Data Privacy in Indian E-commerce: Contractual Challenges and Legal Solutions

Mansi Javiya
Legal Article
Fri, Dec 15, 2023, at 11:37 PM

The Indian e-commerce industry is booming, with a projected value of US$350 billion by 2025. However, this rapid growth has also posed new challenges, particularly in the area of data privacy.

E-commerce companies collect a vast amount of personal data from their users, including names, addresses, contact information, payment details, and browsing history. This data is essential for businesses to operate efficiently and provide personalized services to their customers. However, it also raises serious privacy concerns. This data is often used for marketing purposes, but it can also be used for other purposes, such as fraud prevention and risk assessment.

In recent years, there have been several high-profile data breaches at Indian e-commerce companies, exposing the personal data of millions of users. This has led to increased scrutiny of the data privacy practices of e-commerce companies.

Data Privacy Framework in India

The Contract Act can be used to enforce data privacy rights. For example, if an organization collects personal data from an individual without their consent, the individual may be able to sue the organization for breach of contract.

Additionally, the Contract Act can be used to negotiate terms of use and privacy policies that are more favorable to individuals. For example, an individual may be able to negotiate a right to access and delete their personal data, or a right to be notified when their data is shared with third parties.

The Personal Data Protection Bill (PDPB)

The cornerstone of data privacy regulations in India is the Personal Data Protection Bill (PDPB), which was introduced in 2019. Once enacted, this bill will establish a comprehensive framework for the collection, processing, and storage of personal data.
It outlines principles such as data minimization, purpose limitation, and consent, which e-commerce companies must adhere to. Violation of these principles can result in substantial penalties.

The Information Technology Act, 2000

The Information Technology Act, 2000, plays a crucial role in regulating electronic commerce and data privacy. It provides legal recognition to electronic documents and digital signatures and sets out penalties for data breaches. Companies must ensure they have robust security measures in place to protect customer data, as non-compliance can result in legal repercussions.

The data privacy framework in India is currently being developed, but the Information Technology Act, 2000 (IT Act) and the Indian Contract Act, 1872 (Contract Act) provide some basic protections for personal data.

Guidelines on Data Privacy by the Reserve Bank of India

For e-commerce companies dealing with financial transactions, the Reserve Bank of India (RBI) has issued guidelines on data privacy and security. These guidelines require companies to establish stringent security measures and report data breaches promptly.

However, these sector-specific laws do not provide a uniform approach to data privacy across all sectors of the economy, and they do not address many of the key issues that are addressed by comprehensive data privacy laws, such as the rights of individuals to access and control their personal data, and the obligations of organizations to protect personal data.

The Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) is a new law that was passed by the Indian Parliament in August 2023.
The DPDP Act provides a comprehensive framework for the protection of personal data in India.

The DPDP Act also gives the government the power to regulate the processing of personal data by government agencies and foreign entities.

As India’s economy becomes increasingly digital, it is important that the country has strong and comprehensive data privacy laws in place to protect the rights of individuals and to build trust in the digital economy.

Legal Challenges for Indian Companies

Indian contract law does not have any specific provisions on data privacy. However, there are a few general principles that can be applied to e-commerce contracts.

1. Lack of a comprehensive data privacy law

India does not currently have a comprehensive data privacy law. The Personal Data Protection Bill, 2019, is currently pending before Parliament, but it is unclear when it will be passed. In the absence of a comprehensive data privacy law, e-commerce companies are required to comply with a patchwork of laws and regulations, which can be difficult and confusing.

2. Liability of e-commerce platforms for third-party sellers

The legal status of e-commerce marketplaces as intermediaries has been subject to debate in India. Some courts have held that e-commerce marketplaces are not liable for the quality of goods sold on their platforms, while other courts have held that they can be held liable in certain circumstances. This lack of clarity creates uncertainty for e-commerce companies and can make it difficult for them to manage their risks.

