Judgment in Civil Appeal No.5802 of 2022 – 2022 (5) KLT 747 (SC) –

ForsakenRights of A Prospective Child

(By Devi A.R., Under Secretary to Government, Law Department,
                              Government Secretariat,Thiruvananthapuram)

In a non barbarian, civilised society, where rule of law is ruling the system, no one
should be deprived of his life except according to the procedure prescribed by law. Judiciary, while interpreting the factual and legal matrix of a case, is not supposed to over look the rights of any party connected to the matrix.

Coming straight to the judgment of the Hon’ble Apex Court in Civil Appeal No.5802
of 2022 (X v. Principal Secretary, Health and Family Welfare Department of NCT of Delhi & Anr. (2022 (5) KLT 747 (SC))¹ The factual matrix in the case is that the appellant is an unmarried major woman aged around twenty-five years had become pregnant as a result of a consensual relationship with his partner. She wished to terminate her pregnancy as “her partner had refused to marry her at the last stage.” She invoked the writ jurisdiction of the High Court seeking its permission to terminate her pregnancy before the completion of twenty-four weeks on 15 July 2022. The High Court observed that since the appellant, being an unmarried woman, whose pregnancy arose out of a consensual relationship, was not covered by any of the sub-clauses of Rule 3B of the MTP Rules. Section 3(2)(b) of the MTP Act was inapplicable to the facts of the case. Hence she approached the Hon’ble Supreme Court.

The appellant contended before the Apex Court that she did not want to carry the pregnancy to the term since she was wary of the “social stigma and harassment” pertaining to unmarried single parents, especially women and moreover, the appellant submitted that in the absence of a source of livelihood, she was not mentally prepared to “raise and nurture the child as an unmarried mother.” The appellant stated that the continuation of the unwanted pregnancy would involve a risk of grave and immense injury to her mental health. The appellant sought permission to terminate her pregnancy in terms of
Section 3(2)(b) of the Medical Termination of Pregnancy Act 1971 and Rule 3B(c)of the Medical Termination of Pregnancy Rules 2003 (as amended on 12 October 2021). The appellant instituted a Criminal Miscellaneous Application for grant of interim relief to terminate her pregnancy during the pendency of the Writ Petition and the Hon’ble Apex Court allowed the same.

The Hon’ble Apex Court in its judgment dated 29.09.2022 considered the factual and legal matrix under different heads viz., The Medical Termination of Pregnancy Act, 1971 and the rules framed thereunder, barriers to accessing safe and legal abortions, RMPs’ fear of prosecution, Social stigma surrounding unmarried women, the rule of purposive interpretation, Transcending the institution of marriage as a source of rights, Modern or a typical forms of familial relationships, the equal status of married and unmarried or single women, the object and purpose of the MTP Act , the MTP Act as an aid of interpretation: Understanding “injury to mental health” construing Rule 3B,Constitutional values animating the interpretation of the MTP Act and MTP Rules , The right to reproductive autonomy, the right to dignity, Purposive interpretation of Rule 3B furthers the constitutional mandate, India’s obligations under international law, Reiterating the positive obligations of the State etc. But the seventy five page judgment never focused on the rights of unborn child.

The Medical Termination of Pregnancy Act is an Act to provide for the termination of certain pregnancies by registered medical practitioners and for matters connected therewith or incidental thereto.²  But the Act does not provide any positive assertion of the right to medical termination of pregnancy but it is limiting the right to termination of pregnancy in certain cases only and it lay down the situation wherein this right can be exercised.

 In the instant case the prospective child was born out of a consensual relationship the appellant wished to terminate her pregnancy as her partner had refused to marry her at the last stage. She did not want to carry the pregnancy to term since she was wary of the “social stigma and harassment” pertaining to unmarried single parents. She also contended that continuation of the unwanted pregnancy would involve a risk of grave and immense injury to her mental health. She did not wish to continue the pregnancy and have the child out of wedlock as she lacked the financial resources to do so. She was not employed and her parents were farmers. The above mentioned grounds are positively considered by the Hon’ble court and granted relief sought by the appellant. But there are some discrepancy in the reasoning for the judgment and the relief granted.

The appellant contended that she and her family is financially not sound enough to bring up the child. At paragraph 10 of the judgment the view of Ms. Aishwarya Bhati, learned senior counsel and Additional Solicitor General has assisted the Court in the interpretation of Section 3(2) of the MTP Act and Rule 3B(c) of the MTP Rules is extracted and 10(e) interprets live in relationship as equivalent to marital relationship.

“e).“Live-in relationships” are equivalent to marital relationships because in both types of relationships, the woman is entitled to maintenance. Further, the children born out of such a relationship are vested with the right of succession. Various national legislations, including the MTP Act, do not make a distinction between married woman and unmarried or single woman;...”

From the above interpretation which is accepted by the Court it very clear that as per law the appellant in the instant case is entitled to maintenance from the partner. Hence the contention of financial inability to maintain the child as a ground for abortion is not legally sustainable. As per the Domestic Violence Act the male partner is duty bound to maintain the woman and child. Moreover in a welfare State there are State machineries to take care of such child if the both parents are unable to maintain the child. 

Second issue raised by the appellant is about the social stigma. At para 26 of the judgment the Hon’ble Apex Court discussed about notion of social stigma around an unmarried pregnant woman. The Apex Court itself in its judgment in Nandakumar & Anr. v. State of Kerala³ held that the woman and man who attained the age of majority have right to live together even outside wedlock, as the ‘live-in relationship’ is now recognized by the Legislature itself which has found its place under the provisions of the Protection of Women from Domestic Violence Act, 2005. When the cohabitation of major man and woman is recognised in the statute then, how the child born out of consensual cohabitation can create such stigma is not convincingly explained in the judgment.

