Data Privacy Regulations Applicable to Cloud Computing in India

Cloud computing is not explicitly defined under the laws of India, but it is governed by several sectoral regulations and frameworks based on the industry in which the cloud service is utilised. The primary legal framework that governs data privacy and security in the context of cloud computing includes the Information Technology Act, 2000 (the “IT Act”), read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”), enshrined under Section 43A of the IT Act. These regulations govern corporate bodies handling sensitive personal data in computer resources, including cloud-based systems. Any negligence in implementing adequate security standards, resulting in wrongful loss or gain, subjects the corporate bodies to liability for damages.

In 2013, the Ministry of Electronics and Information Technology (MeitY) introduced Meghraj, India’s own GI Cloud Initiative to accelerate the adoption of cloud computing in the government sector. Cloud service providers (CSPs) empanelled by MeitY are expected to offer services across different categories, such as basic, advanced and managed cloud services through Meghraj, to optimise government expenditures on information and communications technology.

In August 2023, India introduced the Digital Personal Data Protection Act, 2023 (the “DPDP Act”), India’s first comprehensive data protection legislation. However, the Act is awaiting notification by the central government and is thus not yet in force, as the corresponding Rules are yet to be notified. Once formally effectuated, the DPDP Act will repeal Section 43A of the IT Act, thereby removing the relevance of the SPDI Rules entirely.

Other sector-specific regulations addressing cloud computing technologies include the following.

• Reserve Bank of India (RBI): RBI’s Master Directions on IT Outsourcing (2023) (the “RBI Master Directions”) require regulated financial entities to develop IT outsourcing policies that include governance of cloud services and adherence to cybersecurity standards.
• Insurance Regulatory and Development Authority of India (IRDAI): the Insurance Regulatory and Development Authority of India (Outsourcing of Activities by Indian Insurers) Regulations, 2017 (the “IRDAI Regulations”) prohibit insurers from outsourcing core functions that involve personal data, such as investment management, underwriting and actuarial functions, to CSPs.
• Securities and Exchange Board of India (SEBI): the Framework for Adoption of Cloud Services by SEBI Regulated Entities, 2023 (the “SEBI Cloud Framework”) requires financial entities using cloud services to ensure data localisation, robust security protocols and regulatory access to stored data.

Defining Personal and Sensitive Data

Personal data and sensitive personal data are primarily governed by the IT Act and the SPDI Rules. The latter define “personal data” as any information that relates to an identified or identifiable individual, including name, contact information and financial data. “Sensitive personal data” includes information such as passwords, financial information (like bank account or credit card details), health conditions, sexual orientation, biometric data, etc. The processing and handling of sensitive data must adhere to prescribed reasonable security practices and procedures.

In addition, sector-specific regulations such as the SEBI Cloud Framework and the IRDAI Regulations impose strict controls on the processing and storage of customer data, especially sensitive financial and insurance-related information.

Requirements for Processing Personal Data in the Cloud

Under Indian law, entities must adhere to several key requirements when processing personal data in the cloud. They must publicly disclose a privacy policy detailing data collection and processing methods, as mandated by the SPDI Rules, and obtain explicit consent before handling sensitive personal data. Data localisation is crucial, particularly for SEBI-regulated financial entities, which must store data within India to ensure compliance with regulatory oversight.

Entities must also follow the security standards detailed in 2.1 Data Security and the Cloud, mandating additional measures such as disaster recovery, business continuity plans and ensuring access for regulatory authorities.

Obligations on Data Controllers and Processors in the Cloud Environment

Data controllers and processors using cloud services must meet several key obligations. They are required to implement reasonable security practices, such as compliance with the security standards mentioned in 2.1 Data Security and the Cloud, and are liable for compensation if negligence leads to data breaches under the IT Act. Entities must also maintain oversight through board-approved IT outsourcing policies, conduct regular audits, and ensure disaster recovery and service continuity, especially in the financial sector as per the RBI Master Directions. Transparency and accountability are also crucial, with CSPs needing to adhere to security and regulatory requirements.

The DPDP Act introduces the concept of a Significant Data Fiduciary (SDF), a classification for data fiduciaries that handle large volumes of sensitive data. Under Section 10 of the DPDP Act, the central government may notify any data fiduciary or class of data fiduciaries as an SDF based on an assessment of the following factors, among others:

• the volume and sensitivity of personal data processed;
• the risk of harm to the data principal;
• the potential impact on the sovereignty and integrity of India;
• the security of the state and risk to electoral democracy; and
• public order.

Once designated, an SDF is subject to additional compliance obligations beyond those of a regular data fiduciary. These obligations are detailed in the DPDP Act and further clarified in the Draft DPDP Rules, 2025 (the “DPDP Rules”), and include the appointment of key personnel, periodic assessments and audits, algorithmic accountability, and data transfer restrictions.

Cross-border data transfers in cloud computing raise privacy concerns, particularly when data moves across jurisdictions. Once the DPDP Act is effectuated, cross-border data transfers in cloud computing are expected to be governed through a “blacklist” approach, which would allow the government to restrict transfers to countries where adequate safeguards may not exist. Exceptions are anticipated to include transfers necessary for contractual performance, compliance with legal obligations or transfers with the data subject’s consent.

