India embraces an increasingly changing workforce amid tremendous technological progress and new models of work…
Legal Implications of IPR Protection ‘In The Cloud’: an Indian Analysis
With the overwhelming majority adopting cloud computing resources and the prevalent practice of storing data in the cloud, it is evident that cloud computing has emerged as the predominant model for computer and information technology services worldwide. Cloud services are regularly used, whether users are aware of it or not, whether it be Google Drive, X (formerly Twitter), or Azure.
When considering Intellectual Property (IP), embracing the cloud is like a double-edged sword. On one hand, cloud technology enables the collaboration and innovation that businesses require by bringing numerous advantages, including cost savings, scalability, adaptability, dependability, and improved security, but it also poses a potential threat to the security of sensitive IP data that needs to be properly secured and protected from unauthorized use and infringement.
WHAT IS CLOUD COMPUTING?
When you use services and resources that are delivered through the internet rather than on local devices or servers, you are using a technology known as the “cloud”. The “cloud” is an infrastructure for storing and processing data that operates independently of the client. A ‘client’ is a hardware device or software used to access a cloud service, for example, a personal computer. Remote client access to such infrastructure is practical, typically through the Internet. Users can access and store data in the cloud, run apps, write software, and accomplish other tasks without having to buy, install, or manage their own hardware or software, aka on-premise deployment.
Importantly, none of the data processing or storage currently done in the cloud needs to be done on the client, which dramatically lowers the hardware, software, and security requirements of the client device. This implies that data processing and storage in the cloud eliminates the need for operations on the client’s device. Services can be offered to a client in one jurisdiction, processed and stored in locations elsewhere, possibly across different jurisdictions. This implies uncertainty regarding the physical locations of the cloud provider’s hardware and software, as well as locating the physical storage of the client’s data.
JURISDICTIONAL DISCREPANCIES IN THE CLOUD: A LEGAL QUAGMIRE FOR IPR OWNERS.
The amorphous nature of cloud computing presents a challenge when it comes to determining which laws will be applicable. Given that IP rights are territorial and a particular cloud computing service can operate across multiple jurisdictions, it can be quite uncertain which IP regulations should govern activities in the cloud computing environment.
Although cloud offerings are often global and multi-jurisdictional, the IP laws governing services generally remain territorial and national. Copyright laws, for instance, vary from jurisdiction to jurisdiction. What constitutes copyright infringement in one country may not be in another. Thus, in Tiffany(NJ) Inc. v. eBay Inc.[1], the cloud service provider was not made liable even after abetting the infringement.
[Image Sources: Shutterstock]However, in the case of Neetu Singh and Ors. Vs. Telegram FZ LLC and Ors. (2022)[2], the High Court of Delhi held that because the respondent chose to put its service in Singapore, the Plaintiff cannot be rendered helpless against actual infringers. The mere fact that the respondent operates in India and has servers in India empowers Indian courts to deal with copyright disputes to address this matter. “In the present age of cloud computing and diminishing national boundaries in data storage, conventional concepts of territoriality cannot be strictly applied. The dynamic evolution of law is essential to ensure appropriate remedies in case of violation of copyright and other IP laws.”
INFRINGEMENT DETECTION CHALLENGES
The Infringement of IPR in the cloud is a complicated and expanding subject including legal, technical, and ethical issues. Thus, there are no well-established methodologies for detecting such infringements. Moreover, IP rights are inherently territorial, creating problems for IP owners who use cloud computing, such as their patented inventions being used or infringed in multiple locations without their consent or knowledge.
The Delhi High Court in Bajaj Electricals Limited vs. Gourav Bajaj & Anr.[3] held that the plaintiff’s trademark and trade dress was infringed by defendants. Using cloud services to host their website and storing their data aided the difficulty in tracing their name and location. “The cloud is facilitated by the hardware owners and service providers, and the cloud itself might be the result of a subcontract among the parties. Hence in these cases, there arises the situation of divided infringement for which no definitive law exists.”[4]
SOLUTION
IP audit and due diligence can help identify the IP rights and obligations of the parties involved, as well as the potential IP threats and opportunities. To ensure IP compliance and security of the cloud service providers or customers the following may be practiced:
- Anti-counterfeiting technologies that aim to protect, identify, and track intellectual property content in digital media, computers, and electronic devices including methods such as watermarking, fingerprinting, encryption, digital rights management, and blockchain.