The Hon’ble Apex Court at paragraph 51 of the judgment observed that MTP Act was enacted by Parliament as a “health” measure, “humanitarian” measure and “eugenic” measure. But in the case at hand none of the above grounds are attracted. Considering the unmarried woman in par with married woman under the Medical Termination of Pregnancy Act is judicious. But in the instant case while considering the foetal rights of the unborn, the reasons that narrated for allowing the termination of such pregnancy is not convincing.

As stated by Ms.Aishwarya Bhati, learned senior counsel and Additional Solicitor General who assisted the Court in the instant case⁴, Women enjoy the right to bodily integrity and autonomy, as well as reproductive rights. They are entitled to exercise decisional autonomy but when it comes to medical termination of pregnancy its limit should be fixed also by considering the life of foetus. In a modern welfare society, wherein “living in relationship” is legally recognised, allowing the medical termination of a pregnancy on the ground of social stigma and financial inability of a woman is not convincible.

Foot Notes:

        1.     https://main.sci.gov.in/supremecourt/2022/21815/21815_2022_2_1501_38628_Judgement_29-Sep-2022.pdf

        2.     https://www.indiacode.nic.in/bitstream/123456789/1593/1/A1971-34.pdf

3.    2018 (2) KLT 783(SC).

University Grants Commission Regulations:
Whether Binding on States and Universities

(By S. Muhammad Haneef, Advocate, Supreme Court of India & High Court of Kerala)

1). The University Grants Commission Act, 1956 [herein after referred to as the UGC Act) was enacted to make provision for the co-ordination and determination of standards in Universities and for that purpose, to establish a University Grants Commission. Section 12 deals with “Functions of the Commission”, while Section 14 speaks of “Consequences of failure of Universities to comply with recommendations of the Commission”. Section 26 deals with “Power to make regulations”. In exercise of these powers, the UGC had been issuing Regulations on criteria for award of Ph.D; minimum qualifications for appointment of teachers and other academic staff in universities and colleges and measures for the maintenance of standards in higher education etc.

2). By virtue of Section 26 of the UGC Act, 1956, the UGC is empowered to frame Regulations for the purpose of performing its functions, which includes determination of standard of Universities, promotion and co-ordination of university education, for the determination and maintenance of standards of teaching, examination and research in universities, for defining the qualifications regarding the teaching staff of the university, maintenance of standards etc. Further, as per Section 28 of the Act, every Rule and Regulations under the Act shall be laid before the both Houses of the Parliament and when both the Houses agree then the Rules/Regulations can be given effect with such modifications as may be made by the Parliament and thereafter notified in the Official Gazette. By following the procedure UGC Regulations once passed by the Parliament becomes the part of the Act, and therefore a Central Legislation which comes under Schedule VII List III Entry 25 inter alia Schedule VII List I Entry 66 of the Constitution of India and therefore Subordinate Legislation enacted by the Parliament of India. 

3). As pointed out above, UGC Regulations are Central Legislation and the State Government orders or even Legislations in conflict with the same, to the extent to which the State Legislation is in conflict with the UGC Regulations is void. Though the State legislation may have been purported to be made under Entry 25 of the Concurrent List, but in effect when encroached upon legislations including subordinate legislations made by the Centre under Entry 25 of the Concurrent List or under Entry 66 of the Union List, it would be void and inoperative. Further, The Hon’ble Apex Court in Preeti Srivastava v State of M.P. (1999 (3) KLT SN 31 (C.No.32) SC = (1999) 7 SCC 120) held that, State has right to control education so long as the field is not controlled by any Union Legislation. Further, the Hon’ble Apex Court in Annamalai University v. Information and Tourism Department (2009 (1) KLT OnLine 1146 (SC) = (2009) 4 SCC 590) held that, UGC Act is a Central Legislation and to the extent which the State legislation is in conflict with the Central legislation including subordinate legislation made by the Central legislation under entry 25 of the Concurrent List shall be repugnant to the Central Legislation and would be inoperative. 

4]. The Hon’ble Supreme Court of India in Kalyani Mathivan v. K.V.Jeyaraj(2015 (2) KLT Suppl.145 (SC) = (2015) 6 SCC 363), held that, once the UGC Regulations are adopted by the State Government then the State Legislation to be amended appropriately in par with the Central Legislation. Therefore, the cardinal question that will decide whether UGC Regulations are binding on States and Universities or not is, whether the State/University concerned has accepted or adopted the UGC Regulations. Once the State or University concerned has adopted the Regulations, the State Government or University concerned shall amend their respective Legislations/Subordinate Regulations in tune with the UGC Regulations.  However, A Full Bench of the Hon’ble High Court of Kerala in Radhakrishnan Pillai v. Travancore Devaswom Board and connected cases (2016 (2) KLT 245 (F.B.)) wherein I had appeared for a few of the parties, held that, irrespective of whether the University Acts enacted under Entry 25 of the List III or the Statute framed thereunder are amended in line with UGC Regulations or not, in view of its adoption by the State of Kerala, the universities and affiliated Colleges in the State are bound to comply with the UGC Regulations. Therefore when UGC Regulations 2018 have been adopted by the State Government, it cannot pass any orders which are in conflict with the concerned UGC Regulations. The SLP preferred against the above judgment stands dismissed. Therefore, irrespective of amending of statutes in tune with UGC Regulations, once the Regulations are adopted by the Government or the concerned Universities, the Regulations become mandatory and binding.

5). Therefore, the law as it stands, specifies that, the Government have the option to not adopt the UGC Regulations which are issued from time to time by the UGC. However, once it has been adopted, the Government and Universities & affiliated colleges under it are bound to implement the same notwithstanding an amendment to the University Act/ Statues/Regulations etc in this regard.

