Beruflich Dokumente
Kultur Dokumente
Submitted By:
Chandan Tiwari
BBA.LLB- B
14040142020
Batch: 2014- 19
Course Teacher:
Prof. Umamahesh Sathyanarayan
1
TABLE OF CONTENTS
1. INTRODUCTION………………………………………………………………….3
2. RESEARCH PROBLEM…………………………………………………………..4
3. RESEARCH OBJECTIVE AND SCOPE………………………………………….4
4. HYPOTHESIS……………………………………………………………………...5
5. CONCEPT OF PRIVACY IN DATA PROTECTION…………………………….6
6. INTERNET AND PERSONAL DATA ISSUES…………………………………..7
7. PRIVACY ISSUES…………………………………………………………………8
8. ISSUES IN E- COMMERCE……………………………………………………… 8
9. LEGAL FRAMEWORK FOR DATA PROTECTION IN INDIA…………………10
10.PROVISONS IN EUROPEAN UNION…………………………………………..12
11.(DRAFT) E- COMMERCE POLICY: A RAY OF HOPE?.......................................14
12.CONCLUSION……………………………………………………………………….16
13.BIBLIOGRAPHY…………………………………………………………………….17
2
DATA PROTECTION IN E- COMMERCE IN INDIA
CHAPTER- I
Abstract:
This paper is primarily about the security of electronic data in India in E- Commerce. Data
protection means the issues related to the collection, storage and the use of data provided by the
online users of the World Wide Web. In the context of e-commerce, data is any type of information
converted into a binary digital form that is efficient to store, process and transfer across different
devices, platforms, servers and borders. Data is a resource for any individual, corporation or a
Government. It has a measurable value. Data produced over the internet is automatically stored in
the data cloud, which is a network of computers, information technology and software applications.
Online users of any web using the website want their data to be confidential when they are engaging
in E- commerce. This paper highlights the laws related to the electronic data protection in India, the
various issues relating to data protection and issues in the e – commerce industry. Lastly, it briefly
evaluates the recent Draft e- commerce policy and highlights the various aspects of the Draft policy.
1. INTRODUCTION:
E-Commerce is the continuance of business using the Internet with the help of web. E-
commerce business has become very popular now-days and is surrounded with many privacy
issues. As the result, users leave this platform, if these issues are not combated, users will
refuse to do online transactions1.
The Organization for Economic Cooperation and Development (OECD) defines E-
Commerce as a way for conducting online business, that are established through various
mediums of network, which uses proprietary protocols that are established through an open
standard setting process such as the internet. E-Commerce refers to the interchange of the
intermediaries such as of goods and services through the medium of Internet. All major retail
brands can be accessed online-Commerce also applies to business to business transactions,
for example, between manufacturers and suppliers or distributors2. In the online retail space,
there are a number of models that retailers can adopt. Traditionally, the Web presence has
1
Asia Muneer,Razzaq S,‘Data Privacy Issues and Possible Solutions in E-commerce’,ISSN: 2168-9601, can be
accessed on<https://www.omicsonline.org/open-access/data-privacy-issues-and-possible-solutions-in-
ecommerce-2168-9601-1000294-104325.html>.
2
Mr. Hardik Nariya, Prof. Chirag Gohel, ‘E-commerce system: A Review on security challenges and Indian
Perspective’,ISSN: 0975 – 6760| NOV 12 TO OCT 13 | VOLUME – 02, ISSUE – 02.
3
been kept distinct from the bricks and mortar presence, so transactions were limited to buying
online and delivering the goods or services3.
However E- Commerce is an important platform for the consumers so that they can research
about their product over the online websites and can purchase the same product later on in the
store. E-Commerce systems are also relevant for the services industry. For example, online
banking and brokerage services allow customers to retrieve bank statements online, transfer
funds, pay credit card bills, apply for and receive approval for a new mortgage, buy and sell
securities, and get financial guidance and information4.
