The Ministry of Electronics and Information Technology (e-Governance Division) recently introduced a draft policy titled ‘Data Centre Policy, 2020’, with an aim to drive necessary regulatory, structural, and procedural interventions for enabling ease of doing business in the data centre sector, create infrastructure to promote data localisation, and accelerate the data centre sector’s growth. The objectives are to be achieved through fiscal and non-fiscal incentives, facilitation of uninterrupted and cost-effective power supply, and promotion of capacity building along with skill development of human resources.
It also focuses on making India the most favorable country for establishing data centres by resolving the challenges of mundane infrastructure, complex and time-consuming clearance/ approval processes, high cost of power, absence of specialised building norms for data centres, limited regional submarine cable network connectivity, and high cost of operational expenditure and capital. Ultimately, it envisions growing the size of the Indian digital economy from 200 billion USD in 2017-18 to 1 Trillion USD by 2025 by actively resolving the issues plaguing the sector.
This initiative is commendable given that India is the biggest data generating economy and, as such, it must be capable of storing the data it produces well within its geographical boundaries. Data centres are used by organisations and individuals to house their data. This data can be personal data, sensitive personal data, critical data, business related data, trade secrets, data with intellectual property rights such as copyrights and patents, or confidential data. Therefore, it makes sense to keep this data secure.
Imperatively, this makes the security of the data centre facility and the data crucial, physically as well as virtually. As the digitization of the Indian economy continues, it also dictates that the rights of citizens be further safeguarded in the democracy through Data Protection Laws, the implementation of which would be facilitated through enforcement of this policy. We are supportive of the draft data centre policy; however, we have certain suggestions/ recommendations to make it even better!
Our recommendations on the draft data centre policy relate to the following aspects:
- Security of data and its risk assessment
- Physical security of data centres
- Declaration of data centres as essential services
- DCIS, participation of the renewable energy industry, and software industry
- Environmental Impact and Optimisations
- Abolishing redundant compliances/ approvals
- Grievance redressal mechanism for Data Centres
- Coordination between Centre and States
- Research and development for innovative data centre designs/ equipment
- Winding up procedures and migration of data outside the data centre/ country.
SECURITY OF DATA AND RISK ASSESSMENT
A data centre holds tremendous amounts of data. 1 TB of space can roughly store about 2,50,000 photos taken with a 12 MP camera, or 500 hours of HD video, or 6.5 million document pages stored as .docx, PDF or PPT files. 1 TB is equivalent to 13,000 physical filing cabinets of paper. Amazon has already acquired a facility of 66,000 sq. mt (710,000 sq. ft) on the outskirts of Hyderabad, which can contain approximately 156,000,000 TB of data in 20,000 cabinets, each cabinet occupying 2 feet by 8 feet of floor space. This data comprises personal data, sensitive personal data, critical data, business data, trade secrets, data with intellectual property rights such as copyrights and patents, and confidential data or other forms of crucial data. The security of such data is of paramount importance.
The draft data centre policy suggests following international standards, which should be published by MeitY, and following the state of the art to maintain the security of data centres. The draft also mentions the Data Protection Bill of 2019. We believe that basic principles for security must be followed at data centres to protect the confidentiality of data and its integrity, and at the same time enable continued availability. The security practices provisioned in the Information Technology Act, 2000, are insufficient to meet global security practices. For example, there is no provision for breach reporting/ disclosure, regular risk management or audit exercises, forensic investigation of breached/ suspected systems, liability for breaches/ non-compliance with reasonable security practices, etc. The standards mentioned in the Data Protection Bill, 2019, are also insufficient to secure this data because the bill is primarily restricted to personal data and sensitive personal data of natural persons, and does not cover other categories of data which can be crucial for businesses and individuals.
The policy draft is silent about measures to safeguard the physical security of data centres, especially data centres co-hosted in a data centre park, in the case of a natural calamity or physical attack. Measures like back-up of data at separate places, connectivity to such infrastructure, and their governance policy are also missing. The policy must address these challenges.