Under the existing law (ie, the IT Act and the SPDI Rules), cross-border transfers of sensitive personal data are permitted only if the receiving jurisdiction ensures the same level of data protection as provided under Indian law. In addition, such transfers can only occur if the data subject has provided explicit consent or if the transfer is necessary for the performance of a lawful contract. The SPDI Rules mandate that organisations handling sensitive personal data must adopt reasonable security practices and ensure that the recipient entity abroad also adheres to these standards, safeguarding the data throughout the transfer process.

While there are no specific penalties targeting breaches in cloud computing under Indian laws, data privacy violations are governed by the IT Act, Section 43 of which penalises unauthorised access to computer systems, including cloud infrastructure, with uncapped compensation to the person so affected. Section 43A further mandates that corporate bodies failing to implement reasonable security practices, resulting in wrongful loss or gain, are liable to compensate affected individuals.

Section 44 imposes penalties of up to INR150,000 for failing to furnish required documents or reports, with additional fines accruing at INR5,000 per day of non-compliance. Non-maintenance of records can attract a penalty of INR10,000 per day. Following the prospective enforcement of the DPDP Act, breaches involving large-scale data processing could result in exorbitant fines of up to INR2.5 billion for failure to implement reasonable security safeguards and up to INR2 billion for failure to notify personal data breaches.

Security Measures for Data Stored in the Cloud

As mentioned in 1.1 Data Privacy and Cloud Computing, data security in the cloud is governed by various standards, regulations and guidelines, primarily set forth by MeitY. One of the key standards is the ISO/IEC 27001 standard, as delineated under Rule 8 of the SPDI Rules, which outlines best practices for Information Security Management Systems (ISMS). Compliance with this standard is essential to safeguard against cyber-attacks and data breaches. In addition, ISO/IEC 27018 is specific to CSPs and is designed to protect personally identifiable information (PII) stored or processed in the cloud, focusing particularly on securing cloud environments.

Other notable security measures include compliance with the Payment Card Industry Data Security Standard (PCI DSS) for organisations processing credit and debit card transactions. These frameworks ensure a shared responsibility between CSPs and their clients in securing data, especially financial and personal information.

Measures to Ensure the Confidentiality, Integrity and Availability of Data

The above-mentioned standards collectively uphold the principles of confidentiality, integrity and availability. By mandating multi-layered security controls, organisations are required to secure data at the physical, network and application levels, to facilitate the following.

• Confidentiality: cloud providers are required to implement strong encryption protocols to protect data both at rest and in transit. Compliance with data segregation and privacy policies ensures that sensitive information is shielded from unauthorised access.
• Integrity: regular audits, hashing mechanisms and data verification processes ensure that the data is not tampered with during storage or transit.
• Availability: disaster recovery mechanisms, back-up protocols and failover systems ensure that data remains accessible in the case of an incident or outage, thereby maintaining service availability.

Encryption Standards Recommended for Data in Transit and at Rest in the Cloud

Encryption remains a fundamental pillar of data security in cloud environments. For data in transit, India’s regulatory bodies, such as SEBI and RBI, recommend a minimum of 128-bit Secure Socket Layer encryption to secure financial transactions. This encryption method is widely adopted for browser-to-server communications, protecting sensitive financial data during transmission.

For data at rest, the encryption standards typically recommended include 256-bit Advanced Encryption Standard. The Unique Identification Authority of India (UIDAI) is India’s national agency responsible for issuing Aadhaar (India’s national resident identification number), and mandates 2048-bit encryption for Aadhaar-related data. These encryption norms apply across sectors, including financial institutions and healthcare services, ensuring robust protection against unauthorised access or breaches.

Managing Access Controls in the Cloud Environment

Access control in cloud computing is primarily managed through identity-based policies that regulate who can access specific resources within an organisation’s cloud infrastructure. These policies may include the following:

• identity-based policies: users, groups and roles can be assigned specific permissions based on organisational needs;
• role-based access control (RBAC): this mechanism ensures that only authorised personnel have access to sensitive data and applications;
• geo-fencing: access can be restricted geographically to prevent unauthorised access from outside designated locations; and
• IP and device restrictions: cloud providers offer options to limit access based on device types and IP addresses, ensuring further security against external threats.

CSPs also deploy session policies and organisation-wide service control policies to manage access at a granular level. These access control mechanisms ensure that only legitimate users can interact with the cloud environment, mitigating the risk of unauthorised access.

Measures to Prevent Unauthorised Access or Data Breaches

The IT Act provides the fundamental legal framework to prevent unauthorised access and data breaches in India. Compliance with standards like ISO/IEC 27001 (ISMS) and ISO/IEC 27018 (protection of PII in public clouds acting as PII processors) facilitates CSPs to maintain strict security controls, including best practices such as encryption, data anonymisation and regular security audits.

Furthermore, sector-specific regulations such as SEBI’s guidelines for encryption of data in transit and the RBI’s mandate for end-to-end encryption in mobile financial services significantly reduce the risk of unauthorised access. The “know your customer” (KYC) norms enforced by regulatory bodies such as RBI and SEBI also ensure that CSPs maintain a strict identification process, preventing unauthorised access to sensitive data.

