[Tamanna Yadav is a student at NALSAR University of Law, Hyderabad]
In March 2025, the Vuenow Group of Companies, a purported cloud service provider, sold cloud storage units, termed “cloud particles”, worth ₹3,558 crore, luring investors with promises of high returns through a lease-back model. However, the entire scheme was fraudulent. There was no actual cloud infrastructure, and the company failed to store or manage any digital assets, causing significant harm to thousands who had entrusted their data to the platform. The failure of Vuenow to safeguard these digital assets ultimately led to the arrest of its CEO. This incident underscores the urgent need to update and expand the legal framework of bailment.
The Indian Contract Act, 1872 (ICA), was introduced over a century ago, making its application limited. While the Indian Contract Act addresses bailment of goods, the advent of technology raises concerns about its application.Section 148 of the ICA defines bailment as “delivery of goods by one person to another for some purpose”. Section 2(7) of the Sale of Goods Act, 1930 (SOGA) defines “goods” as every kind of movable property, excluding actionable claims and money. Since digital data does not qualify as tangible movable property, it falls outside the legal definition of “goods.” As a result, data cannot be the subject of bailment under the current legal framework. However, the act of transferring and entrusting data to a cloud service provider for storage closely resembles the legal structure of bailment.
As such, the post seeks to address, first, the concept of cloud liens; second, the duties of a bailee; and third the status and scope of bailment law in the UK and the US, while proposing a digital bailment model for India. Lastly, the post concludes by arguing for the need for reforms in light of growing concerns over data access, misuse, and privacy.
Cloud Lien
Cloud data refers to digital information stored and managed by the storage service providers. A cloud lien gives a quasi-legal right to such providers to deny access or retain control over the data when certain obligations are unfulfilled.
Lien, in legal terms, is defined under Section 170 of the ICA, which provides that where the bailee has, in accordance with the purpose of the bailment, rendered any service involving the exercise of labour or skill in respect of the goods bailed, he has in the absence of a contract to the contrary, a right to retain such goods until he receives due remuneration for the services rendered. Analogically, when data is stored by the cloud service provider, they essentially act as a bailee rendering services such as data storage that involve the exercise of labour or skill to protect data. The cloud service provider (bailee) may retain the goods (digital data) until the bailor (customer) fulfills the conditions, which may include payment for the services rendered. Such cloud liens are commonly encountered through platforms like Google Storage, iCloud, or OneDrive. While there have been cases dealing with taxation of cloud computing services in India such as Amazon Web Services, Inc v. ACIT, New Delhi (2023), the concept of cloud lien has not been addressed directly in judicial decisions. This gap is significant because cloud liens become highly relevant in situations involving control over user data, especially when access is restricted due to non-payment or breach of terms. Such situations raise important concerns regarding data access and retention, further underscoring the need to address cloud lien within the legal framework.
Duties Of Bailee
Bailee’s duty to take care
Section 151 of the ICA deals with the duty of the bailee to take care: “the bailee is bound to take as much care of the goods bailed to him as a man of ordinary prudence would, under similar circumstances, take of his own goods of the same bulk, quality and value as the goods bailed.” If a bailee stores the data in an unsafe location leading to subsequent damage, the bailee would be liable in accordance with the conditions of Section 152 of the ICA. Similarly, a cloud storage provider has the duty to take care of the entrusted data and is expected to exercise reasonable care to protect it from unauthorized use, accidental deletion and technical failures.
Bailee’s duty to return the goods
When a person bails their goods to a bailee, they expect them to be returned on demand, subject to the fulfillment of the conditions specified in the contract of bailment. Section 160 of the ICA outlines the bailee’s duty to return the goods or deliver according to the bailor’s directions at the time of expiration of time or accomplishment of purpose. A digital contract is signed by the user when entrusting their data to a cloud storage service. As such, a consumer expects to access the data on demand at any time, unless its contractually barred. Therefore, a cloud storage provider has the duty to return the data to the entitled user on termination of the service, or on request by the consumer. The objective of this duty is to prevent unauthorized retention of goods.
Comparative Analysis: The UK & The US
“The Indian Contract Act is in effect…a code of English law” (emphasis supplied). Thus, it warrants an analysis of the status of digital bailment in the UK. While the UK has not yet recognized digital bailment in its statutory framework, there has been growing recognition of its significance. The Law Commission’s Final Report has underscored the importance of Digital Assets in the modern world. Moreover, the Property (Digital Assets etc) Bill was introduced in the UK House of Lords in 2024. If enacted, it would classify digital assets as a third category of personal property.
