Naavi.org

The ongoing discussion on Linked in has brought a query which I thought could be answered in greater detail here.

Query:

“I would really love to hear your thoughts on why India is adapting the path of “data should not be transferred to certain countries, which is completely a different approach from GDPR wherein they have taken a positive approach of transferring data to the listed countries who has adequate safeguards”. Do you think this is the right approach?”

The provision under Section 16 of DPDPA 2023 states that

“the Government may by notification restrict the transfer of data by a Data Fiduciary for processing to such country or territory outside India as may be so notified”.

It goes on to further state

“Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.“

Under the draft rules proposed, it is stated that “transfer of personal data within India or outside shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.”

The minister has made a statement publicly that the Meity will form a committee which from time to time review the requirements and suggest what restrictions should be applied and under what context.

The provisions read together is flexible and will cover the provisions of EU GDPR under article 45 as well as 46,47,48 and 49.

The Committee can take a decision like “Biometric data will not be transferred to any country including USA or EU Countries” and ignore the claim that in that country there is a stringent data protection law. On the other hand Committee may allow transfer of data for a social media company handling non-sensitive information to most countries. Committee can also decide that a particular Data Fiduciary is in defence sector and it shall not transfer data anywhere even within the country and the data centres of the company shall reside in premise.

Thus We have taken a fair and flexible approach. EU approach cannot be called “Positive” just because they give 11 countries out of 193 plus UN members, the status of adequacy and consider other 182 countries as “Prohibited countries”. Even GDPR adequacy has a restricted sectoral permissions within the adequacy countries. EU thinks that it has the right to decide what are “Adequate Security Safeguards” and suggests that other countries should follow its norms. India thinks that it is a sovereign country and we decide which processing outside the company is safe and should be allowed and which should be prohibited.

From the practical perspective, instead of hardcoding a list of countries, the committee reserves the right to make decisions from time to time.

Let us hope that the Committee will do its duty properly and if so it would be a better proposition than what GDPR proposes. It also gives us an opportunity to create our own “Data union/Trusted Counties for data transfer” as Naavi had proposed to MeitY during the JPC discussions on PDPB.

Naavi

Recently we saw that RBI came up with a circular (Refer TOI article here). RBI had in its earlier circulars (Refer here) starting from 1976 had indicated that the purpose of opening minor accounts was to encourage the habit of “Savings” at an early age. That was the time when there was no digital banking and not digital banking risks. The minors were allowed to open the account with the consent of the natural guardians and there was a limit to the transactions and no third party cheques could be issued. The minor could only come to the bank and withdraw or deposit the money.

Now the old guidelines are repealed and the new guidelines state that Banks are free to issue ATM/Debit Cards, Chequebook facility etc based on the risk management policy of the Banks. There is no limit on the balances.

In this context I want to ask the RBI officials including the Governor whether they are out of their minds? Are they aware of the Risks to Banking system because of this new grand gesture?

Today, Banks are no longer interested in promotion of “Savings”. They are as greedy as a commercial organization like Google or Meta or Amazon and today every account is seen as a profit center. They are also completely ignorant of the Banking law and through this circular RBI has also demonstrated that they donot respect Banking law.

I want to discuss here few specific issues for which I demand that RBI has to answer.

1. Banks are ignorant of the Banking law and donot understand the Banking Customer relationship not the ITA 2000 while applying “Debit Freeze” and “KYC Freeze” on the accounts.
2. Banks are not respecting the RBI’s own circular on “Zero Liability”
3. Minor Accounts

Banker Customer Relationship

It is an age-old Banking law that recognizes the Banker-Customer relationship as a “Debtor-Creditor” relationship where a Bank is a debtor who has borrowed money from the depositor and has the power to use it as he decides. The depositor is not the owner of the money deposited and is only a creditor who can claim the money bank as per rules and if not returned can sue the Bank. Bank deposit is not “Property” and is not in the control of the depositor once it passes onto the control of the Bank.

As a result, whenever a Bank fraud takes place, the money lost is not that of the customer but is of the Bank. If a customer observes that money ahs vanished from his account, his right to withdraw has been curtailed and like filing a complainant of any cognizable offence is expected to report the crime.

The RBI has rightly held that if the customer disputes any debit the Bank is obliged to repay the same instantly.

Indus Ind Bank does not care for RBI Circular

I came across a case of Indus Ind Bank Thane Branch recently where I filed an e-mail complaint to Mr. Dickson Baptista , Head – Customer Care OPUS Center 47, Central Road, Opp. Tunga Paradise Hotel MIDC Andheri (East) Mumbai 400093  pointing out a customer’s dispute of two transactions which ought to be refunded. This email was sent on 8th April 2025 and there is no response till date.

I am charging the Bank of “Denial Of Access” under Section 43 of ITA 2000 and read with Section 66 of ITA 2000 it is a report of a crime.

Does RBI have any answer to the impunity with which Bank refuses to even acknowledge the e-mail?

Is this post which is a public notice not sufficient for the vigilance department of both Indus Ind Bank and RBI to seek action?… Let me see how they react.