Handling Security Accidents and Breaches in the Cloud

In the case of a security breach, CSPs are required to follow the incident reporting and response framework outlined in the IT Act, read with the guidelines issued by the Indian Computer Emergency Response Team (CERT-In), under MeitY. Key measures include the following:

• ISO/IEC 27001: CSPs must have an ISMS in place, designed to respond swiftly to data breaches;
• Service Organization Control Type 2 (SOC 2) compliance: CSPs are obliged to maintain the confidentiality, integrity and availability of data, and must produce regular reports to verify their compliance; and
• PCI DSS: for card payment data breaches, organisations must follow strict protocols to mitigate the risks and report the incident in compliance with PCI DSS.

In addition to regulatory frameworks, CSPs often offer contractual guarantees, such as cloud service agreements (CSAs) or service level agreements (SLAs), which outline the procedures and timelines for addressing and reporting security breaches.

Addressing Data Ownership and Control in Cloud Agreements

In cloud agreements, data ownership and control are key concerns addressed through specific contractual provisions. Typically, the ownership of the data resides with the entity that uploads or stores it on the cloud, often referred to as the “data owner”. In India, CSAs tend to follow this principle, ensuring that the data customer retains ownership rights over the data, while the CSP acts as a custodian or processor. This is explicitly outlined in the ownership clauses, which clarify that any data stored in the cloud remains the intellectual property of the customer, not the provider. Cloud agreements usually incorporate additional clauses to regulate data usage, such as the following.

• Licence to use data: providers often seek a limited licence to use, store or process the data, strictly for service delivery purposes. It is essential for customers to scrutinise these clauses to ensure that their data is not used beyond the agreed-upon scope.
• Intellectual property rights: while data ownership resides with the customer, the CSP may retain intellectual property rights over the software, infrastructure or algorithms used in managing the data. This distinction is crucial in delineating rights and responsibilities between the provider and the customer.

Rights of Data Subjects Over Their Data in the Cloud

The DPDP Act proposes that data subjects (referred to as “data principals” in the DPDP Act) are to be granted significant rights concerning their personal data. These rights would apply even when the data is stored in the cloud. Data subjects are envisioned to have the following key rights under the DPDP Act.

• Right to Access (Section 11): data subjects can request information regarding what personal data is held by the data controller (referred to as a “data fiduciary” in the DPDP Act), the purpose of its processing, and whether the data has been shared with third parties. This right extends to cloud environments where data fiduciaries store personal data using cloud services.
• Right to Corrections and Erasure (Section 12): data subjects have the right to request corrections to any inaccuracies in their personal data or the completion of incomplete data. In cloud agreements, CSPs are obliged to implement mechanisms allowing for rectification at the behest of the data fiduciary. Furthermore, the data principal can request the deletion of personal data when it is no longer required or when consent has been withdrawn. As data processors, CSPs must ensure that the data is fully erased across all instances, including back-ups.
• Right of Grievance Redressal (Section 13): data subjects have the right to access grievance redressal mechanisms provided by a data fiduciary or consent manager for any act or omission related to the handling of their personal data stored in the cloud, or the exercise of their rights under the DPDP Act. These entities are obliged to respond to such grievances within a prescribed timeframe, ensuring timely resolution.
• Right to Nominate (Section 14): a data subject also has the right to nominate another individual to exercise their data protection rights in the event of their death or incapacity.

Exercising Data Access, Rectification and Deletion Rights in Cloud Environments

Data subjects can exercise their rights over cloud-stored data through mechanisms established by the data fiduciary, which collaborates with the CSP. To exercise the right to access, data subjects can submit a request to the data fiduciary to obtain their personal data, which is then retrieved from the cloud by the CSP and provided in a clear, accessible format. For the right to rectification, data subjects can request corrections or updates to inaccurate or incomplete data. The data fiduciary is responsible for ensuring that these corrections are applied across all cloud systems, including back-ups.

Likewise, CSPs must ensure the deletion of personal data that is no longer required for its original purpose upon the data subject’s request for the deletion of their personal data. By co-ordinating with the data fiduciary and CSP, data subjects can effectively exercise these rights, ensuring that their personal data is handled in compliance with the legal framework. CSAs must also incorporate these rights to maintain regulatory compliance and protect user data.

However, it is important to note that, as the DPDP Act has not yet been implemented, the rights of data subjects outlined above, and their ability to exercise those rights, are not yet legally enforceable.

Indian laws do not explicitly include the right to data portability, unlike the EU’s GDPR. The preliminary drafts of the DPDP Act featured a limited right to data portability with exceptions for legal compliance, trade secrets and technical feasibility, but the enacted iteration excluded this right due to potential concerns about data security, such as identity fraud and complications in transferring shared data in cloud environments.

That said, the DPDP Act introduces “consent managers”, which will be entities registered with the Data Protection Board of India (DPB) and will act as intermediaries between users and platforms. These managers will aim to facilitate user control over personal data, potentially enabling limited data transfers through interoperable platforms in cloud environments. Therefore, the DPDP Act does indicate an inclination of the legislators to move towards enhanced data mobility.