- Surveillance and analysis of IP-related activities on the internet, such as domain name registration, web crawling, social media monitoring, and online marketplace scanning which can help detect potential IP infringement cases, such as cybersquatting, phishing, counterfeiting, piracy, and plagiarism.
CONFIDENTIALITY, TRADE SECRETS AND SECURITY CONCERNS IN THE CLOUD
Ensuring data security poses a major challenge for businesses, especially when operational data is stored in the cloud, raising concerns about safety and protection from manipulation. IP owners, in particular, worry about safeguarding their valuable data and trade secrets.
While the cloud introduces hazards, it also offers a potential silver lining for security. Unlike traditional network servers, which are frequent targets of data breaches, cloud provides safer storage options. Traditional databases are prone to attacks like malware, phishing, and employee negligence. In contrast, cloud security features make it a more robust choice, reducing the risks associated with continuous access and the impracticality of encrypting sensitive content each time on traditional servers.
Companies usually build better firewalls for additional protection. However, by relocating protected data from the servers companies can confidently ensure its security while still enjoying all the benefits the cloud has to offer. “With adequate safeguards, IP data stored in the cloud will be safer than on any single physical network. The key to securing cloud-based storage is encryption.”[5]
DATA ENCRYPTION
Data encryption is the primary means by which IP in the cloud may be protected. Encrypted data can only be decrypted by authorised people who have the relevant key. IP owners can restrict unauthorised access or exposure of sensitive information, such as product designs, by encrypting data at the file level i.e., it is invariably encrypted from prior to reaching the cloud to after leaving it.
Even if the cloud provider or encryption provider is attacked by hackers or bad insiders, the IP data will be safe and intact if encryption keys are kept separate from IP data. Neither the cloud provider nor the encryption provider will have access to the IP data.
LAYERED CLOUD SECURITY
Implementing layered cloud security solutions establishes a comprehensive audit trail. Vigilant monitoring of encrypted files and maintaining records of authorized individuals and their access times are of paramount importance for preventing security breaches and safeguarding IP. Utilization of cloud infrastructure not only offers myriad advantages for IP projects but also introduces vulnerabilities that necessitate preemptive mitigation measures.
GOVERNMENTAL ACCESS OF IP THROUGH THE CLOUD
Even when data is encrypted, the government can investigate it, thanks to vulnerabilities introduced by service providers for law enforcement purposes. Governmental access to the cloud refers to the ability of government authorities to access, monitor, or obtain data stored in cloud services for national security, or other public interest purposes, without adequate safeguards or oversight.
“Ignoring the fundamental & privacy rights of data principals or requirements of data fiduciaries The Digital Personal Data Protection Act (DPDP), 2023[6] authorises the central government to exclude government agencies from any restrictions in interest of achieving state security and public order, including processes for prevention, investigation, and prosecution of crimes. Excessive collection of sensitive IP data which may be held by numerous government entities begs the issue of whether these exemptions will pass the proportionality test.”[7] Risk of unauthorised disclosure, copying, or use of confidential or proprietary information, trade secrets, or copyrighted material stored in the cloud increases.
Section 69 of The Information Technology Act 2000[8] requires a person in charge of computer resources to provide all available assistance to law enforcement agencies affecing the ownership and control of IP data and content stored in the cloud, especially if the data is transferred across different jurisdictions with different laws and regulations. Some countries may claim sovereign rights over data stored within their territory, regardless of the contractual agreements between the data owner and the cloud provider.
Uncertainty and inconsistency in the enforcement and protection of IPR in the cloud causes a lack of harmonisation or coordination among different legal systems and authorities posing significant challenges and risks for both cloud providers and users, as well as for IPR holders and creators. For example, some countries may have more stringent or lenient standards for granting or denying governmental access requests or for imposing sanctions or remedies for IPR violations.
Therefore, it is important to have clear and transparent policies and practices regarding governmental access to the cloud, as well as effective mechanisms for resolving disputes and ensuring accountability.
LEGAL RECOGNITION OF ‘THE CLOUD’ IN INDIA
There are no overarching consolidated laws on providing cloud services in India and none of the existing IP laws recognize it either. However, certain provisions may be relevant be potentially applicable to address IPR disputes.
In 2023, the enactment of the DPDP marked a significant milestone as the inaugural comprehensive legislation safeguarding the privacy and security of data belonging to Indian residents. This Act bears resemblance to the GDPR[9], acknowledged as the most stringent security and privacy law globally. Statutes such as the Integrated Goods and Service Act 2017[10], Trade-Related Aspects of Intellectual Property (TRIPS)[11], the Information Technology Act of 2000, Rules on Information Technology 2011[12], and judicial developments are acknowledging activities and infringements in the cloud.
