
E-COMMERCE & M-COMMERCE SEMINAR PAPER

DATA PROTECTION IN E-COMMERCE IN INDIA

Submitted By:
Chandan Tiwari
BBA.LLB- B
14040142020
Batch: 2014- 19

Course Teacher:
Prof. Umamahesh Sathyanarayan

ALLIANCE SCHOOL OF LAW


ALLIANCE UNIVERSITY, BANGALORE
Date of Submission: 24th April, 2019

TABLE OF CONTENTS
1. INTRODUCTION
2. RESEARCH PROBLEM
3. RESEARCH OBJECTIVE AND SCOPE
4. HYPOTHESIS
5. CONCEPT OF PRIVACY IN DATA PROTECTION
6. INTERNET AND PERSONAL DATA ISSUES
7. PRIVACY ISSUES
8. ISSUES IN E-COMMERCE
9. LEGAL FRAMEWORK FOR DATA PROTECTION IN INDIA
10. PROVISIONS IN EUROPEAN UNION
11. (DRAFT) E-COMMERCE POLICY: A RAY OF HOPE?
12. CONCLUSION
13. BIBLIOGRAPHY

DATA PROTECTION IN E-COMMERCE IN INDIA
CHAPTER- I

Abstract:
This paper is primarily about the security of electronic data in e-commerce in India. Data
protection refers to the issues related to the collection, storage and use of data provided by
online users of the World Wide Web. In the context of e-commerce, data is any type of information
converted into a binary digital form that is efficient to store, process and transfer across different
devices, platforms, servers and borders. Data is a resource for any individual, corporation or
government, and it has a measurable value. Data produced over the internet is automatically stored
in the data cloud, which is a network of computers, information technology and software applications.
Online users of any website want their data to remain confidential when they engage in e-commerce.
This paper highlights the laws related to electronic data protection in India, the various issues
relating to data protection, and issues in the e-commerce industry. Lastly, it briefly evaluates the
recent Draft E-Commerce Policy and highlights its various aspects.

1. INTRODUCTION:
E-commerce is the conduct of business over the Internet with the help of the web. E-commerce
business has become very popular nowadays and is surrounded by many privacy issues. As a
result, users leave the platform; if these issues are not combated, users will refuse to do
online transactions[1].
The Organization for Economic Cooperation and Development (OECD) defines e-commerce as a
way of conducting business online through various network mediums which use proprietary
protocols that are established through an open standard-setting process, such as the internet.
E-commerce refers to the exchange of goods and services through the medium of the Internet.
All major retail brands can be accessed online. E-commerce also applies to business-to-business
transactions, for example between manufacturers and suppliers or distributors[2]. In the online
retail space, there are a number of models that retailers can adopt. Traditionally, the Web
presence has been kept distinct from the bricks-and-mortar presence, so transactions were
limited to buying online and delivering the goods or services[3].

[1] Asia Muneer, Razzaq S, ‘Data Privacy Issues and Possible Solutions in E-commerce’, ISSN: 2168-9601, can be
accessed on <https://www.omicsonline.org/open-access/data-privacy-issues-and-possible-solutions-in-ecommerce-2168-9601-1000294-104325.html>.
[2] Mr. Hardik Nariya, Prof. Chirag Gohel, ‘E-commerce system: A Review on security challenges and Indian
Perspective’, ISSN: 0975 – 6760 | NOV 12 TO OCT 13 | VOLUME – 02, ISSUE – 02.

However, e-commerce is also an important platform for consumers, who can research a product
on online websites and purchase the same product later in the store. E-commerce systems are
also relevant for the services industry. For example, online banking and brokerage services
allow customers to retrieve bank statements online, transfer funds, pay credit card bills,
apply for and receive approval for a new mortgage, buy and sell securities, and get financial
guidance and information[4].