In cloud computing, data portability remains challenging due to the lack of standardisation among CSPs. Seamless data transfer requires uniform data formats and technical compatibility, which the current laws do not holistically address. As India’s legal framework evolves, more mechanisms may emerge to support data portability in cloud services, balancing user autonomy with security concerns.

Data retention and deletion in cloud environments are generally governed by the existing IT regulations and contractual agreements between CSPs and clients. The SPDI Rules require CSPs to implement reasonable security practices, including clear retention and deletion policies. Under Rule 5(4) of the SPDI Rules, sensitive personal data or information should not be retained for longer than necessary for the purpose for which it was collected or processed. Once the data is no longer required, it must be deleted to ensure compliance with the retention policy.

Akin to the SPDI Rules, Section 8(7) of the DPDP Act requires data controllers to erase personal data once the data subject withdraws consent or when the specified purpose for which the data was collected is no longer being served, whichever comes first. Notably, the DPDP Rules propose specific retention periods; for instance, large e-commerce entities, online gaming intermediaries and social media intermediaries may be required to erase personal data if a user has not accessed their account or exercised their rights for a period of three years, subject to certain exceptions. In addition, the data fiduciary must ensure that any data processor involved also erases the personal data provided for processing, unless retention is necessary for compliance with existing legal obligations.

In addition to legal requirements, contractual agreements between CSPs and their clients typically outline specific retention periods and conditions for data deletion within cloud environments. These agreements may include provisions for the secure removal of data, including back-ups, upon the termination of services or upon client request. To ensure secure data management, established CSPs like Amazon Web Services, Microsoft Azure, Google Cloud, etc, frequently utilise automated data lifecycle management tools, encryption and stringent access controls.

Due Diligence Considerations for Selecting a CSP

Choosing a CSP may entail comprehensive due diligence measures to ensure compliance with applicable laws and parallel alignment with organisational and project-specific needs. Broadly, these considerations may be bifurcated into two aspects, as set out below.

• Organisational cloud policy due diligence: key considerations include evaluating the CSP’s compliance with the security standards identified in 2.1 Data Security and the Cloud. The CSP’s approach to data handling – including customer data, intellectual property rights, data portability and deletion policies – must be thoroughly assessed, particularly with respect to cross-border data flow restrictions. It is also essential to ensure the CSP provides robust protection for PII, adheres to law enforcement access protocols and holds the requisite security certifications, alongside conducting periodic data audits.
• Project-specific due diligence: the CSP’s availability, flexibility and scalability must be evaluated to ensure it can meet the project’s specific workload and performance requirements. Furthermore, the CSP’s crisis measures should be examined, including disaster recovery protocols, along with back-up and restore policies. It is also critical to assess the CSP’s customer support services, ensuring that response times and communication methods align with the project’s needs, particularly for handling critical incidents.

Data Protection Requirements in CSAs

Data protection is a fundamental element of CSAs, especially in light of India’s evolving regulatory landscape. These agreements should be tailored to ensure that CSPs comply with robust data security and privacy standards, safeguarding personal data from unauthorised access, breaches and misuse. Typical provisions of CSAs include the following.

• Information security standards: CSPs are generally required to comply with internationally recognised security frameworks such as those mentioned in 2.1 Data Security and the Cloud, ensuring the implementation of strong security controls, encryption and access management to maintain data integrity and security.
• Encryption: for sensitive data, agreements often mandate encryption for data both in transit and at rest, ensuring it is protected throughout its lifecycle. The agreements may also provide flexibility for clients to choose encryption methods and key management solutions based on the sensitivity of the data.
• Data localisation: agreements must address the localisation of specific categories of data, particularly in compliance with the sector-specific regulations (as detailed in 6.2 Data Localisation), to ensure that such data is stored within the Indian jurisdiction.
• Incident reporting and breach notification: the agreements must ensure that CSPs take immediate corrective action and inform both the client and relevant regulatory authorities, ensuring accountability.
• Confidentiality obligations: for sensitive data, confidentiality clauses are often required, including non-disclosure agreements (NDAs). These provisions ensure that CSPs and their subcontractors protect sensitive information and restrict access to authorised personnel only.
• Data retention and deletion: agreements must clearly define data retention periods and outline secure deletion procedures once data is no longer required or upon contract termination.
• Law enforcement access: agreements should clarify how CSPs will handle law enforcement requests for customer data, ensuring that such requests are lawful and proportionate. Procedures for notifying clients of these requests, where permissible, should also be outlined.
• Audit and compliance: regular audits are a critical component of cloud agreements, ensuring that CSPs comply with the agreed-upon security standards and certifications. Clients must have the right to review audit reports and certifications, ensuring transparency and ongoing compliance with data protection obligations.

Ensuring Compliance with Data Privacy Regulations by CSPs

The IT Act and the forthcoming DPDP Act set out several measures that CSPs would need to follow in order to comply with data privacy regulations. Illustratively, in compliance with Section 8 of the DPDP Act, CSPs are expected to adopt a “privacy by design” approach – ie, integrating privacy principles into their services from the outset and thereby embedding personal data protection directly into their technical infrastructure. The DPDP Act is also expected to ensure that CSPs adhere to the principle of data minimisation, ensuring that only the necessary personal data is collected and retained for the required period, with secure deletion thereafter.