6). The Apex Court in Gambhirdan K.Gadhvi v. The State of Gujarat & Ors.(2022 (2)KLT OnLine 1106 (SC) = 2022 Live Law (SC) 242) was posed with an interesting issue to be decided regarding applicability of UGC Regulations when the same has not been adopted by the State Government. The State of Gujarat has not adopted the UGC Regulations (Minimum Qualifications for Appointment of Teachers and Other Academic Staff in Universities and Colleges and Measures for the Maintenance of Standards in Higher Education) 2010 and further no amendment were carried out in the Statutes and Regulations of the Universities in the State, in the case at hand ‘Sardar Patel University’. The Apex Court held that, the eligibility criteria when once fixed by the UGC under its regulations would apply to all the Universities which are aided by the UGC to be bound by the said regulations even in the absence of the same being incorporated under the respective universities Act of the respective States or in the absence of the State Government adopting the Regulations. It was further clarified that, the Government of Gujarat had adopted the revision of pay Scheme 2008 whereby the pay of Vice Chancellors of Universities were revised. In pursuance to the same, the grants from the UGC were accepted by the Government as well. In the circumstances, even though the UGC Regulations were not adopted by the State, the same was held to be binding on the Universities in the State.

7). Thus, to sum up, the UGC Regulations issued by the UGC in exercise of its powers under Section 26 of the UGC Act and following the procedure contemplated in Section 28 of the Act is Central Subordinate Legislation. Once these Regulations are adopted by the States or even aid or grants from the UGC or Central Government in this regard is accepted, the Regulations are mandatory. The State Governments and Universities are bound by these Regulations even in the absence of their legislations amended in tune with the UGC Regulations.

Paradigm of Cloud Computing

(By Dr.Raju Narayana Swamy, IAS)

Cloud Computing : The Concept

Cloud computing involves a subscription based service that satisfies computing and storage needs from a virtually unlimited hardware and communication infrastructure which is managed by a third-party provider. Put it a bit differently, cloud computing occurs when an internet connection delivers hardware power and software functionality to users regardless of where they are or which computer they are using. NIST (National Institution of Standards and Technology) defines it as “Cloud is a model for enabling convenient, on demand network access to a shared pool of all configurable computing resources (storage, networks, services, servers and applications) that are easily released and rapidly provisioned with minimum management effort.” Needless to say, the five critical characteristics that form the hallmark of the above standard definition are – on demand self service, broad network access, rapid elasticity, resource pooling and measured services. By contrast, the Gartner Group defines cloud computing as a style of computing in which massively scalable IT – related capabilities are provided as a service using internet technologies to multiple external users.

Clouds are essentially data centres or server farms on which software and data can be remotely stored, instead of on-site. It is a natural evolution of distributed computing and the general variation of virtualization and service oriented architecture (SOA).  Cloud computing activities are often described as falling into one or more of the following service categories:

a)   Infrastructure as a Service (IaaS): raw computing resources such as processing power and storage.

b)   Platform as a Service (PaaS): platforms for developing and deploying software applications (Google App Engine is a classic example)

c)   Software as a Service (SaaS): end user applications

Apart from the above three service models, there are four deployment models too – public, private, hybrid and community. The essential characteristics of all these models are

(I)  Pay as per use

(II)Use it as and when required

(III) Services provided by a third party service provider

(IV) No change in the ownership of the main property.

Rationale behind cloud computing

The genesis  of cloud computing days back to the early 2000s when organizations started spending money to set up their IT infrastructure for improvement of business by purchasing own dedicated server. As the day progressed, these servers became virtual and easily available publicly through internet. Thus the cloud was born as a model that is easily manageable, accountable and configurable. Perhaps the best example of this kind of service is one that is almost ubiquitous now  : web-based email services like gmail and hotmail. From legal research to word processing, file storage and movie viewing, computer users are able to take advantage of the cloud for a variety of tasks – some mundane and some others extremely sensitive and highly technical (storing and securing personal information for millions of credit card subscribers or health records for insureds being classical examples). Google has introduced Google Chrome OS, an operating system designed to function almost completely through the cloud providing essentially remote computing software that can be updated automatically through the web.

No discussion on cloud computing will be complete without the case study of Animoto – a software provider that converts personal photos into music videos it developed a Facebook application that took the company from 25000 users to 2,50,000 users in three days. At its peak, Animoto was signing up 20000 new users per hour. It launched the service with five virtual servers and by the end of three days expanded to 3500 servers. Animoto’s ability to scale up at such an incredible rate was accomplished by using a cloud provider that was able to add resources as demand for product increased. Mention also needs to be made of the increasing popular concept of netbooks – low cost light weight laptop computers with reduced hardware capacity and processing power – that provide users with vast resources because the cloud is fully accessible. Today companies such as Google, Facebook and Microsoft who need to process large quantities of data operate numerous massive cloud data centres that may each occupy tens of thousands of square feet and contain thousands of computers. Like Feynman’s Los Alamos team – narrated in his wonderful auto biography “Surely You’re Joking, Mr Feynman” – these computing complexes provide computing as a service for many people.

What Cloud Computing can offer us : the next generation of internet

The existing internet provides us content in the form of videos,  emails and information served up in webpages. With cloud computing, the next generation of internet will allow us to “buy” IT services from a web portal, drastically expanding the types of merchandise available beyond those on e-commerce sites such as eBay. We would be able to rent from a virtual store front the basic necessities to build a virtual data center – such as CPU, memory and on top of that the middleware necessary : web application servers, databases, enterprise server bus etc., as the platforms to support the applications we would like to either rent from an independent software vendor or develop ourselves. Together this is what we call “IT as a Service” (ITaaS) bundled to us – the end users – as a virtual data center.

Advantages of Cloud Computing

Cloud computing offers the following advantages :

a)   Scalability in terms of resources : A company can start small and increase its hardware resources as it needs.                                                                     

b)   Flexibility in terms of the different software packages and operating systems

c)   Pay–as–you–go  economic model borrowed from utility computing

d)   Consolidation of System Maintenance and Management : this overhead is shifted from cloud users to its providers

e)   Reliability : The system’s fault tolerance is managed by the cloud providers and users no longer need to worry about it

f)   High utilization and reduced carbon footprint as typically a large number of custom servers is consolidated into a smaller number of shared servers.

