Regulating e-commerce should not involve spying on consumers
The proposed amendments to the Consumer Protection (E-Commerce) Rules, 2020, have proved controversial, with new statements of concern coming in every day. However, one issue that has garnered less attention is how it would expand the government’s powers to access data of consumers, raising fears regarding expanded surveillance intruding into consumer data and the right to privacy.
Rule 5(18) in the amendments would require any e-commerce entity to provide information under its control or possession to a requesting government agency within 72 hours of receipt of an order. Agencies can make this demand for over-broad purposes devoid of any limitations. The proposed grounds include the prevention, detection, investigation, or prosecution of any offence, or identity verification, or cybersecurity.
The information under the “control or possession” of many e-commerce platforms is not merely information that is willingly submitted in the form of names, addresses, payment details and order histories. It includes data gleaned by tracking our browsing habits, even beyond the e-commerce website itself, and data inferred about personal characteristics and preferences based on what we search for, click on or purchase and when, where and how we do it.
Under the rules, the definition of “e-commerce entities” is broad and includes entities engaged for fulfilment of orders. This could mean payment portals, delivery agents or even social media applications over which orders and payments are processed. Therefore, consumers’ data with any of the wide range of entities that fall in this broad bucket would be up for grabs.
This proposed amendment fails to meet the standards of legality, necessity and proportionality recognised by the Indian Supreme Court’s right to privacy judgments. The relevant section in the consumer protection Act empowers the government to make rules to prevent unfair trade practices and direct selling. This objective has no nexus with what is sought to be done through the amendment, i.e. amplifying the government’s powers to acquire data for broad purposes beyond specific consumer law grievance redressal. It reflects executive overreach and fails the legality test, not to mention contempt for parliamentary scrutiny.
It is far from clear that this intrusive measure of mandating disclosure of consumers’ data to the government by e-commerce entities is necessary to achieve any legitimate aim. The provision fails to limit the nature of the information that may be sought, nor does it require that the consumer be notified and provided an opportunity to be heard. The absence of any safeguards against arbitrary government action (for example, requiring judicial oversight of orders) raises a red flag of unwarranted surveillance.
These developments are made worse by the context within which they are triggered. India does not have a data protection law; the Personal Data Protection Bill is pending and requires significant improvements in order to make it an effective law. At present, more needs to be done to restrict the collection and retention of data, including by e-commerce entities. However, the proposed amendment serves to further open channels for unchecked flows of personal data in a way that is detrimental to privacy and unduly expands the surveillance powers of the government.
To enact a provision enabling untrammelled government access to data before the country has a data protection law in place is to place the cart before the horse. The government appears keen on securing access to the data that e-commerce players have on Indians, rather than regulating the data obsession in this sector. The provision does not lawfully belong in the proposed amendments to the e-commerce rules, and should be withdrawn.
Namrata Maheshwari is policy fellow and Raman Jit Singh Chima is Asia Pacific policy director, Access Now.
The views expressed are personal