I fought the case of S Umashankar Vs ICICI Bank for 14 years before got a refund from the bank for a phishing fraud where Mr Umashankar was a victim. After the Zero liability circular came into effect many cases might have been settled without such a dispute resolution going through Adjudication, Appellate Tribunal and the Courts. But still there are many Banks who consider that their Fraud Customer is more valuable than the Victim customer and try to protect and shield the fraud by making it difficult for the victims to recover their losses.

Debit Freeze

In the above case of Indus Ind Bank, while the Bank has not acted on the refund of the disputed transactions, they have put a debit freeze on the balance. What should we say on the intelligence of the Indus Ind Bank to have considered that the victim should be further inconvenienced by such a debit freeze on the balance remaining after the fraudsters have withdrawn part of the money? (In the Umashankar case I did not have the problem since the fraudster had cleaned out the entire account)

I now ask the RBI whether their “Debit Freeze” applies to the balance remaining in an account where some fraudulent debits have occurred. If Banks are allowed to get away unpunished for this action, there will be a chilling effect on Cyber Crime victims and they will be hesitant to report frauds. As it is we the consultants tell victims that if the amount lost is small, then forget it since Police donot have time. Now we need to even consider that if there is a balance of one lakh in my account and there is a UPI fraud and there is a fraudulent debit of Rs 1000 and I report it to the Bank, Bank may classify the account as “Involved in a Cyber Crime and put a debit freeze.

Is RBI aware of this possibility? Will it take any action?

The debit freeze is defended under Section 106 of Bharatiya Nagarika Suraksha Samhita 2023 (BNSS 2023) as the power to seize “Property” .

In the context of the “Banker Customer Relationship” does the “Bank Balance” represent “Property”? What we claim today as “My Bank Balance”, is it not a “Right to withdraw money lent to the Bank”? Is it not an “Actionable Claim”. Is this not the argument under which Banks some times refuse premature closure of deposits even when the Bank is considered an insolvency risk?

Now in the case of digital banking, how can the binaries that show up on my computer withing the banking application as “Balance” be considered as “Property”?

If there is a debit freeze, the debit freeze is legally treated as “Denial of Access” which is an offence under Section 66 of ITA 2000.

Neither the RBI nor a Police officer wrongly using Section 106 of BNSS can cause denial of access under an excuse that he is trying to investigate a crime.

I want the Ministry of Home Affairs to confirm if this is part of the “Nagarika Suraksh” that they want to achieve under the new Act? Is it not a “Police Excess” using powers to investigate the criminal being applied to harass the victim?

I want lawyers who are fighting such cases to argue this with the Courts since even Courts have forgotten the concept of “Debtor-Creditor” relationship and make police, Banks and RBI answerable to the harassment that is going on in the name of Cyber Crime prevention?

The same denial of access charge is also applicable when Banks put a debit freeze on accounts for non updation of KYC which is randomly asked by the Bank from time to time. Banks think “Know Your Customer” is not satisfied when they “Know the Customer” in one account but not in “Another Account” and request multiple documentation for the same customer. The non Banking REs like the payment gateways also have their own ignorance and often refuse to update KYC for companies for lack of Aadhaar of a company.

I recently had an observation that my account with ICICI Bank in the Bengaluru urban area was inoperative for KYC non updation for more than 15 days and even after updation of the KYC, the papers remained in the drawers of an ignorant staff who had no clue to what is KYC. The manager confessed that the quality of staff are today so inadequate that it is difficult to get work done by them. In our times it was difficult to get work done by Bank staff because of Union problems but today it is the lack of awareness that is hurting the Bankers.

The MeitY/Ministry of Finance have their own share of ignorance when they declare such Banks as “Protected Systems under Section 70 of ITA 2000” and “Too Big to fail”.?

Is Meity imposing the restrictions envisaged under Protected System Security on Banks like ICICI Bank, HDFC Bank, Union Bank etc whom they have royally declared as “Protected Systems” as if it is a feather in their cap.

Minor Account

At this point of time what on earth makes RBI think that Bankers are capable of handing the “Minor’s” account in digital form?

As per the latest RBI circular, if Minors are allowed to issue cheques to third parties, what will be the impact on the rights of the beneficiary of the cheque? or more importantly the endorsee of the Cheque who is a “Holder in Due Course”? How will Courts determine the liability of the drawer of the cheque under Section 138?

Similarly since there is no upper limit on the balances on these accounts, are these minors not exposed to Cyber Frauds and Digital Arrest frauds? Will RBI take responsibility when some minors either commit suicides or start stealing from their own parents on the basis of teachings by fraudsters?

In Kannada there is a proverb “ಬೇಲಿಯೇ ಎದ್ದು ಹೊಲ ಮೈದರೆ ಕೇಳೋರ್ಯಾರು?” ( BEliye edhdhu hola maidare KEloryaru?) meaning: who will listen when the fence itself eats the crop?

Currently RBI has allowed “Freezing of Bank accounts” which itself is illegal. It is allowing Minor accounts which is illegal. Banks continue to support fraudster customers against victim customers. Police not Courts come to assist the victims and they are more concerned with their own interests. Even Supreme Court is supporting the Bitcoins and fraudulent Judges instead of the innocent citizens.