PHYSICAL SECURITY OF THE DATA CENTRES
The policy draft does not mention any measures for physical security of the data centre and leaves the issue of regulating security of the data centres to MeitY.
As mentioned earlier, physical security of data centres is also a critical component of the overall security strategy. This assumes all the more importance in co-hosted data centres in data centre parks. Security of networking/ electrical cables within the data centre parks, demarcated areas, cooling components, restricted personnel access with logging to specific areas of the infrastructure, no access to visitors within the premises, active patrolling, etc., are of paramount importance. Therefore, the policy must also aim to look at the physical security aspect of data centres and data centre parks.
DECLARING DATA CENTRES AS ESSENTIAL SERVICES
The draft policy proposes to declare data centres as an Essential Service under “The Essential Services Maintenance Act, 1968 (ESMA)” for continued delivery of services even during times of calamities or crisis.
This Act allows the Central Govt. to bring under ESMA those services in which strikes would prejudicially affect the maintenance of any public utility service, the public safety or the maintenance of supplies and services necessary for the life of the community, or would result in the infliction of grave hardship on the community. The Essential Services Maintenance Act provides for imprisonment of six months in case of a strike and imprisonment of one year in case of instigating a strike. The title of Essential Service has the potential to curtail the workers' right to strike against breach of contract in a public utility service as enshrined under Section 22(1)(a) of the Industrial Disputes Act, 1957. The application of this Act has been criticised multiple times.
Rather than the status of essential service, the status of protected system and Critical Information Infrastructure (CII) under Section 70 of the Information Technology Act, 2000, can be more efficient and appropriate. This Section protects the system against physical damage, and unauthorised access in contravention of this Section is punishable with imprisonment of up to 10 years and a fine.
PARTICIPATION OF THE RENEWABLE ENERGY INDUSTRY
The policy puts emphasis on continued availability of power at low rates, which is commendable. The policy also focuses on facilitation of power generation units by data centre parks. However, the policy only slightly touches upon the issue of renewable power generation units.
At the moment, solar power generation has become a credible alternative as its efficiency and cost effectiveness have increased. To encourage use of renewable energy resources, if not for the entire facility then at least for back-up/ minimum operational requirements, the Data Centre Incentivization Scheme shall also cover use of locally sourced/ manufactured renewable sources of energy.
Similarly, the policy talks about a testing and certification framework for the Data Centre ecosystem, including equipment and software products. However, we believe the policy should go one step further and the Data Centre Incentivization Scheme (DCIS) shall be extended to the use of software, security solutions, data centre management software, etc., to encourage use of locally developed software.
ENVIRONMENTAL IMPACT AND OPTIMISATIONS
The issue of environmental protection must be looked at compassionately, and not just from a purely business perspective as another approval or compliance. Although the policy ever so slightly touches upon the use of renewable resources of power, it does not take into consideration, with a more compassionate view towards the local environment, the fact that a large piece of land would be used, and data centres emit a lot of heat, thus have intense cooling requirements, and also consume tremendous amounts of energy.
Policy, especially technology policy, must be equally innovative to solve bigger problems simultaneously. Since establishing data centre parks, which would need large areas of land, would naturally claim a lot of wildlife, and their operations would have an environmental impact for the reasons stated above, the policy should also have come up with some innovative solutions to minimise/ mitigate their carbon footprint. It would be much appreciated if, apart from standards of build, security, IT and non-IT operations, the efficiency of a data centre, or data centre park, is also emphasised. Setting up of data centres at cooler places should be preferred, and heat emanating from the equipment can be channelled to heat other parts of the building. At places of moderate temperature, cooling shall be optimised and overcooling must be eliminated. All efforts shall be made to achieve higher levels of efficiency.
ABOLISHING REDUNDANT COMPLIANCES/ APPROVALS
At the moment, around 30 different approvals and compliances, including several pre-setup approvals, from local, state, as well as central authorities are required to set up a data centre and start operations. The policy seeks to set up a single window clearance system, but many compliances and approvals can be done away with, e.g. environmental clearances, given that it would be the state government which would identify land parcels for data centre parks.