Similarly, the US has not explicitly recognized digital bailment in its legal framework. Most cloud service providers in the US, such as Google Cloud, require users to sign service contracts that grant the provider rights to deny access or suspend services if the users fail to make payments. While the US lacks precedential cases on cloud liens, cases like In re: Yahoo! Inc. Consumer Dat Security Breach Litigation (2017) have emphasised the legal obligations of cloud providers. In this case, Yahoo faced a lawsuit after failing to adequately secure its users’ data. The court underscored the duty of care cloud service providers owe to their users. It highlighted the responsibility of the service provider to ensure the security of the data entrusted to them.
A Two-Tired Model for Reforming Digital bailment
In Tata Consultancy Services v. State of A.P. (2004), the Supreme Court held that a software, although intangible in nature, qualifies as “goods” once it is put onto a medium such as a CD. Drawing from this reasoning, it could similarly be argued that digital data, once stored in the cloud, may be treated as goods, given its utility, transferability, and deliverability. Whether digital data can be legally classified as “goods” under the SOGA becomes a foundational consideration in extending the scope of bailment and lien. This approach suggests that instead of introducing entirely new provisions for digital bailment, Indian legislation could evolve by expanding the scope of “goods” to include intangible assets such as data, tokens, and cloud storage. However, merely reclassifying digital data as “goods” is not sufficient to address the broader concerns of privacy, misuse and accountability. For instance, Singapore’s data protection framework addresses such concerns. India could similarly adopt a specialised legal regime to regulate data handling, ensuring accountability of the bailee, and a reasonable standard of care.
This interpretation opens up the possibility of extending bailment and lien doctrines. Such an extension cannot solely rely on the analogy with software. A more comprehensive legal model is needed. The proposal is for a two-tiered model-
- Expansion of the Definition of “goods” under existing Law: Amend the SOGA and the ICA to explicitly recognize digitally stored goods such as files, personal data, and cloud tokens.
- Add a Digital Bailment Code (DBC): To address privacy, misuse, and accountability. A Digital Bailment Code should supplement existing contract law with the duties of the bailee.
This model recognizes a fundamental truth: the nature of “possession” has changed, but the relationship of trust, custody, and liability remain. With bailment encompassing sub-sets such as pledge, gratuitous bailment, non-gratuitous bailment, and bailment for hire, the scope of possession extends even further. In PTC India Financial Services Ltd. v. Mr. Venkateshwarlu Kari (2022), the Supreme Court of India (SCI) recognized the validity of pledges created over dematerialized securities. The Court further clarified that, under Section 12 of the Depositories Act, 1996, mere entry in the records of depository serves as evidence of a pledge, thereby reinforcing the idea of constructive possession of digital goods. This recognition illustrates that the existing legal frameworks can, to an extent, adapt traditional legal concepts like bailment to technological realities. However, whether this case can serve as a blueprint for the proposed two-tiered model remains questionable. There are two main concerns. First, a pledge is merely a ‘subset’ of bailment and does not account for the broader range of custodial relationships of digital goods. Second, the Court’s holding was limited to the specific framework of The Depositories Act, 1996. While Section 172 of the ICA defines a pledge as a contract of bailment that creates a special right for the pawnee only upon a delivery of possession, either actual or constructive, the Court’s interpretation in this case extended the concept of pledge to dematerialized securities through a harmonious reading of ICA with the Depositories Act. However, because of the aforementioned limitations, the decision offers only a piecemeal statutory solution. Therefore, the proposed two-tiered model, which involves redefining “goods” and introducing a dedicated legal code, is essential to address the rapidly evolving technological landscape.
Conclusion
The issue remains largely unaddressed not only in India but across many jurisdictions. While some regions like the European Union (EU) have acknowledged digital privacy concerns through laws such as General Data Protection Regulation, 2018 (GDPR), and the United States has adopted a decentralized system, market-driven approach with laws like the California Consumer Privacy Act, 2018 (CCPA), most countries still lag behind in introducing comprehensive statutory frameworks that recognize concepts like cloud liens. These developments largely focus upon data privacy, leaving significant gaps in addressing the complex relationships such as cloud liens or the obligations arising from digital bailment.
This is where the concept of constructive bailment becomes increasingly relevant. Constructive bailment refers to a legal relationship implied by law, often emerging without any formal agreement, where one party is deemed to have custody of another’s property. A relevant example in today’s urban landscape is the use of app-based electric scooter services like Yulu, now commonplace in metro cities across India. When a user ends their ride and leaves the scooter at a designated drop-off point, the company assumes responsibility for the vehicle, triggering a constructive bailment, despite the absence of any direct handover. In such a case, the law may recognize this situation as a constructive bailment, imposing a duty of care on the service provider.
Thus, this post argues that legal reform in India is no longer a matter of choice but of necessity. As digital infrastructure becomes deeply embedded in our daily lives, the legal framework must evolve to ensure accountability, especially in situations involving unauthorized access, misuse, or wrongful retention of digital assets.
– Tamanna Yadav