Legal Issues

Cloud computing service providers – whether global or regional – will inevitably run up against international law, particularly data protection law and privacy regulations. Each country has its own set of laws – some being dramatically more stringent than others. There are no laws unique to the cloud. But the cloud brings with it some legal issues which while not applying only to the cloud are perhaps now uniquely important to those operating or using a cloud-based service. The most important among these pertains to sovereignty on the internet: location and use of data. A key question with any cloud computing service is “where is the data stored or processed?”. The reality in this regard is that even the cloud service provider may not know where the data is residing.

 Unlike a fixed server in the office or at a data centre, data in the cloud could potentially be located anywhere in the world – even in multiple data centres in multiple copies worldwide. Read these with the fact that cloud computing services involve processing of masses of data that is often commercially sensitive, confidential and “personal information” and the picture is complete. To put it a bit differently, sending and processing data around the globe could in the process fail to comply with data protection and privacy laws in various countries. The EU for example provides a strict legal regime under the EU Data Protection Directive where unless certain steps are taken, companies can be prohibited from transferring personal information to countries that do not give the same level of protection. If a European company is processing data on the cloud and is processing personal information in the EU, it may not be complying with EU laws if data is moved to countries outside the EU.

The classic case of Microsoft Corporation v. US District Court

No discussion on the legal issues pertaining to cloud computing can be complete without a reference to the Microsoft Corporation case. Microsoft is a major player in the cloud industry with a 12% market share. Their innovation – Office 365- is a highly popular cloud based office software and email platform.

It all started in 2013 when the Justice Department asked for access to the email account contents and Microsoft refused that query with a response that data which are not stored in US is outside of US jurisdiction. In 2014, the US District Court for the Southern District of New York issued a search warrant (under the SCA 18 USC) seeking access to the contents therein whose data was stored in Ireland. Francis M.J., the US Judge issued the warrant since he believed that the government presented enough evidence to support the belief that the mail account was being used for narcotics trafficking. Microsoft delivered all contents of the mail account whose data were stored in locations inside US, but advised that the most valuable data were located in their Irish based storage and that to provide the same they would need to transfer the data from Irish based storage to US based storage which they declined to do. Instead they requested for revocation of the warrant. But the District Court denied the motion to quash and ruled Microsoft to be in civil contempt.

Microsoft‘s contention was that a warrant intrinsically includes territorial restrictions and hence in the present case does not cover Europe. The government on the other hand argued that the warrant was applied as a compelled disclosure similar to a subpoena. Therefore the actual physical location of the object is of no consequence if it is under the control of Microsoft and can be delivered by them.

Upon having their motion to quash the warrant dismissed, Microsoft appealed to the US Court of Appeals. The Court deduced that the warrant is against extra territoriality as it may bring international conflicts. Since Microsoft satisfied the warrant by providing all data that were stored in US and only refused to provide data stored outside US territory, the Court of Appeal lacked authority to enforce the warrant. Thus the US Court of Appeals (2015) reversed the District Court’s dismissal of the request to quash the warrant.

      The aforesaid case has had profound implications on the future of internet privacy, ethics in technology, respecting other countries borders and user’s privacy. It needs special mention here that Microsoft successfully illustrated that no matter how big or small the case is, the company take privacy of users very seriously. However the persistent nature of US government’s attempts to access user’s data without their consent has sent shivers down many spines. In a kneejerk response, many users have signed cloud service contracts with oversees cloud providers. Another situation is for users to encrypt their data. Mention must be made here of the Open Whisper Systems encryption algorithm which is known for its high reliability. In fact, the algorithm is so reliable that governments would not bother to request access to the users’ data as they know that even if the data is supplied, encryption will mean that it is not possible to view the contents. Add to these the fact that many countries have decided to pass “data localization laws” and the picture is complete.

The US case is not the first one wherein Microsoft was requested to provide users’ data nor will it be the last time. For instance, in 2013, Brazil asked Microsoft for the same kind of access, but it was for access to Skype application data located outside of Brazil. Microsoft refused to provide the data. The result was that the Brazilian authorities arrested the local manager of Microsoft in January 2014.

The EU, it needs to be mention here, takes this kind of transaction very seriously. An example is a case wherein the European authorities found that by virtue of a US court’s order, the Belgium based branch of an international bank and the SWIFT (Society for Worldwide Interbank Financial Telecommunications) provided some financial  transaction data of a European citizen to the US government. Belgium found this act to be a violation of EU privacy law.  SWIFT was forced to change its network structure in order to remove any possible future transfer of European data to outside of EU unless it complied with EU data privacy legislation.

Issues pertaining to Lock In

A major concern of cloud computing is lock in which refers to the complexity to switch from one cloud service provider to another. Needless to say, it increases dependency on the service provider. Questions that arise in this context are:-

a)   Is the data portable between service providers ?

b)   If service providers change, can the records be accessed ?

c)   What are the obligations on each party regarding an exit plan?

 Vint Cerf, the computer scientist who is often called the father of the internet, has identified the issue of moving data between clouds as one of vital importance. According to him, developing intercloud standards and protocols so that data does not get caught in one cloud is the equivalent now of the issues faced in 1973 when networks could not communicate with each other.