2. RESEARCH PROBLEM:

The 21st century has been described as the 'information age' owing to the extensive use of
information and the fact that almost everyone is constantly connected to the internet. The
analysis of large and complex sets of data has become a specialized science called 'Big Data'
analytics, providing never-before-seen insights to alleviate societal problems in areas such as
health, food security, transport and urban planning. Governments of the day are launching
specialised programmes focused on this digital revolution, like the 'Digital India' initiative
launched by the Government of India.

Both the public and the private sector are engaged in amassing personal data, which seems to
be generated ceaselessly. While there are justifiable uses that are vastly beneficial, such
centralization of data, profiling of individuals and increased surveillance have led to concerns
relating to erosion of the privacy of individuals, the ability to impact the public
decision-making process, and national security.

3. RESEARCH OBJECTIVE & SCOPE:

The paper aims to fulfil the following objectives:

• To highlight the various types of issues relating to ‘data’.
• To highlight various existing laws relating to data protection in India.
• To evaluate whether the recent Draft Policy would suffice for data protection.

[3] Ibid.
[4] Supra FN 2.

“Data” has become vital to the day-to-day functioning of individuals, corporations and even
governments; hence the range of areas in which “data” can be used is very wide. However, the
current paper aims to study and fulfil the aforementioned objectives only in the light of the
e-commerce industry in India.

4. HYPOTHESIS

In the Indian context there is a lack of a proper legislative model for data protection in
the e-commerce industry. As a result, it is extremely difficult to ensure protection of data
rights. In the absence of specific laws, however, there are a few proxy laws or incidental
safeguards that the government is using for privacy purposes.

A well-structured framework for the protection of data in the e-commerce industry is important
not only for the individual but also for society and for the economic growth of the country.

5. METHODOLOGY & CHAPTERISATION

The methodology adopted for the purpose of conducting research for this paper is purely
doctrinal. The data has been collected from various articles and other primary sources like
reports etc. It is purely an interpretive and analytical study. For the purpose of convenience,
this paper has been divided into 5 chapters:

• The first chapter would give an overview with the introduction of the entire topic and
would go on to identify the research problem and the scope and objective of the study.
• The second chapter, being descriptive, would introduce the concept of privacy in data
protection and point out various issues relating to ‘data’.
• The third chapter would discuss the legal framework relating to data protection and also
look at the provisions of the EU.
• The fourth chapter would try to analyze whether the recent draft policy would suffice for
the need for data protection in the e-commerce industry.
• The concluding chapter would sum up the entire discussion in the chapters above.

CHAPTER-II

6. CONCEPT OF PRIVACY IN DATA PROTECTION:


The jurisprudence of privacy has a fragmented history. Privacy, as a distinct legal concept,
probably has its origin in an essay published in 1890[5]. Louis Brandeis and Samuel Warren
reviewed the long history of protection under the English common law for various individual
liberties and private property, and extrapolated a general “right to privacy”[6].
Data protection refers to the issues related to the collection, storage, accuracy and use
of data provided by net users in the use of the World Wide Web. Visitors to any website want
their privacy rights to be respected when they engage in e-commerce. It is part of the
confidence-creating role that successful e-commerce businesses have to convey to the
consumer. If the industry does not make sure it is guarding the privacy of the data it collects,
it will be the responsibility of the Government, and its obligation, to enact legislation.
Any transaction between two or more parties involves an exchange of essential information
between the parties. Technological developments have enabled transactions by electronic
means. Any such information/data collected by the parties should be used only for the
specific purposes for which it was collected. The need therefore arose to create rights for
those who have their data stored and to create responsibilities for those who collect, store
and process such data. The law relating to the creation of such rights and responsibilities
may be referred to as “data protection” law[7].

The need to protect data and data privacy in India is relatively new, arising from the
ever-expanding off-shoring business operations conducted in India by overseas companies,
wherein personal data is exported by these overseas companies to their off-shore agents or
counterparts in India[8]. India already has a legal framework for the protection of data. Data
is the principal basis of almost all business transactions.