In relation to data breaches, Section 8(6) of the DPDP Act proposes to mandate CSPs to promptly notify data principals and the DPB, ensuring swift action to mitigate any potential damage. Furthermore, under Section 8(4) of the DPDP Act, read in conjunction with the extant Rule 8 of the SPDI Rules, CSPs would need to implement robust information security measures, including but not limited to encryption, access controls and compliance with industry standards like ISO/IEC 27001. Rule 6 of the DPDP Rules further clarifies that such “reasonable security safeguards” include data encryption or masking, access control measures, monitoring logs to detect unauthorised access, and maintaining data back-ups.

To ensure accountability and compliance, large-scale CSPs may be further obliged to appoint data protection officers and undergo regular audits, as stipulated under Section 10 of the DPDP Act.

Structuring Data Processing Agreements (DPAs) in the Cloud Environment

DPAs typically outline the scope of services provided by the CSP, which may include data migration, technical support, software development and updates. The agreement applies to data processed within the CSP’s infrastructure and any approved sub-processors. Confidentiality is a critical component, with the DPA mandating that CSPs maintain strict confidentiality and prevent unauthorised access to customer data, personal data and other sensitive information, including by sub-processors. DPAs also specify data processing details, such as the subject matter, duration and purpose of processing, ensuring that the data controller is fully aware of how their data will be handled.

The DPA may further oblige the CSP to comply with established data protection standards, in addition to undergoing periodic audits to ensure secure data management. DPAs may also grant the data controller audit rights, allowing them to request audit reports or conduct their own audits to verify the CSP’s compliance with data protection obligations.

In addition to the above, governing law and dispute resolution clauses are also vital from the standpoint of structuring a DPA, in order to establish a clear mechanism for resolving disputes, particularly in the context of cross-border data processing.

Typical Termination and Exit Strategies for CSAs

Termination and exit strategies in CSAs are vital for securing the customer’s data and ensuring a smooth transition to another CSP.

CSAs typically include two types of termination clauses:

• termination for convenience allows either party to end the agreement without needing a specific cause, wherein the customer can stop using the service at any time, and the provider may terminate with prior notice (generally 30 days) without liability; and
• termination for cause enables either party to terminate if the other materially breaches the agreement and fails to remedy the breach within a specified period (generally 30 days) after receiving notice.

Best practices for exit strategies to ensure a smooth exit process, protect the customer’s interests and facilitate secure data transfers, include the following.

• Data retention: the CSP must maintain all customer data for a minimum period (often three to six months) after termination, giving the customer time to verify data migration and ensure the completeness of the transfer.
• Data extraction assistance: before termination, the CSP should provide assistance to the customer for the extraction and migration of their data to a new provider.
• Exit confirmation: upon complete exit, the CSP must provide written confirmation that all customer data has been fully removed from their systems, including any derived analytics.

Migrating Data and Services Between Cloud Providers

Data migration from one cloud provider to another requires careful planning and execution to ensure the security and integrity of the data. MeitY has issued guidelines for migrating applications and data between cloud providers, particularly for government departments. The data migration process is typically structured in the following key phases:

• Phase 0 (Mobilise and Initiate), where a project kick-off meeting is held to finalise the project plan;
• Phase 1 (Assess and Strategise), during which an assessment of application readiness and technical feasibility is conducted to define the best migration strategy;
• Phase 2 (Planning), which involves the CSP submitting a technical design document, outlining tools and resource needs, and ensuring alignment with business goals;
• Phase 3 (Migrate and Implement), which focuses on preparing the cloud environment, migrating data and verifying successful implementation through testing and customer acceptance; and
• Phase 4 (Management and Monitoring), which ensures continuous management, security checks and monitoring post-migration to maintain data integrity and service quality.

Given the absence of specific migration regulations in India, organisations should follow industry best practices such as the Cloud Standards Customer Council’s Practical Guide to Cloud Migration and National Institute of Standards and Technology’s Cloud Computing Standards to ensure smooth transition between providers.

Reporting Data Breaches in the Cloud

The reporting of data breaches in the cloud is primarily governed by Section 70B of the IT Act, which mandates the reporting of cybersecurity incidents to CERT-In. Under the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “CERT-In Rules”), two types of reporting apply:

• voluntary reporting, whereby any individual, organisation or corporate entity affected by a cybersecurity incident may voluntarily report the incident to CERT-In at their discretion; and
• mandatory reporting – if a cybersecurity incident falls within the categories outlined in the CERT-In Rules, it must be reported to CERT-In within the timelines indicated in 5.3 Notifying Data Breaches.

CERT-In also publishes guidelines on the formats and methods for reporting incidents, which are regularly updated on its official website. Reporting must follow the “Point of Contact” (POC) format, which is sent to CERT-In via email and updated periodically per the directives of MeitY.

Section 8(6) of the DPDP Act will also require data fiduciaries to promptly notify data principals and the DPB upon the occurrence of any personal data breach. Rule 7 of the DPDP Rules specifies that notification to the affected data principal must be made “without delay” and must include the nature of the breach, likely consequences and mitigation measures. The notification to the DPB must occur “without delay”, with a detailed report submitted within 72 hours.

