
INTRODUCTION

Today E-Commerce has become an integral part of our lives. It is not a luxury but a necessity
for most people, particularly in urban areas. It has revolutionized the way goods and
services are bought and sold. Electronic transactions have, in most parts of the world, almost
replaced the physical mode of buying goods and services, and with the number of electronic
transactions increasing at a rapid rate, legislatures around the world are evaluating the current
legal framework. Because E-Commerce has the ability to traverse national boundaries, it would be
advantageous to do a comparative analysis between the legal frameworks of India where the
E-Commerce Sector has grown rapidly over the last few years and that of the United States
which already has a very well established jurisprudence with regards to e-commerce. This
project seeks to highlight the difference between the two systems as well as the lacunae in the
approach undertaken by both the nations in reforming their legal frameworks in light of
the changing business environment. This faulty approach is most apparent in India, where sadly
the law has not caught up with the changing times and hence a number of legal loopholes
exist. The United States has perhaps the most advanced jurisprudence in the field of e-commerce.
In this project we will endeavour to compare the legislative frameworks of the two
countries with regards to e-commerce and how they affect the lives of consumers.

DATA AND PRIVACY ISSUES IN E-COMMERCE


E-Signatures
Though the Internet has eliminated the need for any kind of physical contact, it cannot do
away with the need to record or authenticate such transactions. Because of this, different kinds
of authentication technologies have been developed over a period of time for authenticating
the documents as well as identifying the parties involved in the transaction.[1] Further, we have
witnessed that processing payments forms an important part of e-commerce transactions.
Hence we have seen different kinds of payment systems being developed, which has led to
payment gateways such as PayPal and mobile wallets such as Paytm and Citrus
becoming popular.
The tricky part in such transactions is that the parties involved have no prior relationship,
which leads to significant concerns about the person's identity and authenticity with respect to
issues of the person's capacity, authority and legitimacy to enter the contract.[2] Electronic
signatures have, over the last few years, been touted as a solution to this problem.
The Position in India
The IT Act has given legal recognition to the authentication of documents through Digital
Signatures as long as the procedure given in the IT Act is followed. The IT Act even provides
the regulatory framework which governs Electronic Signatures.
In particular the IT Act provides that an electronic signature shall be deemed to be a secure
electronic signature if:
i. The signature creation data, at the time of affixing the signature, was under the sole
control of the signing party and no other party.
ii. The signature creation data was stored and affixed in such exclusive manner as
may be prescribed.[3]

1 Venkatesh Ganesh, Going Back to Brick and Mortar, available at
<http://www.thehindubusinessline.com/news/variety/going-back-to-brick-andmortar/article3836141.ece>, last visited on 15th August 2016.

2 Jonathan D. Bick, Cited from Unconscionable Terms Prevent Enforceability Of E-Commerce Contract
Clauses, 18 F. Supp. 2d 1165 (2002).

Position in US
Digital Signatures in the United States are mainly governed under two statutes, the United
States Electronic Signatures in Global and National Commerce (ESIGN) Act and the Uniform
Electronic Transactions Act (UETA). They list four major requirements that need to be
fulfilled if a Digital Signature is to be considered legally valid.

- Intent to Sign: Electronic signatures, like their wet ink counterparts, are valid only
  when the parties involved intended to sign.
- Consent to Do Business Electronically: The parties to the transaction must consent
  to do business electronically. Establishing that a business consented can be done by
  analysing the circumstances of the interaction, but consumers require special
  considerations. Electronic records may be used in transactions with consumers only
  when the consumer has: (i) received UETA Consumer Consent Disclosures; (ii)
  affirmatively agreed to use electronic records for the transaction; and (iii) has not
  withdrawn such consent.
- Association of Signature with the Record: In order to qualify as an electronic
  signature under the ESIGN Act and UETA, the system used to capture the transaction
  must keep an associated record that reflects the process by which the signature was
  created, or generate a textual or graphic statement (which is added to the signed
  record) proving that it was executed with an electronic signature.
- Record Retention: US law on E-Signatures requires the record of the signatures to
  be accessible or reproducible by all parties or persons entitled to retain the contract or
  record.[4]

Apart from these statutes various other Federal Statutes may also apply.

3 NDA Hotline, available at
<http://www.nishithdesai.com/fileadmin/user_upload/pdfs/Research%20Papers/ECommerce_in_India.pdf>, last visited on 15th August 2016.

