internetfreedom.in @internetfreedom +91 9899734350 rohin@internetfreedom.in 

By Email
To,
Uma Chauhan
Director/Scientist F
Department of Electronics and Information
Technology

Email: uma.chauhan@meity.gov.in,
cmo@meity.gov.in

Dated: Nov. 11, 2020


IFF/2020/170

Dear ma’am,

Re: Comments on Draft Data Centre Policy

1. Internet Freedom Foundation (“IFF”) is a registered charitable trust which advocates for
people’s rights over the internet across public institutions and the private sector. IFF’s
origins stem from the SaveTheInternet.in public movement which enabled more than a
million Indians to advocate that net neutrality be recognised as a core tenet of the public
internet. We work across a wide spectrum of issues, with expertise in free speech,
electronic surveillance, data protection, net neutrality and innovation; we champion
privacy protections, digital security, and individual freedoms in the digital age.

2. We are writing to you to offer our input on the Draft Data Centre Policy on which
comments have been invited till November 21, 2020. The formation of data centres will
play a key part in boosting India’s digital infrastructure while also providing a strong fillip
to the economy. We are largely supportive of the policy, though we feel it can improve
further, especially with respect to digital rights - which increasingly form a part of the
user expectations with a marked preference for online security and privacy. Such a focus
also helps India on the path to making it a global data centre hub.

3. For clarity, our inputs focus on four key clusters:

3.1. Security: The draft policy does not specify any security standards that data
centres must adhere to, or that may be prescribed in future by the Data Protection
Authority. Such standards ensure governance norms and audit processes that
are beneficial to prescribe and improve industry practices. There is a tangible
need to address this as several big data leaks have plagued local technology
companies in recent times, exposing swathes of confidential and often sensitive
data of Indian users. This is a situation exacerbated by the fact that due to the
COVID-19 pandemic many companies have moved towards a work-from-home
set-up, which has meant a greater degree of digitalisation and so a greater need
to ensure digital security. In light of this, we feel it is important for the Policy to
firmly lay down, at the very least, a broad framework for ensuring the protection
of data.

3.2. Privacy and digital rights: The policy does not mention the method in which
data centres will ensure they protect the digital rights of users. If it is
contemplated that such issues are to be covered under the proposed Data
Protection Bill, 2019, then a method for ensuring compliance with the same must
be specified.

3.3. Need for firm regulatory oversight: There should be a clear and unequivocal
acknowledgement within the policy for oversight by the Data Protection Authority
contemplated by the impending Personal Data Protection Bill, 2019. Here, ideally,
the primary mandate of the Inter-Ministerial Empowered Committee (along with
the Data Centre Facilitation Unit) should be limited to ease of business and any
overlap with the Data Protection Authority should be limited.

3.4. Imposition of Essential Services Maintenance Act: While we recognise the
importance of digital infrastructure for both the modern economy and modern
governance, we feel that the inclusion of data centres under Essential Services
Maintenance Act (ESMA) may be a step too far. Employees’ right to freedom of
expression is fundamental, and ESMA puts significant curbs on it. The Act has
already faced criticism, especially for its granting of power to arrest without a
warrant.

We look forward to your response. We remain at your disposal should you wish to discuss the
matter any further.

Kind Regards,

Rohin Garg,
Associate Policy Counsel, Internet Freedom Foundation
rohin@internetfreedom.in

E-215, Third Floor, East of Kailash, New Delhi 110065


 

Detailed Submissions on the Draft Data Centre Policy

Outline of the present submission


As stated in the covering letter, our submission is branched into four broad headings for
convenience and consideration. Each section is a specific cluster that highlights an
overarching theme that is divided into specific areas of support and concern, after which more
granular suggestions are made. These are, namely, guaranteeing security, ensuring
privacy and digital rights are upheld, the need for firm regulatory oversight, and finally the
imposition of ESMA.