Penalties for Failing to Report Data Breaches in the Cloud

Failure to report a data breach in the cloud attracts penalties under Section 70B(7) of the IT Act, including imprisonment for up to one year, a fine of up to INR10 million, or both, for non-compliance with the mandatory reporting requirements.

Under Section 33(1) of the DPDP Act, a data fiduciary may face a substantial penalty of up to INR2 billion for failing to notify the DPB and affected data principals of a personal data breach, in compliance with Section 8(6).

Data breaches in the cloud are investigated and remedied in accordance with the CERT-In Rules, under the supervision of CERT-In. When a breach is detected, CERT-In initiates an investigation by requesting information from the CSP, which must submit relevant data, including technical reports and logs, as per the CERT-In Directions of 28 April 2022.

Non-compliance can result in escalated actions, where the designated officer may report the matter to the Director General of CERT-In, and eventually to the Review Committee, which may initiate legal proceedings under the IT Act. Remedial measures may include patching vulnerabilities and strengthening security protocols to mitigate the breach’s impact, in addition to any other reasonable measures that may be required on a case-specific basis.

Timelines For Notifying Data Subjects and Regulators of Data Breaches

As discussed in 5.1 Requirements to Report Data Breaches, data breach notification standards are governed by CERT-In. The notification process varies depending on the type of reporting, as follows.

• Vulnerability reporting: when cybersecurity vulnerabilities are identified, they can be reported to CERT-In, which acknowledges the report within 72 hours and co-ordinates with vendors to resolve the issue within 120 days. However, CERT-In has clarified in its “FAQs on Cyber Security Directions of 28.04.2022” that reporting vulnerabilities in isolation, not connected with a cybersecurity incident, is not mandatory.
• Incident reporting: data breaches involving cloud services are classified as cybersecurity incidents and must be reported to CERT-In within six hours of detection.

Information to Include in Data Breach Notifications

Data breach notifications in India must include specific details based on whether they are incident reports or vulnerability reports. The following particulars must be provided.

• Contact information: name, organisation, contact number and email. Anonymity is an option for vulnerability reports.
• Product/system details: affected product (website, software, hardware), vendor details and version. For incidents, the domain, IP address, operating system and location of the affected system should be provided.
• Description: for vulnerabilities, a detailed description of the vulnerability, proof of concept and any public disclosure plans should be included. For incidents, the date, time and nature of the breach must be specified, including for breaches affecting the cloud system.
• Impact and mitigation: details on whether the vulnerability is exploited or discussed publicly, and suggested mitigation strategies, should be included. For incidents, the breach’s potential impact and any technical details for mitigation should also be indicated.

Co-Ordinating Data Breach Notifications With CSPs

Co-ordination between CSPs and regulatory authorities is critical when reporting data breaches. Under CERT-In Directions, CSPs are required to comply with several duties to ensure effective breach management.

• Duty to report: CSPs must immediately report cybersecurity incidents to CERT-In, in the prescribed format for reporting.
• Duty to synchronise: CSPs are required to ensure their systems’ clocks are synchronised with the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or National Physical Laboratory (NPL). This ensures that all incidents are reported with precise timestamps.
• Duty to maintain logs: CSPs must maintain logs of all their ICT systems securely for a rolling period of 180 days. These logs must be kept within the Indian jurisdiction and provided to CERT-In during incident reporting or when requested.
• Duty to KYC: CSPs, including data centres and VPN providers, must maintain accurate records of their subscribers and the services availed. This information must be stored for a minimum of five years after the service has been cancelled or withdrawn.

Regulating International Data Transfers in the Context of Cloud Computing

International data transfers in the Indian jurisdiction are currently governed by the IT Act, read in conjunction with the SPDI Rules. With the introduction of the DPDP Act, a more structured framework is set to govern cross-border data flows in cloud environments.

The DPDP Act empowers the government to restrict data transfers to specific countries (a “blacklist” approach), based on their data protection standards. Accordingly, for restricted jurisdictions, CSPs would need to implement stricter legal safeguards.

Mechanisms for Transferring Data Outside India

The SPDI Rules currently regulate international data transfers through several mechanisms. Upon its enforcement, the DPDP Act will allow the government to permit transfers to all jurisdictions by default, unless a specific country or territory is explicitly restricted by notification. For countries without such restrictions, Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) of the EU can be referred to as benchmarks, which are legally recognised international standards facilitating cross-border data transfers within multinational corporations.

Addressing Data Protection Measures in International Data Transfer Agreements

International data transfer agreements in cloud computing must ensure that personal data remains protected according to the SPDI Rules and the forthcoming DPDP Act. A crucial aspect introduced by the DPDP Rules is the requirement for a data fiduciary to comply with any government orders restricting the availability of personal data to foreign states or their agencies. Key contractual mechanisms may include SCCs, which impose obligations on the data importer to maintain data subject rights, enforce security standards like encryption and access control, and address concerns about third-party government access.

Furthermore, BCRs may be incorporated into contractual agreements, which are essentially a set of internal policies for multinational companies to ensure compliance with data protection standards across borders. BCRs focus primarily on accountability, governance and redress mechanisms.

It is worth mentioning that both the SPDI Rules and, particularly, the DPDP Act rely heavily on obtaining the explicit consent of data subjects for processing their personal data, which includes cross-border data transfers. Therefore, explicit consent from data subjects must be obtained for transferring their personal data across jurisdictions.