2. RESEARCH PROBLEM:
The 21st century has been described as the 'information age' due to the extensive use of
information and almost everyone is constantly connected to the internet. The analysis of large
and complex sets of data has become a specialized science called 'Big Data' analytics
providing never before insights to alleviate societal problems relating to areas such as health,
food security, transport and urban planning. Governments of the day are launching
specialised programmes focused on this digital revolution, like the one launched by the
Government of India called 'Digital India' initiative.
Both the public and the private sector are engaged in amassing personal data which seems to
be generated ceaselessly. While there are justifiable uses that are vastly beneficial, such
centralization of data, profiling of individuals and increased surveillance, has led to concerns
relating to erosion of privacy of individuals, ability to impact public decision-making process
and national security.
3
Ibid.
4
Supra FN 2.
4
“Data” has become very vital in day to day functioning of individual, corporations or even
government hence the ambit of area where “data” can be used is very wide. However, the
current paper aims to study and fulfil the aforementioned objectives only in the light of E-
commerce industry in India.
4. HYPOTHESIS
In Indian context there is a lack of proper legislation model regarding the data protection in
e- commerce industry. As a result, it is extremely difficult to ensure protection of data rights.
But in absence of specific laws there are some few proxy laws or incident safeguard that the
government is using for privacy purpose.
The methodology adopted for the purpose of conducting research on this paper is purely
doctrinal. The data has been collected from various articles and other primary sources like
reports etc. It is purely an interpretive and analytical study. For the purpose of convenience,
this paper has been divided into 5 chapters:
The first chapter would give an overview with the introduction of the entire
topic and would go on to identify the research problem and the scope and
objective of study.
The second chapter being descriptive would introduce the concept of privavy
in data protection and point various issues relating to ‘data’.
The third chapter would discuss the legal framework relating to data
protection and also look at the provisions of EU.
The fourth chapter would try to analyze whether the recent draft policy would
suffice for need of data protection in e- commerce industry.
The concluding chapter would sum-up the entire discussion in chapters above.
5
CHAPTER-II
The need to protect data and data privacy in India is relatively new, arising from the ever
expanding off-shoring business operations conducted in India by overseas companies
wherein personal data is exported by these overseas companies to their off-shore agents or
counterparts in India8. India has already a legal framework for protection of data. Data is the
principal basis of almost all the business transactions.
5
1890) 4 Harv L. R. 193.
6
Christopher Millard, ‘Communications Privacy in Telecommunication Law (Ed.)’, Walden & John Angel,
(Blackstone Press, London), First Edn. (2001).
7Dr. S.S Das, Electronic Data Protection in India,2012 PL March S-11
8
Latha R. Nair,‘Data Protection Efforts in India: Blind Leading the Blind’,4 IJLT (2008) 19.
6
7. INTERNET AND PERSONAL DATA ISSUES:
The issue of the protection of personal Data that is kept in government records and the
impact on collection and transfer of personal data and the emerging problems of personal
data posed by new technology. Privacy concerns relate not only to interception and
subsequent misuse of credit cards or personal data on the Internet but also extend to the
Government use of information held on computers about individuals, such as health, tax
and social security records, and to monitoring of what is downloaded from government
web sites and by whom.9
“Without the transparency afforded by building freedom of information
and data protection principles into the systems which will deliver online government
services, it is hard to see why people should trust the Government not to abuse the powers
it will need to tie together the data from disparate sources. If the same ‘smart’ electronic
card will in future be used for financial transactions, to hold medical records, criminal
records, driving license details and to authenticate my dealings with government
departments, how can I be sure the Government will not abuse the technology to track my
movements, lifestyle, reading matters and so on? This gap in public trust is going to be
one of the biggest problems facing the wiring up of public service delivery, and strict
freedom of information and data protection laws are the absolute requirements to bridge
the divide10.
8. PRIVACY ISSUES:
Privacy is a sensitive issue in the business context. The data used in digital systems and new
computational techniques for data mining are easier. E-commerce sites are collecting the high
amount of data related to customer preference, their buying patterns and the things they
search at high volume11 . Business analysts are using this data for the personalization of a
customer’s experience and for the improvement of e-site.