[5] (1890) 4 Harv L. R. 193.
[6] Christopher Millard, ‘Communications Privacy in Telecommunication Law (Ed.)’, Walden & John Angel,
(Blackstone Press, London), First Edn. (2001).
[7] Dr. S.S Das, Electronic Data Protection in India, 2012 PL March S-11.
[8] Latha R. Nair, ‘Data Protection Efforts in India: Blind Leading the Blind’, 4 IJLT (2008) 19.

7. INTERNET AND PERSONAL DATA ISSUES:
This issue concerns the protection of personal data that is kept in government records, the
impact on the collection and transfer of personal data, and the emerging problems for personal
data posed by new technology. Privacy concerns relate not only to interception and
subsequent misuse of credit cards or personal data on the Internet but also extend to the
Government's use of information held on computers about individuals, such as health, tax
and social security records, and to monitoring of what is downloaded from government
web sites and by whom.[9]

“Without the transparency afforded by building freedom of information
and data protection principles into the systems which will deliver online government
services, it is hard to see why people should trust the Government not to abuse the powers
it will need to tie together the data from disparate sources. If the same ‘smart’ electronic
card will in future be used for financial transactions, to hold medical records, criminal
records, driving license details and to authenticate my dealings with government
departments, how can I be sure the Government will not abuse the technology to track my
movements, lifestyle, reading matters and so on? This gap in public trust is going to be
one of the biggest problems facing the wiring up of public service delivery, and strict
freedom of information and data protection laws are the absolute requirements to bridge
the divide.”[10]

8. PRIVACY ISSUES:
Privacy is a sensitive issue in the business context. Digital systems and new computational
techniques make data mining easier. E-commerce sites collect large volumes of data on customer
preferences, buying patterns and the things customers search for[11]. Business analysts use
this data to personalize the customer’s experience and to improve the e-commerce site.
• Consumers are concerned about unauthorized access due to security breaches.
• They are concerned about secondary use – the reuse of their personal data, such as
sharing the data with third parties[12].

[9] Andrew Ecclestone, “Freedom of Information: An Electronic Window onto Government” in LIBERTY,
Liberating Cyberspace: Civil Liberties, Human Rights & the Internet, Pluto Press (London, 1st Edn., 1999), 44-67,
at p. 62.
[10] Faizan Mustafa, ‘Privacy Issues in Data Protection: National and International Laws’, 2004 PL WebJour 16.
[11] Elmarie Kritzinger, ‘An information security retrieval and awareness model for industry’.


9. ISSUES IN E-COMMERCE INDUSTRY:

a) Snooping: Snooping occurs when someone looks through your files to find something
interesting. Snooping is one of the easiest ways to get at client credentials through
the medium of e-commerce. Millions of computers are connected to the Internet every
minute, and many users are unaware of security features and network vulnerabilities.
Moreover, software and hardware vendors do not pay enough attention to guiding users
on the security concerns of the devices and systems they are using. In this environment,
it is very easy to snoop on the computer of an e-commerce client.
b) Password Guessing Attacks: Password guessing attacks generally happen when an
account is attacked in a repetitive manner: the attacker keeps trying possible
passwords in order to use that account.
c) Phishing: Phishing means stealing a person’s bank-related information; it is
generally used to make an unauthorised transfer of money to another bank account.
d) Domain Name Issues: The Internet Assigned Numbers Authority manages the
Domain Name System. Several problems may arise when companies all over the world
with similar names compete for the same domain name. The domain name chosen by a
company should be treated as a trade mark that should not be used by a third party.
e) Electronic Payment Issues[13]: The growth in e-commerce activities has necessitated
the evolution of electronic payment mechanisms. In addition to normal currencies,
e-financial instruments / digital currencies such as cyber cash and e-cash can be used
for the purchase of current as well as capital assets over the Internet and for carrying
on other commercial activities. Before regulating the use of such financial
instruments, it would be essential to identify the issues that these instruments pose.
Some of these issues are:

• Secure Credit Card Transactions
• Recognition of digital currencies
• Determining the relevant jurisdiction
• Risk of Regulatory Change
• Consumer-oriented risks
• Disabling IT Act
• No virtual banks.