Concerns of data security

Unlike the traditional model  wherein users had control over their data and could implement whatever safeguards they thought necessary to retain control, cloud users neither possess nor control their data. This raises serious apprehensions on the data security front. The issue vis-a-vis cloud computing is that the customer using the services is not aware what part of their data is getting saved on their device and what is getting saved on the cloud. In fact,  data security in the context of cloud computing has to be analyzed in the backdrop of the triad concepts of confidentiality, integrity and availability. Confidentiality is the anticipation of intended or unintended unauthorized disclosure of contents whereas integrity guards both data and system against any illegal modification or deletion thereby ensuring originality and nonrepudiation of data. Availability on the other hand gives the assurance of trustworthy and timely access of information. This  concern  centres on critical applications and data being available. Well publicized incidents of cloud outages include gmail’s one-day outage in mid October 2008, Amazon S3’s over seven – hour downtime on July 20, 2008 and Flexi Scale’s 18 hour outage on October 31, 2008. Availability also means the extent to which user’s data can be recovered when accidents such as hard disk damage, fire and network failures occur. Viewed from this triad, the security issues in cloud computing can be categorized into three broad classes – traditional security concerns, availability issues and third party data control related issues. Common security concerns in the cloud are:-

a)   Data breaches :- The chances of data breaches or losses increase in cloud environment. According to a research carried out by the Ponemon Institute titled “Man in Cloud Attack”, the likelihood of over all data breaches is three fold in a cloud environment.

b)   Hijacking of Accounts:- Hackers having login information to remotely contact data in cloud can cause hijacking. Moreover they can manipulate data through captured credentials.

c)   Denial of Service Attack:- It tries to make websites and servers unavailable to legitimate users.

d)   Insider Threat:- Employees can utilize authorized access to misuse or access sensitive information.

e)   Abuse of Cloud Service :- It affects both the service provider and its client

f)   Insecure APIs (Application Programming Interfaces)

g)   Malware Injection:- These are scripts/codes embedded deliberately into cloud service. Once executed, attackers can eaves drop and compromise integrity.

h)   Side Channel Attacks:- An emerging concern for cloud delivery models using virtualization platforms is the risk of side channel attacks causing data leakage across co-resident virtual machine instances.

Transfer to public cloud involves a change of responsibility and giving accessibility of data to the provider. This can be ensured by building clauses in the contract with the provider which have appropriate provisions for security and help in maintaining legal protections for data stored. The user also must ensure foolproof services within their own systems. Issues like standard of the services being provided, the ownership of IP, service level agreements, liability regimes, warranties and indemnity provisions, confidentiality obligations and termination clauses must all find their places in the contract for cloud based services. Needless to say, the various requirements imposed by law will subsist in addition to the terms of the contract. A classic example in this regard is the provision regarding liability of the parties under the Australian Trade Practices Act.

An interesting example of the inadequacy of standard terms and conditions  to meet the expectations of a business user can be seen from a successful bid by Google to provide cloud based services to the city of Los Angels1. The contract included unlimited damages for data breach, guarantees as to where the data will remain and penalties if the services are not available for longer than five minutes a month.

No discussion on data security in the context of cloud computing will be complete without a reference to mash-up authorization. As adoption of cloud computing grows, more services performing mash-ups of data will be witnessed. A case study in this regard is provided by Facebook, the users of which upload both sensitive and non-sensitive data. This data is used by Facebook to present data to other users and this data is also utilized by third party applications. Since these applications are typically not verified by Facebook, malicious apps running in Facebook’s cloud can potentially   steal sensitive data.

Problems vis-a-vis data privacy

Privacy refers to the right of self determination. It is the ability of an individual or group to seclude information about themselves and thereby reveal them selectively. It has the elements of when, how and extent. A good reference for use in defining universal principles for the protection of personal data and privacy is the Madrid Resolution (2009). The basic principles that must govern the use of personal data include those of lawfulness and fairness, proportionality, purpose specification, data quality, openness and accountability. It needs to be mentioned here that there is a huge divide between developed and developing countries in terms of adequate legislation of protection of personal data.

In the cloud, privacy means when users visit sensitive data, the cloud services can prevent potential adversaries from inferring the user’s behaviour by the user’s visit model. ORAM (Oblivious RAM) is a promising technology in protecting privacy in the cloud.

No discussion on confidential and sensitive data in the context of cloud computing can be complete without a mention of the Odense Municipality case. The view of the Municipality was that sensitive data about students and parents can be processed in Google Apps. However, the Municipality’s use of cloud computing to store sensitive information was rejected by the Danish Data Protection Agency (DDPA). The case confirms that a serious risk assessment must be made before switching to cloud services. It also points out that standards should play an essential role in fostering adoption thereof.

Issues pertaining to incomplete data deletion

A major concern of cloud computing is that it is always possible that data has not been properly deleted and that multiple copies or traces may have been stored. When users delete their data with confirmation, all copies of data should be deleted at the same time. Cloud storage providers should ensure that the deleted data of users cannot be recovered and used by other unauthenticated users. This is particularly important in the backdrop of data recovery technologies that could recover data deleted by users from the hard disks. To avoid data be recovered and unauthenticatedly used, a possible approach is to encrypt the data before uploading to the cloud storage space. A classic example is FADE system which is based on technologies such as Ephemenzer.

Cloud service providers and liability for content

Cloud providers are by no means exempted from any accountability if the material that users store in the service is the ground for a civil or criminal offence. The general rule in this regard is that the provider is exempt from liability for illegal or infringing content on its servers if the following two conditions apply:-

A)  It has no part in determining the content of the transmission or it has no knowledge or control of illegal information stored on its servers and

B)  It acts expeditiously to remove or prevent further storage and transmission of any illegal information it is made aware of.

The latter requirement  is referred to as notice and take down obligation.

However due to the differences in the various regimes, the applicability thereof to cloud computing services must be evaluated on a case-by-case basis, depending on the provisions of the specific country and nature of the service provided on the cloud. In particular, cloud providers in EU and US can generally benefit from all the liability exemptions generically offered to ISPs (Internet Service Providers).