Consumers are concerned about unauthorized access due to security breaches.
9
Andrew Ecclestone, “Freedom of Information: An Electronic Window onto Government” in LIBERTY,
Liberating Cyberspace: Civil Liberties, Human Rights & the Internet, Pluto Press (London, 1st Edn., 1999), 44-
67, at p. 62.
10
Faizan Mustafa, ‘Privacy Issues in Data Protection : National and International Laws’,2004 PL WebJour 16.
11
Elmarie Kritzinger, ‘An information security retrieval and awareness model for industry’.
7
They are concerned about secondary use – the reuse of their personal data such as
sharing the data with third parties12.
a) Snooping – Snooping occurs when someone check your files for finding something
interesting. Snooping is one of the easiest way to check the client credentials through
the medium of E commerce. As millions of computers are connected to
the Internet every minutes and many of the user are unaware of the security feature
and network vulnerabilities. Moreover, software and hardware vendors are not paying
enough attention to guide about the security concerns of the devices and system, they
are using. In this environment, it’s very easy to snoop the computer of the e-
commerce client.
b) Password Guessing Attacks: Password guessing attacks generally happen when an
account is attacked in a repetitive manner. This is done when the attacker is putting
possible passwords to use that account.
c) Phishing: Phishing means the stealing of a person’s information related to bank and
phishing is generally used when there is unauthorised transfer of money to another
bank account.
d) Domain name Issues: The Internet Assigned Numbers Authority manages the
Domain Name System. Several problems may arise when companies having the
similar domain name compete all over the world with the same domain name. the
domain name choose by the company should be treated as a trade mark that the
copyright of that should not be used by the third party.
e) Electronic Payment Issues13: The growth in e-commerce activities has necessitated
the evolution of electronic payment mechanisms. In addition to normal currencies, e-
financial instruments / digital currencies such as cyber cash and e-cash can be used
for the purchase of current as well as capital assets over the Internet and for carrying
on other commercial activities. Before regulating the use of such financial
instruments, it would be essential to identify the issues that these instruments pose.
Some of these issues are:
12
Supra FT 1.
13
K.SusheelBarath.’Legal Issues in E-Commerce Transactions- An Indian Perspective’,
International Journal on Recent and Innovation Trends in Computing and Communication ISSN: 2321-8169
Volume: 4 Issue: 11
8
Secure Credit Card Transactions
Recognition of digital currencies
Determining the relevant jurisdiction
Risk of Regulatory Change
Consumer-oriented risks
Disabling IT Act
No virtual banks.
9
CHAPTER- III
The provisions pertaining to data protection are mentioned in the Information Technology
Act, 2002. The act was enacted for the purpose of providing legal recognition to the
transactions which are carried through the medium of electronic Commerce and that is also
stated in its preamble. The definition of “data” in the Act covers a representation of
information, knowledge, facts and so on, which are being prepared or processed in a
computer system in any form or stored internally in the memory of the computer15.
In view of growing concerns raised by recent instances of data theft, the Ministry of
Information Technology proposed certain amendments to the IT Act, 2000. One such
amendment, pertinent to data protection, is the proposed insertion of a new S. 43-A wherein
sensitive personal information would be handled with reasonable security practices and
procedures16. The proposed amendment reads as follows:
43-A. Where a body corporate, possessing, dealing or handling any sensitive
personal data or information in a computer resource which it owns, controls or
operates, is negligent in implementing and maintaining reasonable security practices
and procedures and thereby causes wrongful loss or wrongful gain to any person, such
body corporate shall be liable to pay damages by way of compensation not exceeding
five crore rupees, to the person so affected.
14
Supra FT 7.
15
S. 2 of the IT Act defines data” as “representation of information, knowledge, facts, concepts or instruction
which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is
being processed or has been processed in a computer system or computer network, and may be in any form
(including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored
internally in the memory of the computer”.