3. Security of consumer data

E-commerce companies in India are required to take reasonable steps to protect the security of consumer data. However, there have been a number of high-profile data breaches involving e-commerce companies in recent years. This raises concerns about the security of consumer data and the ability of e-commerce companies to protect it.

4.
Consent for the collection and use of personal data

E-commerce companies must obtain consent from users before collecting and using their personal data. However, there have been concerns that some e-commerce companies are not obtaining consent properly or that they are using consent to justify the collection of more data than is necessary.

Data privacy compliance in the Indian e-commerce sector is a complex endeavor, particularly when viewed through the lens of contract law. E-commerce companies must prioritize the creation of contracts and privacy policies that align with the principles of the Indian Contract Act, emphasizing clarity, transparency, and the importance of consent.

In a digital age where customer trust and reputation are paramount, these contracts are not just legal obligations but also crucial instruments for building and maintaining trust. By aligning data privacy practices with contract law principles, Indian e-commerce companies can navigate the complexities of data privacy regulations, protecting personal data while ensuring sustainable growth in the digital economy.

Case Laws

There have been a few cases in India that have dealt with data privacy issues in the context of e-commerce.

In the case of Justice K.S. Puttaswamy (Retd.) v. Union of India, the Supreme Court of India held that the right to privacy is a fundamental right under the Constitution of India. This case has implications for e-commerce companies, as they must now ensure that they collect and use personal data in a manner that is consistent with the right to privacy.

In the case of K.S. Puttaswamy v. Union of India, (2018) 10 SCC 1, the Supreme Court of India upheld the validity of the Aadhaar program, but it also imposed certain restrictions on the government's use of Aadhaar data. The Court held that the government cannot make Aadhaar mandatory for accessing essential services and that it cannot collect or use Aadhaar data without the consent of the individual.

In another case, Puttaswamy v.
Union of India, the Supreme Court of India struck down Section 66A of the Information Technology Act, 2000, which prohibited the posting of "offensive" content online. This case is also significant for e-commerce companies, as it removes a legal obstacle to users suing companies for data privacy violations.

The Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) is a new law that was passed by the Indian Parliament in August 2023. The DPDP Act provides a comprehensive framework for the protection of personal data in India.

The DPDP Act builds on the existing protections in the IT Act and the Contract Act. It also introduces a number of new safeguards, such as:

- A requirement for data fiduciaries to obtain explicit consent from individuals before collecting their personal data.
- A requirement for data fiduciaries to implement appropriate technical and organizational measures to protect personal data.
- A right for individuals to access, correct, delete, and port their personal data.
- A right for individuals to object to the processing of their personal data for certain purposes.
- A requirement for data fiduciaries to establish a grievance redressal mechanism for individuals.

The DPDP Act also gives the government the power to regulate the processing of personal data by government agencies and foreign entities.

Conclusion

The Indian e-commerce industry is booming, but it is facing new challenges in the area of data privacy. The lack of a comprehensive data protection law and the lack of clarity on the liability of e-commerce companies for data breaches are two of the biggest challenges.

E-commerce companies in India need to be aware of their legal obligations under Indian contract law and take steps to protect their users' data. Companies should also support the passage of a comprehensive data protection law in India.
The data privacy framework in India is still evolving, but the IT Act, the Contract Act, and the DPDP Act provide a basic level of protection for personal data. Individuals can use these laws to enforce their data privacy rights and to negotiate more favorable terms of use and privacy policies with organizations.

Recommendations

The Indian government should enact a more comprehensive data protection law that provides clear guidance to e-commerce companies on their contractual obligations with respect to data privacy. Additionally, the government should establish a data protection authority to oversee the implementation of the law and to investigate data privacy violations.

Indian e-commerce companies should also take steps to improve their data privacy practices. For example, companies should adopt clear and transparent data privacy policies, and they should obtain consent from users before collecting their personal data. Additionally, companies should implement strong security measures to protect personal data from unauthorized access, use, disclosure, and destruction.