Concerns regarding IPRs

These concerns are closely connected to the question: Who owns the data in the cloud? The answer lies in the observation that normal copyright rules apply if the data being stored in the cloud is fit for copyright protection (ie) it has some degree of novelty and is the product of author’s intellectual work. Thus the user of the cloud service can very well have the author’s right over the work. However, the cloud terms of service may include provisions according to which the provider has some power over the data stored in the cloud.  This is not an actual copyright transfer, but the author might be limited in exercising his monopolistic rights over the copyrighted material. Ownership of IP can be eroded by a formal agreement or dedication of the work to the public domain, but in the cloud computing environment, mere uploading of information in a cloud platform does not entail losing IPRs. But it is important that the rights over the content in the cloud be kept well distinct from rights over cloud assets. By doing so, it is possible for the cloud customer to avoid undesired consequences such as loss of IPRs to the cloud provider. Conversely, the provider’s IPs need to be protected horizontally from unfair business practices by competitors and vertically from possible illicit behaviours by customers. Thus the provider will hold exclusive ownership over the rights used in providing the cloud service (ie) it owns IPRs to the software and the customer will be granted a license to use the technology. In the PaaS and IaaS delivery models, separation of ownership for applications developed by the customers and the tools used to develop them should be made clear in the contract terms. Mention also needs to be made here of the Japanese initiative towards introduction of a new form of IP protection for big data.

Concerns regarding bandwidth costs

With cloud computing, companies can save money on hardware and software, but they could incur higher network bandwidth charges. Bandwidth cost may be low for smaller internet based applications, which are not data intensive, but could significantly grow for data-intensive applications.

Laws, Standards and Regulations pertaining to Cloud Computing

These fall into four broad categories:-

a) Compelled disclosure to the government

Classic examples are

1)   USA : Stored Communications Act (SCA), Electronic Communications Privacy Act (ECPA), National Patriot Act and Fair Information Practice.

2)   UK : The Regulation of Investigatory Powers Act.

3)   Australia : Privacy Act in the APPs, APP12:Access  to Personal Information, Freedom of Information Act 1982.

Moreover policies of national cryptography in UK, Singapore, Malaysia etc., may allow a court order to access cryptography.

b) Regulations dictating how a cloud service provider protects customer data security

Examples are

1)   USA : Gramm – Leach – Biley Act (GLBA), Health Information Technology for Economic and Clinical Health (HITECH), Family Educational Rights and Privacy Act (FERPA).

2)   UK : Privacy and Electronic Communications (EC Directive), Data Protection Act and Directive.

3)   Australia : Privacy Act in the APPs, APP 11: Security of Personal Information.

c) Relating to transfer, retention and privacy of data between the clients and the data storage provider

Examples are

1)   USA : FTC Fair Information Practice, Payment Card Industry Data Security Standard (PCIDSS), Freedom of Information Act.

2)   UK : The Safe Harbor Agreement (defined in data transfer between USA and Europe).

3)   Australia : Privacy Act in the APPs, APP 8 : Cross-border disclosure of personal information, Privacy Act 1988 – Section 16C, Privacy business resource & Sending personal information overseas.

d) Relating to physical location of data storage servers

Examples are

1)   USA : Payment Card Industry Data Security Standard (PCIDSS), NARAregulations.

2)   UK : Euro Data Protection Directive.

3)   Australia : Privacy Act in the APPs, APP 8 : Cross-border disclosure of personal information.

The Legal Framework for Cloud Computing in India

Cloud computing services that deal with personal or sensitive information need to comply with the requirements set out under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 relating to security, encryption, access to data subject, disclosure, international transfer and publication of policy statements. Thus a cloud computing service company before trading with “sensitive personal information” having a link to India has to make sure to be in observance with the aforesaid Rules as any non-compliance would invite penalties and imprisonment. Cloud service providers in India may also be required to comply with the Information Technology (Intermediaries Guidelines) Rules 2011.

In addition to the IT Act and Rules, use of cloud computing in banking and insurance sectors is subject to specific restrictions. The RBI’s guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks sets out specific requirements to be complied with by banks while engaging cloud service providers. These requirements inter alia relate to vendor selection, data security, form of agreement, business continuity and disaster recovery or management practices. On the other hand, the Insurance Regulatory and Development Authority of India’s Guidelines on Information and Cyber Security require insurers to comply with requirements in relation to data, application and network security, indent management and information security audit while using services from a cloud service provider.

Conclusion

Cloud services are the best method to offer a dynamic and self adjustable computing and storage resource service to a wide range of clients – from residential users through small businesses to large multi-national organizations. A cloud is a pool of virtualized computer resources and can host a variety of different workloads, including batch-style backend jobs and interactive, nay user-facing applications. It supports redundant, self- recovering, highly scalable programming models that allow workloads to recover from many unavoidable hardware/software failures. However a word of caution is needed here – the cloud ecosystem must be designed to be secure, trustworthy and dependable. Cloud security faces different challenges and issues at various levels in the form of vulnerabilities and attacks – multitenancy, cloud secure federation, vendor lock in, loss of control, confidentiality, data integrity and privacy, data intrusion, virtualization vulnerabilities, cloning and resource pooling, UM hopping, XML signature attack, XSS attack, SQL injection attack and flooding attack, to name a few. Moreover, international law is not agile enough to compete with cloud computing developments. The onus therefore is on international cloud service providers to be familiar with data protection laws and policies of each country that they have a presence in – regardless of their essential understanding about the technology that they are providing via their platforms. In addition, the policies regarding data transfer between countries need to be seriously accounted for in their business plans.

 Issues surrounding development of standards and best practices in the areas of interoperability, escrow and privacy need to be addressed along with questions as to whether adequate due diligence has been carried out along the chain of responsibility. Otherwise cloud service providers will be exposed to an avalanche of claims including those pertaining to liability for data mining and liability under securities laws for improper  dissemination of investment information on social networking websites. The currently pending cases including class action litigations pertaining to Netflix Inc, Facebook “Beacon” Google “Buzz” should be eye openers in this regard. Mention also needs to be made here of the emergence of a parallel form of business called cloud brokering whose objective is to guide the potential enterprise in the choice of a cloud service provider, untwining the tangle of differential features.

