Protecting Consumer Data in the Age of E-commerce: A Study of Indian Laws and Practices




Introduction

In today's digital economy, the rise of e-commerce has revolutionized the way consumers shop. Everything from electronics to groceries is available at the click of a button. However, as more consumers engage in online shopping, the protection of their data has become a significant concern. In India, especially with the growth of e-commerce, it has become very important for companies and organizations to protect consumer data securely. This article delves into the existing legal framework and practices designed to safeguard consumer data in India, focusing on e-commerce data privacy laws, the Personal Data Protection Bill, and cybersecurity laws that govern online transactions.

Need for Consumer Data Protection in India

E-commerce entities gather a large amount of personal data from consumers, including first and last names, addresses, payment details, purchasing history, and even behavior. As these platforms continue to grow, the threat of cybercrime and data breaches grows with them, so the protection of consumer data cannot be ignored. Preserving the safety of information in Indian e-commerce environments is critical for consumers’ confidence and their rights in e-commerce. A regulatory response to consumer rights and data protection concerns has emerged in India as people become increasingly worried about the misuse of the information they freely provide to companies. As hackers have advanced their operations, the government, with the help of different regulatory authorities, has been devising ways of protecting the consumer.

E-commerce Data Privacy Laws in India: Current Legal Framework

The Indian legal system has recognized the need for robust e-commerce privacy laws to safeguard consumer data in the digital age. Several key laws and regulations provide a foundation for data protection in Indian online shopping. Some of them are discussed below:

Information Technology Act, 2000 (IT Act)

In India, the IT Act was one of the first laws addressing cybercrimes and electronic commerce. Sections 43A and 72A specifically deal with data protection, mandating entities to implement reasonable security practices to protect consumer information. Section 43A (Compensation for failure to protect data) states that “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.”

Section 72A (Punishment for disclosure of information in breach of lawful contract) states that “Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.”

Moreover, Section 66E provides punishment for violation of privacy. It states that “Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.”

The Personal Data Protection Bill, 2019

This Bill, currently under review by the Indian Parliament, marks a major shift towards a comprehensive data protection framework. It is designed to ensure that businesses process personal data transparently and securely, giving consumers greater control over their data. The key provisions include Data Principal Rights (empowering consumers to have control over their data), Data Processing Guidelines (imposing strict obligations on data processors to maintain transparency and secure storage of consumer data), and Cross-Border Data Transfer (regulating the transfer of consumer data to foreign countries). While the bill has yet to be passed into law, it is expected to significantly strengthen consumer data protection in India by introducing penalties for non-compliance and mandating data audits for large companies.

The Personal Data Protection Bill, 2019 is set to become a cornerstone in the protection of consumer data in India, especially for e-commerce privacy laws in India in 2024. Once enacted, it will likely bring major changes to how e-commerce platforms operate, especially in terms of their data collection, storage, and processing practices. Some important provisions concern sensitive personal data, the Data Protection Authority, and the Right to Erasure. These provisions aim to give consumers greater autonomy over their data while imposing stronger obligations on e-commerce platforms to prioritize data security in India.

E-Commerce Guidelines by the Ministry of Consumer Affairs

To further ensure consumer protection, India’s Ministry of Consumer Affairs has introduced guidelines specifically aimed at e-commerce platforms. These guidelines set out the duties of e-commerce entities, such as: “Every e-commerce entity shall provide the following information in a clear and accessible manner on its platform, displayed prominently to its users, namely:

  • the legal name of the e-commerce entity;
  • principal geographic address of its headquarters and all branches;
  • name and details of its website; and
  • contact details like e-mail address, fax, landline, and mobile numbers of customer care as well as of grievance officer.”

Moreover, the Rules also provide that “Every e-commerce entity shall establish an adequate grievance redressal mechanism having regard to the number of grievances ordinarily received by such entity from India, and shall appoint a grievance officer for consumer grievance redressal, and shall display the name, contact details, and designation of such officer on its platform.” They also determine the liabilities of marketplace e-commerce entities, the duties of sellers on the marketplace, and the duties and liabilities of inventory e-commerce entities.

Indian Cybersecurity Law

India has introduced a range of cybersecurity initiatives under the National Cyber Security Policy, 2013 to address the increasing frequency of cyber threats. The vision of this policy is “To build a secure and resilient cyberspace for citizens, businesses and Government”. This policy encourages businesses, including e-commerce firms, to adopt best practices for cybersecurity, including encrypting customer data, safeguarding payment systems, and preventing data breaches.

Data Security and Cybersecurity Laws for E-Commerce in India

Due to the increase in cyber threats, cybersecurity laws for e-commerce in India have become critical. Data breaches, cyberattacks, and hacking incidents are becoming more prevalent, which makes it essential for online businesses to invest in security measures. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (under the IT Act) require e-commerce platforms to implement reasonable security practices. These rules demand that businesses use encryption to protect data, regularly audit security systems, and notify consumers in case of data breaches. Additionally, e-commerce businesses are also required to establish grievance redressal mechanisms and comply with the Consumer Protection (E-Commerce) Rules, 2020 to ensure consumer rights are protected in case of disputes.

Way Forward

As e-commerce continues to flourish in India, the focus on digital privacy rights for consumers is only going to intensify. While the current Indian legal framework for data protection provides a solid foundation, there is room for improvement, particularly in the areas of enforcement, consumer education, and addressing cross-border data flow concerns. The Personal Data Protection Bill is a good starting point for establishing new legislation that conforms to global standards and reconciles Indian consumers’ rights with openness to new IT developments. The expected passage of this bill will help India set out on the process of offering a more secure and consumer-friendly e-commerce marketplace.

Conclusion

Technology is rapidly evolving within India, and as a result of the increasing popularity of e-commerce, the safety of users’ personal data is paramount. The evolving legal landscape, including the Personal Data Protection Bill and e-commerce privacy laws in India in 2024, reflects the growing emphasis on consumer rights and digital privacy. For e-commerce businesses, adapting to these laws is not just about compliance; it is also about fostering trust and building long-term relationships with consumers. By prioritizing data security and respecting consumer privacy, India can create a safer and more secure online shopping experience for all.


 

1. How can consumers protect their data when shopping online?
2. What laws govern consumer data protection in Indian e-commerce?