The data centre parks, as per the policy, would be pre-provisioned; therefore, some approvals and compliances, which would effectively be rendered redundant, can be done away with, reducing cost and time and ensuring speedy approvals. Some examples of these approvals are tree cutting NOC, Power Connection Feasibility, design & sanction approval, environmental clearance, etc. Moreover, to prevent delay, or to further facilitate ease of doing business, a deemed approval system can be introduced at all levels of governance after ensuring a minimum level of approval and compliance. Approvals shall also be granted in a timely manner.
GRIEVANCE REDRESSAL MECHANISM FOR DATA CENTRES
One of the primary objectives of the policy is to create an institutional governance mechanism. The policy also aims for a single window compliance system for data centres, and a Data Centre Industry Council. However, there is no grievance redressal mechanism in place for speedy resolution of problems encountered in setting up or arising out of operations.
The policy should also seek to establish a grievance redressal mechanism, where grievances encountered during the setting up of the data centre, and during operations, could be raised and resolved in a timely manner. Feedback from this mechanism would be crucial in further evolving the policy and its implementation.
COORDINATION BETWEEN CENTRE AND STATES
The policy rightly proposes to set up an independent Data Centre Industry Council (DCIC), which would act as an interface between the sector and the Government. However, the policy remains silent on Centre-State coordination with regard to Data Centre Policy and Enforcement.
For increased cooperation between data centres and all levels of government, a joint Centre-State mechanism, to work on both policy and enforcement of the policy, should be implemented. The reason that this kind of a mechanism is indeed required lies in the fact that the approvals/ compliances required to set up and operate a data centre are to be obtained from both state and central level authorities. Further, resources required also entail involvement of state level and central level authorities.
RESEARCH AND DEVELOPMENT FOR INNOVATIVE DATA CENTRE DESIGNS/ EQUIPMENT
The policy aims to promote indigenous technology development, research, and capacity building. The policy also talks about incentivizing global component manufacturers to set up manufacturing units of IT/ Non-IT components in India, etc. The R&D aspect is restricted to equipment, IT and non-IT components, products, services, etc.
We believe that R&D shall be promoted to operate beyond the confines of a data centre park, and shall also look to tap into new and cutting edge opportunities arising in the sector as a whole. For example, Microsoft’s Project Natick is experimenting with underwater data centres, which could be deployed and operationalised within a staggering period of 90 days! It also does away with cooling requirements and many physical security aspects, and equipment malfunction is also highly unlikely. Given the vast coastal area that India has, this could be a wonderful opportunity for India to tap into.
WINDING UP PROCEDURES AND MIGRATION OF DATA OUTSIDE THE DATA CENTRE/ COUNTRY
The policy is all about setting up of data centres and data centre parks but is awfully silent on winding up procedures of a data centre. We should keep in mind that ease of doing business encompasses all phases of a business, from setting up to winding up!
The policy should also aim to lay down guidelines regarding winding up of data centres, provisions to auction/ sell the data centre assets and other equipment, or other provisions to deal with insolvency of a data centre. Most importantly, secure erasure of data, especially personal or sensitive personal data, from the storage facilities of data centres must be looked into.
In case there is a need to migrate all data from a data centre within or outside India, the policy must also look at that aspect, especially in case of a natural calamity.
The recommendations were researched and drafted with the help of Adv. Bhagyashree Swami, Adv. Ayushi Richa Mishra, and Mr. Pukhraj Biala. The recommendations were also sent to the Ministry of Electronics and Information Technology, Government of India.
Rohit is a practicing advocate at Delhi. Beginning as a tech enthusiast, Rohit always had a keen interest in computer forensics and information security. Building upon these fundamentals, he has undertaken extensive research on various techno-legal topics and continues his pursuit to pass on valuable information to the masses, with a zeal to build something that outlasts him.