In a de jure condendo perspective, a uniform legislative approach would be advisable. Internet services operate in a global market. Hence a unified approach – possibly one based on a WIPO treaty – would provide benefits to cloud customers by establishing uniform terms and conditions which drive consistency in the protection of data in the cloud. Opinions are galore that a “cyber seas” agreement may be the ideal vehicle for this kind of system because it provides a balance between a State’s ability to regulate the cloud and an over seeing international authority. Taking the prudent steps now to harness the cloud may in the near future allow the world to reflect on an entirely man-made global public utility and the beginnings of a truly cooperative world market. Needless to say, ultimately it is the users who will choose the model that makes the most sense given their needs – which may end up being a hybrid of cloud computing and the traditional model.

References

1)     Al – Khouri AM, Data ownership : who owns my data? Int J Manag Inf Technol 2007, 2(1); 1-8.

2)     Armbrust M, Fox A, Griffith R, Joseph AD, Katz R, Konwinski A et al, A view of cloud
computing, Commun ACM 2010; 53(4);50-58.

3)     Azeez A, Perera S, Gamage D, Linton R, Siriwardana P, Leelaratne D et al, Multi-Tenant SOA Middleware for Cloud Computing in Proceedings of the 3rd International Conference on Cloud Computing (CLOUD)2010; 458-465, IEEE.

4)     Bartolini C L, El Kateb D, Le Traon Y, Hagen D, Cloud Providers Viability: how to address
it from an IT and legal perspective ? in Altman J, Silaghi GC, Rana of Editors Economics
of Grids, Clouds, Systems and Services Vol 9512 Computer CommunicationNe works and Telecommunications, Springer International Publishing, 2016; 281 295.

5)     William Voorsluy, James Broberg and Rajkumar Buyya, Introduction to Cloud Computing in Cloud Computing: Principles and Paradigms (Wiley 2011).

6)     Mark H. Wittow and Daniel J Buller, Cloud Computing: Emerging Legal Issues for access to data, anywhere, anytime in Journal of Internet Law, Aspen publishers14(1),2010.

End Notes:

1. Legal issues in the cloud, Mark Vincent and Nick Hart, Computers and Law, January 2021.

Registration of Documents by a Power of Attorney Holder

(By P.B.Menon, Advocate, Palakkad)

This is in continuation of my Article published in 2020 (4) KLT 17 (Journal Section) at pages 20 to 22.

Section 32 and 33 of the Registration Act read with the rules framed thereunder deal with registration of documents using a power of attorney.

2009 (3) KLT 607 (SC) is followed in 2018 (4) KLT 1186 and recently the Apex Court too in 2022 (3) KLT SN 38 (C.No.29) SC) (kindly see the full text) as well as in Amarnath v. Gianchand & Anr., by Apex Court (Civil Appeal 5797/2009 dated 28.1.2022 2022 (3) KLT SN 45 (C.No.34) SC = 2022 (3) KLT OnLine 1203 (SC)) deals with the matter.

After a careful consideration of the said provisions of law in detail, it is held that a sale deed executed by a power of attorney holder (donee) on behalf of the donor, is competent to present the said document for registration before the concerned Sub Registrar for the purpose of registration as the person executed the document and the person who presents the same for the registration are one and the same person for the purpose of S.32 of the Registration Act. So if the document to be registered is executed by his power of attorney holder and presented the same for registration by him, such power should be an authenticated power of attorney and not a registered power of attorney (See AIR 1971 SC 761). It is held therein that such power of attorney holder is not obliged to produce his power before the Sub Registrar for registration purposes and that the inquiry by the Sub Registrar cannot extend to question as to whether the person who executed the document in his capacity of the power of attorney holder of the principal, was indeed having a valid power of attorney or no to execute the document. The production of the power of attorney before the concerned Sub Registrar arises only in cases when the document to be registered is executed by the principal and his power of attorney holder presents the same for registration. So only in such cases the Sub Registrar can verify as to whether it is or it is not an authenticated power of attorney and not in the cases where the power of attorney holder execute the document for registration as well present it for registration, as in such case production of the power of attorney is not necessary and no enquiry too is contemplated by the Sub Registrar. As early as in 1914 PC 16 it is held that presentation of the document for registration is imperative i.e., it should be by one who is clothed with power under a power of attorney which is authenticated. This view is followed by the Apex Court as well.

Now the question is as to what is the legal effect of a document registered when a power of attorney holder having a registered power executes the document and present it for registration. Under law it is a totally invalid document, as the two acts done by the power of attorney holder i.e., execution and presenting the same for registration are done on the strength of a registered power of attorney, which is taboo under the provision of law, which is clarified in Rule 61 and 62 of Registration Rules. All the above cases deal with presentation of document to be registered a power of attorney holder who executes and present it for registration as well as cases when principal executes the document to be registered being presented by his power of attorney holder using a power of attorney which should be an authenticated power. As a matter of fact there is reference only to authenticated power of attorney and the conclusive presumption regarding the same u/S. 85 of the Evidence Act and nothing about a registered power of attorney.

Let us see Rule 61, framed under the Registration Act, which reads thus: “Although a power of attorney may be registered, it is not valid for registration purposes unless authenticated..................”

Further the format of authentication is also shown therein. See Rule 62 too.

In 2022 (3) KLT 41 (C.No.30) SC)(In the full text paragraph 18 to 20) the difference between registration and authentication is clearly stated. In AIR 1950 All. 524 “the authentication is not merely attestation. It means that the power authenticating has assured himself of the identity of the person who has signed the instrument as well as the fact of execution’’. In AIR 1976 SC 263 holds that authentication is to avoid the necessity or as equivalent to an affidavit of identity.

Secondly in para 49 to 53 of the Apex Court, it is clearly stated that the Registration of a document take in 3 essential steps - (1) execution of the document by the executant signing or affixing his left hand thumb impression; (2) presenting the document for registration and admitting to the registering authority the execution of such document and (3) the registration of the document.

It is further made clear what all aspects relating to step (1) and (2) will arise for consideration in a suit for a declaration of title, wherein the validity of such registered document is challenged.