The situation has become so bad today that fraudsters are using this as a threat to genuine customers to say ” I will get your account frozen if you donot do this…”. A threat of this nature was received by a professor in Bangalore recently. This was a case where an unknown person had called and said I have wrongly credited some amount to your account and you should transfer it back. As most of us know this is one of the standard modus operandi for UPI frauds and the alleged recipient is advised not to act on such requests. In this case when the account holder has refused to talk to the person, he has threatened that he will get the account frozen.

We all know that these criminals have their supporters even in the Police Stations and it is not difficult to get a letter issued to the Bank for freezing the account. The Police should not have the power to issue such “Garnishee” orders in the first place and neither the RBI nor the Bank seem to mind. The Ministry of Home Affairs also does not mind such illegal practices.

How will RBI react to this new “Weaponization of debit freeze” by fraudsters?

I have been an ex-Banker and am aware that once the power to freeze bank accounts were only through “Garnishee Orders” from a Court. Today such powers are being exercised by all law enforcement agencies including a Police inspector and is therefore amenable for abuse. I refer to an article in manupatra which speaks of the Section 102 of CrPC or 106 of Bharatiya Nagarika Suraksha Samhita which states as under

106. Power of police officer to seize certain property.

(1)Any police officer may seize any property which may be alleged or suspected to have been stolen, or which may be found under circumstances which create suspicion of the commission of any offence.(2)Such police officer, if subordinate to the officer in charge of a police station, shall forthwith report the seizure to that officer.(3)Every police officer acting under sub-section (1) shall forthwith report the seizure to the Magistrate having jurisdiction and where the property seized is such that it cannot be conveniently transported to the Court, or where there is difficulty in securing proper accommodation for the custody of such property, or where the continued retention of the property in police custody may not be considered necessary for the purpose of investigation, he may give custody thereof to any person on his executing a bond undertaking to produce the property before the Court as and when required and to give effect to the further orders of the Court as to the disposal of the same:Provided that where the property seized under sub-section (1) is subject to speedy and natural decay and if the person entitled to the possession of such property is unknown or absent and the value of such property is less than five hundred rupees, it may forthwith be sold by auction under the orders of the Superintendent of Police and the provisions of sections 503 and 504 shall, as nearly as may be practicable, apply to the net proceeds of such sale.

It is clear that this section will hold only if we accept that Bank Balance in digital form is “Property”. I think this is not feasible unless the Courts forget the nature of Banker Customer relationship and treat it not as Debtor-Creditor relationship but as Bailor-Bailee relationship.

Concluding Remarks

It is a pain to attack several Government agencies in this one blog and watch the deterioration of RBI and Banks to a state that customers are the last of their priorities. I have in the past appreciated RBI for some of their bold stand against Bitcoin as well as the Zero liability circular. But it seems that the management has now changed and the new crop of Governors and Deputy Governors are not committed to the principles under which RBI was functioning so far. It is necessary for them to be reminded of the reports of the SR Mittal working group, Gopala Krishna working group and Damodaran Committee which appear to be a past golden era in Indian Banking.

The current generation of the society need to think Banking as “E Commerce” and either spread their risks or disable internet Banking in most of their accounts. In today’s regulatory scenario in Banking I am afraid that we are not ready for he “UPI Revolution”.

If there are any genuine souls in RBI who still respect the Banking customer, I want them to respond to the concerns expressed here. Minimum restrictions suggested to be mandated by RBI are:

1. Limit the balance to a maximum of Rs 25000/-
2. Cheques to be pre-printed as “Self Cheques,Not to be endorsed” and “Minor Account”
3. No RTGS, NEFT, IMPS or UPI
4. Debit card drawing limit fixed at Rs 5000/- per day

Naavi

By Advocate Sri M G Kodandaram , IRS

Introduction

India’s e-commerce sector has experienced significant growth in recent years, establishing itself as a crucial contributor to economic development. However, despite this remarkable progress, the sector has long struggled with a lack of a comprehensive regulatory framework due to its fragmented and unorganized structure. This has led to various issues, including consumer deception and fraud resulting from inadequate compliance with consumer protection laws. Added to this, the frequent personal data breaches have created risks to consumers, as no dedicated regulation or Authority currently exists to safeguard personal data.

To establish order and accountability, the Ministry of Consumer Affairs, Food, and Public Distribution enacted the ‘ Consumer Protection (E-Commerce) Rules, 2020’ . While these regulations laid the groundwork for consumer rights and business accountability, they did not offer an all-inclusive governance model, leaving critical areas such as fair-trade practices, data security , which include personal data security , and ethical business conduct insufficiently addressed. Recognising this gap, the Bureau of Indian Standards (BIS) has circulated a ‘ Draft Indian Standard ‘E-Commerce – Principles and Guidelines for Self-Governance’ (herein after ‘ Guidelines ’ for brevity), which provide a structured approach to addressing the sector’s evolving challenges, for feedback from the stake holders. These Guidelines aim to enhance consumer confidence by ensuring transparency, preventing unfair business practices, and aligning e-commerce operations with existing data protection laws. Moreover, they emphasize self-regulation, thereby allowing businesses to implement responsible practices while reducing the need for stringent government oversight.