16
Supra FT 7.
10
Explanation: — For the purposes of this section, —
(i) “body corporate” means any company and includes a firm, sole proprietorship
or other association of individuals engaged in commercial or professional
activities;
(ii) “reasonable security practices and procedures” means security practices and
procedures designed to protect such information from unauthorized access,
damage, use, modification, disclosure or impairment, as may be
specified in an agreement between the parties or as may be specified in any
law for the time being in force and in the absence of such agreement or any
law, such reasonable security practices and procedures, as may be prescribed
by the Central Government in consultation with such professional bodies or
associations as it may deem fit;
The proposed section deals with the aspect of protection of data such as in the form of
processing of personal data, handling of sensitive personal data, data that can be collected
from the individuals such data should be collected in the confidential manner.
17
Data Security Council of India: A Self-Regulatory Initiative in data Security a Privacy Protection.
18
Ibid.
11
Enable IT and ITeS companies to provide a high standard of security
and data protection by adopting best practices.
Develop, monitor and enforce an appropriate security and data protection standard
for the Indian IT and ITeS industry that would be adequate, cost effective, adaptable
and comparable with global standards.
Build capacity to provide security certification for organizations.
Create a common platform to promote the sharing of knowledge about information
security and foster a community of security professionals and firms.
Create awareness among industry professionals and other stakeholders about
security and privacy issues.
19
Latha R. Nair,’ Data Protection Efforts in India: Blind leading the Blind’, 4 IJLT (2008) 19
20
Ibid.
21
Council Directive 95/46, Art. 1, 1995 OJ (L281) 31 (EC).
12
wider reach and scope and will have to be dealt with in detail through a separate piece of
legislation22.
22
Bageshree S., Now Biometric Identification for Ration Cards Too, can be accessed
on<https://www.thehindu.com/todays-paper/tp-national/tp-karnataka/Now-biometric-identification-for-ration-
cards-too/article14884704.ece>.
13
CHAPTER- IV
In the era of globalization and with the boom in the e- commerce industry, ‘data’ serves as
the building block of everything we are trying to do in this age of industry. It is a valuable
resource for any individual, corporation or the government. Considering the magnitude of
importance ‘data’ has in the idea of governing the e- commerce industry in India, the
Department of Industrial Policy & Promotion on Feb 23rd, 2019 published the ‘Draft E-
Commerce Policy’ (“Draft policy”).23
Prima facie, the objective of the Draft Policy is to prepare and enable stakeholders to fully
benefit from the opportunities that would arise from progressive digitalization of the
domestic digital economy. The Draft Policy focuses on data protection, the State's
paternalistic attitude towards the use of the citizen's data and cross border transactions. The
Draft Policy intends to regulate some things beyond e-commerce i.e. it proposes to regulate
technologies like AI, IoT, Cloud computing and Cloud-as-a-Service etc. The Draft Policy is a
mix of visionary thought process, advanced technological solutions, putting in place digital
infrastructure to support India's digital economy etc.
The idea and intent of the legislature that is formulated under the Data Protection Bill, 2018
as far as the rights of an individual over data are concerned can be evidently seen in the Draft
Policy. Streamlining the protection of personal data and empowerment of the
users/consumers with respect to the data they generate and own are the prime focus and
objective of the Draft Policy.
However, the real intent of the legislature is yet to be seen in the upcoming future and
remains debatable as of now.
