignore the same. Managing sensitive and personal data and information in India is no more a causal approach but it has become very stringent. With the proposal to codify law of torts in India, more and more civil proceeding for violation of privacy rights may be initiated against the cloud computing service providers. It would be a wise option to establish best practices and cloud computing policy by all stakeholders in their own larger interests.