[12] Supra FN 1.
[13] K. Susheel Barath, ‘Legal Issues in E-Commerce Transactions - An Indian Perspective’,
International Journal on Recent and Innovation Trends in Computing and Communication, ISSN: 2321-8169,
Volume: 4 Issue: 11.

CHAPTER- III

10. LEGAL FRAMEWORK FOR DATA PROTECTION IN INDIA:

(a) The Information Technology Act, 2000.

The Information Technology Act, 2000 (hereinafter referred to as the “IT Act”) is:

An act to provide legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic communication, commonly
referred to as “electronic commerce”, which involve the use of alternatives to paper-based
methods of communication and storage of information to facilitate electronic filing of
documents with the government agencies[14].

The provisions pertaining to data protection are contained in the Information Technology
Act, 2000. The Act was enacted to provide legal recognition to transactions carried out
through the medium of electronic commerce, as is also stated in its preamble. The definition
of “data” in the Act covers a representation of information, knowledge, facts and so on, which
are being prepared or processed in a computer system in any form or stored internally in the
memory of the computer[15].
In view of growing concerns raised by recent instances of data theft, the Ministry of
Information Technology proposed certain amendments to the IT Act, 2000. One such
amendment, pertinent to data protection, is the proposed insertion of a new S. 43-A under which
sensitive personal information would be handled with reasonable security practices and
procedures[16]. The proposed amendment reads as follows:

43-A. Where a body corporate, possessing, dealing or handling any sensitive
personal data or information in a computer resource which it owns, controls or
operates, is negligent in implementing and maintaining reasonable security practices
and procedures and thereby causes wrongful loss or wrongful gain to any person, such
body corporate shall be liable to pay damages by way of compensation not exceeding
five crore rupees, to the person so affected.

Explanation: — For the purposes of this section, —

(i) “body corporate” means any company and includes a firm, sole proprietorship
or other association of individuals engaged in commercial or professional
activities;

(ii) “reasonable security practices and procedures” means security practices and
procedures designed to protect such information from unauthorized access,
damage, use, modification, disclosure or impairment, as may be
specified in an agreement between the parties or as may be specified in any
law for the time being in force and in the absence of such agreement or any
law, such reasonable security practices and procedures, as may be prescribed
by the Central Government in consultation with such professional bodies or
associations as it may deem fit;

(iii) “sensitive personal data or information” means such personal information as
may be prescribed by the Central Government in consultation with such
Professional bodies or associations as it may deem fit.

[14] Supra FN 7.
[15] S. 2 of the IT Act defines “data” as “representation of information, knowledge, facts, concepts or instruction
which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is
being processed or has been processed in a computer system or computer network, and may be in any form
(including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored
internally in the memory of the computer”.
[16] Supra FN 7.

The proposed section deals with aspects of data protection such as the processing of personal
data and the handling of sensitive personal data; data collected from individuals should be
collected in a confidential manner.

(b) The Data Security Council of India:

The National Association of Software and Services Companies (Nasscom) has taken a
regulatory initiative for the protection of data and its privacy, called the Data
Security Council of India (DSCI). The DSCI is a body established for the industry for the
purpose of data privacy and for better knowledge and protection of the commercial issues
involved in the business. It is a non-profit organization.
Organizations associated with data security and privacy protection, such as Information
Technology (IT) and Information Technology enabled Services (ITeS) companies, academic or
research institutions and universities, can also become members of the DSCI[17].
The DSCI's stated mission seeks to:[18]

• Enable IT and ITeS companies to provide a high standard of security
and data protection by adopting best practices.
• Develop, monitor and enforce an appropriate security and data protection standard
for the Indian IT and ITeS industry that would be adequate, cost effective, adaptable
and comparable with global standards.
• Build capacity to provide security certification for organizations.
• Create a common platform to promote the sharing of knowledge about information
security and foster a community of security professionals and firms.
• Create awareness among industry professionals and other stakeholders about
security and privacy issues.