Before we proceed with these issues, we would like to commend the approach towards
improving India’s digital infrastructure. As the digitalisation of the Indian economy continues,
upgrading capacity and facilitating the rapid growth of data facilities is a task of paramount
importance, especially after the fillip COVID-19 has given towards ‘going online’. This makes it
even more necessary to ensure that the rights and security of citizens are protected. Thus, we
have given our inputs taking the perspective of the millions of Indian citizens who would be
users of the system.

Proceeding from this premise, our core approach is towards ensuring that data centres
operate in a safe and secure manner that upholds the rights of users. Here, we focus on four
core issues that we feel are of supreme importance. We believe the mass establishment of
data centres is extremely important. In the rush to do so, however, regulatory standards should
not be reduced, for this impacts not only the rights of citizens but also the establishments
themselves.

1. Security

1.1. According to the Indian government, 2019 witnessed 1,05,849 cyber security incidents
(including phishing, network scanning and probing, virus / malicious code and website hacking)
in just the first five months.[1] 2019 and 2020 (till August) saw 54 and 37 Central and state
government websites hacked respectively.[2] Leaks in Aadhaar data, banking data, and credit card
information have also increased.[3],[4],[5] Even nuclear plants, such as the one in Kudankulam, have
been shown to be vulnerable.[6]

1.2 Furthermore, as the COVID-19 pandemic necessitates the greater usage of the
work-from-home set-up, enterprises too feel that digital infrastructure has to be upgraded to deal
with new security challenges, as 66% of Indian firms have reported at least one data breach
since they shifted to working from home.[7] Given that organisations faced a cost of Rs. 14 crore
on average per data breach in 2019-20, it is clear that data security processes need further
tightening and regulation.[8]

1.3 The Policy does not mention any specified security standards itself, and instead
delegates this to MEITY. It is encouraging that security is acknowledged as a key issue.
However, given the major role that data centres have been envisioned to have in India’s digital
infrastructure, it is vital that the policy take a more proactive approach to ensuring the security of
data. Additionally, given that the policy proposes non-fiscal incentives and rationalisation
frameworks to be drafted by the centre, efforts must be made to ensure that regulatory and
compliance standards with respect to data security are strengthened and not made more
flexible.

1.4 In light of this, we recommend that the framing of such guidelines should be left to the
Data Protection Authority envisioned by the Personal Data Protection Bill, 2019, which would be
well equipped to address such issues. For the time period till the Data Protection Authority
comes into force, the policy must explicitly spell out security standards. The ISO/IEC 27000
series and ISO/IEC 19395 may be considered. Security experts and those with technical
expertise must also be consulted. Additionally, while we acknowledge the industry as a fledgling
one (and thus one that would need nurturing), it is imperative that security standards not be
made lax in an effort to improve the ‘ease of doing business’.

[1] Unstarred Question no. 1848, Lok Sabha Questions, July 3, 2019;
http://loksabhaph.nic.in/Questions/QResult15.aspx?qref=2148&lsno=17.
[2] Unstarred Question no. 656, Lok Sabha Question, September 16, 2019;
http://loksabhaph.nic.in/Questions/QResult15.aspx?qref=17299&lsno=17.
[3] The Hindu BusinessLine Bureau, 1 bn records compromised in Aadhaar breach since January:
Gemalto, The Hindu BusinessLine, October 20, 2018;
https://www.thehindubusinessline.com/news/1-bn-records-compromised-in-aadhaar-breach-since-january-gemalto/article25224758.ece.
[4] Whittaker, India’s largest bank SBI leaked account data on millions of customers, Tech Crunch,
January 30, 2019; https://techcrunch.com/2019/01/30/state-bank-india-data-leak/.
[5] Rebello, RBI asks Indian banks to probe alleged data leak of 1.3 million cards, The Economic Times,
October 31, 2019;
https://economictimes.indiatimes.com/news/economy/finance/rbi-asks-indian-banks-to-probe-alleged-data-leak-of-1-3-million-cards/articleshow/71837356.cms?from=mdr.
[6] Palani & Anantharaman, What happened when the Kudankulam nuclear plant was hacked – and what
real danger did it pose?, Scroll, November 20, 2019;
https://scroll.in/article/943954/what-happened-when-the-kudankulam-nuclear-plant-was-hacked-and-what-real-danger-did-it-pose.
[7] Ramasubramanian, About 66% Indian companies faced data breaches, survey finds, The Hindu,
August 24, 2020;
https://www.thehindu.com/sci-tech/technology/about-66-indian-companies-faced-data-breaches-survey-finds/article32429823.ece.
[8] Organisations in India lost Rs 14 cr on average to data breaches in August 19- April 20: IBM,
Financial Express, July 29, 2020;
https://www.financialexpress.com/industry/technology/organisations-in-india-lost-rs-14-cr-on-average-to-data-breaches-in-august-19-april-20-ibm/2038497/.