Significance of DPDP Act

In today’s digitally interconnected and rapidly evolving cyber society, safeguarding personal data has become a critical legal, ethical, and operational challenge for businesses, governments, and societies. Inadequate management of personal information often leads to unauthorized access, data breaches, identity theft, and misuse of sensitive data, which can be exploited for fraudulent activities or even sold on the dark web. Recognizing the significance of data security, governments across the globe are implementing comprehensive data protection laws to regulate the collection, processing, storage, and usage of personal information.

An important development in this regard is India’s Digital Personal Data Protection Act, 2023 (DPDP Act), which received presidential assent on August 11, 2023. The Draft DPDP rules 2025 are being circulated for necessary Public Consultations. The primary objective of this legislation is to establish a structured compliance and regulatory framework that governs the handling of digital personal data while ensuring transparency and accountability. Organizations handling Indian consumers’ data must reassess their internal policies, operational structures, and data governance frameworks to align with the new regulatory landscape.

The DPDP Act reflects the growing public consciousness regarding privacy rights and the ethical management of personal data. Compliance with this law is no longer a mere legal formality but a strategic necessity for businesses operating in India, particularly those in the e-commerce sector and other digital marketplaces.

This article critically examines whether the ‘ Draft Indian Standard Guidelines for Self-Governance ’ effectively integrate the important provisions of the DPDP Act and evaluates their strategic implications for shaping a robust e-commerce ecosystem. By doing so, it aims to provide insights into how companies can proactively adapt to the evolving data protection regime and establish trust-based digital ecosystems.

Draft Indian Standard -E-Commerce – Guidelines

As the e-commerce sector expands rapidly, it brings immense opportunities but also challenges related to consumer trust and protection. Establishing clear governance guidelines are essential for promoting fairness, transparency, and ethical business practices while preventing fraudulent activities. Recognizing this need, the BIS has circulated the drafts guideline standards to regulate online transactions effectively. These Guidelines define core principles applicable to various stages of an e-commerce transaction – pre-transaction, contract formation, and post-transaction responsibilities. Their primary aim is to nurture consumer confidence, ensure seller accountability, and maintain fair competition. By addressing critical areas such as seller verification, transaction security, product listings, grievance redressal, and anti-counterfeiting, these Guidelines provide a structured framework for ethical and transparent e-commerce operations in India.

Basic Regulations in the Guidelines

The pre-transaction phase emphasizes rigorous seller verification, requiring platforms to authenticate business credentials through Know Your Customer (KYC) procedures. Additionally, platforms must disclose their contact details and clearly define policies on cancellations, exchanges, and refunds, ensuring informed purchasing decisions.

During the contract formation phase, explicit consumer consent is mandatory, with pre-selected checkboxes prohibited. Secure payment mechanisms are crucial, ensuring compliance with financial regulations and transparency in service fees.

The post-transaction phase focuses on consumer protection, requiring compliance with the Consumer Protection Act, 2019. Platforms must establish a grievance redressal system accessible through multiple communication channels. Real-time order tracking via SMS and email is essential, along with strict return and refund policies, particularly for counterfeit goods.

Beyond transactions, the Guidelines enforce ethical e-commerce practices. Fair competition, counterfeit prevention, and transparent sponsored content are prioritized.

Addressing Digital Personal Data Security

The rapid expansion of e-commerce and the digital transformation necessitates a robust framework to ensure consumer protection, data security, and transaction integrity. The BIS draft guidelines are aimed at safeguarding digital personal data security. These guidelines outline a structured approach to consumer consent, transaction records, payment security, subscription transparency, data protection, and commercial communication.

• Express Informed Consent (Para 4.3.1): A fundamental principle of digital commerce is ensuring that consumers have control over their purchasing decisions. The BIS draft mandates that e-commerce entities must obtain explicit, informed consent from consumers before recording their agreement to purchase goods or services. Automatic consent mechanisms, including pre-ticked checkboxes, are strictly prohibited. This provision enhances consumer autonomy and prevents inadvertent purchases, thereby fostering a fair and transparent online marketplace.
• Transaction Record Maintenance (Para 4.3.4): Accountability in e-commerce transactions is critical for both consumers and businesses. The BIS draft requires e-commerce platforms to maintain complete, accurate, and durable records of all transactions. Consumers should have access to these records and be able to retain copies for the duration specified under applicable law. This measure ensures traceability, dispute resolution, and compliance with regulatory requirements, thereby strengthening consumer confidence in digital transactions.
• Payment Principles (Para 4.3.5): Secure and transparent payment processing is vital to the integrity of online commerce. The BIS draft mandates that e-commerce platforms must offer diverse payment methods, including credit/debit cards, mobile payments, e-wallets, and bank transfers, ensuring inclusivity for all users. Additionally, platforms must disclose all associated costs, such as processing fees, before the consumer finalizes the transaction. Security remains a top priority, with platforms required to implement encryption, two-factor authentication, and other fraud prevention measures.
• Recurring Charges and Subscription Transparency (Para 4.3.7): The BIS draft stipulates that e-commerce platforms must provide comprehensive disclosure on the duration, intervals, and exact amounts related to recurring payments. Consumers must also have a straightforward process to opt-out or cancel subscriptions at any time. In cases where terms and conditions, including pricing, are altered during the subscription period, consumers must be pre-informed, and continued service must require their express consent.
• Data Protection Measures (Para 4.5.2): The BIS draft establishes stringent data protection norms to ensure that consumer data is used exclusively for transaction facilitation or other explicitly disclosed purposes with consumer consent. E-commerce platforms, acting as data custodians (called as data fiduciary in DPDP Act) are prohibited from misusing data for commercial or alternative purposes. This reinforces consumer privacy and mitigates risks associated with unauthorized data exploitation.
• Unsolicited Commercial Communication (Para 4.5.3): The prevalence of unsolicited commercial communication has raised concerns about consumer privacy and digital harassment. The BIS draft mandates that all communication from e-commerce entities to consumers must be based on explicit consent or directly related to a transaction. Non-transactional communication must require an express opt-in from the consumer and include an option to cease such messages at any time. These provisions aim to curtail spam and intrusive marketing practices, ensuring that consumers retain control over their digital interactions.