[17] Data Security Council of India: A Self-Regulatory Initiative in Data Security and Privacy Protection.
[18] Ibid.

11. PROVISIONS IN EUROPEAN UNION:

As part of the harmonization of the European Union, there are various directives that member
countries are required to adopt as their national laws. The Data Protection Directive was
enacted for the protection of individuals with regard to the processing of personal data and
the free movement of such data[19]. On the other hand, the E-commerce Directive was enacted
with a view to, inter alia, contributing to the proper functioning of the internal market by
ensuring the free movement of information society services among the member states[20]. Under
Art. 2(a) of the Data Protection Directive, “personal data” is defined as “any information
relating to an identified or identifiable natural person”. The Directive is to apply to the
processing of personal data, wholly or partly by automatic means, and to the processing of
personal data which forms part of a filing system, otherwise than by automatic means.
Certain types of processing, such as the processing of personal data for public security,
defense, State security, activities in the areas of criminal law and processing by a person in
the course of personal or household activities, are exempt from the scope of the Directive[21].
India is treading new ground as far as data protection and e-commerce laws are concerned.
While data protection is part of e-commerce, the implications of protecting data have a
wider reach and scope and will have to be dealt with in detail through a separate piece of
legislation[22].

[19] Latha R. Nair, ‘Data Protection Efforts in India: Blind Leading the Blind’, 4 IJLT (2008) 19.
[20] Ibid.
[21] Council Directive 95/46, Art. 1, 1995 OJ (L281) 31 (EC).
[22] Bageshree S., Now Biometric Identification for Ration Cards Too, can be accessed
on <https://www.thehindu.com/todays-paper/tp-national/tp-karnataka/Now-biometric-identification-for-ration-cards-too/article14884704.ece>.

CHAPTER- IV

12. (DRAFT) E-COMMERCE POLICY: A RAY OF HOPE?

In the era of globalization and with the boom in the e-commerce industry, ‘data’ serves as
the building block of everything we are trying to do in this age of industry. It is a valuable
resource for any individual, corporation or the government. Considering the magnitude of
importance ‘data’ has in the idea of governing the e-commerce industry in India, the
Department of Industrial Policy & Promotion on Feb 23rd, 2019 published the ‘Draft
E-Commerce Policy’ (“Draft Policy”).[23]

Prima facie, the objective of the Draft Policy is to prepare and enable stakeholders to fully
benefit from the opportunities that would arise from progressive digitalization of the
domestic digital economy. The Draft Policy focuses on data protection, the State's
paternalistic attitude towards the use of the citizen's data and cross border transactions. The
Draft Policy intends to regulate some things beyond e-commerce i.e. it proposes to regulate
technologies like AI, IoT, Cloud computing and Cloud-as-a-Service etc. The Draft Policy is a
mix of visionary thought process, advanced technological solutions, putting in place digital
infrastructure to support India's digital economy etc.

The idea and intent of the legislature that is formulated under the Data Protection Bill, 2018
as far as the rights of an individual over data are concerned can be evidently seen in the Draft
Policy. Streamlining the protection of personal data and empowerment of the
users/consumers with respect to the data they generate and own are the prime focus and
objective of the Draft Policy.

However, the real intent of the legislature is yet to be seen in the upcoming future and
remains debatable as of now.