While there is no overarching central legislation governing data localisation, it has become a critical regulatory requirement for certain sectors, particularly those involving sensitive personal data, financial data and critical infrastructure. This push towards localisation has significant implications for cloud computing, affecting operational efficiency, costs, security and compliance. Some sectoral data localisation requirements are set out below.

• RBI: in its notification dated 6 April 2018, RBI mandated that all data related to payment systems operated by licensed banks and payment system providers must be stored exclusively in India. This includes end-to-end transaction details and any data processed as part of payment instructions. While transactions with foreign elements can store data abroad, a local copy of such data must be retained by CSPs in India.
• SEBI: the SEBI Cloud Framework requires that any financial data such as credit and market risk data, audit records, etc, pertaining to regulated entities stored on cloud platforms must be retained within India. This impacts CSPs, as they must ensure compliance with SEBI’s framework and store a copy of the data in India, even if a foreign parent entity is involved.
• IRDAI: the IRDAI’s Maintenance of Insurance Records Regulations, 2015, require that insurance providers store policy and claims data on systems located within India. This affects cloud-based insurance service providers, ensuring that data localisation requirements are duly fulfilled.
• The Companies Act, 2013: under Section 128, companies in India must prepare and store their books of accounts and financial records at their registered office. With respect to the Companies (Accounts) Fourth Amendment Rules, 2022, companies storing these records in electronic form are now required to ensure that such data is accessible in India at all times, impacting any companies relying on CSPs to maintain their accounts.
• CERT-In (MeitY): in its Directions dated 28 April 2022, CERT-In mandated that service providers offering services to Indian users must maintain logs and records of financial transactions within India. This applies to CSPs and businesses providing cloud-based services, adding to the localisation requirements.

Implications

The aforementioned data localisation norms mandate that particular categories of data be stored within India. This directly impacts CSPs and necessitates them to invest in local infrastructure, raising operational costs and reducing flexibility in managing global data. Localisation also impacts the availability of advanced cloud services, such as AI-based analytics and real-time fraud detection, which rely substantially on cross-border data flows. These requirements pose challenges, particularly for start-ups and businesses relying on cloud-driven technologies.

While these localisation measures aim to enhance data sovereignty and privacy, they do not necessarily improve data security, as concentrating data in a sole jurisdiction can lead to vulnerabilities to cyber-attacks and loss of data due to natural disasters. In addition, CSPs may face increased compliance burdens as the Indian regulatory landscape evolves, with additional layers of complexity, making it more difficult for them to operate efficiently while ensuring regulatory compliance synchronously.

Addressing Conflicts of Law in Cross-Border Data Transfer

Conflicts of law in cross-border data transfers within the cloud computing framework particularly arise when different jurisdictions enforce varying data protection standards. The DPDP Act will govern such transfers by allowing data movement unless a country is specifically blacklisted. However, conflicts may also arise when sector-specific laws (as indicated in 1.1 Data Privacy and Cloud Computing and 6.2 Data Localisation) impose stricter requirements – eg, mandating that certain classes of data be stored within India’s borders, despite the existing SPDI Rules and the forthcoming DPDP Act permitting cross-border transfers.

To address these conflicts, CSPs and businesses must ensure compliance with sector-specific regulations while facilitating cross-border data transfers, where allowed. This can be achieved by integrating localisation requirements into their operational infrastructure. Furthermore, as discussed in 6.1 Cross-Border Transfer Regulation, cross-border data transfer agreements should be tailored to incorporate SCCs and BCRs, in addition to clear contractual provisions, to reinforce compliance with international data protection standards and minimise potential conflicts.

Risks and Challenges Associated With International Data Transfers in the Cloud

International data transfers in cloud computing face significant challenges, particularly around compliance with varying legal frameworks. Jurisdictional conflicts arise when the data of Indian residents is transferred to countries with differing regulations, like the GDPR in the EU or the CCPA in California, USA. This leads to uncertainty concerning the applicability of the law, especially when data protection standards are not equivalent. Strict sector-specific localisation requirements, as mentioned in 6.2 Data Localisation, that mandate data storage within India further complicate cross-border transfers.

There are also significant data security risks associated with transferring data to regions with weaker or no statutory protection standards, making the data vulnerable to unauthorised access or government surveillance. The DPDP Act shoulders legal liability on Indian data fiduciaries, inferring that any breach by foreign processors can lead to hefty penalties. In addition, ensuring data subject rights, such as access or deletion requests, should be respected across multiple jurisdictions and their enforcement can be particularly challenging when foreign laws do not offer equivalent remedies.

Conducting Compliance Audits in Cloud Environments

Compliance audits in cloud environments in India are indirectly governed by regulatory frameworks such as the Companies Act, 2013, the SPDI Rules and other sector-specific regulations, including guidelines issued by MeitY. These audits are typically conducted by independent third-party auditors or government-approved internal auditors, to assess the security, privacy and legal compliance of corporate entities, including CSPs.