The Draft Policy recognises the rights of an individual over its data by stating that "An
Individual owns the right to his data" and therefore the use of an individual's personal data
shall be made only upon seeking his/her express consent. It further states that the data of a
23
Novojuris Legal, Draft E-Commerce Policy: The Dawn Of A New Beginning, can be assessed at <
ww.mondaq.com/india/x/787434/data+protection/Draft+ECommerce+Policy+The+Dawn+Of+A+New+Beginni
ng>
14
group is a collective data and therefore a collective property of that particular group; it
extends this rationale to state that "Thus, the data that is generated in India belongs to
Indians, as do the derivatives there from". But the Draft Policy ends up categorising data of
Indians as a collective resource and therefore a "national resource".24
The abovementioned intent of the Draft Policy is fair and strives to achieve greater good of
the country, but at the same time it also presents some vital and debatable questions which
remain unanswered. If personal data belongs to an individual then the objective stated by the
Draft Policy shows that the State wants to interfere with the personal rights of a person. The
Draft Policy clearly states that "All such data stored abroad shall not be made available to
other business entities outside India, for any purpose, even with the customer's consent"25,
what follows this point in the Draft Policy, restricts sharing of data with any third party in a
foreign country even if the individual has consented to such sharing of the data.
One can however say that the intent behind such restriction might be that currently India
lacks stringent laws regarding cross-border flow of data. If there are no strict restrictions on
cross-border flow of data Indian stakeholders will merely be engaged in back end processing
of data for the EU / US based ecommerce entities without having the ability to create any
high-value digital products. While the Government considers data as a national resource and
compares it with coal, telecom spectrums etc. it ignores the fact that the inherent nature of
personal data is that it belongs to an individual and not to the State, unlike coal.26
The obvious reason as to why the State is taking such a stance is to eliminate issues related to
consent asymmetry. But is this paternalistic attitude warranted? If the Government is worried
about foreign countries using our national resource i.e. data to their advantage it should put in
place stringent data privacy and protection laws in India taking inferences from other
countries.
24
Sneha Johari , India’s Draft E- Commerce Policy is really a Digital Economy Policy, impacts the whole
ecosystem, can be assessed at < https://www.medianama.com/2019/02/223-india-draft-e-commerce-policy/>
25
https://dipp.gov.in/sites/default/files/DraftNational_e-commerce_Policy_23February2019.pdf
26
Deep, A. (Aug 7, 2018). Draft National E-commerce Policy: data localisation and priority to domestic companies. Medianama.
Retrieved from https://www.medianama.com/2018/08/223-draft-national-e-commerce-policy-data-localisation-and-priority-to-
domestic-
companies/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+medianama+(Medianama:+Digital+Media+In+India
)
15
CHAPTER- V
13. CONCLUSION:
With the rapid changes in the digital economy, it becomes very vital on the part of Indian
government to respond accordingly by bringing new regulations and/or amending the existing
ones. Issues related to e-commerce must now be addressed on priority and in a way that the
pace of growth in the sector does not lag while the domestic stakeholders as well as the entire
population is benefitted by the positive spillovers.
However, the recent e – commerce policy has presented like a ray of hope but once the final
e-Commerce policy is enacted what will be interesting to see is whether Government opts for
ease of governance or ease of doing business.
At the end, the Draft Policy is a positive step towards making India one of the most
prominent digital economies in the world, especially considering the strict stance the
Government has taken during the WTO negotiations by not accepting the permanent
moratorium on waiving custom duties on digital goods sold through electronic transmission.
Specific issues regarding data/personal data of an individual still needs a deep intellectual
thinking, integrated with a practical approach from the Government before implementing a
sector wide policy, especially keeping in mind that at the end of the day personal data
belongs to an individual and the use of such personal data shall be the decision of the
respective individuals and not of the State.
16
14. BIBLIOGRAPHY:
PRIMARY SOURCES:
IT Act, 2000
Reports by Data Security Council of India
Draft Policy( E- Commerce)
GDPR
SECONDARY SOURCES:
Latha R. Nair,’ Data Protection Efforts in India: Blind leading the Blind’
Sneha Johari , India’s Draft E- Commerce Policy is really a Digital Economy
Policy, impacts the whole ecosystem.
Bageshree S., Now Biometric Identification for Ration Cards Too
Asia Muneer,Razzaq S,‘Data Privacy Issues and Possible Solutions in E-
commerce.
Christopher Millard, ‘Communications Privacy in Telecommunication Law
(Ed.)
17