2. Privacy and digital rights

2.1 To update India’s regulatory framework in the digital age, the Centre has introduced the
Personal Data Protection Bill, 2019 in Parliament. The Bill seeks to provide for the protection of
personal data, and proposes the establishment of a Data Protection Authority to regulate the
same. Certain clauses of the Bill proved to be contentious, especially since they differed from
the recommendations of the Justice Srikrishna Committee, and so the Bill was sent to a
Standing Committee for review.[9]

2.2 With respect to this, the policy contains two issues. Firstly, given that the Personal Data
Protection Bill, 2019 is yet to be passed, the adoption of this policy in its existing form would be
tantamount to a completely laissez-faire regulatory framework. Secondly, in case the policy
is contemplated to be complementary to the Bill, it does not specify any framework for
ensuring that data centres comply with data protection guidelines.

2.3 Considering the fact that data centres are to be central to the nation’s digital
infrastructure, it is imperative that data centres be made to ensure that they comply with privacy
regulations and do not infringe on the digital rights of users. To this end, we recommend that the
policy provide a detailed framework for ensuring that data centres protect the privacy of users.
This may be done, for example, by providing a model privacy-by-design policy (as has been
contemplated by the Personal Data Protection Bill, 2019) for data centres, which would be
drafted by the Data Protection Authority. Once again, till the Data Protection Authority comes
into force, a temporary model policy may need to be specified.

[9] The Personal Data Protection Bill, 2019: How it differs from the draft Bill, PRS Legislative Services,
December 27, 2019;
https://www.prsindia.org/theprsblog/personal-data-protection-bill-2019-how-it-differs-draft-bill.

3. Need for firm regulatory oversight

3.1 The Personal Data Protection Bill, 2019 proposes a Data Protection Authority (DPA) to
deal with issues related to personal data. Amongst other things, the Bill designates
monitoring the application and enforcement of the provisions of the Bill as a key function of
the DPA. The Bill also provides the DPA with the power to issue directions to data fiduciaries
and data processors.[10]

3.2 To facilitate the ease of doing business, the draft policy proposes an Inter-Ministerial
Empowered Committee (IMEC) under the chairmanship of the Secretary to the MEITY. The
policy also proposes a Data Centre Facilitation Unit (DCFU) within the MEITY, as well as a Data
Centre Industry Council (DCIC) to facilitate dialogue between industry and the government.

3.3 The policy fails to clarify the relationship between the DPA and the IMEC, and leaves it
to the MEITY to detail the Terms of Reference of the IMEC. The issue here is that these two
bodies seem to have mandates that, while possibly complementary, may not always be in
concordance: the IMEC’s mandate at the outset is to help the private sector build up
data centre capacities, while the role of the DPA is to protect the rights of users and ensure
compliance.

3.4 Given that data centres are a fledgling industry, the creation of bodies such as the IMEC
and the DCIC is welcomed as they will allow the government to take inputs from the private
sector on how best to provide support to industry. However, allowing the decisions of the IMEC
to supersede the authority of the DPA may result in regulations that, though intentioned towards
improving India’s digital capacity, may end up infringing upon the rights of citizens.

