Legal & Regulatory Framework for E-commerce in India

Authors: Pranav Prakash & Tuhin Batra

INTRODUCTION

India has experienced an unprecedented digital revolution in the past five years. Minimal internet prices, countless smartphones at affordable rates, a push to digitize the rural population of India, and the rise of e-wallets and digital payment systems have been instrumental in revolutionizing the internet presence in the country. There are more than 600 million active internet users in India as of now, of whom more are in rural India than in the urban areas of the country.[1]

Such deep levels of internet penetration present a welcome opportunity for entrepreneurs to take their businesses to the internet and tap this large market. E-commerce is already a huge hit in urban India. You can find everything, from a screwdriver to a telescope, online. E-commerce in rural India is likely to increase due to the growing internet consumption. While intermediaries and product and service aggregators have captured a lot of niche markets, there are still a lot of product markets and service markets that have great e-commerce potential.

E-commerce is governed by various laws in India. From the stage of setting up the business until the e-commerce business is up and running, right from developing a website to the product being packaged and delivered to the customer, different legislations come into the picture. Here is a primer on the legal and regulatory framework governing e-commerce in India.

  1. PRIVACY, DATA PROTECTION AND DATA SECURITY

The business of e-commerce is largely data driven. Personal data of customers and website users is collected by e-commerce entities to offer a personalized, enhanced, and hassle-free online shopping experience. Personal data generally refers to information or data which relates to a person who can be identified from that information or data, whether collected by any Government or any private organization or agency. While personal data of customers and website users is essential for the success of an e-commerce entity, due care must be taken to collect such data in accordance with the law. Not doing so will attract hefty fines and ultimately result in the goodwill of the entity being compromised.

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

The IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 are laid down by the Central Government as delegated legislation under section 87(2)(ob) read with section 43A of the IT Act. They lay down what constitutes “sensitive personal data or information” and how one can use such data or information.

Sensitive personal data or information of a person means such personal information which consists of information relating to:

  1. password;
  2. financial information such as bank account or credit card or debit card or other payment instrument details;
  3. physical, physiological and mental health condition;
  4. sexual orientation;
  5. medical records and history;
  6. Biometric information;
  7. any detail relating to the above clauses as provided to body corporate for providing service; and
  8. any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.[2]

Usage of Personal Data

  • The e-commerce entity must develop a privacy policy which mentions what personal data is going to be used by the e-commerce entity and how it is going to be used.[3]
  • The policy must be made available for view to the consumers from whom such data is collected.[4]
  • The policy must clearly mention the fact that the data is being collected, the purpose, the intended recipients of the data and the name and address of the e-commerce entity. (If one entity collects the data and a different entity retains it, the names and addresses of both such companies must be provided.)[5]
  • The consumers must be able to see and review what data they have given and should also be able to make changes to the data they have given.[6]
  • An e-commerce entity must give an option to the consumers to not provide their personal data, and also to withdraw personal data once given to the e-commerce entity.[7]
  • An e-commerce entity must have a Grievance Officer who deals, in a time-bound manner, with consumer grievances regarding the processing of their data. The GO’s name and contact details must be published on the website.[8]

Data Security

  • An e-commerce entity must adhere to the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” for data security.[9]
  • The entity can also follow any other code of best practices for data protection, provided that such a code is approved by the Central Government.[10]
  • The code must be regularly audited by an independent auditor notified by the Central Government either once a year, or when the e-commerce entity significantly upgrades its process and computer resource.[11]
  • Only the e-commerce entity shall use the personal data of the consumers and shall not publish such data anywhere.[12]
  • The data must be strictly used only for the purpose mentioned and agreed to by the consumer in the privacy policy.[13]
  • If personal data of the consumer is to be shared with any third-party, then the same should be mentioned in the privacy policy.
  • The third party must also ensure the same level of data security offered by the e-commerce entity.[14]
  • The data must be shared only to fulfil the contract between the e-commerce entity and consumer.
  • However, the entity can share personal data of the consumers with any Government Agency upon getting a written request mentioning the purpose of seeking such data. The data can be shared for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.[15]

  2. E-MAIL MARKETING AND TELEMARKETING

There is no dedicated law regulating e-mail marketing specifically. However, section 67 of the IT Act will be relevant. The provision reads as follows:

“Whoever publishes or transmits or causes to be published or transmitted in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.”

