A Conundrum of Cybersecurity in India: Maintaining Security Mechanisms in E-Commerce for Prevention of Data-Breaches
Introduction

Industries are known for adopting automated facilities to generate maximum profit. The first industrial revolution caused the formation of innovative machinery in the West.[1] Its second version was responsible for further mechanization, resulting in automatic factories.[2] The third version resulted in a robust use of technology encompassing electronics, telecommunications, and computer systems, which laid the foundation of the internet.[3] Further, due to the emergence of the internet, conventional commercial transactions underwent an epoch of renaissance, resulting in e-commerce. According to the OECD, e-commerce is defined “as a new form of doing business that occurs across networks that employ non-proprietary protocols developed through an open standard-setting process such as the Internet”.[4] In the present context, e-commerce companies have exploited the phenomenon of global digitalization, thereby becoming successful in capturing markets all over the world. India is no exception in this regard. According to a survey by the marketing data and analytics company Kantar, India has added 125 million online customers over the last three years, with an additional 80 million likely to join by 2025.[5] Furthermore, the country is soon to become home to 900 million internet users by 2025. However, these digital interfaces in the form of e-commerce platforms are vulnerable to cyber-attacks due to the high volume of online transactions and the involvement of sensitive customer data, according to a recent report, “The Anatomy of Fraud 2023”, by “Bureau”, an AI-architecture platform.[6] Today, “data” is considered the new oil of the 21st century,[7] because, based on it, several organizations design their strategies, plan their products and services, and then invest.[8] Further, in cases where cyber criminals are successful in stealing valuable data, the aftermath is a “data breach”.[9] Recovery from a cyberattack or data breach can take a long time and be very expensive.
In 2022, the average cost of a data breach was estimated to be a staggering $4.35 million, based on a review of 550 incidents across 17 nations and 17 sectors.[10] Also, it has become unavoidable for customers to provide their sensitive information, relating to financial status, personal characteristics, etc., to e-commerce platforms.[11] Therefore, apart from humongous financial losses, a data breach can result in the violation of the right to privacy of millions of citizens, coupled with a threat to national security in certain circumstances.[12] In this backdrop, it becomes imperative to understand the Indian legal framework protecting against data breaches, particularly in the context of e-commerce, and to suggest positive reforms and improvements therein.

Provisions under the Indian Legal Framework Governing Data Breach in E-Commerce

1. The Information Technology Act, 2000[13]

In India, there are several laws relating to e-commerce which are efficacious when it comes to protection from data breach. The Information Technology Act, 2000[14] was the first e-commerce law passed by the Indian government. This legislation was principally aimed at giving effect to the UNCITRAL Model Law on Electronic Commerce (E-Commerce Law), which was released in 1996.[15] The legislation primarily enshrines offences relating to cybercrimes, which also encompass “data breach”. Under Section 2(w) of the Act,[16] “intermediary” is defined so as to include online marketplaces. Therefore, this definition is applicable to e-commerce websites such as Amazon, Flipkart, etc.

Provisions of the IT Act imposing liability on perpetrators of data breach

Cybercriminals often attempt to damage the targeted computer systems or network interfaces, such as e-commerce platforms, in order to commit a “data breach”.
Section 43 of the IT Act provides for compensation for damage in cases where any person, without the permission of the owner or of any person in charge of the computer system for the time being, acquires unauthorized access;[17] extracts, copies or downloads valuable information;[18] infects or causes a system to be infected with a virus;[19] or steals, conceals, destroys, or alters a computer source code, himself or through any other person.[20] Section 65 penalizes tampering with computer source documents with imprisonment of 3 years, or with a fine which may extend to 2 lakh rupees.[21] Section 66 penalizes an act enshrined under Section 43 done dishonestly or fraudulently with imprisonment for a term extending to 2-3 years or with a fine which may extend up to 5 lakhs.[22] Section 66C penalizes the commission of identity theft: if a person dishonestly or fraudulently makes use of a password or electronic signature in order to commit a “data breach” or any other related crime, he shall be liable to imprisonment for 3 years and a fine of 1 lakh Rs.[23] Furthermore, a person shall be held liable under Section 75 for a data breach originating from outside India in case it affects a computer system or network present within India.[24]

Responsibilities of intermediaries (inclusive of e-commerce platforms) under the IT Act and Rules

Apart from imposing liability upon offenders committing data breach, the IT Act makes sure that intermediaries are duty bound to fulfil all their responsibilities, with no negligence on their part. Section 79 of the IT Act[25] is renowned for its rich jurisprudence surrounding the grant of exemption to intermediaries.[26] Section 79(2) sets out the conditions to be fulfilled for claiming the exemption. Section 79(2)(a) targets the limited functionality of intermediaries, wherein the intermediary only provides access to a communication system over which information made available by third parties is temporarily stored or hosted.
Further, Section 79(2)(b), which is separated from (a) by “or”, makes it clear that the intermediary must not have initiated the transmission, selected the receiver of the transmission, or selected or modified the information contained within the transmission. Thereafter comes Section 79(2)(c), which lays down the condition of observance of “due diligence” and is separated by neither “or” nor “and”. This ambiguity was addressed by the Delhi High Court, which stated that “The use of the words “or” between (a) and (b) makes them disjunctive, although (c) has to co-exist with (a) or (b) whichever is applicable.”[27] In particular, clauses (b) and (c) mandate the absence of any deliberate or negligent act on the part of the intermediary, coupled with the observance of due diligence. This due diligence is further elaborated in Rule 3 of the IT (Intermediary Guidelines) Rules, 2011.[28] Furthermore, Section 79(3) negates the exemption on fulfilment of certain conditions. According to its clause (a), the intermediary must not be involved in conspiracy or abetment