For above specific guidelines refer Appendix to this article.

Fusion of DPDP Act Provisions in the Guidelines

Under the DPDP Act 2023, all e-commerce entities who process digital personal data qualify as data fiduciaries and are required to comply with its provisions. A review of the guidelines clearly indicates that they emphasize integrating the fundamental principles of the DPDP Act into business operations in India. Some of these key provisions are summarised below for reference.

• Data Collection and Consent Mechanisms: The BIS draft Guidelines emphasise the necessity of obtaining explicit user consent before collecting personal data, aligning with Section 6 of the DPDP Act, 2023, which mandates that consent must be free, specific, informed, unconditional, and unambiguous. E-commerce platforms must ensure that consumers are fully aware of how their data will be used, stored, and shared. The guidelines advocate for opt-in mechanisms where users must actively provide consent rather than relying on pre-checked consent boxes, mirroring the affirmative consent requirement under the DPDP Act.
• Data Storage and Protection Measures: The BIS guidelines require e-commerce platforms to adopt robust data security measures, which correspond with Section 8 of the DPDP Act, emphasizing the duty of data fiduciaries to implement appropriate security safeguards to prevent unauthorized access, data breaches, or misuse. Platforms must incorporate encryption techniques, secure cloud storage, and stringent access controls. Furthermore, the guidelines encourage businesses to store personal data within India, in alignment with Section 16, which outlines data localization norms to ensure better oversight and security.
• Consumer Rights and Data Access: The BIS draft guidelines support consumers’ rights to access, modify, and delete their personal data, in accordance with Section 12 of the DPDP Act, which grants individuals the right to correction, erasure, and access to their personal information. E-commerce platforms must provide user-friendly mechanisms that allow consumers to review their data and exercise their rights easily. This provision enhances transparency and ensures that users have greater control over their information, reinforcing the principle of data ownership under the DPDP Act.
• Third-Party (Processors)Data Sharing Regulations: Given the frequent data exchanges between e-commerce platforms and third-party entities like advertisers, service providers, and analytics firms, the BIS guidelines impose strict data-sharing regulations. These align with Section 6 of the DPDP Act, which mandates explicit user consent before sharing personal data with third parties. Moreover, under Section 8, data fiduciaries must ensure that third-party recipients (processors) adhere to the same data protection obligations as the primary data fiduciary. This prevents unauthorized data processing and ensures a uniform standard of data protection.
• Data Breach Notification and Response Mechanisms: To minimize the impact of data breaches, the BIS draft guidelines require e-commerce platforms to follow stringent notification protocols. This requirement corresponds to Section 8(6) of the DPDP Act, which obligates data fiduciaries to notify affected users and the Data Protection Board in case of a personal data breach. Additionally, businesses must establish incident response mechanisms, including risk assessments and remedial measures, to prevent future breaches and ensure accountability.
• Grievance Redressal Mechanisms: To enhance consumer trust, the BIS guidelines mandate that e-commerce platforms establish effective grievance redressal mechanisms, reflecting Section 13 of the DPDP Act, which requires the appointment of a grievance officer to handle user complaints. Companies must set up dedicated customer support channels such as helplines and online portals and resolve complaints within a time-bound framework, ensuring swift action on data security and service-related grievances.

Enhancing Data Security Under Guidelines and DPDP Act

To ensure the seamless implementation of the BIS draft guidelines and strengthen digital personal data protection, some of the following strategic measures can be adopted:

• Stakeholder Engagement and Industry Collaboration: Actively involving industry leaders, consumer advocacy groups, and policymakers can help refine the guidelines and address practical challenges in implementation.
• Leveraging Advanced Technologies for Data Security: Promoting the integration of artificial intelligence, blockchain, and other emerging technologies can enhance data protection frameworks and minimize security risks.
• Regular Audits and Compliance Monitoring: Conducting periodic audits, risk assessments, and compliance checks will ensure continued adherence to regulatory norms under Guidelines and DPDP Act and boost consumer trust.
• Consumer Awareness and Digital Literacy Programs: Both the government and private sector should undertake initiatives to educate consumers about their data rights, security practices, and responsible digital behaviour, promoting a culture of data protection.