Therefore, the e-commerce entity must ensure that any e-mail sent in furtherance of its e-mail marketing campaign is free from any obscene or lascivious content.

Further, it is always safe to ensure that promotional e-mails are absolutely free from any virus and are sent only after obtaining the consent of the consumer. This will ensure that the e-commerce entity does not attract section 43 of the IT Act, which penalizes wrongful access or damage to computer systems, computer networks, or data.

E-commerce entities can also engage in telemarketing through phone calls and SMS. Telemarketing is the transmission of any message through telecommunication services for the purpose of soliciting or promoting any commercial transaction in relation to goods, investment, or services. Telemarketing is governed by the Telecom Commercial Communications Customer Preference Regulations, 2018. Under the Regulations, the following requirements must be satisfied if an e-commerce entity wants to engage in telemarketing:

  • The entity must register itself with an Access Provider such as a Basic Telephone Service Provider, Cellular Mobile Telephone Service Provider, Unified Access Service Provider, etc., for the purpose of telemarketing.[16]
  • Upon registration, the entity will receive a registered Header (an alphanumeric string) which must be used for telemarketing. The entity must not make use of any other number for telemarketing which is not registered as a header under the Regulations.[17]
  • The entity may be put under a “usage cap” which determines the maximum outgoing calls and messages that can be sent by the e-commerce entity in a day. The usage cap must be strictly adhered to.[18]
  • The entity must not engage in telemarketing through abandoned calls or calls made through an auto-dialer without prior notification sent to the Access Providers. Further, such calls must only be made within the boundaries of the Regulations.[19]

  3. PAYMENT MECHANISM

The payment mechanism for e-commerce is regulated by the Payment and Settlement Systems Act, 2007 and the Payment and Settlement Systems Regulations issued by the RBI from time to time.

Payment and Settlement Systems Act, 2007

The Payment and Settlement Systems Act, 2007 (PSSA, 2007) provides for the regulation and supervision of payment systems in India and authorizes the RBI to perform such regulation. The Act defines important terms such as “payment systems”, “system provider”, “system participant”, etc. If an e-commerce entity outsources the establishment and operation of a payment system to Payment Gateway providers, it must ensure that such Payment Gateway providers operate within the PSSA, 2007.

If an e-commerce entity is itself a system provider that offers a payment system, the provisions of this Act must be adhered to strictly. Any default or failure to adhere to the provisions of the PSSA, 2007 will result in hefty fines and/or penalties being issued.

RBI Guidelines on Regulation of Payment Aggregators and Payment Gateways, 2020

The RBI, vide a circular dated March 17, 2020, issued these Guidelines. Through these Guidelines, the RBI seeks to (a) regulate in entirety, the activities of payment aggregators; and (b) provide baseline technology-related recommendations to payment gateways.

The Guidelines define the terms “payment gateways” and “payment aggregators”. While payment gateways have been limited to “entities which provide technology infrastructure to route and facilitate the processing of an online payment transaction without any involvement in handling of funds”, the definition of payment aggregators is broad and extends to all entities that facilitate e-commerce sites and merchants to accept various payment instruments from the customers for completion of their payment obligations without the need for merchants to create a separate payment integration system of their own.

E-commerce companies already providing payment aggregator services have been mandated to discontinue this activity before June 30, 2021. If such entities desire to pursue payment aggregator services, they must do so through a separate business, and such business must receive authorization from the RBI under the PSSA, 2007. Such companies must have a minimum net-worth of INR 15 crores at the time of application for authorisation and a net-worth of INR 25 crore by the end of the third financial year of grant of authorization, which must be maintained at all times thereafter.

  4. INTELLECTUAL PROPERTY

Intellectual Property concerns are one of the most important aspects that an e-commerce business operator should take into careful consideration. An IP violation will prove to be extremely detrimental to the finances and reputation of the business. The following are the elements that an entrepreneur must keep in mind while setting up an e-commerce business:

Trade Marks Act, 1999

  • The logo, tagline and the domain name can be trademarked under the Act.
  • Application for Registration of Trademark u/s 18 of the Act.
  • Renewal of the Trademark once every 10 years u/s 25 of the Act.
  • Trade Marks Rules, 2017.

