E-Commerce Regulations And Laws In India

Electronic commerce in India is witnessing a good growth due to progressive policies and liberal foreign direct investments (FDIs). E-commerce uses information and communication technology (ICT) to operate. Although many technological aspects are also taken care of by an e-commerce platform, yet establishment and running of an e-commerce website is the most important requirement.

Internet is boundary less and a website hosted in a particular country can be accessed from any part of the world. Further, there may be cases where a websites located in a particular country may attract legal jurisdictions of multiple countries. Thus, compliance with the laws of the principal country as well as those countries where such e-commerce websites targets audience and customers is of prime importance.

There have been instances where e-commerce websites located in India failed to observe cyber law due diligence in India. Criminal trials and criminal liabilities have been imposed by Indian legal system upon such websites. The bazee.com case and the criminal and civil trials against companies like Google, Yahoo, Facebook, Microsoft, etc are few examples of the same. Such cases against e-commerce websites and foreign companies would further increase and e-commerce players must appoint nodal officers in India to comply with Indian laws.

Thus, not only legal requirements for undertaking e-commerce in India are stringent but even Internet intermediaries liability in India must be taken seriously by companies engaged in online transactions and businesses. We have no dedicated e-commerce laws in India but the information technology act 2000 (IT Act 2000) covers basic level e-commerce legal framework in India. The IT Act 2000 also prescribes cyber due diligence for foreign websites in India.

E-commerce due diligence in India is a much needed requirement that all e-commerce players, whether Indians or foreign, must undertake as soon as possible. Non observation of local and foreign laws can tarnish the image and brand of a company that cannot be regained again. It is better to err on the side of precaution rather than caught on the wrong side of the law.

Google, Facebook, Microsoft, Etc Must Appoint Nodal Officers In India

The Information Technology (Intermediaries Guidelines) Rules, 2011 of India prescribe stringent provisions regarding Internet intermediary liability in India. However, till now foreign companies and websites have not followed the Guidelines and Rules issued by Indian government in this regard. In fact, they are avoiding compliance with Indian laws.

Legal liability of foreign websites in India is now well established after the matter has been brought to the attention of Indian judiciary. A criminal complaint has been filed against companies like Google, Facebook, Microsoft, Yahoo, etc before a Trail Court for non observation of cyber due diligence by them. Even the Delhi High Court has not quashed the criminal complaint against these companies so far and in the absence of the same the representatives of these foreign companies would now personally appear before the Trail Court on 13th March 2012.

Another related problem that has to be addressed is that foreign companies and websites have not established a procedure that can deal with complaints and notifications arising out of the Information Technology act, 2000 (IT Act 2000) and Rules made there under. This is so even though companies like Google, Microsoft, Yahoo, etc have subsidiary companies and offices in India.

When these foreign companies and websites and their subsidiaries are deriving financial gains out of Indian operations, non following of Indian laws seems to be a grave disregard to Indian laws and regulations. These foreign companies and websites must follow Indian laws and this is the right time to do so.

We at Perry4Law and Perry4Law Techno Legal Base (PTLB) suggest that the best method to do so is to appoint a nodal officer who is responsible for managing cyber law due diligence issues arising out of Indian transactions. By not doing so, companies like Google, Facebook, Microsoft, etc are heading towards a big trouble. The sooner these nodal officers are appointed the better it would be for the larger interest of Internet intermediaries in India.

Information Technology (Intermediaries Guidelines) Rules 2011 Of India

Internet intermediary law in India is incorporated in the Information Technology Act 2000 (IT Act 2000) and the Rules made there under. Internet intermediaries’ liability in India is now well established and foreign companies and websites must duly comply with the same to avoid civil, criminal, administrative and financial penalties. In short, these foreign companies and their Indian subsidiaries must ensure that they comply with the cyber law due diligence in India.

The Gazette Notification numbered G.S.R. 314(E), dated 11-04-2011, formulated the Information Technology (Intermediaries Guidelines) Rules, 2011 of India. These rules provide the rights and responsibilities of internet intermediaries in India. If the Internet intermediaries follow these rules and exercise proper cyber due diligence, they are entitled to a “safe harbour protection”. Otherwise, they are liable for various acts or omission occurring at their respective platforms once the matter has been brought to their notice.

The legal actions against foreign websites can be taken in India. Further, cyber litigations against such foreign websites would increase in India in the near future. It is of utmost importance for these foreign companies and websites to follow Indian laws in true letter and spirit.

Perry4Law and Perry4Law Techno Legal Base (PTLB) are providing the legal position regarding Internet intermediary liability in India under the IT Act 2000 in general and Information Technology (Intermediaries Guidelines) Rules, 2011 of India in particular. The salient features of the same are as follows:

(1) The Information Technology (Intermediaries Guidelines) Rules, 2011 of India have been formulated by the Central Government in exercise of its powers conferred by clause (zg) of subsection (2) of section 87 read with sub-section (2) of section 79 of the Information Technology Act, 2000 (21 of 2000).