Before I proceed further, a word about execution. In para 49, what is seen stated about execution is “signing or affixing his left hand thumb impression”. As far as my knowledge goes with reference to various case law and provision of law like Succession Act see 63 and General Clauses Act S.3(59), it is only signature or mark of an illiterate and not L.T.I. for the purpose of execution and such LTI is taken only before the Sub Registrar when document is presented for registration on the back side of the first page. Usually no one subscribe his LTI in token of execution in a document to be registered even if illiterate.

In Amarnath case mentioned above, it is stated correctly in para 26 “the expression person executing used in S.32 can only refer to the person who actually signs or marks the document in token of execution, whether for himself or on behalf of some other person”.

Thus we are left without an authoritative decision, regarding the real effect of execution and presentation by a power of attorney holder under a Regd.power and not an authenticated power.

I am of opinion that a registered power of attorney cannot be used by such donee either to execute and present the same for registration and if so used to register a document it will be null and void and illegal too as under the same no title will pass to the purchaser. Real legal effect will be, such registered document will be not valid.

Any criticism or other views on the subject is welcome.

LAMENT IN INTENSE AGONY

(By K.Ramakumar, Sr. Advocate, High Court of Kerala)

This country has gifted to the world Mathematics. It is this country that has given the universe the “OM” which signifies and represents movement of planets as was later ratified by the Russians. Long before Karl Marx was born, this country started believing in “Paritranaya Sadhunam” and had always adopted “Lokah Samastah Sukhino Bhavantu.”

Centuries back we had two renowned universities Thakshasila and Nalanda. Ujjain, the capital of Vikramadhithya was a well-known centre of literature art, music, dance etc.

Modern universities are formed mostly on the western pattern. The High Court of Kerala has this to say about universities:-

“All along, Universities do have a pride of place in country’s cultural and educational ethos. The academia lives in ivory towers, and they frown at intellectual imbecility or improbity leading to compromise on principles and curtailment of academic freedom. For them, supposedly, politics is an anathema, and their pandering to the shifting political whims is an abomination” - C.Premkumar v. M.G. University (2018 (1) KLT 907).

The Madras High Court observed as follows:-

......the University is expected to serve as the beacon light of higher education”

K.V. Jayaraj v. Chancellor of Universities (W.P.No.11350 of 2012).

The universities therefore play a very pivotal role in moulding of young generation in any country. It is not for nothing that the cream of Indian youth once took pride that they had studied in Universities like Cambridge and Oxford. Our universities had always been centers of excellence maintaining high academic standards and manned by eminent educationists and academicians.

Unfortunately, from the commanding heights of excellence and eminence they are now immured to intrigues infights and indulgence etc., the politicians taking over the role from academicians. The Vice-Chancellors of all universities were men of eminence adored by the people of the country. They included Dr.S.Radhakrishnan, Dr.Zakir Hussain, Shri Ashutosh Mukherjee an eminent lawyer of Calcutta High Court and a host of other popular personalities.  The Vice-Chancellor is not holding a mere post carrying pay and perquisites but a position of prominence, respect, regard and adulation.  It was reserved for men of eminence from various walks of life. The High Court of Madras in a brilliant judgement has lamented about the fall from the high pedestal.

“It is true that when the seeds of western education were sown in this country about 150 years ago, men of eminence from various walks of life were appointed as Vice-Chancellors. Several Judges of this Court have adorned the post of Vice-Chancellor of various universities including the Madras University itself. But apart from being great (and rare) Judges, those men were also distinguished academicians, who excelled in various fields. Students of Indian History would know that Sir John George Woodroff who was a Judge of the Calcutta High Court and who retired as the officiating Chief Justice of the same Court, collaborated with Ameer Ali in publishing the Civil Procedure Code: He was a great Sanskrit scholar who authored books on Mantra Sastra and Tantra Sastra, after retiring as the officiating Chief Justice, he served as a Reader in Law in the Oxford University for seven years. Great jurists, both (Lawyers and Judges) such as Sir Subramanya Ayyar, Sir P.S.Sivaswamy Ayyar, Justice F.D.Oldfield were among a few who became the Vice-Chancellors of Madras University, ever since its inception about 150 years. But today, it is not possible to continue with the same legacy for two reasons, namely:

(a) That we do not have such tall men of great eminence, and

(b) That today the field is regulated by law.”

The same Court has pithily put the present scenario as follows:

“Today, Albert Einstein cannot be appointed as the Vice-Chancellor of any university (at least in India)” –

(2014 SCC Online Mad.2701 which was reversed by the Supreme Court in (2015) 6 SCC 363).

Most of the institutions by the people and for the people have failed them totally. The Parliament instead of passing bills is dispersing every day after an acrimonious fight without transacting any business. The executive draws flak for every one of its actions. The Supreme Court has an unbearable weight of arrears of more than a lakh of cases. A second appeal supposed to be admitted and entertainable only on formulated questions of law has to wait for more than twenty years for disposal. So are criminal appeals with a wait of more than five years and writ petitions ten plus years.

These cannot be explained away as just individual decay. Necessarily, it is indicative of institutional deficiency, which needs to be addressed immediately to retain public confidence. Leading lawyers in the past considered it a call of duty to choose the  stressful and strainful life of a Judge, which is why Justices S/Shri R.F.Nariman, Nageswara Rao and U.U.Lalit chose the bench instead of the bar forsaking fabulous financial fortunes. They never canvassed or curried favor to reach a prestigious constitutional position, which again is not just a job with a pay packet, dearness allowance or HRA but shouldering a responsibility to serve the public. Gentle, mild mannered and amiable lawyers are invited to the Supreme Court for interaction but came back humiliated. The best among the lady lawyers, capable, committed and coming from an aristocratic family was similarly summoned to Delhi and she returned hurt. Surprisingly not even a whisper arose from any of the lawyers’ corners.

The late lamented Shri Justice V.R. Krishna Iyer was scoffed at and frowned upon when he made a caustic reference about the red brick building in Curzon road. A down to earth working of democracy though outrageously impermissible.

Individual decay can be diminished but institutional deficiency is inexpiable.