Website Design Protection

  • Website Design is protected u/s 13 of the Copyright Act, as “literary work” u/s 2(o) of the Act includes computer programmes, tables and compilations including computer databases.
  • The Website Design, therefore, can be registered as a Copyright under Chapter X of the Indian Copyright Act, 1957 and Rule 70 of Copyright Rules, 2013.
  • However, even without such registration, the Website Design will be considered as the Copyright of the e-commerce entity as registration of a copyright is not mandatory under the Copyright Act. An unregistered copyright has the same protections that a registered copyright has in India.

Use of Third-Party Content

Third-party content must be used very carefully by the e-commerce entity. If any third-party content is protected under Intellectual Property laws, a proper IP licence must be obtained to use such content.

Trademark

The Trade Marks Act, 1999 – Section 49 of the TM Act states that the registered user and registered proprietor shall apply jointly by way of an agreement in writing to the Registrar for permitted use of the trademark.

Copyright

The Copyright Act, 1957 – Section 30(3) of the Copyright Act states that the copyright owner may grant any interest in his copyright work by a licence in writing signed by him or his agent.

  5. CONTENT REGULATION

Content within an e-commerce website is regulated by several laws. So, any advertising on the website must be carried out keeping in mind the following provisions.

Indian Penal Code, 1860

Obscenity

  • Section 292 of IPC – any material which is lascivious or appeals to the prurient interest or which may deprave and corrupt persons would be considered obscene, and any person publicly exhibiting such obscene material will be punishable with imprisonment and fine under the Code.

Defamation

  • Section 500 of the IPC also makes it an offence to sell or offer for sale any printed or engraved substance knowing that such substance contains defamatory matter.
  • The punishment for this offence is simple imprisonment for up to two years and/or with fine.

Indecent Representation of Women (Prohibition) Act, 1986 (“IRWPA”)

An indecent representation of a woman which includes depiction of the figure of a woman, her form or body or any part which has the effect of being indecent, or derogatory to, or denigrating, women, or is likely to deprave, corrupt or injure the public morality or morals is punishable under the IRWPA.

Information Technology Act, 2001

Content on an e-commerce site must not be in violation of Sections 67, 67A, and 67B of the IT Act.

Anyone who publishes or transmits or causes to be published or transmitted in an electronic form

(a) any material which is lascivious or appeals to the prurient interest or which may deprave and corrupt persons[20]; or

(b) any material which contains a sexually explicit act or conduct[21]; or

(c) any material which depicts children in a sexually explicit act or conduct[22]

will be liable for punishment with imprisonment and fine under the IT Act.

  6. CONSUMER PROTECTION

There are no specific provisions or rules governing consumer protection in e-commerce. As of now, the sale of goods over e-commerce is still governed by the provisions of the Consumer Protection Act, 2019. The Act provides that the Central Government may make rules to prevent unfair trade practices in e-commerce.[23] In this light, a set of draft rules exclusively governing e-commerce entities, with the sole purpose of regulating consumer protection in e-commerce, was formed in 2019 but is yet to be notified by the Central Government.[24]

  7. PACKAGING

An e-commerce business will have to pack the products it sells and ship them to the customer’s address. The packaging of the products is regulated by the Legal Metrology Act, 2009, which chiefly regulates the packaging of commodities sold. Section 18 of the Act provides that:

  • No goods shall be sold in packaging until the packaging is in compliance with standard quantities or number and bears thereon such declarations and particulars in such manner as may be prescribed.
  • Any advertisement mentioning the retail sale price of a pre-packaged commodity must contain a declaration as to the net quantity or number of the commodity contained in the package in such form and manner as may be prescribed.
  • Chapter 2 of the Act deals with the standards of measurement of packages.
  • Legal Metrology (Packaged Commodities) Rules, 2011 provides for specific standards and packaging mechanisms for packaged commodities.

Therefore, due care must be taken by the e-commerce business in its packaging process, and provisions under the Legal Metrology Act, 2009 and subsequent Rules therein must be complied with.

