Compliance of e-commerce platforms with the Digital Personal Data Protection Act of 2023
The E-Commerce Rules define “e-commerce entities” as any person who owns, operates, or manages a digital or electronic facility or platform (such as an online interface, be it software, a website, or mobile applications) for electronic commerce.1
A seller who utilizes a marketplace e-commerce platform to sell their goods or services falls outside the scope of the aforementioned definition. Therefore, the definition of e-commerce entities covers only those entities involved in the operation or management of digital or electronic platforms. However, it’s important to acknowledge that sellers will be categorized as data fiduciaries if they collect personal information from individuals to determine the purpose of their services.2
The Digital Personal Data Protection Act (DPDPA) outlines key obligations:
- The Act provides for the processing of digital personal data in a manner that recognizes both individuals’ rights to protect their personal data as well as the need to process such personal data for lawful purposes.3
- The Act will apply to the gathering and use of personal data in India, encompassing online as well as digitized offline data, and additionally, it will apply outside of India in connection with any activity related to personal data, including the offering of products or services in India.4
- Consent: It has been provided under the Act that personal data may be processed only for the specified purpose and after obtaining the consent of the data principal (i.e., an individual).
- Such consent has to be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action.5
- Every request for consent should be in clear and simple language, giving the data principal the option to access such a request in English or any other language specified in the Eighth Schedule of the Indian Constitution.
- A notice has to be given by the data fiduciary before seeking consent, containing details about the personal data to be collected and the purpose of processing.6
- Make reasonable efforts to ensure the accuracy and completeness of data and implement appropriate measures to protect personal data in its possession or under its control.
- Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation).
- Data Breach: The Act defines a “personal data breach” as any unauthorized processing or accidental disclosure, use, alteration, or destruction of personal data that compromises its confidentiality, integrity, or availability.7
- It is the obligation of a data fiduciary to build reasonable security safeguards to prevent a data breach.
- In case there is a data breach, the data fiduciary will inform the Data Protection Board of India (i.e., the adjudicatory body) and the affected person whose data has been compromised.
The data principal (i.e., the individual whose data is being processed) shall have certain rights as follows:
- Right to access information about personal data.
- Seek correction and erasure of personal data.
- Nominate another person to exercise rights in the event of death or incapacity.
- Withdraw her consent at any time during or after the processing of personal data.
An adequate grievance redressal mechanism must also be established for redressing the grievances of the data principal.
- Non-compliance with the aforementioned legal obligation may result in financial penalties of up to INR 250 crore, with determinations made on a case-by-case basis.
1- Section 3(b) of the Consumer Protection (E-Commerce) Rules, 2020
2- Sections 3(f) and 3(g) of the Consumer Protection (E-Commerce) Rules, 2020
3- Section 2(i) of the Digital Personal Data Protection Act, 2023
4- Section 3 of the Digital Personal Data Protection Act, 2023
5- Section 6 of the Digital Personal Data Protection Act, 2023
6- Section 5 of the Digital Personal Data Protection Act, 2023
7- Section 2(u) of the Digital Personal Data Protection Act, 2023