These measures, aligned with the DPDP Act, 2023, will contribute to a more secure and privacy-centric e-commerce ecosystem in India.

Conclusion

The BIS draft Guidelines for e-commerce align closely with the DPDP Act, 2023, reinforcing digital personal data security, transparency, and consumer rights. By addressing key aspects such as data collection, storage, third-party sharing, and breach response, these guidelines lay the foundation for a more secure and ethical digital marketplace. While challenges in implementation remain, proactive collaboration between regulators, businesses, and consumers will be crucial in ensuring compliance and cultivating trust. As India continues to refine its digital data protection framework, these guidelines serve as a critical step toward responsible and sustainable e-commerce growth.

Mr. M. G. Kodandaram,

Appendix: Extracts from Draft Indian Standard (WC Draft) (For comments only) E-COMMERCE- PRINCIPLES AND GUIDELINES FOR SELF-GOVERNANCE

Para 4.3.1 Express Informed Consent

Every e-commerce entity shall only record the consent of a consumer for the purchase of any good or service offered on its platform where such consent is expressed through an explicit and no such entity shall record such consent automatically, including in the form of pre-ticked checkboxes.

Para 4.3.4 Transaction Record

E-commerce entities shall maintain a complete, accurate and durable record of every transaction carried out on its platform and shall enable the consumers to access and retain a copy of their particular record for such time as required under applicable law.

Para 4.3.5 Payment Principles

E- commerce platforms shall strive to offer a variety of payment methods that are accessible to all users irrespective of the type of product or seller chosen by the user, including credit/debit cards, mobile payments, e-wallets, and bank transfers. While choosing the mode of payment all the associated costs including processing charges, shall be disclosed to the consumer.

E-commerce platforms shall ensure that payment transactions are secure and protected from fraud and other security breaches through the use of encryption, two-factor authentication, and other security measures. E-commerce platforms shall comply with all relevant laws and regulations related to payment processing, including data protection and privacy laws, anti- money laundering regulations, and other financial laws.

Para 4.3.7 Recurring Charges and Subscriptions

Any payment option or transaction involving a specified recurring charge, automated repeat purchases, transaction renewals or a subscription contract ‘Recurring Obligations’, shall carry a full disclosure on the specific duration, intervals, and exact amount in relation to the Recurring Obligations, as well as information, and a clear, accessible process to opt-out from or cancel such Recurring Obligations at any time before or during the tenure/currency of such subscription.

If a customer has subscribed for a stated period, any changes in the terms and conditions including any changes in price, quantity, service conditions shall be pre-informed to the consumers and shall be continued after the express consent of the consumer. In case the consumer seeks to discontinue the subscription due to a change in the terms and conditions, he shall be permitted to do so. Any subscription services provided by the E-commerce platform shall be the responsibility of such platform.

Para 4.5.2 Data Protection

E-commerce entities shall ensure that it complies with all applicable laws in relation to data protection. Specifically, they shall ensure the following:

1. All personal data collected from a consumer, at any time, shall be used solely for the purpose of facilitating transactions on the platform, and for such other purposes that are disclosed to the consumer at the pre-transaction stage and for which he has given express consent; and
2. As a custodian of the data, every marketplace platform shall ensure that there is no misuse of data for any other commercial or alternative use.

Para 4.5.3 Unsolicited Commercial Communication

E-commerce entities shall ensure compliance with all applicable law pertaining to commercial communications, including the following:

1. All communication originating from the e-commerce entity to the consumer shall be made only with the express consent of the consumer, or in relation to a transaction made by the consumer on the platform.
2. All non-transactional communication originating from the e-commerce entity to the consumer shall be on the basis of an express opt-in by the consumer and shall be accompanied with an option to silence or cease such communications.

Today I received a query on DPDPA 2023 on Linked In. Since this could be interesting for others as well, I thought of answering this here in detail.

The query was ..

“I want your insight on how relationship between data fiduciary, consent manager and data principal would prevail (how is consent manager approached and by whom) under DPDP Act, 2023?“

The short answer to the above is that the Consent Manager is also a data fiduciary and provides certain services related to “Giving”, “Managing”, “Reviewing” and “withdrawing” of consent on behalf of the data principal to the principal data fiduciary. We may consider him as a “Joint Data Fiduciary”. To the data principal he is an agent. Ideally he is approached by the data principal for the services. The data fiduciary is only the user of the services rendered by the consent manager in behalf of a data principal. Consent Manager is not an agent of the Principal Data Fiduciary nor an employee.

However, in view of the confusion that prevails in the community and my own disagreement with the interpretation of the MeitY itself on this aspect, I would like to expand my answer and invite a debate. I also invite the MeitY to consider these views and make necessary corrections in the rules to justify their current interpretation.