  8. TAXATION OF E-COMMERCE TRANSACTIONS

GST Act, 2017

  • Since GST is a destination-based taxation system, an e-commerce entity should get GST registration in all the states where it intends to sell its products. However, in the following cases, GST registration is not mandatory:
      • If annual turnover is less than 10 lakhs – in Special Category States
      • If annual turnover is less than 20 lakhs – in Normal Category States
  • Under Section 16 of the Act and GST Rules 36 to 45, the entity can claim Input Tax Credit for tax paid on acquiring inputs.

Income Tax Act, 1961

  • Sections 28 to 44B of the Act provide for computation of taxation for income under the head of Profits and Gains of Business or Profession.

Finance Act, 2020

  • Under Section 165A of the Finance Act, 2020, a 2% equalisation levy covers the consideration that e-commerce companies get from transactions originating in India, starting from April 1, 2020.

  9. FDI IN E-COMMERCE

Press Note 2 of 2018 issued by the Department of Industrial Policy & Promotion allows for 100% FDI in e-commerce entities operating a marketplace model. It is important to note that no FDI is allowed in e-commerce entities operating an inventory model. The Press Note also mandates that e-commerce entities operating a marketplace model shall not exercise any form of control over the operations or turnover of the vendors selling their products on the e-commerce marketplace.

  10. ANTI-TRUST LAWS

Anti-trust issues have been rampant against e-commerce entities, as is evident from a plethora of anti-trust litigations against e-commerce giants such as Flipkart and Amazon. Competition in respective industries in India is governed and regulated by the Competition Act, 2002. E-commerce entities must be diligent about the agreements and arrangements that they get into with vendors and customers. The agreements that e-commerce entities execute with their vendors regarding production, supply, distribution, storage, acquisition, and/or provision of goods and/or services must not have an appreciable and adverse effect on competition in India. Agreements in violation of this restriction will be declared void.[25]

Further, e-commerce companies must ensure that they do not abuse their dominant position in the relevant market. The companies must not impose unfair or discriminatory prices or conditions in the purchase or sale of goods made through their platforms. Further, they must not indulge in limited and restrictive practices, or predatory pricing in the market, which make it difficult for their competitors, vendors, and/or customers to operate in the same market.[26]


[1] Internet and Mobile Association of India, Digital in India – Round 2 Report, available at https://cms.iamai.in/Content/ResearchPapers/2286f4d7-424f-4bde-be88-6415fe5021d5.pdf, last seen on 15/06/2020

[2] R. 3, The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[3] R. 4, The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[4] Supra Note 3.

[5] R. 5(3), The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[6] R. 5(7), The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[7] Supra Note 6.

[8] R. 5(9), The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[9] R. 7(1), The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[10] Supra Note 9.

[11] R. 8(3), The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[12] Supra Note 3.

[13] Supra Note 3.

[14] R. 7, The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[15] R. 6(1), The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[16] Regulation 3, Telecom Commercial Communications Customer Preference Regulations, 2018.

[17] Supra Note 16.

[18] Supra Note 16.

[19] Regulation 4, Telecom Commercial Communications Customer Preference Regulations, 2018.

[20] S. 67, Information Technology Act, 2001.

[21] S. 67A, Information Technology Act, 2001.

[22] S. 67B, Information Technology Act, 2001.

[23] S. 94, Consumer Protection Act, 2019.

[24] Draft Consumer Protection (E-Commerce) Rules, 2019.

[25] S. 3, Competition Act, 2002.

[26] S. 4, Competition Act, 2002.

Disclaimer: The contents of this Article are the original work and intellectual property of the authors as mentioned above. Any publication of this Article in any form will not be deemed to grant any exclusive rights in favour of any entity publishing the same. By submitting the said article for publication, we do not relinquish and/or assign the copyright to you or the publication/name of the company or to any of its subsidiaries or associates.

About the Authors:

Pranav is a 5th year student of Law at Alliance School of Law, Bangalore.

Tuhin is a lawyer and specializes in Mergers & Acquisitions, Private Equity, Joint Ventures, Commercial Contracts, Corporate Advisory and commercial litigation strategizing. He has been advising start-up entities and their founders and mid-sized companies in India.
