Legal Responsibility of Data Protection & Data Privacy of E-Commerce Websites & Portals: Lawyers Advice on IT Laws of India
There has been an exponential increase in the e-commerce market in India in recent years. Several government initiatives like Skill India, Make in India, Digital India, Innovation India and Start-up India have incentivised the setting up and carrying out of business activities on online platforms. Consequently, the Indian e-commerce sector is growing at an annual rate of 51 per cent, which is the highest in the world.
The term ‘e-commerce’ has been defined under Section 2(44) of the Central Goods and Service Act, 2017 as “the supply of goods or services or both, including digital products over digital or electronic networks.”
It is nearly impossible for an e-commerce platform to complete a transaction without collecting personal information from its customers. The information collected by these platforms may range from direct information, such as financial information and identity, to indirect information, such as the spending patterns and personal preferences of their customers. With access to this information comes a responsibility to use it responsibly and to prevent it from falling into the wrong hands.
The information that is collected and stored by an e-commerce website is also susceptible to cyber theft and other crimes. It is the duty of the e-commerce website to take suitable steps to prevent the occurrence of the same.
Responsibilities of E-Commerce Websites under Indian Law
The Supreme Court of India has recognised the “right to privacy” under the “right to life and personal liberty” in People’s Union of Civil Liberties v. Union of India ((2003) 2 S.C.R. 1136), Kharak Singh v. State of U.P. (1964 SCR (1) 332) and K.S. Puttaswamy v. Union of India ((2017) 10 SCC 1). There is no specific legislation in India which deals with the protection of personal data. However, there is a framework for the same in the form of the Information Technology Act, 2000 and the rules made thereunder.
The Information Technology Act, 2000
The framework for Data Protection in India is found in the ‘Information Technology (Reasonable practices and procedure and sensitive personal data or information) Rules, 2011’ (“Data Protection Rules”). The rules categorise personal data into two categories, namely Personal Information (PI) and Sensitive Personal Data or Information (SPDI). PI includes any information by virtue of which the person can be identified, and SPDI includes passwords, financial information, sexual orientation, medical records, biometrics, etc.
The Data Protection Rules provide for certain compliance requirements that body corporates handling, possessing or dealing with SPDI of customers are required to meet. These requirements include –
• Setting up and following a privacy policy that is within the framework of the Data Protection Rules.
• Obtaining consent from the person who provides their SPDI to the e-commerce platform.
• Providing the customer with an ‘opt-out’ mechanism through which they can withdraw their consent.
• Maintenance of reasonable safety practices that prevent the misuse of the information.
Section 43A of the Information Technology Act, 2000 (“the Act”) provides for a liability that will be incurred by any entity that is negligent in the maintenance and the implementation of security practices. Further, section 72A of the Act provides for imprisonment for a period of two years, or a fine which may extend up to Rupees One Lakh, or both, for the breach of the confidentiality and privacy of the customers.
The Draft National E-Commerce Policy
The Government of India came out with the ‘Draft National E-Commerce Policy’ in 2019. The objective of this policy is to set up a comprehensive technological and legal framework for the collection and the processing of sensitive personal data. It also provides for certain restrictions on the flow of data across national borders and lays down conditions for the processing of personal data. The conditions for business organisations processing sensitive personal data in India and storing them abroad are as follows –
• Such data is not to be made available to other businesses outside of India, with or without the consent of the customer;
• Such data is not to be made available to any third party outside India;
• Such data shall not be made available to a foreign government;
• Requests by Indian authorities to access such data shall be heeded immediately.
The above-mentioned restrictions do not apply to –
• Data not collected in India;
• Business to business data collected as part of a contract of a commercial nature;
• Software and cloud computing services which have no community or personal implications; and
• MNCs moving data across borders where the data is not generated from users in India.
Despite the fact that this Policy is yet to be brought into force, it is advisable for e-commerce websites to comply with the same, as it is reasonable to expect this policy to be implemented in due course.
Compliance requirements if data of citizens of the EU is being processed
The General Data Protection Regulations (GDPR) are applicable to Indian e-commerce entities if the following criteria are met –
• Presence in a country of the European Union;
• Processes data in a country of the European Union; and
• Processes/stores personal data of European residents
The GDPR mandates a higher threshold of data protection than Indian law by requiring entities to adhere to the principles of protection from unlawful data processing, fairness and transparency, data integrity and accountability.
Suitable steps that can be taken to protect personal data of customers from cyber theft.
• Installation of an SSL certificate – This will ensure that data in transit from the browser of the customer to the payment processing site is encrypted. This can prevent hackers from stealing sensitive payment information while it is in transit.
• Web Application Firewall – a firewall can block malicious attempts made by hackers to hack into the resources of your server. In case you would like to undertake business operations only in India, you can use your firewall to block incoming traffic from foreign countries.
• Updating plug-ins – keeping your plug-ins updated will ensure that cyber criminals cannot hack their way in.
• Using automated anti-malware software – This will ensure that you have all-round protection of the sensitive personal information stored on your website by constantly reviewing the files on your site.
• Backing up and restoring important data – this will ensure that in the event of a security breach, you can revert to an older version of your website which still contains the personal information of your customers.
• Being transparent in marketing – this will keep your customers aware of how their information is going to be used. This will have the advantage of creating a connection with your customer and will help your business in the long run.
By taking the above-mentioned steps, you will not only build customer confidence but will also ensure that your e-commerce platform is not in breach of any legal requirements.
Authored By: Adv. Anant Sharma & Vismay G.R.N.