4 DocuSign.com, US Electronic Signature Laws and History, available at
<https://www.docusign.com/esign-act-and-ueta>, last visited on 15th August 2016.

Identity Theft and Impersonation


Indian Law on Identity Theft
The IT Act provides that the identity of a person shall be deemed to have been stolen when
any unique identification of a person (such as her electronic signature or password) is
fraudulently or dishonestly used. The Act prescribes a penalty of imprisonment of up to 3
years and a fine of up to INR 1 lakh.[5]
The IT Act provides that whoever, by means of any communication device or computer
resource, cheats by impersonation shall be punished with imprisonment of up to 3 years and
with a fine of up to INR 1 lakh.[6]
The IPC further provides that any person who cheats by personation shall be punishable with
imprisonment of up to three years and/or fine.[7]
US Law on Identity Theft
Identity theft was officially listed as a federal crime in 1998 under the Identity Theft and
Assumption Deterrence Act. This Act strengthened the law with regards to identity theft.
Specifically, it amended 18 U.S.C. 1028 ("Fraud and related activity in connection with
identification documents") to make it a federal crime to knowingly transfer or use, without
lawful authority, a means of identification of another person with the intent to commit, or to
aid or abet, any unlawful activity that constitutes a violation of Federal law, or that
constitutes a felony under any applicable State or local law. The Identity Theft and
Assumption Deterrence Act accomplished four things:

- Identity theft was made a separate crime against the individual whose identity was
  stolen and credit destroyed. Previously, victims were categorized solely on the basis
  of financial loss and often the emphasis was on banks and other financial institutions,
  rather than on individuals.
- It established the Federal Trade Commission (FTC) as the Federal Government's one
  central point of contact for reporting instances of identity theft by creating the Identity
  Theft Data Clearinghouse.
- It substantially increased criminal penalties for identity theft and fraud. Specifically,
  the crime now carries a maximum penalty of 15 years imprisonment and substantial
  fines.
- It closed legal loopholes, which previously prohibited a person from producing or
  possessing false identity documents, but did not prohibit stealing another person's
  personal identifying information.[8]

5 Section 66C of the Information Technology Act, 2000.
6 Section 66D of the Information Technology Act, 2000.
7 Section 419 of the Indian Penal Code, 1860.

Over time, state legislative bodies also started to pass laws that were victim friendly, and
these laws ended up being the basis for many national laws years later. As most crimes are
prosecuted on the state level, these laws came to have a significantly positive impact on
victims.
Other federal laws have also been enacted to address the growing complexities surrounding
identity theft and fraud, such as the Fair Credit Reporting Act (FCRA), the Fair and Accurate
Credit Transactions Act (FACTA) of 2003, the Identity Theft Penalty Enhancement Act of 2004
and the Identity Theft Enforcement and Restitution Act of 2008. Many other Federal Statutes
also overlap with them.[9]
Privacy
Almost any e-commerce transaction involves collecting some kind of personal information
from the user. This generally includes details about their personal identity and their financial
information. Apart from this primary data other secondary data in the form of preferences and
patterns of search may also be collected.
Hence it becomes imperative for every e-commerce platform to maintain the privacy of its
users. Generally any user will have two major concerns:

- Unauthorized access to personal information.
- Misuse of such personal information.

8 www.ovc.gov, available at <http://www.ovc.gov/pubs/ID_theft/idtheftlaws.html>, last visited on 16th August 2016.
9 Ibid.

Stance on Privacy in India


Since data privacy is a modern concept, there is no specific legislation in India
dealing with it, but the Supreme Court in cases such as Kharak Singh v. State of UP[10] and
PUCL v. Union of India[11] recognised the right to privacy as a subset of the larger right to
life and personal liberty under Article 21 of the Constitution of India.
The IT Act deals with violation of privacy only in a limited way: if private pictures of the
body are captured, published or transmitted without the person's consent, it is punishable
with 3 years imprisonment and a fine of up to 2 lakhs.[12]
Only recently in 2011 has the government under Section 43A of the IT Act notified the
Reasonable practices and procedures and sensitive personal data or information Rules,
2011 which provide a framework for the protection of data in India.
There are basically two categories of information which are covered under the IT Act which
need to be considered with respect to data protection.
i. Personal information (PI), which is defined as information that relates to any natural
person which, either directly or indirectly, along with the information available with a body
corporate, is capable of identifying such a person.
ii. Sensitive personal data or information (SPDI), which is defined as such PI of a
person which consists of:
a. password;
b. financial information such as bank account or credit card or debit card or other payment
instrument details;
c. physical, physiological and mental health condition;
d. sexual orientation;
e. medical records and history;
f. biometric information.