The Draft Policy recognises the rights of an individual over his or her data by stating that
"An Individual owns the right to his data", and therefore the use of an individual's personal
data shall be made only upon seeking his/her express consent. It further states that the data
of a group is collective data and therefore the collective property of that particular group; it
extends this rationale to state that "Thus, the data that is generated in India belongs to
Indians, as do the derivatives there from". But the Draft Policy ends up categorising the data
of Indians as a collective resource and therefore a "national resource".[24]

[23] Novojuris Legal, Draft E-Commerce Policy: The Dawn Of A New Beginning, can be accessed at
<ww.mondaq.com/india/x/787434/data+protection/Draft+ECommerce+Policy+The+Dawn+Of+A+New+Beginning>

The abovementioned intent of the Draft Policy is fair and strives to achieve the greater good
of the country, but at the same time it raises some vital and debatable questions which
remain unanswered. If personal data belongs to an individual, then the objective stated by the
Draft Policy shows that the State wants to interfere with the personal rights of a person. The
Draft Policy clearly states that "All such data stored abroad shall not be made available to
other business entities outside India, for any purpose, even with the customer's consent"[25];
what follows this point in the Draft Policy restricts sharing of data with any third party in a
foreign country even if the individual has consented to such sharing of the data.

One can, however, say that the intent behind such a restriction might be that India currently
lacks stringent laws regarding cross-border flow of data. If there are no strict restrictions on
cross-border flow of data, Indian stakeholders will merely be engaged in back-end processing
of data for EU/US-based e-commerce entities without having the ability to create any
high-value digital products. While the Government considers data a national resource and
compares it with coal, telecom spectrum etc., it ignores the fact that the inherent nature of
personal data is that it belongs to an individual and not to the State, unlike coal.[26]

The obvious reason as to why the State is taking such a stance is to eliminate issues related to
consent asymmetry. But is this paternalistic attitude warranted? If the Government is worried
about foreign countries using our national resource i.e. data to their advantage it should put in
place stringent data privacy and protection laws in India taking inferences from other
countries.

[24] Sneha Johari, India’s Draft E-Commerce Policy is really a Digital Economy Policy, impacts the whole
ecosystem, can be accessed at <https://www.medianama.com/2019/02/223-india-draft-e-commerce-policy/>
[25] https://dipp.gov.in/sites/default/files/DraftNational_e-commerce_Policy_23February2019.pdf
[26] Deep, A. (Aug 7, 2018). Draft National E-commerce Policy: data localisation and priority to domestic companies. Medianama.
Retrieved from https://www.medianama.com/2018/08/223-draft-national-e-commerce-policy-data-localisation-and-priority-to-domestic-companies/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+medianama+(Medianama:+Digital+Media+In+India)

CHAPTER- V

13. CONCLUSION:

With the rapid changes in the digital economy, it is vital for the Indian government to
respond accordingly by bringing in new regulations and/or amending the existing ones. Issues
related to e-commerce must now be addressed on priority and in a way that the pace of growth
in the sector does not lag, while the domestic stakeholders as well as the entire population
benefit from the positive spillovers.

The recent e-commerce policy has been presented as a ray of hope, but once the final
e-commerce policy is enacted, what will be interesting to see is whether the Government opts
for ease of governance or ease of doing business.

In the end, the Draft Policy is a positive step towards making India one of the most
prominent digital economies in the world, especially considering the strict stance the
Government has taken during the WTO negotiations by not accepting the permanent
moratorium on waiving custom duties on digital goods sold through electronic transmission.
Specific issues regarding the data/personal data of an individual still need deep intellectual
thinking, integrated with a practical approach, from the Government before a sector-wide
policy is implemented, especially keeping in mind that at the end of the day personal data
belongs to an individual and the use of such personal data shall be the decision of the
respective individual and not of the State.

14. BIBLIOGRAPHY:

PRIMARY SOURCES:

• IT Act, 2000
• Reports by Data Security Council of India
• Draft Policy (E-Commerce)
• GDPR

SECONDARY SOURCES:

• Latha R. Nair, ‘Data Protection Efforts in India: Blind Leading the Blind’
• Sneha Johari, India’s Draft E-Commerce Policy is really a Digital Economy Policy, impacts the whole ecosystem.
• Bageshree S., Now Biometric Identification for Ration Cards Too
• Asia Muneer, Razzaq S, ‘Data Privacy Issues and Possible Solutions in E-commerce’
• Christopher Millard, ‘Communications Privacy in Telecommunication Law (Ed.)’