P.S: I think this is a moment similar to my Jurisprudential interpretation related to Section 65B of Indian Evidence Act when ITA 2000 was introduced where for 14 years I held and justified a contrarian opinion to the community until it was validated by the Supreme Court judgement in the case of P V Anvar Vs P K Basheer case. My views expressed here as well as earlier on the status of Consent Manager may be validated some time in the future or DPDPA 2023 may be amended to prove my interpretation wrong.

Roles of different entities

DPDPA 2023 has indicated the roles of Data Fiduciary (including Significant Data Fiduciary), Data Processor and Consent Manager for entities besides “Data Principal”.

Data Principal is always an individual whose personally identifiable digital data is the subject matter of collection, processing, transmission, disclosure and destruction in India or in connection with offer of services to individuals in India. Out of such data, data publicly made available by the Data Principal or caused to be made publicly available by authorities under law as well as data used by an individual for personal and domestic purposes are outside the scope of the other regulatory restrictions. In many other contexts, personal data is selectively exempted from some or all the provisions of the Act.

Data Fiduciary is the entity (includes an individual processing personal data for business purpose) who determines the purpose and means of processing of personal data. He may act individually or in conjunction with another (who we refer as Joint Data Fiduciary). Naavi also uses the term “Super Data Fiduciary” when a data fiduciary lends his name for collection and processing of personal data but permits an agent to determine the purpose and means of processing as in the case of “Brands”.

Data Processor is the entity who does not determine the purpose and means of processing but processes the DPDPA protected data (DPD) on behalf of another data fiduciary who undertakes the responsibility for compliance.

Processing may happen in India or outside India. When personal data belongs to non Indians and is processed in India under a contract with an entity outside India, DPDPA exempts such data from the operation of DPDPA to some extent.

Consent Manager is a special kind of data fiduciary who determines the purpose and means of processing of data as a representative of a data principal in transactions with the other data fiduciaries who use the personal data of the data principal.

The data principal needs to maintain an account with the consent Manager and provide him the authority to give, manage, review or withdraw consent.

A Consent Manager to be pre-registered with Data Protection Board and will be accredited based on certain eligibility criteria and accepted obligations duly audited and certified. This means that the Consent Manager is approached by the data principal for an account even before he approaches a data fiduciary for a service for which he may use the services of the Consent manager to “give” his personal information. It is possible that a data principal might have already opened a service account with a data fiduciary and later becomes a customer of a consent manager in which case prospective aspects of “Giving further consent”, “Managing, monitoring or reviewing or withdrawing” of further consent may be routed by the data principal through the consent manager.

The above is a jurisprudential interpretation of DPDPA 2023 as it exists today and may be interpreted (or should be interpreted) by Courts in future.

Under our interpretation of the law, Consent Manager is an entity which is empowered like a Power of Attorney holder by the Data Principal to not only “Give” consent for data requested by a data fiduciary but also “Review” and “Monitor” the data given. Review and Monitoring may include withdrawing consent if required. Whether the Consent Manager is expected to only observe and inform the Data Principal for seeking further instructions or can act on his own is a matter of conjecture.

Visibility of Data

Our interpretation is that he should be considered as a “Data Fiduciary” since he determines the purpose and means of use of personal data under his authority to give, monitor, review and withdraw consent. As a Data Fiduciary he is obliged to ensure compliance of DPDPA 2023 which includes section 4(1) and 8(1) under which he is obligated to ensure that personal data is processed only for lawful purposes and in accordance with the provisions of DPDPA 2023.

To fulfil this duty, Consent manager requires “Visibility” to the data that is processed by a data fiduciary to whom consent is passed on by the Consent Manager.

The Data Fiduciary requires to enable his “consent acceptance mechanism” to accept instructions from a Consent Manager on behalf of a data principal. This means that the consent form should have an option to select provision of the details through the consent manager (similar to but not equivalent to completing the form through Google or Facebook). When the data principal choses this option, the requested data elements would be populated by the query processed by the Consent Manager so that when the form is submitted, it carries the validation from the data principal.

Alternatively the data may be consumed without being displayed on the form in which case there will be no validation by the data principal to the data fiduciary and he needs to depend on the deemed validation from the consent manager who himself is blind to the data.

Currently Meity has implied in its draft rules that this obligation of a consent manager can be fulfilled without visibility of the data elements similar to the status of “Account Aggregators” under DEPA architecture. Many technology firms think that they have products to support this “Data Blind” consent provision.

In our considered view, this interpretation is incorrect since the responsibilities of a Consent Manager includes “Review”, “Monitoring” and “Withdrawal of consent”. These responsibilities require visibility of data by the Consent Manager.

It is agreed that in the “Data Blind” architecture, each decision is conveyed by the Consent Manager to the data principal and his concurrence obtained, this means that the data principal while seeking the service and sitting in front of the consent form presented by the data fiduciary has to provide consent on pop ups that may come concurrently from the cosnent Manager who will be scouting for authorised sources from which different data elements can be sourced.

If the Consent Manager does not have the reference data resources previously approved by the data principal or if the data principal has approved more than one data resources where the data do not synchronize or is incorrect, he will have to admit that some data elements are to be separately collected by the data fiduciary directly from the data principal.