10 AIR 1963 SC 1295.
11 1997 (1) SCC 318.
12 Supra at 3.

The Data Protection Rules, inter alia, set the rules through which such SPDI is to be
protected.
i. The need to have a privacy policy in accordance with the parameters set out in the Data
Protection Rules;
ii. The need to obtain consent in a specific manner from the provider of SPDI;
iii. The need to provide an opt out option to the provider of SPDI;
iv. The need to maintain reasonable security practices and procedures in accordance with the
requirements of the Data Protection Rules.
Wrongful disclosure of information is punishable under the IT Act with up to 3 years
imprisonment and a fine of up to Rs 5 lakhs. The IT Act also provides for compensation to be
provided to a person who is a victim of such disclosure.[13]
Position in the US
Unlike other jurisdictions, the US does not have any specific data protection law, but
regulates it on a sector-by-sector or industry basis. There are a number of legislations that deal
with privacy law in the US, which include laws at both the Federal and State levels. These
laws and regulations may be enforced by federal and state authorities, and many provide
individuals with a private right to bring lawsuits against organisations they believe are
violating the law.[14]

13 NDA Hotline, available at <http://www.nishithdesai.com/New_Hotline/IT/>, last visited on 15th August 2016.

As is the case with legislation, there is no single regulatory authority overseeing data
protection in the US. The regulatory authority governing the situation generally depends on
the legislation governing the issue. In the financial services context, for example, various
financial services regulators (as well as state insurance regulators) have adopted
Gramm-Leach-Bliley Act standards that dictate how firms subject to their regulation may collect,
use and disclose non-public personal information. Similarly, in the health-care industry, the
Department of Health and Human Services is responsible for enforcing the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) against covered entities.
Outside of the regulated industries context, the Federal Trade Commission (FTC) is the
primary federal privacy regulator in the US. Section 5 of the FTC Act, which is a general
consumer protection law that prohibits unfair or deceptive acts or practices in or affecting
commerce, is the FTC's primary enforcement tool in the privacy arena. The FTC has used its
authority under section 5 to bring numerous privacy enforcement actions for a wide-range of
alleged violations by entities whose information practices have been deemed deceptive or
unfair. Although section 5 does not give the FTC fining authority, it does enable the
Commission to bring enforcement actions against alleged violators, and these enforcement
actions typically have resulted in consent decrees that prohibit the company from future
misconduct and often require audits biennially for up to 20 years. Under section 5, the FTC
is able to fine businesses that have violated a consent decree.[15]
At the state level, attorneys general also have the ability to bring enforcement actions for
unfair or deceptive trade practices, or to enforce violations of specific state privacy laws.
Some state privacy laws allow affected individuals to bring lawsuits to enforce violations of
the law.
In general, violations of federal and state privacy laws lead to civil, not criminal, penalties.
The main exceptions are the laws directed at surveillance activities and computer crimes.
Violations of the federal Electronic Communications Privacy Act (ECPA) (which is
composed of the Wiretap Act, the Stored Communications Act, and the Pen Register Act) or
the Computer Fraud and Abuse Act (CFAA) can lead to criminal sanctions and civil liability.

14 ABA Section of International Law, Privacy, E-Commerce & Data Security Committee
Quarterly Newspaper, Volume I, Issue 3, Spring 2013.
15 Lisa J Sotto and Aaron P Simpson, Data Protection and Privacy, available at
<https://www.hunton.com/files/Publication/1f767bed>, last visited on 15th August 2016.

In addition, many states have enacted surveillance laws that include criminal sanctions, in
addition to civil liability, for violations.
Outside of the surveillance context, the US Department of Justice is authorised to criminally
prosecute serious HIPAA violations. In circumstances where an individual knowingly violates
restrictions on obtaining and disclosing legally cognisable health information, the DOJ may
pursue criminal sanctions.

