The E-Commerce Rules define “e-commerce entities” as any person who owns operates, or manages a digital or electronic facility or platform
Compliance of e-commerce platforms with the Digital Personal Data Protection Act of 2023
The E-Commerce Rules define “e-commerce entities” as any person who owns operates, or manages a digital or electronic facility or platform (i.e., such as an online interface, be it software, a website, or mobile applications) for electronic commerce.1
A seller who utilizes a marketplace e-commerce platform to sell their goods or services falls outside the scope of the aforementioned definition. Therefore, the definition of e-commerce entities covers only those entities involved in the operation or management of digital or electronic platforms. However, it’s important to acknowledge that sellers will be categorized as data fiduciaries if they collect personal information from individuals to determine the purpose of their services.2
The Digital Personal Data Protection Act (DPDPA) outlines key obligations:
- The Act provides for the processing of digital personal data in a manner that recognizes both individuals’ rights to protect their personal data as well as the need to process such personal data for lawful purposes.3
- The Act will apply to the gathering and use of personal data in India, encompassing online as well as digitized offline data, and additionally, it will apply outside of India in connection with any activity related to personal data, including the offering of products or services in India.4
- Consent: It has been provided under the Act that personal data may be processed only for the specified purpose and after obtaining the consent of the data principal (i.e., an individual).
- Such consent has to be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action.5
- Every request for consent should be in clear and simple language, giving the data principal the option to access such a request in English or any other language specified in the Eighth Schedule of the Indian Constitution.
- A notice has to be given by the data fiduciary before seeking consent, containing details about the personal data to be collected and the purpose of processing.6
- Make reasonable efforts to ensure the accuracy and completeness of data and implement appropriate measures to protect personal data in its possession or under its control.
- Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation).
- Data Breach the Act defines a “personal data breach” as any unauthorized processing or accidental disclosure, use, alteration, or destruction of personal data that compromises its confidentiality, integrity, or availability.7
- It is the obligation of a data fiduciary to build reasonable security safeguards to prevent a data breach.
- In case there is a data breach, the data fiduciary will inform the Data Protection Board of India (i.e., the adjudicatory body) and the affected person whose data has been compromised.
The data principal (i.e., the individual whose data is being processed) shall have certain rights as follows:
- Right to access information about personal data.
- Seek correction and erasure of personal data.
- Nominate another person to exercise rights in the event of death or incapacity.
- Withdraw her consent at any time during or after the processing of personal data.
Establishing an adequate grievance redressal mechanism for redressing the grievance of the data principal.
- Non-compliance with the aforementioned legal obligation may result in financial penalties of up to INR 250 crore, with determinations made on a case-by-case basis.
1- Section 3(b) of the Consumer Protection (E-Commerce) Rules, 2020
2- Sections 3(f) and 3(g) of the Consumer Protection (E-Commerce) Rules, 2020
3- Section 2(i) of the Digital Personal Data Protection Act, 2023
4- Section 3 of the Digital Personal Data Protection Act, 2023
5- Section 6 of the Digital Personal Data Protection Act, 2023
6- Section 5 of the Digital Personal Data Protection Act, 2023
7- Section 2(u) of the Digital Personal Data Protection Act, 2023
The far-reaching effects of whatsoever one may propagate through the internet is not surprising. Therefore, there’s been an endless debate Read more
Income inequality, characterized by the unequal distribution of wealth and resources, has emerged as a critical issue with profound socio-economic Read more
In the dynamic landscape of business, managing a long list of bad debtors can pose significant challenges for corporationsIntroduction In Read more
With the snowballing number of proceedings under Section 138 and 141 of the Negotiable Instruments Act, 1881 (“NI Act”), the Read more
Startups are the tomorrows of India. The expansion of numerous industries has led to a rise in the number of Read more
Introduction In order to preserve financial stability and protect the interests of consumers and the economy, Indian banks operate in Read more
Co-working Employment Coworking spaces have revolutionized office cultures by encouraging cross-collaboration and interconnection between start-ups, entrepreneurs, business institutions, and their Read more
The idea of the LiFE campaign was introduced at the 26th United Nations Climate Change Conference of the Parties (COP26) Read more
Intellectual property (IP) refers to the legal rights granted to individuals or entities over intangible creations such as patents Intellectual Read more
Multilateral institutions play a major role in promoting global economic and social development, with a growing emphasis on addressing climate Read more
