Regulations in E Commerce


Regulations

Overview: Regulations
• EU
  • General Data Protection
  • Digital Markets Act
  • Digital Services Act
  • AI Act
• India
  • Digital personal data protection
  • E-commerce rules
  • Other related rules

General Data Protection Regulation
• Drafted and passed by the European Union (EU); put into effect in May 2018
• It imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU
• Right to privacy: “Everyone has the right to respect for his private and family life, his home and his correspondence.”
• Personal data
  • Names and email addresses; location information, ethnicity, gender, biometric data, religious beliefs
• Data subject
  • The person whose data is processed
• Data processing
  • Any action performed on data: collecting, recording, organizing, structuring, storing, using, erasing
• Data controller
  • Owner or employee in your organization who handles data
• Levies harsh fines against those who violate its privacy and security standards

GDPR: Obligation for Companies
• Accountability
  • Maintain detailed documentation of the data you’re collecting, how it’s used, where it’s stored, which employee is responsible for it, etc.
• Data security
  • Limiting access to personal data to only those employees in your organization who need it
• Data protection by design and by default
  • Minimize the amount of data and how you will secure it with the latest technology
• Processing data
  • Allowed to process data only if there is unambiguous consent from the data subject
• Consent
  • Freely given, specific, informed and unambiguous

Source: What is GDPR, the EU’s new data protection law? - GDPR.eu
GDPR: People’s privacy rights
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling
Digital Markets Act: Regulating Big Tech
• A level playing field for all digital companies, regardless of their size
• Stop them from imposing unfair conditions on businesses and consumers
  • Ranking services and products offered by the gatekeeper itself higher than similar services or products offered by third parties on the gatekeeper's platform or not giving users the possibility of uninstalling any preinstalled software or app.
• Interoperability between messaging platforms
• Set out the criteria for identifying large online platforms as gatekeepers
• European Commission will have the power to carry out market investigations

Digital Services Act: Safer digital space
• Will give people more control over what they see online
  • Users will have better information over why specific content is recommended to them and will be able to choose an option that does not include profiling
  • Targeted advertising will be banned for minors and the use of sensitive data, such as sexual orientation, religion or ethnicity, won’t be allowed
• Help tackle harmful content

EU AI Act
• Better conditions for the development and use of this innovative technology
• Unacceptable risk
  • Cognitive behavioral manipulation of people or specific vulnerable groups
  • Social scoring: classifying people based on behavior, socio-economic status or personal characteristics
• High risk
  • Toys, aviation, cars, medical devices and lifts
  • AI systems falling into specific areas that will have to be registered in an EU database
  • All high-risk AI systems will be assessed before being put on the market and also throughout their lifecycle.
• Transparency requirements
  • Disclosing that the content was generated by AI

Indian Digital Personal Data Protection Bill, 2023

• Data Fiduciaries
  • Persons, companies and government entities who process data (data processing being collection, storage or any other operation on personal data)
• Data Principals
  • The person to whom the data relates
• Data Protection Board
  • Oversee the implementation
• Financial penalties for breach of rights, duties and obligations

Digital Personal Data Protection Bill: Principles
• Consented, lawful and transparent use of personal data
• Purpose limitation
• Data minimisation
• Data accuracy
• Storage limitation
• Reasonable security safeguards
• Accountability

Digital Personal Data Protection Bill: Rights of individuals

• The right to access information about personal data processed
• The right to correction and erasure of data
• The right to grievance redressal
• The right to nominate a person to exercise rights in case of death or incapacity.
• For enforcing his/her rights, an affected Data Principal may approach the Data Fiduciary in the first instance.
• In case he/she is not satisfied, he/she can complain against the Data Fiduciary to the Data Protection

Digital Personal Data Protection Bill: Obligations on the data fiduciary
• To have security safeguards to prevent personal data breach
• To intimate personal data breaches to the affected Data Principal and the Data Protection Board
• To erase personal data when it is no longer needed for the specified purpose
• To erase personal data upon withdrawal of consent
• To have in place grievance redressal system and an officer to respond to queries from Data Principals
• To fulfill certain additional obligations in respect of Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessment to ensure higher degree of data protection.

Digital Personal Data Protection Bill: Responsibility of Board
• To give directions for remediating or mitigating data breaches
• To inquire into data breaches and complaints and impose financial penalties
• To refer complaints for Alternate Dispute Resolution and to accept Voluntary Undertakings from Data Fiduciaries
• To advise the Government to block the website, app etc. of a Data Fiduciary who is found to repeatedly breach the provisions of the Bill

Consumer Protection (E-Commerce) Rule, 2020 under Consumer Protection Act 2019
• E-commerce entity means persons who own, operate or manage a digital or electronic facility or platform for electronic commerce
• Display or promotion of Advertisement by seller
• E-tailers should not allow ‘misleading’ Ads
• Don’t advertise sellers offering discount
• Country of origin
• Details should be given
• Cancellation charge
• NIL cancellation
• Explicit consumer consent
• Should not manipulate search results
• No promotion of own brands
• Should not use e-tailer's brand with the product
• Sponsored product/services
• Identifiable
• No abuse of dominant positions
• In-house logistics provider should not differentiate among sellers of same category
Consumer Protection (E-Commerce) Rule, 2020 Cont…
• Restricting Related Parties: To tackle growing concerns of preferential treatment, none of the related parties are allowed to use any consumer information (from the online platform) for ‘unfair advantage’
• The rules introduced the concept of fall-back liability, which makes the e-commerce firms liable in case a seller on their platform fails to deliver goods or services due to negligent conduct, which causes loss to the customer
• FDI policy prohibits companies such as Amazon and Flipkart from having control over the inventory sold on their platforms
• Mandatory Registration: There is a need for mandatory registration for e-commerce entities with the Department of Promotion for Industry and Internal Trade (DPIIT), Ministry of Commerce and Industry.
• The e-commerce sites are also directed to ensure appointment of Chief Compliance Officer (CCO) and a nodal contact person for 24x7 coordination with law enforcement agencies.
• All e-commerce entities must provide information within 72 hours on any request made by an authorised government agency, probing any breach of the law including cyber security issues

Other Relevant Acts
• IT Act 2000
  • Duty of Central Government towards promotion of e-governance and e-commerce
• Data protection
  • Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011
• Display of content
  • Information Technology (Guidelines for Intermediaries and Digital Media Ethics code) Rules 2021
  • Intermediaries to publish their rules and regulations, privacy policy and user agreement
  • Inform users about place of hosting, storing, publishing etc.

Thank you