COMMON ISSUES FOR E-COMMERCE COMPANIES RELATED TO IPR


A. Designing a Platform / Content Creation Through a Third Party
Website platforms for the conduct of business are one of the primary places where disputes
with regards to ownership of IP occur. Often e-commerce companies outsource the
job of designing such websites/platforms or creation of content to third party
contractors. The main issue here is who would own the IP in the design and the
software that runs the website. Some of the important points for consideration in such
circumstances would be as follows:

- A written agreement that clearly spells out the ownership of the IP, including clauses
  on term, territory and the nature of right.
- If third party IP is used by the contractors, it is important to understand the chain of
  title with respect to such third party IP and whether appropriate permissions have been
  acquired from such third parties.
- A related issue here is the use of open source software. When open source software is
  used, the company should be mindful of the terms and conditions under which such
  software has been licensed.[16]


B. Use of Third Party Content on Website
It is essential to understand that not all the content available on the net can be used
without taking proper permission or giving due credit to the owner of that content.
Content could range from information to logos of third parties. In all of these
instances the IP (such as copyright or trademarks) is owned by a third party and the
e-commerce business necessarily has to obtain the requisite approvals. Similarly,
providing links to other websites is a concern that needs to be addressed as well.[17]

16 The Economist, Intellectual Property and E-Commerce in India, available at
<https://www.ciaonet.org/attachments/20726/uploads>, last visited on 15th August 2016.
17 Supra at 3.

C. Domain Names
Any company that commences e-commerce activities would have to get their domain
names registered first. A domain name basically acts as an address on the internet, such
as www.youtube.com or www.google.com. In more technical terms, a domain name is an
easily recognizable and memorable name for the Internet Protocol resource (which is
typically a set of numbers) of a website.[18] Domain names generally fall within the
purview of trademark law. A domain name registry will never register two identical
names but will agree to register two similar names. This leads to a situation where
deceptively similar domain names can be registered, for example
www.gooooooogle.com, by a third party. Any person visiting www.gooooooogle.com
might think that the content on this website belongs to or has been sponsored by
Google. In such cases trademark law comes to the rescue of Google. Further, while
registering domain names, if the company chooses a domain name that is similar to
some domain name or some existing trademark of a third party, the company could be
held liable for cybersquatting.[19] Indian courts have been proactive in granting orders
against the use of infringing domain names.[20] The takeaway from all these cases is
that a domain name serves the same purpose as a trade mark, and is not a mere address
or like a finding number on the internet but is critical in differentiating the website from
the others, and therefore it is entitled to equal protection as a trademark, and that even
an action for passing off can be filed for domain names. In fact, in the case of Satyam
Infoway Ltd. v. Sifynet Solutions Pvt. Ltd.,[21] the Supreme Court had also held that a
domain name may pertain to the provision of services within the meaning of section
2(z) of the Trade Marks Act, 1999.
Consumer Related Problems to IPR
Even consumers face problems due to the increasing number of counterfeit goods
being sold on E-Commerce websites. What's more shocking is that such practices
have occurred on reputed sites such as Amazon and Snapdeal.[22] Even the original
manufacturers of these products suffer due to the dilution of their brand by these
counterfeit goods.

18 Trade Marks & Emerging Concepts of Cyber Property Rights, V.K.Unni, 1st ed. 2002,
Eastern Law House, p. 15-16.
19 Supra at 3.
20 Yahoo Inc. v. Aakash Arora & Anr AIR 2000 Bom 27.
21 AIR 2004 SC 3540.
22 See Economic Times 3rd December 2014, available at
<economictimes.com/industry/services/retail/brands-cry-foul-over-counterfeit-products-on-e-commerce-siteslike-flipkart-snapdeal-amazon-others>, last visited on 15th August 2016.

CONCLUSION
Through this project we have seen that the United States and India have vastly different
frameworks for dealing with the issues faced by consumers when dealing with
E-Commerce. India as of now has only one legislation, i.e. the IT Act, and no specific regulatory
body that deals with consumer complaints and grievances, whereas the United States
has many different legislations dealing with different sectors, and the
regulatory body changes according to the legislation in question. We have also understood
that there are various kinds of contracts that are being used in the E-Commerce industry, but
India does not have any legislation or any prior jurisprudence dealing with such kinds of contracts,
whereas the United States has a reasonably well developed jurisprudence dealing with the
same. At the end we can conclude by saying that India still has a long way to go before its
legal framework dealing with E-Commerce comes on par with the system already in place in the
United States.