Rule 8 of the SPDI Rules mandates corporate bodies handling sensitive personal data to conduct periodic audits, at least on an annual basis, to ensure compliance with reasonable data security standards. Likewise, Section 10 of the DPDP Act mandates SDFs to conduct data audits through an independent data auditor to ensure conformity with the provisions of the DPDP Act. Rule 12 of the DPDP Rules proposes that this audit, along with a Data Protection Impact Assessment (DPIA), be undertaken annually by SDFs.

The audit process may include verifying data centre security, disaster recovery plans, data privacy measures and compliance with sector-specific regulations. For government entities, MeitY has issued guidelines that include specific audit requirements. CSPs offering services to the government must submit a sample audit report that covers critical aspects like data integration, disaster recovery and business continuity. The scope of compliance audits also encompasses reviewing legal compliance, managed services, and exit and transition plans.

Key Areas of Focus for Compliance Audits in Cloud Computing

The key areas of focus during a compliance audit in cloud computing typically include the following.

• Information security: ensuring compliance with the data security/certification standards mentioned in 2.1 Data Security and the Cloud.
• Data privacy and protection: technological compliance with the IT Act and its corresponding subordinate regulations, in addition to ensuring encryption, access control and secure management of personal data.
• Disaster recovery and business continuity: reviewing disaster recovery protocols, back-up systems and business continuity plans to ensure minimal downtime and data integrity in the event of a disaster.
• Legal and regulatory compliance: ensuring adherence to sector-specific requirements, such as the guidelines and directives released by RBI, SEBI, IRDEA, etc, from time to time.
• Cloud-specific controls: auditing cloud-specific controls under ISO/IEC 27017, ensuring security of virtual environments, data isolation and resource management.
• Management of contracts and exit strategies: ensuring that CSAs/SLAs and contractual terms with customers, including data migration and exit strategies, comply with regulatory requirements.

Managing Audit Trails and Logs in the Cloud

Audit trails in the cloud are crucial for tracking user activities and system events, enabling companies to maintain transparency and accountability. These trails typically include:

• timestamps for all system activities;
• user identification to track who accessed or modified data; and
• event descriptions to specify the nature of the activity (eg, creation, modification or deletion of data).

CSPs also ensure that audit logs are maintained securely, typically using encryption and access controls to prevent tampering.

The Companies Act, 2013, read with Rule 11 of the Companies (Audit and Auditors) Rules, 2014, mandates that all companies using accounting software (including cloud-based software) must ensure that the software has a feature to maintain an audit trail (or edit log) of all financial transactions, which cannot be disabled.

Measures to Ensure the Integrity and Accuracy of Audit Reports

To ensure the integrity and accuracy of audit reports in cloud environments, CSPs and auditors must adopt a multifaceted approach that aligns with both legal and operational imperatives. At the forefront of this process is data validation, a critical step to ascertain the consistency, accuracy and reliability of data under audit. This is supplemented by robust encryption protocols, which shield sensitive information from unauthorised access and potential tampering, thus upholding data confidentiality throughout the audit process. The engagement of key stakeholders ‒ data fiduciaries, internal audit teams and regulatory authorities – is equally paramount, fostering a comprehensive oversight mechanism and ensuring that responsibilities are clearly delineated.

Regular audits, both internal and independent, are mandated to ensure ongoing compliance with India’s dynamic regulatory landscape, including the stringent requirements set forth by MeitY. Furthermore, data consistency checks are integral to verifying that no unauthorised alterations have been made within the cloud infrastructure, thereby safeguarding the integrity of the system. Collectively, these measures form the bedrock of a resilient audit framework in cloud computing environments, harmonising operational transparency with India’s data protection framework.

Addressing Audit Findings and Recommendations in the Cloud

Once audit findings and recommendations are documented, they are typically addressed through a structured process, which includes the following.

• Action plans: developing a remediation plan to address any non-compliance issues or weaknesses identified during the audit.
• Compliance reporting: CSPs submit compliance statements detailing the measures taken to address audit recommendations and improve security or operational practices.
• Stakeholder co-ordination: CSPs co-ordinate with key stakeholders, including regulatory bodies (such as MeitY or RBI) and customers, to ensure that findings are addressed within specified timeframes.
• Periodic reviews: follow-up audits are conducted to ensure that the corrective actions have been successfully implemented. Independent verification may be required for high-risk or critical findings.
• Legal compliance: CSPs must ensure that they comply with all regulatory and legal obligations post-audit, including updating policies and CSAs/SLAs, as necessary.

Statutory Penalties for Non-Compliance With Cloud Audit Requirements

Penalties for non-compliance with audit requirements can be both statutory and contractual, depending on the nature of the CSP and the sector concerned. Such penal implications include the following.

• Non-compliance with Rule 8 of the SPDI Rules is punishable under Section 43A of the IT Act, which holds a corporate body liable to pay damages by way of compensation, the extent of which is uncapped.
• An SDF's breach in observance of its obligations under Section 10 of the DPDP Act (including the requirement to conduct data audits), would be punishable with a fine up to INR1.5 billion.
• Sector-specific regulations may impose further penalties, including monetary fines or restrictions on certain services, for failing to adhere to cloud audit requirements.
• Contractual penalties in private agreements between CSPs and their clients may include termination of services, monetary fines or litigation. The consequences for non-compliance with audit terms are generally outlined in CSAs/SLAs.