Businesses in developing countries like India face upgrade and vendor lock-in issues however Government is also coming up with “GI Cloud” or “Meghraj” pertaining to an initiative by the Government of India aimed at creating a national cloud computing platform. Officially designated as Megh Raj – Government Infrastructure as a Service (GIaaS) this project is overseen by the National Informatics Centre (NIC), functioning under the Ministry of Electronics and Information Technology (MeitY). It is designed as an Infrastructure as a Service (IaaS) platform. It offers virtualized computing resources, such as virtual machines, storage, and networking, over the Internet.
CONCLUSION
Even while ‘the Cloud’ is legally recognised and laws exist, they are murky and poorly defined. It is unknown whether their jurisdiction extends to cloud computing situations. Hence, there is a need for robust legislation in this field to ensure that no one’s rights are violated. Some countries have a solid structure in place not only for cloud computing but also for IT regulations. To exemplify, individuals or companies trying to open cloud services in China need a VATS license. Moreover, the Cloud Computing Act is a proposed legislation aiming at providing clarity regarding the rights and responsibilities of the CSP and Users regarding the IPR in the cloud USA. Thus, cloud services are easily regulated. To ensure that the rights are not hampered as the enjoyment of sophisticated technologies persists the need of the hour is to enact stronger legislation in this field.
Author: Diya Gohil, in case of any queries please contact/write back to us via email to [email protected] or at IIPRD.
[REFERENCES]
- Tiffany(NJ) Inc. eBay Inc., N 04 Civ. 4607 (RJS).
- Neetu Singh and Ors Telegram FZ LLC and Ors., CS (COMM) 282/2020.
- Bajaj Electricals Limited vs. Gourav Bajaj & Anr., 2020(82)PTC40(Bom).
- Kurakar, L.T. (2023) IP issues in cloud computing, Intellectual Property, IPR & Corporate Law Firm Chennai, Bengaluru. https://www.altacit.com/ip-management/ip-issues-in-cloud-computing/ (Accessed: 29 October 2023)
- Cidon, A. (2015) Protecting intellectual property in the cloud, WIPO. https://www.wipo.int/wipo_magazine/en/2015/03/article_0004.html (Accessed: 29 October 2023).
- Ministry: Electronics and Information Technology (2023) The Digital Personal Data Protection bill, 2023, PRS Legislative Research. https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 (Accessed: 29 October 2023).
- the Information Technology Act, § 69, No. 21, Acts of Parliament, 2000 (India).
[1] Tiffany(NJ) Inc. v. eBay Inc., N 04 Civ. 4607 (RJS).
[2] Neetu Singh and Ors v. Telegram FZ LLC and Ors., CS (COMM) 282/2020.
[3] Bajaj Electricals Limited vs. Gourav Bajaj & Anr., 2020(82)PTC40(Bom).
[4] Kurakar, L.T. (2023) IP issues in cloud computing, Intellectual Property, IPR & Corporate Law Firm Chennai, Bengaluru. https://www.altacit.com/ip-management/ip-issues-in-cloud-computing/ (Accessed: 29 October 2023)
[5] Cidon, A. (2015) Protecting intellectual property in the cloud, WIPO. https://www.wipo.int/wipo_magazine/en/2015/03/article_0004.html (Accessed: 29 October 2023).
[6] Digital Personal Data Protection Act, No. 22, Acts of Parliament,, 2023 (India)
[7] Ministry: Electronics and Information Technology (2023) The Digital Personal Data Protection bill, 2023, PRS Legislative Research. https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 (Accessed: 29 October 2023).
[8] the Information Technology Act, § 69, No. 21, Acts of Parliament, 2000 (India).
[9] Regulation (EU) 2016/679, European Parliament and of the Council of 27 April, 2016
[10] Integrated Goods and Service Act, 2017, No. 13, Acts of Parliament, 2017 (India).
[11] Agreement on Trade-Related Aspects of Intellectual Property Rights, Apr. 15, 1994, Marrakesh Agreement Establishing the World Trade Organization, Annex 1C, 1869 U.N.T.S. 299, 33 I.L.M. 1197 (1994)
[12]Ministry of Communication and Information Technology, Rules on Information Technology, 11th April, 2011 (India).