3.5 Thus, we recommend that regulatory oversight with regard to data centres be
unambiguously brought under the ambit of the DPA, as it would be the authority best placed to
handle such issues. Consultation with the IMEC, DCFU, and the DCIC is encouraged, but the
decision of the DPA must be final. The ambit of the IMEC should be restricted to enabling the
ease of doing business in the sector, and implementation and compliance should be left to the
DPA.

[10] Personal Data Protection Bill, 2019, PRS Legislative Services,
https://www.prsindia.org/sites/default/files/bill_files/Personal%20Data%20Protection%20Bill%2C%202019.pdf.

4. Imposition of Essential Services Maintenance Act

4.1. The Essential Services Maintenance Act, 1968 (ESMA) has a long and chequered
history. A key component of the criticism the Act faces stems from its latter clauses,
which are: 1) imprisonment for up to six months for taking part in an illegal strike, 2)
imprisonment for up to one year for instigating a strike, 3) imprisonment for up to one year for
providing financial aid in support of a strike, and 4) giving the police the power to arrest without
a warrant anyone reasonably suspected of having committed any offence under this Act. Critics
have termed these as draconian.[11]

4.2 Recent attempts to widen the scope of ESMA have faced protests. For example, recently
the Ministry of HRD took back its decision to bring Delhi University under the ambit of ESMA
after protests by the Delhi University Teachers’ Association.[12] Attempts to amend the Goa
Essential Services Maintenance Act, 1988 were also halted as the amendment, which
demanded harsher punishment and made arrests cognisable, had to be sent to a Select
Committee for review.[13] It has also been noted that several state governments have misused the
Act to discipline workers rather than listen to their demands.[14]

4.3 Clause 5.2.3. of the draft policy states that “Continuous functioning of Data Centres is
critical for continued delivery of services and to maintain the normalcy of day to day activities.”
However, does the processing of data really fit the definition of a critical service? ESMA allows
the central government to bring under ESMA those services for which “strikes therein would
prejudicially affect the maintenance of any public utility service, the public safety or the
maintenance of supplies and services necessary for the life of the community or would result in
the infliction of grave hardship on the community”.[15] While data processing centres would form
an integral part of the nation’s infrastructure, it cannot be said that strikes in a data processing
establishment would affect public utility services or those services necessary for the life of the
community, nor can they be said to inflict grave hardship on the community.

4.4 The process of building up India’s digital infrastructure is a momentous and important
task, but this process should not end up infringing upon the fundamental right to freedom of
expression of those it is being built for: the users i.e. the citizens of India. In light of this, we feel
that clause 5.2.3. of the policy should be removed.

[11] Shyam, Sunder; Essential Services Maintenance Act, Economic and Political Weekly Volume 47,
May 26, 2012; https://www.epw.in/journal/2012/21/commentary/essential-services-maintenance-act.html.
[12] Indian Express news service, Under fire from teachers, HRD won’t bring Essential Services
Maintenance Act in DU, Indian Express, accessed on November 13, 2020;
https://indianexpress.com/article/india/duta-hrd-delhi-university-teachers-essential-services-maintenance-act-du/.
[13] Following criticism, ESMA Bill referred to Select Committee, Herald Goa, accessed on November 13,
2020; https://www.heraldgoa.in/Goa/Following-criticism-ESMA-Bill-referred-to-Select-Committee-/156626.
[14] Barnagarwala, Maharashtra: State govt warns healthcare staff with MESMA, nurses say need more
safeguards, Indian Express, accessed on November 13, 2020;
https://indianexpress.com/article/india/maharashtra-state-govt-warns-healthcare-staff-with-mesma-nurses-say-need-more-safeguards-6423106/.
[15] Essential Services Maintenance Act, 1968, Indian Kanoon; https://indiankanoon.org/doc/902835/.