The law envisaged the Consent Manager as an expert who can act as an advisor to the data principal to manage the processing of personal data by a data fiduciary and prevent misuse of data either by collecting/processing it with a misrepresentation. He could understand the privacy notice better and compare it with the needs of the processing and contest of the data fiduciary exceeds his authority.

In our view, MeitY has diluted this provision and rendered the Consent Manager to be a worthless burden on the system who only acts under the instructions of the data principal and every time acts as a post office sending and receiving instructions from him without the ability to assist him. Unless the MeitY changes its view while notifying the rules, there is no useful role for a “Consent Manager” in the system.

Consent Manager under this system will be giving a deemed confirmation of data elements about which he himself is blind. It is like a blind man directing a person with normal vision to cross the road.

Some Data Fiduciaries loosely use the word “Consent Manager” even to their own employees or data processors who handle the responsibility of issuing notice, collecting and preserving the consent”. This is not a “Consent Manager” under the Act. Even the Google verification etc is not a Consent Manager since they are not registered with the DPB for this purpose and have their own vested interest in the data.

There is however a caveat to the above.

The law was framed by MeitY which is also taking on the responsibility for publishing rules from time to time through gazette notifications. They need to be placed before the Parliament and are also subject to scrutiny of the Court. What MeitY or any of its authorized officers publish as a notification therefore acquires a quasi legal status though they may be held incorrect later when questioned in a Court of law.

At present, there is an indication that MeitY has a view of the role of a Consent Manager which is not correct and which may not be in tune with the legislative intent that can be inferred from the law. (It is open to a Court to read down the law and give an alternate view of the role of a consent manager as expressed here in).

The draft rules published for public comments prescribe stringent conditions for accreditation of a Consent Manager all of which is redundant if a Consent Manager is not having visibility of data and acts only as a post office. It would be relevant only if the Consent Manager had visibility to the data. Hence Meity is itself in- consistent in its approach and exhibit confusion.

If Meity believes that a Consent Manager can function in a “Data Blind” manner, then there is no need to impose conditions equivalent to “Fit and Proper” criteria adopted for Financial regulated entities. The personal data in the custody of the Consent Manager would be only the name, email address and perhaps the phone of the data principal. Whenever other details are to be transmitted, he is expected to instruct one or more other data suppliers authorized by the data principal. In fact those data fiduciaries will be having access to what data has been requested by the data principal for a new service he is likely to avail. These reference sources are designated by the data principal and the data with them itself may be unreliable.

When the data fiduciary receives the data through the consent Manager, if the form is populated in front of the eyes of the data principal, for validation, then the same data is visible to the consent manager also. The consent Manager may however avoid visibility if he triggers the transfer of data and immediately disconnects himself so that he does not “View” the completed form. The system can also have the API call for data elements of the data fiduciary executed below the visible internet environment like a transmission of a https message. This however leaves the data principal to the mercy of vagaries of technical errors or even man in the middle attacks since the consent manager does not validate the data.

Hence the “are not readable” clause in the DPDPA Rules is impractical. (Refer Annexure IB, para 2)

While we have advocated and continue to advocate the Meity to change this rule related to Consent Manager, we are not confident that it would be modified. On the other hand, it is likely that the rule related to consent Manager may be deferred indefinitely. In the case of Section 65B, it took 14 years for the community to accept my view, in this issue of the role of a consent manager, I anticipate that the law itself may be amended to justify the current stand of MeitY.

I invite detailed debate on this aspect from professionals.

Naavi

Today a friend of mine pointed out to an article on peabea.substack.com indicating how apps installed on our mobile phones spy on what other apps are running on the mobile. He specially pointed out how the “AndoriodManifest.xml” file which he extracted for Swiggy APK indicated the presence of the following 154 package names allowing the Swiggy app to query those apps on the phone.

I have not personally checked the APK file on my mobile. I invite professionals to check the AndroidManisfest.xml files of different apps and try to establish the need why Swiggy should need to know if naukri app or dacthalon app is on my mobile.

If the above observation is correct, then there is a need for us to keep such apps on privacy watch so that we can raise the issue with DPB when it is in place.

I also want any of the apps present in the list above have permitted Swiggy to extract any information about the activities of their apps. Also if Swiggy or other apps like Zepto quoted the article have any counter view, we request them to respond.

The article also points out that one of the Loan apps namely Kreditbee watches 860 apps on a mobile.

It is obvious that the apps are developed with no concern on “Purpose Based Information Collection” and each of these companies can face the penalty of Rs 250 crore plus from DPB and the consolidated fund of India would be enriched.

I invite the attention of Mrs Nirmala Seetharaman to take this revenue potential into consideration and push MeitY to establish DPB without further delay so that they can start sending our inquiry notices to all these apps.

I welcome your views.

Naavi

The AI Chair of FDPPI has already announced one project on studying the “Impact of AI on the mental health of Children” . We are in the process of creating a planning committee with representations from different segments such as AI specialists, Neuro Science Specialists, Child Psychologists and Privacy Specialists etc to take the plan ahead.

A second project which is more related to Technology is also being planned for the development of a DPDPDA compliance solution based on DGPSI.

We shall constitute a separate Project committee for this project based on volunteers.

Naavi