Rachana Rautray Senior Associate
SEBI-regulated entities availing cloud services are now subject to a new principle-based regulatory framework
To minimise the risks associated with cloud computing and to strengthen the regulatory responsibility of entities registered with the Securities and Exchange Board of India (SEBI) (regulated entities, or REs), SEBI has, by way of a circular, prescribed an additional regulatory framework stipulating various requirements that an RE must meet when it uses cloud services. Notably, the requirements under this framework apply only where the RE utilises a public cloud (i.e., cloud infrastructure open for use by the general public), a community cloud (i.e., cloud infrastructure provisioned for exclusive use by a specific community of consumers) or a hybrid cloud (i.e., a combination of two or more of public cloud, community cloud and private cloud). REs utilising a private cloud (i.e., infrastructure exclusive to a single organisation) therefore do not need to implement these requirements and instead continue to be bound by other existing SEBI circulars, such as the cybersecurity circular and the outsourcing circular.
The new circular proposes a regulatory regime based on principles such as governance, risk management, data localisation and the responsibility of the RE. The circular elaborates these through requirements such as following a prescribed process for appointing cloud service providers (CSPs), undertaking due diligence of the CSP, conducting regular audits of the RE's cloud deployment and assessing the CSP's security controls, having a grievance redressal mechanism, and localising all data within India (with limited exceptions for overseas investor data). Under this framework, REs with existing CSP arrangements will have to reassess their existing infrastructure and contractual terms in order to migrate to the new setup within the 12-month grace period provided under the new framework.
Supreme Court potentially opens the scope for implementing the right to privacy against private persons, and separately observes that children have the right to privacy in paternity suits
The Supreme Court in Kaushal Kishor v The State of Uttar Pradesh has suggested that the fundamental rights under Articles 19 and 21 of the Constitution of India can be enforced against persons other than the State or its instrumentalities. While perhaps not intended by the Court, this could imply that the right to privacy under Article 21 – which has an established history of being enforceable only against the State – may now be enforced against private parties.
In a separate matter, the Supreme Court has also observed that a child’s right to privacy encompasses the right not to have their paternity frivolously questioned. In deciding a divorce petition in Aparna Ajinkya Firodia v Ajinkya Arun Firodia, the Court refused to allow a DNA test for a child’s paternity on several grounds based on the facts of the case, observing that a child’s rights and interests cannot be sacrificed for the benefit of a party to the trial.
While these judgements were passed prior to the enactment of the Digital Personal Data Protection Bill (which seeks to establish a robust personal data protection regime), it is likely that prospective enforcement of privacy rights against private parties would lie under the Digital Personal Data Protection Bill rather than as a constitutional remedy.
Consumer machine-to-machine/internet of things devices must now be updateable and not have universal default passwords
Amidst the anticipated growth of the machine-to-machine (M2M)/Internet of Things (IoT) industry, the Department of Telecommunications has issued guidelines, based on a technical report of the Telecommunication Engineering Centre, to reduce the risk of unwanted intrusion into M2M and IoT networks and devices.
Key among the guidelines are the requirements that universal default usernames and passwords (such as 'admin') be replaced by device-specific unique passwords that cannot be reset to universal default values; that associated web services use multi-factor authentication; that M2M/IoT stakeholders provide a public point of contact and manage vulnerability reports pursuant to a published policy; and that retailers and manufacturers follow certain standards with respect to timely updates for M2M/IoT software components and end-of-life policies.
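The password requirement above is the one most directly testable in firmware. The following is an added illustration, not code from the guidelines or from any device vendor, of how a device can satisfy it: each unit receives a randomly generated factory credential at manufacture (the value printed on its label), a factory reset restores that per-device credential rather than a shared value such as 'admin', and password changes are rejected if they fall on a constructed list of universal defaults. The `Device` class, the `UNIVERSAL_DEFAULTS` list and the serial numbers are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed, deliberately short list of username/password pairs that count as
# "universal defaults" for this example; a production build would use a fuller list.
UNIVERSAL_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
}

PBKDF2_ROUNDS = 100_000


def is_universal_default(username: str, password: str) -> bool:
    """True if the pair is a well-known shared default that the guideline forbids."""
    return (username.lower(), password) in UNIVERSAL_DEFAULTS


class Device:
    """Model of one M2M/IoT unit's local administrator credential (hypothetical)."""

    USERNAME = "admin"

    def __init__(self, serial: str) -> None:
        self.serial = serial
        # Per-device factory credential: generated from a CSPRNG on the production
        # line and printed on the label. It is NOT derived from the serial number,
        # so knowing one device's serial reveals nothing about its password.
        self.factory_password = secrets.token_urlsafe(12)
        if is_universal_default(self.USERNAME, self.factory_password):
            raise RuntimeError("generated credential collided with a universal default")
        self._salt = b""
        self._hash = b""
        self._store(self.factory_password)

    def _store(self, password: str) -> None:
        # Only a salted PBKDF2 hash is kept in flash; the plaintext never is.
        self._salt = secrets.token_bytes(16)
        self._hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS
        )

    def verify(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS
        )
        return hmac.compare_digest(self._hash, candidate)

    def change_password(self, old: str, new: str) -> None:
        if not self.verify(old):
            raise PermissionError("current password incorrect")
        if is_universal_default(self.USERNAME, new):
            raise ValueError("universal default passwords are not permitted")
        self._store(new)

    def factory_reset(self) -> None:
        # A reset returns the unit to ITS OWN labelled credential, never to a
        # shared default, which is the "not resettable to universal default" rule.
        self._store(self.factory_password)


def factory_credentials_are_unique(devices: list) -> bool:
    """Fleet check: no two units left the line with the same factory password."""
    passwords = [d.factory_password for d in devices]
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    unit = Device("SN-EXAMPLE-0001")  # constructed serial
    print("label password:", unit.factory_password)
    print("accepts 'admin'?", unit.verify("admin"))          # False
    unit.change_password(unit.factory_password, "correct-horse-battery")
    unit.factory_reset()
    print("back to label password?", unit.verify(unit.factory_password))  # True
```

The design choice worth noting is that `factory_reset()` re-hashes the per-device value with a fresh salt rather than re-installing a firmware-wide constant, so a reset does not silently reopen the device to credential lists that attackers circulate; the `factory_credentials_are_unique` check is the kind of production-line assertion a manufacturer can run before shipping.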
The movement seen in the data protection, technology and telecommunications space, with a focus on facilitating private and public digital infrastructure, is expected to continue in the coming days. Specifically, key draft legislation such as the Indian Telecommunication Bill, 2022 and the Digital Personal Data Protection Bill, 2022 has undergone public consultation, with the Digital India Bill soon to follow. Discussions are also ongoing on several other aspects of the telecom space, such as infrastructure and spectrum sharing and converged digital technologies. Given this, we anticipate that the upcoming quarter will significantly overhaul the present regulatory regime on privacy, data protection and telecommunications.