(2) Definitions — (1) In these rules, unless the context otherwise requires,--

(a) "Act" means the Information Technology Act, 2000 (21 of 2000);

(b) "Communication link” means a connection between a hyperlink or graphical element (button, drawing, image) and one or more such items in the same or different electronic document wherein upon clicking on a hyperlinked item, the user is automatically transferred to the other end of the hyperlink which could be another document website or graphical element.

(c) "Computer resource” means computer resources as defined in clause (k) of sub-section (1) of section 2 of the Act;

(d) "Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthotrised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;

(e) "Data" means data as defined in clause (o) of sub-section (1) of section 2 of the Act;

(f) "Electronic Signature" means electronic signature as defined in clause (ta) of sub- section (1) of section 2 of the Act;

(g) "Indian Computer Emergency Response Team” means the Indian Computer Emergency Response Team appointed under sub section (1) section 70 (B) of the Act;

(h) “Information” means information as defined in clause (v) of sub-section (1) of section 2 of the Act;

(i) “Intermediary” means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;

(j) "User" means any person who access or avail any computer resource of intermediary for the purpose of hosting, publishing, sharing, transacting, displaying or uploading information or views and includes other persons jointly participating in using the computer resource of an intermediary.

(2) All other words and expressions used and not defined in these rules but defined in the Act shall have the meanings respectively assigned to them in the Act.

(3) Due diligence to be observed by intermediary — The intermediary shall observe following due diligence while discharging his duties, namely: —

(1) The intermediary shall publish the rules and regulations, privacy policy and user agreement for access-or usage of the intermediary's computer resource by any person.

(2) Such rules and regulations, terms and conditions or user agreement shall inform the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information that —

(a) Belongs to another person and to which the user does not have any right to;

(b) Is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;

(c) Harm minors in any way;

(d) Infringes any patent, trademark, copyright or other proprietary rights;

(e) Violates any law for the time being in force;

(f) Deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

(g) Impersonate another person;

(h) Contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;

(i) Threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation

(3) The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2):

Provided that the following actions by an intermediary shall not amount to hosing, publishing, editing or storing of any such information as specified in sub-rule: (2) —

(a) Temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another computer resource;

(b) Removal of access to any information, data or communication link by an intermediary after such information, data or communication link comes to the actual knowledge of a person authorised by the intermediary pursuant to any order or direction as per the provisions of the Act;

(4) The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six (36) hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes,

(5) The Intermediary shall inform its users that in case of non-compliance with rules and regulations, user agreement and privacy policy for access or usage of intermediary computer resource, the Intermediary has the right to immediately terminate the access or usage rights of the users to the computer resource of Intermediary and remove non-compliant information.

(6) The intermediary shall strictly follow the provisions of the Act or any other laws for the time being in force.

(7) When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing staling clearly the purpose of seeking such information or any such assistance.

(8) The intermediary shall take all reasonable measures to secure its computer resource and information contained therein following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal Information) Rules, 2011.

(9) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

(10) The intermediary shall not knowingly deploy or install or modify the technical configuration of computer resource or become party to any such act which may change or has the potential to change the normal course of operation of the computer resource than what it is supposed to "perform thereby circumventing any law for the time being in force:

Provided that the intermediary may develop, produce, distribute or employ technological means for the sole purpose of performing the acts of securing the computer resource and information contained therein.

(11) The intermediary shall publish on its website the name of the Grievance Officer and his contact details as well as mechanism by which users or any victim who suffers as a result of access or usage of computer resource by any person in violation of rule 3 can notify their complaints against such access or usage of computer resource of the intermediary or other matters pertaining to the computer resources made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of complaint.

The cyber laws due diligence requirements for companies in India are strenuous in nature and Internet intermediaries in India need to take care of the same to avoid legal troubles.

Internet Intermediary Laws In India And Cyber Due Diligence

Cyber law due diligence in India has become very stringent. This applies to various fields and to multiple stakeholders. For instance, cyber due diligence for banks in India is now a well known requirement for banks in India. However, Internet intermediaries are the most widely covered stakeholders in this regard. Intermediaries liability for cyber law due diligence in India is really tough.

In absence of a clear cut Internet intermediary law in India, Indian government is indulging in Internet censorship in India. Stringent directions are frequently issued to Internet intermediaries under the rules of information technology act 2000. This occasionally results in censorship of Internet in India. Further, Indian government is now openly acknowledging surveillance of Internet traffic in India.

E-surveillance in India and surveillance of Internet traffic in India have increased to a considerable limit that now requires judicial scrutiny. Censorship of Internet in India should be challenged as soon as possible in the larger interests of Indian Internet users.

Recently Internet intermediaries in India have been asked to pre screen contents before they are posted on their websites. India wants companies like Google and Facebook to censor users’ contents before they are posted.

In fact, Yahoo has filed a petition raising the questions regarding the right to privacy of a company that stores sensitive data of its customers and users and to what extent authorities can coerce it to part with the information considered necessary to either track terror perpetrators or thwart future attacks.

The Google’s outcry for lack of Internet intermediary law in India is another example of growing dissatisfaction towards Indian cyber laws, especially Internet intermediary laws of India. Time has come for Indian government to address the issues of enacting sound and effective Internet intermediary laws in India and cyber due diligence requirements for internet intermediaries in India.