
THE NATIONAL LAW INSTITUTE UNIVERSITY, BHOPAL

Dissertation

on

Privacy Issues In Electronic Commerce From Consumer’s Perspective- A Comparative Analysis of Indian And US laws

Submitted in partial fulfillment of the requirement of award of the Degree of LL.M.

submitted

by

Ashwini Kelkar

2017 LL.M. 03

under the Guidance

of

Associate Prof. Kavita Singh

2017-18
ACKNOWLEDGMENT

The completion of this dissertation would have been impossible without the help and
contribution of the talented faculty of National Law Institute University, Bhopal. There are many
people behind the completion of this dissertation. I want to thank all of them and in particular:

I express my gratitude and deep regards to my Supervisor Prof. Kavita Singh for giving me such
a wonderful opportunity to make a Dissertation on the topic entitled “Privacy Issues In
Electronic Commerce From Consumer’s Perspective- A Comparative Analysis Of Indian
And US laws” which involves such an interesting discussion on Indian and US laws regarding
the protection of consumer’s privacy in Electronic Commerce. It has indeed enhanced my
knowledge and also widened the scope of my study. I would like to thank her for her exemplary
guidance, monitoring and constant encouragement throughout the course of this research.

I also take this opportunity to express a deep sense of gratitude to my friends Jagrati Vasuniya,
Palak Nema and Shivanshu Pandey for their cordial support, valuable information and guidance,
which helped me in completing this task through various stages.

I am obliged to the staff members of the Library, for the timely and valuable information
provided by them in their respective fields. I am grateful for their cooperation during the period
of my assignment.

Lastly, I thank my family for their constant encouragement without which this assignment would
not have been possible.

Place: Bhopal ASHWINI KELKAR


Date: Roll No.: 2017 LL.M. 03
Enrollment No: - B-0717
National Law Institute University, Bhopal

DECLARATION

I, Ashwini Kelkar, a student of LL.M. of National Law Institute University Bhopal (NLIU),
hereby declare that this dissertation work has been originally carried out by me under the
guidance and supervision of Mrs. Kavita Singh, Associate Professor of law, at NLIU, Bhopal and
that this work has not been submitted elsewhere for any other degree, diploma etc., for any other
university.
I hereby declare that any published or unpublished works or internet sources that I have quoted
or drawn reference from for this work have been fully referenced in the text and in the contents
list. I understand that failure to do this will result in failure of this Dissertation due to plagiarism.

PLACE: Bhopal
DATE: ASHWINI KELKAR
Roll No.: 2017 LL.M. 03
National Law Institute University, Bhopal

CERTIFICATE OF THE SUPERVISOR

This is to certify that the research work titled “Privacy Issues in Electronic Commerce from
Consumer’s Perspective- A Comparative Analysis of Indian and US laws” has been done by
Miss. Ashwini Kelkar (Roll No. 2017 LL.M.03) under my guidance and supervision. The
candidate has earnestly completed on all fronts all the essential requirements needed to be put in
place in partial fulfillment of LL.M. Degree of the National Law Institute University, Bhopal.

To the best of my knowledge, the work submitted is the result of her independent study and
research. The present work is up to the mark and worthy of consideration at the hands of the
examiner for the award of Master of Law degree.

Kavita Singh

(Supervisor)

Associate Professor

NLIU, Bhopal

LIST OF ABBREVIATIONS
AIR All India Reporter

CLOUD Clarifying Lawful Overseas Use of Data Act

COPPA Children's Online Privacy Protection Act

EC Electronic Commerce

FCRA Fair Credit Reporting Act

FTC Federal Trade Commission

IP Internet Protocol

IT Information Technology

OECD Organization for Economic Cooperation and Development

PI Personal Information

PII Personally Identifying Information

SC Supreme Court

SCA Stored Communication Act

SCR Supreme Court Reporter

www World Wide Web

LIST OF AUTHORITIES
INDIAN STATUTES:

• Information Technology Act, 2000
• Indian Penal Code, 1860
• Indian Constitution
• Consumer Protection Act, 1986
• The Right To Information Act, 2005

US STATUTES:

• US Constitution
• California Shine The Light Law
• Electronic Communication Privacy Act, 1986
• Freedom Of Information Act, 1967
• Privacy Act, 1974
• Fair Credit Reporting Act, 1970
• Electronic Fund Transfer Act, 1978
• Occupational Safety and Health Act 1970
• Health Insurance Portability And Accountability Act 1996
• The Computer Fraud And Abuse Act, 1986
• The Children's Online Privacy Protection Act Of 1998
• CAN-SPAM Act Of 2003
• Gramm, Leach, Bliley Act, 1999
• CLOUD Act, 2017
• USA Freedom Act, 2015
• Judicial Redress Act, 2015

TABLE OF CASES

INDIAN CASE LAWS:


Avnish Bajaj v. State (NCT Delhi) (2005) 3 Comp. LJ 364 (Delhi)
Bennett Coleman v. Union of India AIR 1973 SC 60
Delhi Hackers’ Case
Govind v. State of Madhya Pradesh AIR (1975) 2 SCC 148
Indian Cyber Lotto Case
Indian Express Newspaper (Bombay) v. Union of India (1985) 1 SCC 641
Infinity e-search (Gurgaon BPO)
Justice K. Puttuswamy (retd.) and Anr. v. Union of India and Ors W.P.(C) NO.000372/201
Kharak Singh v. State of Uttar Pradesh AIR 1963 SC 1295
Kumar v. Whiteley
M. Nagaraj v. Union of India (2006) 8 SCC 212
M P Sharma & Others v. Satish Chandra, District Magistrate, Delhi & Others. AIR 1954 SCR 1077
Mrs. Ritu Kholi Case
National Association of Software and Service Companies (NASSCOM) v. Ajay Sood and others 119 (2005) DLT 596
PUCL v. Union of India (1997) 1 S.C.C. 301
Pune Citibank Mphasis Call Center Fraud case
R. Rajagopal v. State Of T.N (1994) 6 SCC 632
Sony.Sambandh.com Case
State v. Rajesh Gosain & Anr DE/0409/2014

US CASE LAWS:

Carlisle v. Fawcett publication 201 Cal. App. 2d 733, 20 Cal. Rptr. 405
Carter v. Carter Coal Co. 298 U.S. 238 (1936)
City of Ontario v. Quon 130 S. Ct. 2619 (2010)
FTC v. Accusearch, Inc. 570 F.3d 1187 (2006)
FTC v. Eli Lilly
Gibbons v. Ogden, 22 U.S. (9 Wheat.) 1 (1824)
Griswold v. Connecticut 381 U.S. 479 (1965)
Jane Roe v. Henry Wade 410 US 113 (1973)
Katz v. United States 389 U.S. 347
Kyllo v. United States, 533 U.S. 27, 37–38 (2001)
Melvin v. Reid 112 Cal.App.285, 297
Norman v. City Of Las Vegas 64 Nev. 38, 177 P.2d 44
Olmstead v. United States 277 U.S. 438 (1928)
Re DoubleClick Inc. Privacy Litigation 154 F. Supp. 2d 497 (200
Remsburg v. Docusearch
Riley v. California 134 S. Ct. 2473 (2014)
Roe v. Wade 410 U.S. 113
Smith v. Maryland 442 U.S. 735, 741-46 (197
Suzlon Energy Ltd v. Microsoft Corp. 671 F.3d 726, 729 (9th Cir. 2011)
United States v. Jones 132 S. Ct. 945
United States v. Microsoft 253 F.3d 34
Welton v. Missouri 91 U.S. 275 (1875).

MODE OF CITATION:
In this study, the researcher has uniformly followed the Bluebook (Nineteenth Edition) style of
citation by way of footnotes, with certain modifications in relation to books and articles.

SUMMARY OF CONTENTS
Acknowledgment
Declaration
Certificate of supervisor
List of abbreviations
List of authorities
Table of cases
Mode of citation
Chapter 1- Introduction
Chapter 2- Privacy in electronic commerce vis-a-vis consumer rights- A conceptual analysis
Chapter 3- Privacy issues in Electronic Commerce
Chapter 4- Statutory framework of US and Indian laws in context of Privacy in Electronic Commerce
Chapter 5- Conclusions and Suggestions
Bibliography

Contents

Acknowledgment
Declaration
Certificate Of The Supervisor
List Of Abbreviations
List Of Authorities
Table Of Cases
Mode Of Citation:
CHAPTER 1 – INTRODUCTION:
REVIEW OF LITERATURE:
A. Books:
B. Articles:
C. Report:
1.1 STATEMENT OF PROBLEM:
1.2 HYPOTHESIS:
1.3 RESEARCH QUESTIONS:
1.4 OBJECTIVES OF THE STUDY:
1.5 METHOD OF RESEARCH:
1.6 SCOPE OF THE STUDY:
1.7 CHAPTERISATION:
CHAPTER 2-PRIVACY IN ELECTRONIC COMMERCE VIS A VIS CONSUMER RIGHTS- A CONCEPTUAL ANALYSIS:
2.1 Electronic Commerce:
2.2 Commerce:
2.3 Origin of the term Commerce in United States:
2.4 Privacy:
“A state in which one is not observed or disturbed by other people”.
2.4.1 Origin of the term Privacy:
2.4.2 Concept of Privacy through Judicial Lens in India:
2.4.3 Essential Nature Of Privacy:
2.4.4 Various Aspects Of Privacy:
2.4.5 Privacy under US Constitution:
2.5 Meaning of Consumer:
2.5.1 E- Consumer:
2.5.3 Reasons for the Growth of E-Consumer:
CHAPTER 3- PRIVACY CONCERNS IN ELECTRONIC COMMERCE:
3.1 Personally Identifying Information (PII):
3.1.1 E-Commerce and Information Privacy:
3.1.2 Disclosure and Transfer Of Private Information:
3.2 Personal Information and Privacy Issues:
3.2.1 Social Networking Sites and Online Privacy:
3.3 The Big Data Challenge:
3.3.1 Virtually Irretrievable Data:
3.3.2 Buying and Selling Of Data:
3.3.3 Data Brokers:
3.3.4 Publishing Personal Data:
3.3.5 Breach of Consumer Privacy:
3.4 Phishing:
3.5 Online Shopping and Consumer Protection:
3.6 Harm To Self-Development Caused By Online Self-Disclosure:
CHAPTER 4: STATUTORY FRAMEWORK OF US AND INDIAN LAWS IN CONTEXT OF PRIVACY IN ELECTRONIC COMMERCE
4.1 E Commerce Privacy Laws For Consumer Protection In India:
4.1.1 Information Technology Act, 2000:
Information Gathering:
4.1.2 The Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules):
4.1.3 Data Protection and IT Act, 2000:
4.2.1 Indian Penal Code, 1860 (IPC):
4.3.1 The Right to Information Act, 2005:
4.3.2 Data Protection & Right to Information Act, 2005:
4.3 Data Protection & Consumer:
A P SHAH REPORT ON ONLINE PRIVACY:
Principle 2: Choice and Consent
Principle 3: Collection Limitation
Principle 4: Purpose Limitation
Principle 5: Access and Correction
Principle 6: Disclosure of Information
Principle 7: Security
Principle 8: Openness
Principle 9: Accountability
4.4 European Union Directive on Data Protection:
4.5 US Legislative Framework on Privacy Laws in E-Commerce:
4.5.1 Fourth Amendment and Right to Privacy:
4.6 Laws relating to Electronic Privacy in US:
4.6.1 Electronic Communication Privacy Act, 1986:
4.6.2 Freedom of Information Act, 1967:
It requires the government to make available to the public certain government information.
4.6.3 Privacy Act, 1974:
4.6.4 Fair Credit Reporting Act, 1970 (FCRA):
4.6.5 Electronic Fund Transfer Act, 1978:
4.6.6 Occupational Safety and Health Act 1970:
4.6.7 Health Insurance Portability and Accountability Act 1996:
4.6.8 The Computer Fraud and Abuse Act, 1986:
4.6.9 The Children's Online Privacy Protection Act of 1998 (COPPA):
4.6.10 PRIVACY IN THE GRAMM, LEACH, BLILEY ACT, 1999 (GLBA):
4.6.11 CLOUD ACT, 2017:
4.7 Role of Federal Trade Commission In Protection Of Consumers Privacy:
4.8 Foreign Intelligence Surveillance Act, 1978 (FISA):
4.9 Present Scenario of Online Privacy Laws in US:
4.10 OECD Guidelines and International Privacy:
CHAPTER-5 CONCLUSIONS AND SUGGESTIONS:
A) Conclusions
B) Suggestions
BIBLIOGRAPHY:
A) Books:
B) Articles:
C) Dictionaries:
D) Webliography:

CHAPTER 1 – INTRODUCTION:
This research work deals with the concept of privacy in electronic commerce and the various
threats that the use of electronic commerce poses to consumers. Privacy in Electronic
Commerce (EC) means the protection of the privacy of the parties involved in trading through
E-commerce. There is no generally accepted definition of E-commerce. However, the concept of
E-commerce is broader than internet shopping. It encompasses all commercial transactions based
on the electronic processing and transmission of data, text, sound and image. Privacy is the
“right to be let alone”, but its application in today’s modern world is not that straightforward.
The Supreme Court in its recent judgment of Justice K. Puttuswamy (retd.) and Anr. v. Union
of India and Ors1 has declared that the right to privacy is an intrinsic part of Article 21 of the
Constitution of India.

A comparative analysis of Indian and US laws has been done on the basis of the legislative
frameworks in both countries. In India, consumers’ rights are guaranteed under the Consumer
Protection Act. The Consumer Protection Act, 1986 does not include any service that is free of
charge in its ambit. An online transaction that does not charge the consumer therefore
remains unprotected by the Consumer Protection Act, 1986. Such discrepancies and loopholes
pose a huge hurdle in protecting the consumers who participate in E-Commerce. India thus
does not have an adequate law to deal with violations of consumers’ privacy in an
online market. At present, India needs a law that provides adequate protection to consumers
on an electronic commerce platform, thereby ensuring that their personal information is not
misused by a third party. Here, third party means an individual or a company that steals the
information of consumers for profit-making purposes.

The United States is a country where Internet technology is most developed. In the United States,
the concern for privacy protection and the measures adopted have kept it in the foremost ranks of
the world. While there is no provision in the US Constitution that explicitly grants a right to
privacy, the right in a limited form is reflected in the Fourth Amendment to the US Constitution,
which is the right against unreasonable searches and seizures. The Federal Trade Commission
(FTC) is a federal agency with the dual mission to protect consumers and promote competition,
and it has the responsibility to ensure consumer privacy enforcement. The principles of notice
and consent have been the forerunners of FTC. In this dissertation, US and Indian laws have
been compared in order to analyze the legal framework in these countries. The US
privacy model recognizes the value of data vis-a-vis self regulation, and therefore allows
collection of personal information as long as the individual is informed of such collection and
use. Thus the object of this research work was to compare the laws of India and the US and
ascertain that India too needs a legislative framework based on the notice and consent model of
the US which can ensure the protection of online consumers. Consumers are the backbone of the
economy and no actual progress can occur without safeguarding their interests. Thus, strong
legislation that can protect the consumer’s personal information online, thereby ensuring that
privacy remains intact, is the need of the hour.

1 Justice K. Puttuswamy (retd.) and Anr. V. Union of India and Ors W.P.(C) NO.000372/2017.

REVIEW OF LITERATURE:

A. Books:
1. Nandan Kamath, in his book titled Law Relating to Computers Internet & E-commerce 2 –
A Guide to Cyber laws & The Information Technology Act, 2000, brings out the potential of
the internet along with its challenges. The recent growth and potential of the internet are
laid down. Chapter 13 of this book deals with personal data privacy in the online context.
The chapter deals with privacy in the age of new technology and data protection laws in
the USA. It also discusses the OECD guidelines, which talk about the privacy legislation
that may be adopted by states for the protection of privacy.
2. Robert Gellman & Pam Dixon in their book Online Privacy3 deal with the concept of
online privacy and its rampant violation. The authors have also addressed topics that include
what comprises online privacy today, what protections exist in current law, and current
challenges in online privacy. The book does not specifically provide details about
privacy issues from the consumer’s perspective.

2 NANDAN KAMATH, LAW RELATING TO COMPUTERS INTERNET & E-COMMERCE – A GUIDE TO
CYBER LAWS & THE INFORMATION TECHNOLOGY ACT, 2000, 394-407, Delhi, Universal Law Publishing Co.
Pvt. Ltd, 4th ed. (2009).
3 1 ROBERT GELLMAN & PAM DIXON, ONLINE PRIVACY, A REFERENCE HANDBOOK ON ONLINE
PRIVACY, 1-20, California, contemporary world issues series, (2011).

3. Alan Davidson in his book titled The Law of Electronic Commerce 4 addresses the legal
issues relating to electronic commerce. It also defines the terms informational privacy and
personal privacy and differentiates between them.
4. Kamlesh K Bajaj & Debjani Nag in their book titled E- Commerce5 have talked about the
importance of e commerce and its application in today’s era.
5. Graham J H Smith in his book titled Internet Law and Regulation6 has talked about the
importance of data protection in the internet age. He has also discussed the publication
of personal data on a website and the issues it raises.
6. Kermit L. Hall & John J. Patrick in their book titled The Pursuit of Justice7 have laid
down various judgments of the USA discussing the right to privacy and their impact on
American citizens.
7. P. K. Majumdar in his book Law of Consumer Protection in India 8 deals with the
Consumer Protection Act 1986 and also discusses various case laws.

B. Articles:
1. Babita Gupta, Lakshmi S. Iyer and Robert S. Weisskirch, in their article titled Facilitating
Global E-commerce: A Comparison of Consumers Willingness To Disclose Personal
Information online in the USA and in India 9, discuss how consumers’ privacy and
security concerns are magnified as companies rely on worldwide networks for electronic
commerce. Global businesses that can persuade consumers to disclose their personal
information online are more likely to provide better service and product delivery. This is an
empirical study of two countries, the USA and India. The study found that
Indians are more willing to disclose their personal information than
Americans.

4 ALAN DAVIDSON, THE LAW OF ELECTRONIC COMMERCE, 216-221, (Delhi, Cambridge University Press,
1st ed. 2009).
5 KAMLESH K BAJAJ & DEBJANI NAG, E- COMMERCE, 14-18, New Delhi, Tata McGraw Hill Education
Private Limited, 2nd ed. (2005).
6 GRAHAM J H SMITH, INTERNET LAW AND REGULATION, 684-693, London, Sweet & Maxwell, 4th ed.
(2007).
7 KERMIT L. HALL & JOHN J. PATRICK, THE PURSUIT OF JUSTICE, 150-158, New York, Oxford University
Press, 1st ed. (2006).
8 1 P. K. MAJUMDAR, LAW OF CONSUMER PROTECTION IN INDIA, New Delhi, Orient Publishing Company,
6th ed. (2015).
9 Babita Gupta & Lakshmi S. Iyer & Robert S. Weisskirch, Facilitating global E-commerce: a comparison of
consumers willingness to disclose personal information online in the USA and in India, 11 JECR. 41, 49-51 (2010).

2. Muthaiyah Saravanan, Ernest Jude, Antony Joseph & Wai Kok Chew, in their article Review of
E-commerce Issues: Consumers Perception on Security and Privacy 10, have
discussed the issues of privacy and security from the consumer’s standpoint. The prime objective
of this paper is to determine the perception of consumers towards the security aspects of
E-commerce technology.
3. Samuel D. Warren and Louis D. Brandeis, in their article titled The Right to Privacy11, have
talked about recent inventions and business methods that call for attention to the next step
which must be taken for the protection of the person, and for securing to the individual the
right ‘to be let alone’. But the article does not specifically deal with the issues of electronic
commerce.
4. Daniel J. Solove in his article titled Privacy self-management and consent dilemma 12 has
discussed the current regulatory approach for protecting privacy. Privacy self-management
addresses privacy in a series of isolated transactions guided by particular individuals. It is
virtually impossible for people to weigh the costs and benefits of revealing information or
permitting its use or transfer without an understanding of the potential downstream uses,
further limiting the effectiveness of the privacy self-management framework.
5. Dr. Gargi Rajvanshi and Mayank Singhal in their article Data Privacy and growth of E
commerce- an Indian Perspective 13 have laid emphasis on the importance of privacy for an
individual in electronic commerce and stated that adequate legislation for data privacy is the
need of the hour to ensure consumer trust in an e commerce platform.
6. Lawrence M. Friedman in his article The Eye That Never Sleeps: Privacy and the Law
in the Internet Era 14 has talked about the incarnation of the concept of privacy in the United
States and explained the concept of privacy as immunity from outside interference.
7. Corey Ciocchetti in his article titled Just Click Submit: The Collection, Dissemination,
and Tagging of Personally Identifying Information15 has discussed that as the twenty-first

10 Muthaiyah Saravanan & Ernest Jude & Antony Joseph & Wai Kok Chew, Review of E-commerce Issues: Consumers Perception On Security And Privacy, 3 IBERJ. 69, 69-78 (2011).
11 Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Har. L. Rev. No. 5, 193, 193-220 (1890).
12 Daniel J. Solove, Privacy self-management and consent dilemma, 126 Har. L. Rev. 1880, 1880-1890 (2013).
13 Dr. Gargi Rajvanshi & Mayank Singhal, Data Privacy and growth of E commerce- an Indian Perspective, Bharati L. REV. 1, 1-20 (2016), http://docs.manupatra.in/newsline/articles/Upload/46D5708A-2C89-424B-91A2-1144BCD95C4D.pdf.
14 Lawrence M. Friedman, The Eye That Never Sleeps: Privacy and the Law in the Internet Era, 40 Tulsa L. REV. Issue 4, 561, 561-578 (2005).

century bustles forward, the E-commerce arena becomes an ever more dangerous place. The
author has also discussed the concept of personal information and e commerce.
8. Shashi Nath Mandal in his article E-Consumers' Protection in India 16 has endeavored to
assess and devise or improve the existing laws or policies, apart from analyzing and
comparing the usefulness of e-consumer protective mechanisms for the protection of
consumers’ rights, keeping in view the Consumer Protection Act.
9. Julie E. Cohen in What Privacy Is For 17 discussed that a society that permits the unchecked
ascendancy of surveillance infrastructures cannot hope to remain a liberal democracy.
10. Poonam Pathak in her article Challenges of Online Shopping and Consumer Protection 18
has stressed the importance of bringing in legislation for the protection of consumers on
online platforms. Despite its advantages, e-commerce poses several privacy threats to
consumers.
11. Apar Gupta in Balancing Online Privacy In India 19 has laid down the provisions of the
Information Technology Act, 2000 and other Indian laws which deal with online
privacy.
12. Anita L. Allen in Coercing Online Privacy 20 has said that privacy is not an optional good,
like a second home or an investment account. Thus, according to the author, privacy should
never be compromised.
13. Jessica Litman in Information Privacy 21 has discussed the consequences of using the
internet for day-to-day activities. Everything we do on the internet is noted and stored, making it a
threat to information privacy.
14. Jayanta Ghosh & Dr. Uday Shankar in Privacy and Data Protection Laws in India: A
Right-Based Analysis 22 observe that the advancement of technology and the dynamism of the
legal world provide an outlook on privacy and data protection issues in the recent era. Privacy is
something that is not to interfere with the interests of others. Privacy has become a concern of

15 Corey Ciocchetti, Just Click Submit: The Collection, Dissemination, and Tagging of Personally Identifying Information, 10 VJETL. 553, 553-642 (2008).
16 Shashi Nath Mandal, E-Consumers' Protection in India, 16 Global Journals Inc. Issue 5 (2016).
17 Julie E. Cohen, What Privacy Is For, 126 Har. L. REV. 1904, 1904-1916 (2013).
18 Poonam Pathak, Challenges Of Online Shopping And Consumer Protection, 3 IJMSS. 325, 325-330 (2015).
19 Apar Gupta, Balancing Online Privacy In India, 6 IJLT. 43, 43-57 (2010).
20 Anita L. Allen, Coercing Privacy, 40 WM. & MARY L. REV. 723, 723-740 (1999).
21 Jessica Litman, Information Privacy, 52 Stanford L. REV. 1283, 1283-1300 (2000).
22 Jayanta Ghosh & Dr. Uday Shankar, Privacy And Data Protection Laws In India: A Right-Based Analysis, Bharati L. REV. 54, 54-72 (2016).

every individual due to technological advancement, and the article also places a narrow
emphasis on the protection of data.
15. Clayton Moore Henry in Financial Institutions and Electronic Commerce: A US
Perspective on the Issue of Privacy 23 has discussed various Acts relating to privacy in the
US constitution.

c. Report:
1. Justice A P Shah in his report on Privacy24 has recommended nine principles for protecting
online privacy.

1.1 STATEMENT OF PROBLEM:


The absence of an effective and adequate legislative framework in India guaranteeing the consumers’
right to privacy in electronic commerce has led to privacy violations whereby the private
information of consumers is susceptible to misuse.

1.2 HYPOTHESIS:
In comparison to US privacy laws in electronic commerce, Indian law is ill-equipped and fails to
meet the emerging challenge of affording adequate protection to consumers’ privacy online.

1.3 RESEARCH QUESTIONS:

• What is the meaning of privacy and electronic commerce?
• How does electronic commerce infringe the online privacy of consumers?
• Whether existing laws concerning consumers’ rights in electronic commerce in India are
adequate for the protection of private information of consumers?
• Does India need a separate legislation for the protection of consumers in electronic
commerce?
• How does the legal framework in India and the US deal with privacy protection of
consumers?

1.4 OBJECTIVES OF THE STUDY:

• To analyze the importance of protection of consumers’ privacy in e-commerce.

23 Clayton Moore Henry, Financial Institutions and Electronic Commerce: A US Perspective on the Issue of Privacy, 5 Y.B. Int'l Fin. & Econ. L. 361 (2000-2001), http://heinonline.org/HOL/Page?handle=hein.journals/sifet5&collection=journals&id=373&startid=&endid=386.
24 Justice A P Shah, Report of the group of experts on Privacy, 1-92 (2012).

• To identify and explore the information privacy concerns of Indian consumers in electronic
commerce.
• To compare the legislative frameworks of India and US in respect of Electronic commerce
privacy.
• To study whether India needs a separate legislation for the consumer’s privacy in Electronic
commerce platform.

1.5 METHOD OF RESEARCH:


For this study the research is doctrinal. The nature of the work is both analytical and descriptive.
Information and data for the project will be from various books, articles and other online
resources. The research will include opinions of research scholars, academicians and other
experts who have dealt with this subject.

1.6 SCOPE OF THE STUDY:

• The scope of the study is limited to informational privacy on electronic commerce
platforms.
• The research only includes the comparative analysis of India and the US with respect to privacy
issues in electronic commerce from the consumer’s perspective.
• The research only deals with privacy issues from the point of view of the consumer.

1.7 CHAPTERISATION:
• Introduction- This introductory chapter has addressed the purpose for studying this subject.
It has furthermore addressed the scope of this research by referring to the lack of prior
research conducted in India regarding privacy regulations. The chapter finishes by
establishing the research questions that will be investigated in the study.
• Privacy in Electronic Commerce vis-a-vis Consumer Rights- A Conceptual Analysis-
The second chapter considers electronic commerce (EC), its definition and the various
perspectives relating to it. Chapter two starts by returning to the roots of privacy, and the
relationship between privacy and personal information is explored. Additionally, in this
chapter, consumers’ rights are also highlighted with respect to online transactions.
• Privacy Issues in Electronic Commerce- This chapter finishes by addressing some
examples that constitute a threat to individuals’ privacy and data protection and, as a consequence,
invade their right to privacy and prevent consumers from purchasing online. It finishes

by presenting the loopholes in the current legal framework related to consumer protection
in electronic commerce.
• Statutory framework of US and Indian laws in context of Privacy in Electronic
Commerce- Chapter four provides a historical review of electronic commerce
implementation in India as a developing country, and the US as a developed country. It also
provides a comparative analysis of the two countries on the current regime of law relating to
privacy in electronic commerce. This chapter finishes by discussing the legal environment in
both countries and its role in regulating information privacy matters.
• Conclusions and Suggestions- Chapter five presents answers to the research
questions proposed in the current research. In addition, this chapter addresses the contributions to
knowledge that have been provided by this research. This chapter also utilizes this
background to propose a solution to the threats caused by current inadequate privacy law by
advocating for a new federal regulation.

CHAPTER 2-PRIVACY IN ELECTRONIC COMMERCE VIS A VIS CONSUMER
RIGHTS- A CONCEPTUAL ANALYSIS:

2.1 Electronic Commerce:


Electronic commerce, or simply e-commerce, has been defined as conducting
business online. It refers to the activity of buying and selling online through electronic
media such as the internet and other media. The Organization for Economic Cooperation and
Development (OECD) defines Electronic commerce as a “new way of conducting business,
qualifying it as business occurring over networks which use non-proprietary protocols that are
established through an open standard setting process such as the Internet.” 25 Total trade carried
out electronically has grown enormously with extensive use of the Internet. Commerce
accomplished in this way is encouraging, and improvement is visible in transferring funds,
managing supply chains, internet marketing, transaction processing, electronic data interchange,
inventory management systems, and automatic data collection systems.

Nowadays electronic commerce typically uses the World Wide Web (www) at some point in the
transaction's life cycle, even though it can cover a wider range of technologies including email as
well. A major portion of electronic commerce is conducted electronically for non-tangible items
such as access to paid content on a website, but the remaining electronic commerce involves the
shipping of physical items in some way. Nowadays almost all big retail houses have an
electronic presence on the World Wide Web. Electronic commerce is by and large considered
to be the sales portion of E-business. It also consists of the exchange of data to facilitate the
financing and payment portion of business transactions.

In order to understand the role of electronic commerce in today’s era, we first have to discuss
what the term electronic commerce means. The term “electronic” means
relating to computers or something that is done by computers. 26 Electronic commerce thus means
business transactions conducted by electronic means other than the conventional means such as
25 Dr. Rama Sharma & Vibha Srivastava & Gargi Bhadoria, Consumer Protection in the Era of E-commerce, 1 IJR. Issue-8, 1294, 1294-1307 (2014).
26 Cambridge English Dictionary, https://dictionary.cambridge.org/dictionary/english/electronic (last visited on Feb. 21, 2018).

by post. It is the conduct of buying and selling products and services by businesses and consumers
over the internet. 27 Here, “E” simply means anything done electronically, usually via the internet.

Robert Clarke 28 defined Electronic commerce as “the conduct of commerce in goods and
services, with the assistance of telecommunications and telecommunications based tools”. Thus,
E-commerce refers to the paperless exchange of business information using electronic data
interchange, electronic mail, World Wide Web and other network based technologies.
E-commerce not only automates manual processes and paper transactions, but also helps
organizations and companies move to a fully electronic environment. 29
A commercial transaction can be divided into three main stages: the advertising and searching
stage, the ordering and payment stage and the delivery stage. Any or all of these may be carried
out electronically and may, therefore, be covered by the concept of ‘electronic commerce’. 30

E-commerce is a modern business methodology that addresses the needs of the organization,
merchants and consumers to cut costs while improving the quality of goods and services and
speed of service delivery. The main vehicle of E-commerce remains the Internet and the World
Wide Web, but use of e-mail, fax and telephone orders is also prevalent. Electronic commerce is
the application of communication and information sharing technology among trading partners in
pursuit of business objectives. A key element of E-commerce is information processing.
E-commerce (or ecommerce) consists of buying and selling products and services over the
Internet, as opposed to the standard commerce practices. Many businesses have become
extremely profitable through online sales. Dell Computers is a prime example. Small companies
and even individuals can also market their products or services on a worldwide basis through E-
commerce.

Today, the market place is flooded with several E-commerce options for shoppers to choose
from. In the last couple of years, the growth of ecommerce industry in India has been
phenomenal as more shoppers have started discovering the benefits of using this platform. A

27 Dictionary of information science and technology, Mehdi Khosrow-Pour, USA, Idea Group Reference, Vol 1. (2006).
28 Clarke, “Electronic Commerce Definitions” http://www.rogerclarke.com/EC/ECDefns.html (last visited on Mar. 13th, 2018).
29 supra note 5.
30 supra note 25.

large number of shopping websites are being used by people these days. Prime examples of
these websites are Amazon, Flipkart, Jabong, sss online, etc.

2.2 Commerce:
Commerce made its way into English from the Latin word commercium, com- meaning
"together," and mercium, meaning "merchandise." 31 Business, trade, and retailing are all
common synonyms. Commerce doesn't always refer to buying and selling, though, just as the
marketplace doesn't always refer to goods and services. Data, information, and opinions, too, can
be exchanged and traded, as on the Internet, which is a great place for the commerce of ideas.

According to the Oxford English Dictionary 32 the term “commerce” means “the activity of buying
and selling, especially on a large scale”.

Commerce means the activities involved in buying and selling things. 33 “Intercourse by way of
trade and traffic between different peoples or states and the citizens or inhabitants thereof,
including not only the purchase, sale, and exchange of commodities, but also the
instrumentalities and agencies by which it is promoted and the means and appliances by which it
is carried on, and the transportation of persons as well as of goods, both by land and by sea”. 34

Thus, in simple terms, commerce means that part of business which is concerned with the
exchange of goods and services and includes all those activities which directly or indirectly
facilitate that exchange.

2.3 Origin of the term Commerce in United States:


Commerce is the exchange of goods, productions, or property of any kind; the buying and selling, and
exchange of articles. 35 A provision of the U.S. Constitution (Art. I) gives Congress exclusive
powers over interstate commerce. This power is the basis for a considerable amount of federal
legislation and regulation. It is known as the Commerce Clause. On the concept of inter-state trade
and commerce, Sec. 8, Clause (3) of Article I of the Constitution of the United States empowers the
31 https://www.vocabulary.com/dictionary/commerce (last visited on Feb. 21, 2018).
32 Oxford English Dictionary, https://en.oxforddictionaries.com/definition/commerce (last visited on Feb. 21, 2018).
33 Cambridge English Dictionary, https://dictionary.cambridge.org/dictionary/english/commerce (last visited on Feb. 21, 2018).
34 Black’s Law Dictionary, https://thelawdictionary.org/commerce/ (last visited on Feb. 21, 2018).
35 Black’s Law Dictionary, H.C. Black, 269 (West Publishing 6th ed. 1990).

Congress "to regulate commerce with foreign nations and among the several States and with
Indian Tribes”.

For the purposes of Fair Labor Standards Act 1938, commerce means trade, commerce,
transportation, transmission or communication among several states or between any state and
any place outside thereof.

In Welton v. Missouri 36 the US Supreme court held that Commerce is a term of the largest
import. It comprehends intercourse for the purposes of trade in any and all its forms, including
the transportation, purchase, sale, and exchange of commodities between the citizens of our
country and the citizens or subjects of other countries, and between the citizens of different
states. The power to regulate it embraces all the instruments by which such commerce may be
conducted.

In Carter v Carter Coal Co. 37 the Court drew a distinction between "production" (such as
manufacturing, agriculture, or mining) and "commerce" or trade in the things produced. In Carter
Coal, Justice Sutherland defined "commerce" as "the equivalent of the phrase 'intercourse for the
purpose of trade.'" "Mining," he explained, "brings the subject matter of commerce into existence.
Commerce disposes of it." Sutherland's definition harkens back to Marshall's use of
"intercourse" without the unwarranted suggestion that "commerce" embraces every form of
intercourse. It also seems a reasonable definition of the term "commercial intercourse."

In Gibbons v. Ogden 38, also known as the steamboat case, Chief Justice Marshall said:
"this would restrict a general term, applicable to many objects, to one of its significations.
Commerce, undoubtedly, is traffic, but it is something more; it is intercourse. It describes the
commercial intercourse between nations, and parts of nations, in all its branches, and is regulated
by Congress prescribing rules for carrying on that intercourse."

Supreme Court decisions in the United States pertaining to its commerce clause show that the
commerce clause in the United States Constitution has been given a very wide connotation to
bring within its purview traditional activities of buying and selling and barter systems or
36 Welton v. Missouri, 91 U.S. 275 (1875).
37 Carter v Carter Coal Co., 298 U.S. 238 (1936).
38 Gibbons v. Ogden, 22 U.S. (9 Wheat.) 1 (1824).

commercial activities which concern more than one State and also intrastate activities which
have a substantial effect on interstate commerce. Besides, the regulatory power of Congress has
been extended even to prohibit interstate transactions which have a harmful effect on society.

2.4 Privacy:

“Historically, privacy was almost implicit, because it was hard to find and gather information.
But in the digital world, whether it's digital cameras or satellites or just what you click on, we
need to have more explicit rules - not just for governments but for private companies.” - Bill Gates
(founder of Microsoft)

Privacy: The right to be let alone; the right of a person to be free from unwarranted publicity;
and the right to live without unwarranted interference by the public in matters with which the
public is not necessarily concerned. 39 “Privacy” means the state of being alone or someone’s
right to keep their personal matters and relationships secret.40

Privacy has been defined in many international conventions, one of them being the Universal
Declaration of Human Rights (UDHR). Article 12 of the UDHR provides that “no one shall be
subjected to arbitrary interference with his privacy, family, home or correspondence, nor to
attacks upon his honor and reputation. Everyone has the right to the protection of the law against
such interference or attacks.” 41

The UN Special Rapporteur made reference to the right to privacy in his first report on 8th
March 2016. Two principles underpin his report – 1. Privacy safeguards must be available
regardless of national borders; and 2. Remedies for violations of privacy likewise must be
available across these borders.42

39 supra note 35.
40 Cambridge English Dictionary, https://dictionary.cambridge.org/dictionary/english/privacy (last visited on Feb. 21, 2018).
41 Article 12 of the Universal Declaration of Human Rights (UDHR), 1948.
42 Buddhadeb Halder, Privacy in the age of big data, http://defindia.org/wp-content/uploads/2017/09/Privacy%20in%20India%20in%20the%20Age%20of%20Big%20Data.pdf (last visited on Feb. 11, 2018).

“A state in which one is not observed or disturbed by other people”. 43
Black's Law Dictionary 44 defines privacy as the right that determines the non-intervention of
secret surveillance and the protection of an individual's information. It is split into 4 categories:

• Physical: An imposition whereby another individual is restricted from experiencing an
individual or a situation.
• Decisional: The imposition of a restriction that is exclusive to an entity.
• Informational: The prevention of searching for unknown information; and
• Dispositional: The prevention of attempts made to get to know the state of mind of an
individual.

The Supreme Court in its recent judgment of Justice K. Puttaswamy (retd.) and Anr. v.
Union of India and Ors. 45 has held that the right to privacy is a fundamental right. The right to
privacy is a multidimensional concept. In modern society the right to privacy has been recognized
both in the eye of the law and in common parlance. Article 21 protects the right to privacy and
promotes the dignity of the individual. The right to privacy refers to the specific right of an
individual to control the collection, use and disclosure of personal information. Personal
information could be in the form of personal interests, habits and activities, family records,
educational records, communications (including mail and telephone) records, medical records
and financial records, to name a few. Privacy means the right to be left alone; the right of a person to be
free from any unwarranted publicity; the right to live freely from any unwarranted interference by
the public in matters with which the public is not necessarily concerned.

2.4.1 Origin of the term Privacy:


The Greek philosopher Aristotle spoke of a division between the public sphere of political affairs
(which he termed the polis) and the personal sphere of human life (termed oikos). This
dichotomy may provide an early recognition of “a confidential zone on behalf of the citizen” 46.
Aristotle’s distinction between the public and private realms can be regarded as providing a basis
for restricting governmental authority to activities falling within the public realm. On the other

43 Oxford English Dictionary, https://en.oxforddictionaries.com/definition/privacy (last visited on Feb. 21, 2018).
44 Black’s Law Dictionary, https://thelawdictionary.org/privacy/ (last visited on Feb. 21, 2018).
45 supra note 1.
46 Michael C. James, A Comparative Analysis of the Right to Privacy in the United States, Canada and Europe, 29 CJIL. Issue 2 (2014).

hand, activities in the private realm are more appropriately reserved for “private reflection,
familial relations and self-determination.”

John Stuart Mill in his essay, ‘On Liberty’ (1859) gave expression to the need to preserve a zone
within which the liberty of the citizen would be free from the authority of the state. According to
Mill: “The only part of the conduct of any one, for which he is amenable to society, is that which
concerns others. In the part which merely concerns him, his independence is, of right, absolute.
Over himself, over his own body and mind, the individual is sovereign.” 47 Privacy is a right of the
individual to exercise control over his or her personality. It finds an origin in the notion that there
are certain rights which are natural to or inherent in a human being. Natural rights are inalienable
because they are inseparable from the human personality. The human element in life is
impossible to conceive without the existence of natural rights. In 1690, John Locke had in his
“Second Treatise of Government” observed that the lives, liberties and estates of individuals are
as a matter of fundamental natural law, a private preserve.

2.4.2 Concept of Privacy through Judicial Lens in India:


The very first cases to lay down the contours of the right to privacy in India were the cases of
Kharak Singh v. State of Uttar Pradesh 48 and M P Sharma & Others vs. Satish Chandra,
District Magistrate, Delhi & Others. 49 In the case of Kharak Singh, a Supreme Court bench of six
judges was required to decide the constitutionality of certain police regulations which allowed
the police to conduct domiciliary visits and surveillance of persons with a criminal record. The
petitioner in this case had challenged the constitutionality of these regulations on the grounds
that they violated his fundamental right to privacy under the ‘personal liberty’ clause of Article
21 of the Constitution. In this case a majority of the judges refused to interpret Article 21 to
include within its ambit the right to privacy; the majority stated, “The right of privacy is not a
guaranteed right under our Constitution, and therefore the attempt to ascertain the movements of
an individual is merely a manner in which privacy is invaded and is not an infringement of a
fundamental right guaranteed in Part III.” The majority however did recognize the common law
right of citizens to enjoy the liberty of their houses and approved of the age-old saying that a
“man’s home was his castle”. The majority therefore understood the term ‘personal liberty’ in

47 John Stuart Mill, On Liberty, Batoche Books (1859).
48 Kharak Singh v. State of Uttar Pradesh, AIR 1963 SC 1295.
49 M P Sharma & Others vs. Satish Chandra, District Magistrate, Delhi & Others, AIR 1954 SCR 1077.

Article 21 in the context of age-old principles from common law while holding domiciliary visits
to be unconstitutional. Justice Subba Rao held “It is true our Constitution does not expressly
declare a right to privacy as a fundamental right, but the said right is an essential ingredient of
personal liberty.” A similar verdict was given in M P Sharma’s case.

The question of privacy as a fundamental right presented itself once again to the Supreme Court
a few years later in the case of Govind v. State of Madhya Pradesh. 50 The petitioner in this case
had challenged, as unconstitutional, certain police regulations on the grounds that the regulations
violated his fundamental right to privacy. Although the issues were similar to the Kharak Singh
case, the 3 judges hearing this particular case were more inclined to grant the right to privacy the
status of a fundamental right.

The Court also relied upon the US Supreme Court decision in Jane Roe v Henry Wade51 in
which the Court upheld the right of a married woman to terminate her pregnancy as a part of the
right of personal privacy. The following observations of Justice Mathew, who delivered the
judgment of the Court, do indicate a constitutional recognition of the right to be let alone:

“Rights and freedoms of citizens are set forth in the Constitution in order to guarantee
that the individual, his personality and those things stamped with his personality shall be free
from official interference except where a reasonable basis for intrusion exists.”

This statement was however qualified with the disclaimer that this right was not an absolute right
and that the same could be curtailed by the State provided it could establish a “compelling public
interest” in this regard.

In R. Rajagopal v. State of T.N. 52 the court held that the right to privacy is implicit in the right
to life and liberty guaranteed to the citizens of this country by Article 21. It is a “right to be let
alone”. A citizen has a right to safeguard the privacy of his home, his family, marriage,
procreation, motherhood, child-bearing and education among other matters. None can publish
anything concerning the above matters without his consent whether truthful or otherwise and
whether laudatory or critical. If he does so, he would be violating the right to privacy of the

50 Govind v. State of Madhya Pradesh, AIR (1975) 2 SCC 148.
51 Jane Roe v Henry Wade, 410 US 113 (1973).
52 R. Rajagopal v. State Of T.N, (1994) 6 SCC 632.

person concerned and would be liable in an action for damages. The position may, however, be
different, if a person voluntarily thrusts himself into controversy or voluntarily invites or raises a
controversy.

2.4.3 Essential Nature Of Privacy:


In M Nagaraj v Union of India53 it was held that it is the duty of the State not only to protect the
human dignity but to facilitate it by taking positive steps in that direction. No exact definition of
human dignity exists. It refers to the intrinsic value of every human being, which is to be
respected. It cannot be taken away. Every human being has dignity by virtue of his existence.
Privacy postulates the reservation of a private space for the individual, described as the right to
be let alone. The concept is founded on the autonomy of the individual.

The ability of an individual to make choices lies at the core of the human personality. The notion
of privacy enables the individual to assert and control the human element which is inseparable
from the personality of the individual. The inviolable nature of the human personality is
manifested in the ability to make decisions on matters intimate to human life. These are concerns
over which there is a legitimate expectation of privacy. The integrity of the body and the sanctity
of the mind can exist on the foundation that each individual possesses an inalienable ability and
right to preserve a private space in which the human personality can develop. Without the ability
to make choices, the inviolability of the personality would be in doubt. Recognizing a zone of
privacy is but an acknowledgment that each individual must be entitled to chart and pursue the
course of development of personality. Hence privacy is a basic right of human dignity itself.
Thoughts and behavioral patterns which are intimate to an individual are entitled to a zone of
privacy where one is free of social expectations. In that zone of privacy, an individual is not
judged by others. But this is not so in the era of e-commerce. Each behavioral pattern and habit
is being judged by a company or a body which is unknown to us. Privacy enables each
individual to take crucial decisions which find expression in the human personality. It enables
individuals to preserve their beliefs, thoughts, expressions, ideas, ideologies, preferences and
choices against societal demands of homogeneity. Privacy is an intrinsic recognition of the right
of the individual to be different and to create a zone of solitude.

53 M Nagaraj v Union of India, (2006) 8 SCC 212.

Privacy protects the individual from the searching glare of publicity in matters which are
personal to his or her life. Privacy attaches to the person and not to the place where it is
associated. Privacy constitutes the foundation of all liberty because it is in privacy that the
individual can decide how liberty is best exercised. Individual dignity and privacy are
inextricably linked in a pattern woven out of a thread of diversity into the fabric of a plural
culture. Privacy of the individual is an essential aspect of dignity.

2.4.4 Various Aspects Of Privacy:


Privacy can be divided into the following separate but related concepts:

• Information privacy, which involves the establishment of rules which govern the
collection and handling of personal data such as credit information, and medical and
government records. It is also known as "data protection";
• Bodily privacy, which concerns the protection of people’s physical selves against
invasive procedures such as genetic tests, drug testing and cavity searches;
• Privacy of communications, which covers the security and privacy of mail, telephones,
e-mail and other forms of communication; and
• Territorial privacy, which concerns the setting of limits on intrusion into the domestic and
other environments such as the workplace or public space. This includes searches, video
surveillance and ID checks.

The Internet is at once a new communication medium and a new locus for social organization on
a global basis. Because of its decentralized, open, and interactive nature, the Internet is the first
electronic medium to allow every user to "publish" and engage in commerce. Users can reach
and create communities of interest despite geographic, social, and political barriers. The Internet
is an unprecedented mechanism for providing invaluable information to government, social
organizations, health care, and educational institutions. As the World Wide Web has grown to fully
support voice, data, and video, it has become a virtual "face-to-face" social and political medium.

2.4.5 Privacy under US Constitution:


The United States Constitution does not contain any explicit right to privacy. However, the Bill
of Rights provides for protecting certain aspects of privacy. The Constitution of the USA has mostly
developed through judicial pronouncements.

In Griswold v. Connecticut54 (a landmark majority judgment of the US Supreme Court, upholding
the right to marital privacy), a Connecticut law prohibiting the use of contraceptives in any form
was contested as violative of the 14th Amendment, i.e., that "no state shall make or enforce any
law which shall abridge the privileges or immunities of citizens of the United States; nor shall
any State deprive any person of life, liberty, or property, without due process of law nor deny
any person the equal protection of the laws."

In Roe v. Wade 55 a pregnant single woman (Roe) brought a class action challenging the
constitutionality of the Texas criminal abortion laws, which proscribed procuring or attempting an
abortion except on medical advice for the purpose of saving the mother's life. The US Supreme Court
upheld a woman's choice to have an abortion, as it was a private decision between her and her doctor.

Olmstead v. United States56 was a case of wire-tapping or electronic surveillance without actual
physical invasion. Only the minority dissent of Justice Brandeis stated that the amendment
protected the right to privacy, which meant "the right to be let alone", and that its purpose was "to
secure conditions favorable to the pursuit of happiness", while recognizing "the significance of
man's spiritual nature, of his feelings and intellect": the right sought "to protect Americans in their
beliefs, their thoughts, their emotions and their sensations". This became law several decades
later.

Norman v. City Of Las Vegas57 concerned false light in the public eye, consisting of publicity which
places the plaintiff in a false light in the public eye.

Melvin v. Reid58 concerned public disclosure of private facts, consisting of a cause of action in
publicity, of a highly objectionable kind, given to private information about the plaintiff, even
though it is true and no action would lie for defamation.

54 Griswold v. Connecticut 381 U.S. 479 (1965).
55 Roe v. Wade 410 U.S. 113.
56 Olmstead v. United States 277 U.S. 438 (1928).
57 Norman v. City Of Las Vegas 64 Nev. 38, 177 P.2d 442.
58 Melvin v. Reid 112 Cal.App.285, 297.

In Carlisle v. Fawcett publication59 it was stated that tort actions for invasion of privacy fall into
four general classes, including appropriation, consisting of the appropriation, for the defendant’s
benefit or advantage, of the plaintiff’s name or likeness.

2.5 Meaning of Consumer:


“If you make customers unhappy in the physical world, they might each tell six friends. If you
make customers unhappy on the Internet, they can tell six thousand friends.” - Jeff Bezos

It is a well-known fact that the consumer plays a pivotal role in an economy. The consumer creates
the opportunity to perform an economic activity for the prosperity of the nation. Many authors
have rightly stressed the importance of the consumer in all business activities by laying due
emphasis on the consumer's position in the business world. Ideally, the customer is the King and
the uncrowned Monarch. Adam Smith emphasized this elegantly centuries ago:

“Consumer is the sole-end purpose of all production and the interest of the producer ought to be
attended to only so far as it may be necessary for promoting that of the consumer.”60

A consumer is a person who consumes. Consumers are individuals who purchase, use, maintain, and
dispose of products and services. They are the users of the final products.61 A consumer is “A person
who purchases goods and services for personal use.” 62

Therefore, consumer means any person who buys any good or goods for consideration and any
user of such goods but it does not include a person who obtains such goods for resale or for any
commercial purpose. Commercial purpose does not include use by a consumer of goods bought
and used by him exclusively for the purpose of earning his/her livelihood by means of self-
employment.

The Consumer Protection Act, 1986 defines consumer 63 as any person who:

59 Carlisle v. Fawcett publication 201 Cal. App. 2d 733, 20 Cal. Rptr. 405.
60 Adam Smith, The Wealth of Nations, J.M. Dent & Sons Ltd., 155, (London, 1937).
61 supra note 35.
62 https://en.oxforddictionaries.com/definition/consumer (last visited on Feb. 1, 2018).
63 Consumer Protection Act, 1986, (68 of 1986), Sec. 2(d).

(i) buys any goods for a consideration which has been paid or promised or partly paid and partly
promised, or under any system of deferred payment and includes any user of such goods other
than the person who buys such goods for consideration paid or promised or partly paid or partly
promised, or under any system of deferred payment, when such use is made with the approval of
such person, but does not include a person who obtains such goods for resale or for any
commercial purpose; or

(ii) [hires or avails of] any services for a consideration which has been paid or promised or partly
paid and partly promised, or under any system of deferred payment and includes any beneficiary
of such services other than the person who [hires or avails of] the services for consideration paid
or promised, or partly paid and partly promised, or under any system of deferred payment, when
such services are availed of with the approval of the first mentioned person [but does not include
a person who avails of such services for any commercial purpose].

India does not have specific legislation to protect e-consumers. Thus, India needs strong and
robust legislation which can protect consumers in an online environment.

2.5.1 E- Consumer:
In general, the rights of a consumer provided by the domestic law (Consumer Protection Act,
1986) are also available to the electronic consumer, because most consumer laws contain no special
stipulation regarding the applicability or non-applicability of electronic transactions.
But owing to differences in the nature, place and medium of business, electronic transactions or
E-commerce raise a few unique practical problems, such as the place of business, jurisdictional
issues and the non-availability of a common dispute resolution system, since there is every
possibility of a cross-border transaction in the electronic system (e-shopping), i.e. a buyer of one
nation purchasing from a seller of another nation or vice-versa. These problems certainly
require special measures that are not provided in the existing consumer legislations. The
Consumer Protection Act 1986 does not include any service that is free of charge in its ambit.
Thus an online transaction that does not charge the consumer clearly remains unprotected by the
Consumer Protection Act. In the era of E-commerce, consumers of websites that do not charge a
penny for access will not be protected under the Act. The rights of consumers and e-consumers,
though equal in theory, differ in operation or enjoyment.
Thus, when products or services are bought and sold in the virtual electronic world,
the buyer is known as e-buyer, seller is known as e-seller, retailer is known as e-retailer,
consumer is known as e-consumer and the transaction is known as e-transaction. Due to the ease of
transaction, the number of e-consumers is growing at a high rate, and within a very short period it
will overtake that of physical consumers. Considering these aspects, strong protective mechanisms
need to be set up and stringent measures in the form of laws need to be framed; otherwise not
only will e-consumers be affected, but the respective Governments will also lose state
revenues.

The internet has provided consumers with a powerful tool for searching for and buying goods
and services. Mail order or catalogue shopping has been in existence in the US since 1980. This
was the predecessor of online commerce, which started off in India post the dotcom bust in
2000.64

2.5.3 Reasons for the Growth of E-Consumer:


The number of e-consumers is growing these days because of the user-friendly nature of E-shopping,
but at the same time the risk factors in using the internet for E-shopping are also increasing and
will reach the danger mark if they are not restricted and properly regulated by time-bound
regulation. There are numerous reasons for protecting e-consumers, such as the creation of
duplicate accounts by hackers, disclosure of private information without consent, masking, caching
etc., and a few of these problems make protective measures indispensable and call for the speediest
protective mechanism. Such protection ranges from rules for opening bank accounts to standards for
the manufacture and safety of goods. Government bodies, from the local trading standards office to
the regulators of the stock market and banks, ensure that these regulations are applied, and provide
complaint procedures when things go wrong.

64 Venkatesh Ganesh, “Going back to brick and mortar” https://www.thehindubusinessline.com/news/variety/going-back-to-brick-and-mortar/article20497399.ece1 (last visited on Mar. 19, 2018).

CHAPTER 3- PRIVACY CONCERNS IN ELECTRONIC COMMERCE:

"Privacy is not an optional good, like a second home or an investment account” 65.

For the purpose of the following research, informational privacy shall mean the individual's right
to informational self-determination, that is, the right to decide personally about the disclosure
and application of their personal data. The 21st century is the age of the internet. With the help of
the internet, many E-commerce activities take place, giving rise to a large number of transactions in
the online medium. To carry out these transactions, a consumer has to give a lot of details, and
refusing to give them means the transaction cannot be completed. Thus, the E-commerce platform has
become a dangerous place, giving rise to privacy concerns from the consumer’s perspective. Privacy is
a right which a person acquires at birth. The very nature of privacy implies that no
one can interfere with the personal well-being of an individual. But in this era of E-commerce,
privacy, in spite of being a natural right possessed by an individual, is invaded in many
ways. It has merely become a joke of the century. “Someone who tailed me all day long could
find out all sorts of personal things, but nobody is going to bother, so I don’t worry about it.
This is like that.”66

The home, in other words, was a haven of privacy. Most public spaces were also havens of
anonymity. Every day, we do all sorts of things: talk, write notes, make phone calls, send
messages, drive cars, visit people, go shopping, make love, go to work, watch television, and
take a nap.67 But we expect our words, notes, messages, and behaviors to be gone with the wind.
We never expect to leave a paper or electronic trail. Nor do we want to. Yet the new technology
has the power to destroy all this. It threatens our right to privacy.

Online privacy can be compromised by two kinds of voluntary online self-disclosure. One way is
by means of explicit disclosure, such as adding personal information to profiles in social
networks, to blogs, or to personal websites. Explicit disclosure occurs intentionally and
purposefully. The other way, which is of greater impact, is through implicit disclosure. The use

65 supra note 20.
66 Diane Anderson & Keith Perine, Privacy Issue Makes DoubleClick a Target, THE STANDARD, Feb. 3, 2000 http://www.thestandard.com/article/display/0,1151,9480,00.html, Bob Tedeschi, Net Companies Look Offline for Consumer Data, N.Y. TIMES CYBERTIMES, June 21, 1999 http://www.nytimes.com/library/tech/99/06/cyber/commerce/21commerce.html.
67 supra note 14.

of almost any kind of online service is accompanied by the collection, storage and aggregation of
vast amounts of data, for example about the users' browsing and online shopping activities.
Among other things, these data are used to provide users with future online experiences
according to their preferences. Storing IP-addresses, placing cookies, using web-bugs, as well as
browser and OS fingerprints allows the website operators and third parties to track the users'
online behavior. These data can then be used to generate information about the users.68

3.1 Personally Identifying Information (PII):

3.1.1 E-Commerce and Information Privacy:


“Earlier, privacy was almost implicit, because it was hard to find and gather information. But in
the digital world, whether it's digital cameras or satellites or just what you click on, we need to
have more explicit rules - not just for governments but for private companies.” - Bill Gates

Everything we look at on the Internet is noted and retained. 69 The resulting information may be
used, sold, published, or correlated with other sources of data. Most of us have gradually become
aware of the fact that businesses are collecting information about us to use in marketing products
to us. At some moment it became impossible not to add up all the little hints. That check cashing card
we’d applied for at the supermarket in order to write checks for groceries gave the supermarket
the ability to track our purchases; when supermarkets began accepting credit cards that gave
them the same ability. The sweater we ordered from a catalog arrived in the mail along with new
glossy catalogs for people who wear sweaters. That cooking magazine we subscribed to seemed
to show up along with a score of apparently independent special offers for folks interested in
cooking.

Privacy is the ability of individuals to seclude themselves from others. Informational privacy
means confidentiality, secrecy, data protection, and control over personal information. 70
Informational privacy deals with that aspect of a person which is very personal to him, an
aspect which he would not like to disclose to everyone without his consent. In order to
68 While the term "data" refers to the original data itself, "information" is understood as the product of the analysis of data.
69 supra note 66.
70 supra note 20.

know what constitutes information privacy, we have to understand certain aspects related to it.
When a person searches for anything online or does a transaction, his information is automatically
stored. Internet providers keep detailed logs about every page that you visit, and they will very
rarely reveal the amount of time for which this (more or less sensitive) data will be stored.71 Search
engines save your exact data along with a lot of other information. The information includes your
search habits, the time for which you have used a website etc. Not every activity done
by the companies is a breach of information privacy, since in order to complete a business
transaction online or any other activity a person has to submit his personal details, which is
referred to here as information privacy. The problem lies in the fact that more information is
extracted from the person without his or her knowledge. In short, privacy is not simply an absence of
information about us in the minds of others; rather it is the control we have over information about
ourselves. No wonder that the privacy of an individual should be valued on par with the fundamental
right to freedom in a democracy.

It seems that privacy is no longer a right possessed by an individual. Nowadays we have more
conversations with our mail boxes, our social networking sites, Whatsapp and online
shopping websites. Clearly, we live in a half-augmented cyber world, where our
character and traits are no longer known only to a circle in near proximity. A person’s privacy is
very important for his self-development in the society in which he lives. Today’s E-commerce era
has threatened this privacy of people. It is basically like living under surveillance 24/7.
The very essence of democracy is endangered by the online breach of privacy. A consumer will
have trust issues if he does not feel safe in an online medium.

Privacy is thus a matter people are constantly talking about, debating, and insisting on.
Anonymity is another matter. We rarely stop to think, however, how much we depend not only
on choice, but on anonymity. 72 Imagine the following situation (not so unrealistic): highways are
monitored by radar and computers, so that every time, every single time, we drive faster than the
speed limit, the computer catches us. It records our speed, it matches it immediately to the car we
are driving, and imposes a swift, automatic fine. Such a regime would be, I suspect, intensely

71 Vlad Tiganasu, https://articles.informer.com/internet-privacy-myth-or-reality.html, (last visited on Mar. 15, 2018).
72 supra note 14.

unpopular. Driving on the highway would no longer be anonymous; there would always be a
watchful eye. Go one step further: imagine that there were cameras installed at the offices, stores,
or factories where we work, so that any time we violated some rule or law, we would be instantly
caught. People would ultimately find this intolerable. Even worse, imagine the cameras were
installed in our homes. Notice that I am not assuming any change in the actual laws. If you were
totally law-abiding, you would have nothing to fear. Most people, I imagine, would not meet this
standard. But even if they could, they would resent the loss of anonymity. They would resent the
fact that their private lives were no longer private. Here anonymity is plainly an adjunct of
privacy. A person with a camera in the bedroom is neither private nor anonymous. A person
sitting in a car full of people, none of whom she knows, is not in a "private" situation but is
nonetheless anonymous, and this may be something she feels is important. Anonymity is a value
that is not often recognized or appreciated. Take the highway situation. If we asked people
whether they approved of speeding laws, probably most would say that they do. Nevertheless, all
of us violate these laws from time to time. We assume that there is some slack, some give in the
system. We assume that enforcement is imperfect. We feel free, consciously or unconsciously, to
deviate from the norms, so long as we do not deviate too much or too often. This "right" to
deviate depends on anonymity: the fact that most of the time, nobody (or at least no police
officer) is actually looking and that drivers of other cars, though they might see us, have no idea
who we are, and do not care. But new technology can act as a threat to this cozy and convenient
situation.

3.1.2 Disclosure and Transfer Of Private Information:


With the use of sophisticated technology in today’s age the disclosure and transfer of information
of consumers have become very easy. It depends on each person whether the disclosure of his
private or personal data will cause any harm to him or not. Defining personal data is a difficult
task as it varies from person to person. With just one click a seller can transfer PII of consumers
to other parties without the consent of the consumers. The information can be sold to any person
not necessarily in the same country but anywhere in the world. Thus this becomes a very
complex situation. The low cost and effort involved, combined with the lack of consumer

awareness of contemporary data transfers (and the resulting lack of social pressure marshaled
against dissemination), makes the profit gained a win–win for the disseminator.73

Violations of Personal Information (PI) privacy, also called data protection, occur when PI is
improperly collected, used or disclosed. Westin 74 stated that there are three statements on which
people agree or disagree about PI privacy concerns:

• Consumers have lost all control over how PI is collected and used by companies.
• Most businesses handle the PI they collect about consumers in a proper and confidential way.
• Existing laws and organizational practices provide a reasonable level of protection for
consumer privacy today.

Today, more people rely on online or web services in their daily life transactions, such as buying
groceries, renewing driving licenses and checking their health. To make sure that these activities
are successful, they need to release their important PI, such as identity card number and ATM pin
number, and also other secret information regarding occupation, health, and family. A first
important class of techniques deals with privacy preservation when data are to be released to
third parties. In this case, data, once released, are no longer under the control of the
organizations owning them.

The above-mentioned point explains that once the information of a consumer is released to
third parties, it is no longer owned or controlled by the company operating that particular
transaction. Thus, once personal information is released to third parties, it is no longer in the
hands of the company to control it. Anyone can therefore have access to that information once
it has been released to a third party. The central theme of the aforesaid points is to suggest that
there has to be a framework in which a consumer’s information can be restricted from being
transferred to third parties.

Today, more people rely on online or web facilities to avail themselves of services. As the
E-commerce platform saves a lot of time, people prefer to do their transactions online rather than
in the physical world, or the brick world as it is known. To ensure its privacy, personal
information should be kept only by its owner, or its disclosure should be controlled by the owner.
But, in a web-based
73 supra note 15.
74 25 ALAN F. WESTIN, PRIVACY AND FREEDOM, 166-170, Washington and Lee L. Rev. Issue 1, (1967).

application, this information must be disclosed in order to fulfill the transaction. Although
private information is disclosed, it normally cannot, for security and privacy reasons, be
accessed by unauthorized users. For this reason, there are three main issues that need to be
considered:75

• Personal information shouldn’t be accessed by unauthorized users.
• Only required PI will be posed.
• Personal information should not pass to those who do not need the information.

3.2 Personal Information and Privacy Issues:

3.2.1 Social Networking Sites and Online Privacy:

“It can be rightly said that when in the world where everyone tells everything, one should value
privacy and seclusion more.”

People all over the globe are nowadays obsessed with social networking sites. There are many
social media websites these days, such as Facebook, Whatsapp, Twitter, etc. With social
networking site users numbering well over a billion, and with growing mobile and wearable trends
that put us online almost around the clock, we are ever connected and endlessly sharing what seems
like our every idea.

But in order to use a social networking site and see other people's posts, a person first has to
create a profile. The main purpose of these social networking sites is to establish a kinship in the
virtual world. But little did the users know that this boon was accompanied by crime too. The
lack of transparency of the social networking sites and the day-to-day crimes taking place in
cyberspace have forced us to think critically about what we really want to share and how our
information is being handled. Therefore, privacy policies should be read very carefully
before giving our consent.76

75 Norjihan Abdul Ghani & Zailani Mohamed Sidek, Personal Information Privacy Protection in E-commerce, 6 Wseas Transactions On Information Science And Applications, Issue 3 (2009).
76 Karpura Kanti Nanda & Devika Pattnaik, Right To Privacy: Concerns Vis-À-Vis Social Media, Odisha, RSRR Blog Series, Issue 2.

The services provided by these social media are free of cost. It is rightly observed that Our
Privacy Died When We Grew Obsessed with Free. 77 When the service is free, the user is the
product; in other words, when companies like Facebook create applications that we use in our
everyday lives for free, the real price is what we sacrifice for the right to use the application
for free: our information. These social networking websites are nowadays also used for buying and
selling things. Thus, they can also be covered under the E-commerce platform. For instance,
Facebook is nowadays also used as a medium for business purposes. Similarly, on Instagram,
advertisements of products can be posted to attract buyers. In order to do that, people create
their pages, and hence this will also be covered under E-commerce activity.

A 2013 study asked 528 U.S. journalists whether fear of online surveillance had changed their
research behavior. Sixteen percent stated that this fear had actually made them not search for
certain terms in search engines or not access certain websites; twelve percent said they had
considered refraining from these actions. A lack of informational privacy may thus constrain the
users' access to information outside the mainstream. 78

A feeling of being watched during these processes hinders the creation of ideas. As Professor
Paul M. Schwartz notes, "perfected surveillance of naked thought's digital expression short-
circuits the individual's own process of decision-making."79

Thus, Professor Julie E. Cohen 80 calls for "informational autonomy", and Professor Daniel J.
Solove81 calls for "free zones for individuals to flourish".

3.3 The Big Data Challenge:


The foundations of big data rest on collecting as much raw information as possible before we
even begin to understand what insight can be deduced from the data. As a result, long-standing
Fair Information Practices like collection limits and purpose limitations are increasingly viewed

77 Daniel Newman, https://www.forbes.com/sites/danielnewman/2014/08/20/there-is-no-privacy-on-the-internet-of-things/#448339227eb5, (last visited on Mar. 15, 2018).
78 FDR Group, The Impact of U.S. Government Surveillance on Writers: Findings from a Survey of PEN Membership, PEN AMERICA (Oct. 31, 2013), http://www.pen.org/sites/default/files/Chilling%20EffectsPEN%20American.pdf.
79 Paul M. Schwartz, Privacy and Democracy in Cyberspace, 52 VAND. L. REV. 1607, 1656, (1999).
80 supra note 17.
81 supra note 12.

as important, and a number of organizations and business associations have called for privacy
protections to focus more on how data might be used rather than limit which data can be
collected. 82

And big data is all about categorization. Any given individual’s data only becomes useful when
it is aggregated together to be exploited for good or ill. Data analytics harness vast pools of data
in order to develop elaborate mechanisms to categorize and organize. In the end, the worry may
not be so much about having information gathered about us, but rather being sorted into the
wrong or disfavored bucket. 83 Take the example of an Atlanta man who returned from his
honeymoon to find his credit limit slashed from $10,800 to $3,800 simply because he had used
his credit card at places where other people were likely to have a poor repayment history.

3.3.1 Virtually Irretrievable Data:


Virtually irretrievable data is data that doesn’t exist in the physical world. Such data
is generated on an online platform where consumer information is stored and then transported
to other companies for commercial use. The data is then used to study consumer behavior,
shopping patterns and other personal habits and choices. If a consumer, for example, orders
an item, say a laptop, from a shopping website, and something goes wrong with the
product or the information provided by him or her is misused by the shopping website,
he knows that he can sue that company. But what if the consumer doesn’t
know by whom his information was stolen or misused? The more serious threats arise when
such information leaves the hands of its collectors and enters the realm of cyberspace, a place
where it is virtually irretrievable. The information collected and sold to a third party can be
sold multiple times to different parties. The consumer will thus be left remediless in
situations where he doesn’t even know where his information is being used and for what
purpose.84 Thus E-commerce poses serious concerns relating to the privacy of consumers.
Thus, the disclosure of that information is not binding or obligatory on the third person who
possesses it.

82 World Econ. F., Unlocking The Value Of Personal Data: From Collection To Usage 4 (2013), http://www3.weforum.org/docs/WEF_IT_UnlockingValuePersonalData_CollectionUsage_Report_2013.pdf.
83 Lior Jacob Strahilevitz, Toward a Positive Theory of Privacy Law, 126 HARV. L. REV. 2010, 2021-33 (2013); Omer Tene, Privacy: For the Rich or for the Poor?, CONCURRING OPINIONS (July 26, 2012, 2:05 AM), http://www.concurringopinions.com/archives/2012/07/privacy-for-the-rich-orfor-the-poor.html.
84 supra note 15.

3.3.2 Buying and Selling Of Data:
Perhaps the only word more abused and used in the tech space than “Internet of Things” is “Big
Data.” In itself, Big Data means very little. It is merely the massive collection of information that
resides out in cyberspace that is waiting to be somehow organized, visualized, and
contextualized. 85 Some people adopt silly but vaguely reassuring tactics: confuse the collectors
by using different variations of your name; make up several different assumed middle initials;
choose your favorite merchants and fill out their information cards so that they will reap the extra
cents from selling you to the data banks; trade your shopper’s advantage cards with your
neighbors; open bank accounts at different banks; fill in forms with your work address and phone
number rather than your home address and phone number, and pay your bills using different
credit cards.86

3.3.3 Data Brokers:


The concept of data brokers is directly related to the informational privacy of consumers. It is
rightly said that “if data is the new oil, then there is a gigantic oil spill all around you.” 87 The
trade-off of privacy for convenience and even power is one that many people are happy to make.
Few in the west keep any significant secrets from their smart phones, which know whom we talk
to, where we have been, and what we write, read, watch and photograph. “Data brokers are
companies that collect personal information about consumers from a variety of public and
non-public sources and resell the information to other companies.” 88 In simple words, data brokers
are persons who collect the personal information of consumers and then sell it to
third parties for profit. They may also be referred to as information brokers or
information retailers.

The basic motive behind the collection of information of consumers is to track their habits and
preferences and then make an analysis on the basis of that information gathered. The data
collected through data mining by the companies is sold to third parties. The companies are

85 https://www.theguardian.com/technology/2016/aug/31/personal-data-corporate-use-google-amazon (last visited on Mar. 17, 2018).
86 Id.
87 https://economictimes.indiatimes.com/tech/internet/how-data-brokers-are-selling-all-your-personal-info-for-less-than-a-rupee-to-whoever-wants-it/articleshow/57382192.cms (last visited on Mar. 17, 2018).
88 The Federal Trade Commission, “FTC to Study Data Broker Industry’s Collection and Use of Consumer Data.” News release, December 18, 2012. http://www.ftc.gov/opa/2012/12/databrokers.shtm (last visited on Mar. 20, 2018).

incentivized or are given profit to sell the information of consumers. There are some companies
whose names we have not even heard of that have more information about us than anyone else.
The Web pages we visit, where we're shopping, who we're interfacing with on social media - all
of that information is available to be collected by entities that park themselves on the various
websites. 89 The information gathered and analyzed then goes to other parties who want to make a
profit out of the information provided by consumers, without the consumers even knowing about it.

A person’s personal information is something which is very dear to him. He considers it an
asset which he cherishes. Intruding into a person’s life by misusing the information which he
considers to be completely safe with the E-commerce platform he is dealing with infringes
his right by stepping on his privacy. Your personal data - be it your residential address, your
phone number, email id, details of what you bought online, age, marital status, income and
profession - is all up for sale. Most of this personal data is sold for less than a rupee per person,
which is the cost of a chewing gum. 90 Thus, these companies treat the data of consumers as an
asset to be stored and used by them for their lucrative goals. When you sign up for free
discounts, fill out questionnaires, or simply generate a click stream, you are giving up all the data
voluntarily and agreeing to privacy policies that allow this. Depending upon the website,
that information can go to ad networks and analytics companies. Take, for instance, a person who
buys a book through a website which specifically sells all kinds of books. Before
buying, the person also clicks on other books which he liked. If this search information ends up in the hands of
data brokers, then it will be added to his digital biography.

“Globally, data broking is an approximately $200-billion industry. Marketing products generate
over 50% revenue, followed by risk mitigation, which constitutes approximately 45% of the
revenue, and, finally, people search constitutes the remainder.” Data brokerage is still at a
nascent stage in India and there is no legislation which specifically governs privacy and data
brokerage. Data brokerage in itself is not illegal but it definitely works in a grey zone. India’s IT
Act 2000 does not specifically deal with the issues of data brokerage. As there are no specific
provisions to deal with them, rampant practices of data appropriation allow corporations and
governments to build their wealth and power, without the headache of obtaining consent and

89
https://www.npr.org/sections/alltechconsidered/2016/07/11/485571291/firms-are-buying-sharing-your-online-
info-what-can-you-do-about-it (last visited on Mar. 17, 2018).
90
supra note 87.

providing compensation for the resource they desire. In almost all such situations the consumer
is not even aware of their data being misappropriated, let alone giving their consent to the use of
such personal information.

3.3.4 Publishing Personal Data:

Broadly, publishing personal data concerns publishing any information relating to an identifiable
living individual on a website. This raises some issues which differ from publication in a hard
copy medium:
• Publication on a website renders the material, by default, immediately available for transfer
to a user in any country in the world. Publication through a website makes the material posted
available to any person. Such information will not necessarily be transferred only to a
person in the same country; it may also be transferred to any person in the world.
• Publication on a website may, due to its greater reach, be regarded as different in kind from
publication in a hard copy medium.
• The fact that the website is a computerized medium also brings the publication firmly within
the scope of data protection legislation.
• Publication on a website will give rise to issues concerning the security of the computer
system driving the website and the ease or difficulty with which the system may be hacked
and material altered or damaged.

Thus the above mentioned points highlight the fact that once a consumer clicks on an online
platform, the information which he registers may not be safe anymore. Now, the important point
of discussion is what harm is caused if his information is leaked or stolen by some
other party. Lack of privacy makes a consumer reluctant to buy online as he develops trust issues
with the website or, for that matter, any other E-commerce platform he is dealing with.

In yet another case, i.e. Infinity e-search (Gurgaon BPO) 91, a young person, Karan Bahari, aged
24 years, was working for a Gurgaon-based website designing and online marketing firm, Infinity
e-search. He was alleged to have fraudulently sold information on 1000 bank accounts of British
customers from an Indian call centre to an undercover British journalist working for a British
newspaper, The Sun, for 2750 pounds. The employee Karan, however, denied the charge and

91
Infinity e-search (Gurgaon BPO) Decided by Delhi High Court on June 24, 2005 (India).

claimed that he was only a middleman and that he did not sell data collected by his employer, i.e.
the Infinity e-search company. The company also denied any involvement in the case, as it did not
handle any data for the bank named in the said newspaper and its employee Karan Bahari
did not have access to confidential data of any kind. In this case, it was alleged that the British
journalist for The Sun used Karan Bahari, who was working at Infinity e-search, as an
intermediary, offered him a job and requested a presentation on a CD, and later claimed that
the CD contained confidential data about a thousand bank accounts of British customers
obtained from an Indian call centre. However, on investigation, the fact that the CD contained
such data could not be substantiated by the journalist and, therefore, the charges of fraud could
not be proved against Karan Bahari or his employer, i.e. the Infinity e-search company. But the
case has raised the apprehension that there is a possibility of an anti-outsourcing backlash if Indian
online companies do not take sufficient care of the data which they handle.

3.3.5 Breach of Consumer Privacy:


Big data is transforming individual privacy and not in equal ways for all. We are increasingly
dependent upon technologies, which in turn need our personal information in order to function.
This reciprocal relationship has made it incredibly difficult for individuals to make informed
decisions about what to keep private.92 Perhaps more important, the privacy considerations at
stake will not be the same for everyone: they will vary depending upon one’s socioeconomic
status. It is essential for society and particularly policymakers to recognize the different burdens
placed on individuals to protect their data.

Privacy norms can play an important role in defining social and individual life for rich and poor.
Privacy upholds social “rules of civility” that create “a certain kind of human dignity and
autonomy which can exist only within the embrace of community norms.” 93 Post cautioned that
these benefits would be threatened when social and communal relationships were replaced by
individual interactions with “large scale surveillance organizations.” 94

92
Joseph W. Jerome, Buying And Selling Privacy: Big Data’s Different Burdens And Benefits, 66 STAN. L. REV.
47-53 (2013).
93
Robert C. Post, The Social Foundations of Privacy: Community and Self in the Common Law Tort, 77 CALIF. L.
REV. 957, 959 (1989).
94
Id.

Today, privacy has become a commodity that can be bought and sold. While many would view
privacy as a constitutional right or even a fundamental human right, 95 our age of big data has
reduced privacy to a dollar figure. There have been efforts both serious and silly to quantify the
value of privacy. Browser add-ons such as Privacyfix try to show users their value to
companies, 96 and a recent study suggested that free Internet services offer $2,600 in value to
users in exchange for their data. 97 Curiously, this number tracks closely with a claim by Chief
Judge Alex Kozinski that he would be willing to pay up to $2,400 per year to protect his family’s
online privacy. 98 In an interesting Kickstarter campaign, Federico Zannier decided to mine his
own data to see how much he was worth. He recorded all of his online activity, including the
position of his mouse pointer and a webcam image of where he was looking, along with his GPS
location data, for $2 a day, and raised over $2,700. 99 “Monetizing privacy” has become something
of a holy grail in today’s data economy. We have seen efforts to establish social networks where
users join for a fee and the rise of reputation vendors that protect users’ privacy online, but these
services are luxuries. And when it comes to our privacy, price sensitivity often dictates
individual privacy choices. Because the “price” an individual assigns to protect a piece of
information is very different from the price she assigns to sell that same piece of information,
individuals may have a difficult time protecting their privacy. 100 Privacy clearly has financial
value, but in the end there are fewer people in a position to pay to secure their privacy than there
are individuals willing to sell it for anything it’s worth.

A recent study by the European Network and Information Security Agency discovered that most
consumers will buy from a more privacy invasive provider if that provider charges a lower

95
supra note 54.
96
Joe Mullin, How Much Do Google and Facebook Profit from Your Data?, ARS TECHNICA (Oct. 9, 2012, 6:38
AM PDT), http://arstechnica.com/tech-policy/2012/10/howmuch-do-google-and-facebook-profit-from-your-data, (
last visited on Mar. 15, 2018).
97
Net Benefits: How to Quantify the Gains that the Internet Has Brought to Consumers, ECONOMIST (Mar. 9,
2013),http://www.economist.com/news/finance-andeconomics/21573091-how-quantify-gains-internet-has-brought-
consumers-net-benefits.
98
Matt Sledge, Alex Kozinksi, Federal Judge, Would Pay a Maximum of $2,400 a Year for Privacy,
HUFFINGTON POST (Mar. 4, 2013, 5:51 PM EST), http://www.huffingtonpost.com/2013/03/04/alex-kozinski-
privacy_n_2807608.html.
99
Federico Zannier, A Bite of Me, KICKSTARTER, http://www.kickstarter.com /projects/1461902402/a-bit-e-of-
me (last visited on Mar. 29, 2018).
100
Alessandro Acquisti et al., What Is Privacy Worth?
27-28 (2010), http://www.heinz.cmu.edu/~acquisti/papers/acquistiISR-worth.pdf.

price.101 The study also noted that when two companies offered a product for the same price, the
more privacy-friendly provider won out. This was hailed as evidence that a pro-privacy business
model could succeed, but this also anticipates that, all things being equal, one company would
choose not to collect as much information as a competitor just to be seen as “privacy friendly.”
This defeats much of the benefit that a big data economy promises.

3.4 Phishing:
In general terms, phishing means stealing someone else’s information for one’s own gain. Online
identity theft of the consumer has long been an epidemic. An official definition of online identity
theft is the practice of pretending to be someone else on the internet. 102 Thus, this technique is
used to fool consumers and get access to their personal information. A more comprehensive
definition sees phishing as “a social engineering attack in which an adversary lures an
unsuspecting Internet user to a web site posing as a trustworthy business with which the user has
a relationship”, and continues to state that “the broad goal is identity theft; phishers try to fool
web visitors into revealing their login credentials, sensitive personal information, or credit card
numbers with the intent of impersonating their victims for financial gain”. 103 People using the
internet are sent spoofed emails which are difficult to detect through normal security.
Not every person understands the technicalities required to detect these fake
emails, and hence they fall prey to them. These emails are difficult to detect by visual checks
and spam filters, and are designed to be highly believable and trustworthy. Online tools are used
to send these spoofs. Moreover, these spoofed emails can be sent to a large number of persons at
the same time, thus increasing the reach of the attack.

A typical phishing attack is made up of two components: an authentic-looking email and a
fraudulent Web page. 104 The content of the phishing email is usually designed to confuse, upset,
or excite the recipient. This spoofed Web page may also include a graphical user interface (GUI)

101
NICOLA JENTZSCH ET AL., EUR. NETWORK & INFO. SEC. AGENCY, STUDY ON MONETISING
PRIVACY: AN ECONOMIC MODEL FOR PRICING PERSONAL INFORMATION 1 (2012),
http://www.enisa.europa.eu/activities/identity-and-
trust/library/deliverables/monetisingprivacy/at_download/fullReport.
102
supra note 16.
103
Greg Megaw & Stephen V. Flowerday, Phishing within E-commerce: A Trust and Confidence Game, IEEE.
(2010).
104
M. Tariq Banday & Jameel A. Qadri, Phishing – A Growing Threat to E-commerce, The Business Review, ISSN.
76-83, (2007).

intended to lure the user into entering their bank account information, credit card number, social
security number, passwords, or other sensitive information.105

In general, according to the Anti-Phishing Working Group (APWG), overall unique phishing
attacks received and reported increased by 186% from 2013 to 2015. Countless other mass
phishing emails were blocked by anti-spam filters and so were not counted. 106

The primary purpose of phishing is to lure the consumers so that they will click the spoofed
emails and then the information will be sent to the party who has sent these emails. Thus for this
purpose they create fake websites. A phishing Web site is a site that is designed to mimic the
legitimate Web site of the organization whose brand is being spoofed. In many cases, it is set up
by the attacker to capture a victim’s authentication information or other personal identification
information, which can then be used in identity theft or other fraudulent activity. 107
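The two components described above (a spoofed email and a look-alike Web address) leave traces that a mail filter can check. The following is an added example, not part of the dissertation or of any product it cites: a small heuristic checker run over two constructed sample messages. The brand `examplebank`, the domains ending in `.test` and `.example`, and the finding labels are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (constructed placeholders, not taken from the source text):
LEGIT_DOMAINS = {"examplebank.test"}  # domains the spoofed brand really uses
BRAND = "examplebank"                 # brand token an impersonator would reuse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased hostname of a URL or of a bare host string."""
    candidate = value if "://" in value else "//" + value
    return (urlparse(candidate).hostname or "").lower()


def is_legit(host):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyse(raw_email):
    """Return a list of heuristic findings for one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    findings = []

    # 1. Display name claims the brand, but the address is on another domain.
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    if BRAND in display.lower().replace(" ", "") and not is_legit(sender_host):
        findings.append("sender-brand-mismatch")

    # 2. Replies are steered to a different domain than the sender's.
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rpartition("@")[2].lower() != sender_host:
        findings.append("reply-to-differs")

    # 3. Links: visible text shows one host, href goes to another, or the
    #    href host embeds the brand name without belonging to the brand.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = host_of(href)
        if " " not in text and "." in text:
            text_host = host_of(text)
            if text_host and text_host != href_host:
                findings.append("link-text-mismatch")
        if BRAND in href_host and not is_legit(href_host):
            findings.append("lookalike-host")
    return findings


# Constructed sample messages (not real traffic).
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@mail-examplebank.example>
Reply-To: collector@webmail.example
Subject: Verify your account
Content-Type: text/html

<p>Dear customer, please confirm your details:</p>
<a href="http://examplebank.test.login-verify.example/update">https://www.examplebank.test/login</a>
"""

LEGITIMATE_SAMPLE = """\
From: "Example Bank" <statements@examplebank.test>
Subject: Your statement
Content-Type: text/html

<a href="https://www.examplebank.test/statements">View your statement</a>
"""

if __name__ == "__main__":
    print(analyse(PHISHING_SAMPLE))
    print(analyse(LEGITIMATE_SAMPLE))
```

Checks of this kind are heuristics: they flag the mismatch between the claimed brand and the actual sender or link target, which is the property the spoofed email and fake website share, but they do not replace sender authentication or user awareness.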

Deceptive phishing is the most common method adopted nowadays to get the information of
people, and ultimately their privacy is lost. The case of National Association of Software
and Service Companies (NASSCOM) v. Ajay Sood and others, 108 ruled that phishing on the
internet is an illegal act entitling the victim to an injunction and recovery of damages, just as in
a case of passing off. In the instant case, the plaintiff, i.e. the National Association of Software and
Service Companies, having the trade name NASSCOM, was India’s premier software
association, and the defendants were running an employment agency providing employment and
recruitment opportunities to job-seekers. In order to obtain personal data which they could use
for the purposes of recruitment, the defendants composed and sent e-mails to the concerned
parties in the name of NASSCOM. On a complaint from the plaintiff, the High Court of Delhi
passed an ex-parte ad interim injunction restraining the defendants from using the trade name or
any other name deceptively similar to NASSCOM. The Court further restrained the defendants
from representing themselves as being associated with or a part of NASSCOM and ordered a search
of the defendants’ premises by a local Commission. On the basis of two hard disks of computers
recovered from the defendants, it was found that the e-mails were sent by the defendants to

105
Id.
106
https://www.vadesecure.com/en/ecommerce-security-issues/ (last visited on Mar. 23, 2018).
107
e-comm4entrepreneur.blogspot.ihtmln/2008/06/phishing. ( last visited on Mar. 23 2018).
108
National Association of Software and Service Companies ( NASSCOM) v. Ajay Sood and others 119 (2005)
DLT 596.

fictitious persons in order to hide their illegal fraudulent activities. The investigation also
revealed that the defendants had collected a huge amount of money by fraudulently using
NASSCOM’s trade name. Finding no other way to escape liability and punishment, the
defendants admitted their crime and the parties agreed to a mutual compromise under which the
defendants were to pay 1.6 million rupees to the plaintiff by way of damages for violation of the
plaintiff’s trade name rights. The hard disks seized from the defendants’ possession were ordered
to be handed over to the plaintiff, who would be the sole owner of those disks. This case is
considered a landmark decision in the history of Indian cybercrimes for an obvious reason.
Firstly, phishing is punishable as a cyber offence although there is no specific statutory
legislation to this effect. The Court in this case expressed the view that, of late, phishing has
developed as a sophisticated method of committing organized cybercrime by befooling even the
most experienced and knowledgeable persons. Phishing criminals sneak into a computer network
or a social networking site, obtain the e-mail addresses of people and create messages that
purport to come from direct bosses. They manipulate legitimate websites to redirect e-mails to
bogus sites that collect victims’ information.

The recent Indian Cyber Lotto Case 109 was a very interesting one on online gambling. A man called Kola
Mohan invented the story of winning the Euro Lottery. He himself created a website and an
email address on the Internet with the address ‘eurolottery@usa.net’. Whenever accessed, the
site would name him as the beneficiary of the 12.5 million pounds. After confirmation, a Telugu
newspaper published this as news. He collected huge sums from the public as well as from
some banks for mobilization of deposits in foreign currency. However, the fraud came to
light when a cheque discounted by him with the Andhra Bank for Rs. 1.73 million bounced.
Mohan had pledged with Andhra Bank the copy of a bond certificate purportedly issued by
Midland bank, Sheffields, London stating that a term deposit of 12.5 million was held in his
name.

In another recent case, the Mumbai Police solved a phishing scam. 110 In 2005, a financial institute
complained that they were receiving misleading emails ostensibly emanating from ICICI Bank’s
email ID. The investigation was carried out with the help of those emails received by the customers

109
Prashant Mali: Cyber Law & Cyber Crimes, 85, Snow White Publications. 1st ed. (2012).
110
Cyber Crime Cell, Mumbai: Case of Phishing. Mumbai Police, http://www.cybercellmumbai.com/case-
studies/case-of-fishing [last visited on Mar. 23, 2018].

of that financial institute, and the accused was arrested; the place of offence at Vijaywada was
searched for evidence. One laptop and a mobile phone, which were used for
the commission of the crime, were seized there. The arrested accused had used open source email application
software for sending spam emails. He had downloaded the software from the net and then used
it as it is. He used to spam the customers of the financial institute. After spamming emails
to the financial institute’s customers, he got responses from around 120 customers, of which 80 were
genuine and the others were not correct because they did not have the debit card details required for e-
banking. The customers of the financial institute who received his email felt that the email
had originated from the financial institute. When they filled in the confidential information
and submitted it, the information was directed to the accused. This was possible because a
dynamic link was given on the first page (home page) of the fake web site. A dynamic link
means that the link is activated only when people click on the link provided in the spam email.
The dynamic link was coded by handling the Internet Explorer on-click event, and the
information in the form was submitted to the web server (where the fake web site was hosted).
The server then sent the data to a configured email address, which in this case was
the email address of the accused. So, on submission, the confidential information was
directed to the email ID of the accused. He received all the information obtained by phishing (user name, password,
transaction password, debit card number and PIN, mother’s maiden name)
through the Wi-Fi internet connectivity of Reliance.com which was available on his Acer
laptop. This crime has been registered u/s 66 of the IT Act and sec. 419, 420, 465, 468, 471 of the
I.P.C. r/w which attract the punishment of 3 years imprisonment and fine up to 2 lakh rupees.

Cyber Stalking:

The Mrs. Ritu Kholi Case 111 is a good example of cyber stalking. The gravity of cyber stalking came
into focus in India when the Delhi Police was asked by one Mrs. Ritu Kholi to file a complaint against
an unknown person who was using Mrs. Kholi’s name to chat over the Internet for four
consecutive days. While chatting on the Net, the unknown person was posing as Mrs. Kholi, was
giving her address to anyone who would respond and was using obscene language. He would also
encourage others to telephone Mrs. Kholi by giving out her telephone number. Because of this
mischief, Mrs. Kholi received 40 calls in three days, mostly at odd hours, from places like

111
Farooq Ahmad: Cyber Law of India (Law on Internet), 411, New era Law Publication, 3rd ed..

Ahmedabad, Bombay, Cochin and Kuwait, which shattered the personal life and mental peace of the
victim. The police machinery swung into action. After a thorough investigation, the IP
addresses were traced, which led to the arrest of Manish Kathuria, who pleaded guilty. The
accused was arrested under Section 509 of the IPC and was afterwards released on bail (the case
was registered before the coming into force of the IT Act, 2000).

3.5 Online Shopping and Consumer Protection:


The trend of buying online has grown tremendously over the past decade. People seem to be
taking an interest in transacting online as it saves a lot of time. Moreover, shopping online
gives a consumer a lot of product options at a variety of prices. The fact that a consumer is able
to buy the product of his choice with a single click acts as the cherry on top. Product information
is more extensive and price / product comparisons are also possible, enabling consumers to make
choices. E-commerce allows consumers to electronically exchange goods and services with no
barriers of time or distance. There are many benefits of online shopping which I shall discuss
here, some of them being the convenience of consumers, easy modes of payment, and the availability
of a wide range of products which are usually not available in the physical market.

E-commerce in India brought a leading change in the lifestyle of the Indian consumer with the entry
of the online retailer Amazon and the online auctioneer eBay in the late 1990s. 112 Thereafter, several
innovative steps were taken to go further with their business promotion by making use of the web for
advertising their products and widening the platform for online commerce through these
websites. The scenario further changed with the use of social networking, which brought a
remarkable flow of online purchases after the year 2006. The picture as on date is that a number of
modes are in operation for online purchases throughout the country.

The value of our time has gone up and our activities are more convenient, accurate, and faster. We
no longer need to go to the store to buy any given product. One or two clicks are enough to
get the product shipped right to the doorstep. 113 Traditionally, products had to go
through many distribution steps before the consumer received them. E-commerce allowed many of these
steps to be skipped, getting us the profits that could have been lost in those steps.

112
http://blogs.consumerawakening.com/E-commerce-and-consumer-law/, Posted on June 7, 2016 (last visited on
Mar. 20, 2018).
113
supra note 16.

The requirements of an E-consumer are the same as those of a traditional consumer. But E-
consumers are more vulnerable to attacks on their privacy as compared to traditional
consumers. In light of this, it could be suggested that the need for “trust” is even greater in E-
commerce than in offline trade. Yet businesses have been poor at creating trust in E-commerce,
and in many jurisdictions consumer protection laws continue to be weak. With e-retailers failing
to create the necessary trust, the law plays a crucial role in creating consumer trust in E-
commerce, trust that will benefit businesses, consumers and society. As a result, better E-
consumer protection will increase consumer confidence, leading to greater E-consumerism, which
benefits the three partners, i.e. businesses, consumers and society. The reception of E-commerce
was immediate as it offered automation of commerce, for instance, displaying products on the
web, taking orders, processing payments online and coordinating inventory and delivery
departments. The E-commerce industry is likely to evidence an upsurge in the online consumer base,
new product categories and online retailers seeking to optimize the online shopping experience. It has
been predicted that E-commerce sales will increase at a steady rate of 19 percent year to year. 114

But in spite of all the advantages of shopping online, there are serious threats attached to it. The
cyberspace and its capacity to collect and arrange vast amounts of information without the digital
consumer even knowing this is an emerging threat to traditional privacy values. Today
transactions over the internet often require the consumers to divulge large amounts of personal
information including credit/ debit card details and delivery details. Also the possession of such
information gives E-business the opportunity to analyze it, discovering the trends and increasing
the efficiency of their business dealings.115 Consumers usually have no idea about the potential
uses of such information, and as such have no idea as to the possible misuse of such information
and the violation of their privacy that could happen.

Online privacy is perhaps the number one E-commerce concern. The rapid increase in use of E-
commerce is accompanied by rise in the number of attacks against the privacy of online
transactions. Consumers have doubts about the privacy of personal information supplied to e-
traders. In the digital economy, individuals may leave behind electronic "footprints" or records of
where they have been, what they spent time looking at, the thoughts they have aired, the

115
Swetha Swathy, November 14, 2017, https://blog.ipleaders.in/consumer-protection-laws/ , (last visited on Mar.
20, 2018).

messages they sent, and the goods and services they purchased. 116 The related privacy issues
arise from the fact that all this computer-processable personal information, whether
automatically generated or not, can potentially be collected, stored, detailed, individualized,
linked and put to a variety of uses in places geographically dispersed all around the world,
possibly without user knowledge or consent.117

There are certain privacy issues which arise when a consumer shops online through any E-
commerce platform. Smith 118 has defined such aspects in relation to information privacy, which are
discussed below.

3.6 Harm To Self-Development Caused By Online Self-Disclosure:


A lack of privacy may cause harms to the individuals themselves. Individuals' cognitive
processes depend on unbiased and unrestricted access to information and an uninhibited
development of ideas.

Entering a search query and accessing a website can be activities that disclose the users'
thoughts. 119 While users are searching for information online, website operators and internet
service providers can store the URL of the accessed websites, search engine operators can record
the searched items and accessed hits, and email providers can retain email metadata. 120

Similarly, the documentation of the search for information creates "intellectual records", which
provide a "partial transcript of the operation of a human mind." 121

116
Poonam Pathak, Challenges Of Online Shopping And Consumer Protection, 3 IJMSS. Issue-09 September, (2015).
117
Id at 2.
118
supra note 6.
119
Ira S. Rubinstein et al., Data Mining and Internet Profiling: Emerging Regulatory and Technological Approaches,
75 CHI. L. REV. 261, 272 (2008).
120
Kurt Opsahl, Why Metadata Matters, ELECTRONIC FRONTIER FOUNDATION (June 7, 2013),
https://www.eff.org/deeplinks/2013/06/why-metadata-matters.
121
Neil M. Richards, Intellectual Privacy, 87 TEX. L. REV. 387, 436 (2008).

Chapter 4: Statutory Framework of US and Indian Laws in Context of Privacy in
Electronic Commerce
The purpose of this chapter is to analyze whether the existing laws afford a principle which can
properly be invoked to protect the privacy of the individual in E-commerce and, if so,
what the nature and extent of that protection is. This chapter also seeks to show that the present
law prevalent in India is not adequate to protect consumers in E-commerce activities.
The USA has many legislations which are based on the privacy concerns of consumers. These
legislations cover the privacy of citizens in health related sectors, electronic communication,
children's online privacy, etc. The USA, being a technology-friendly and developed country, does have
legislations which provide for the consumer’s protection in E-commerce.

India, on the other hand, does not have any specific law dealing with the consumer’s privacy. In
India, we still have the age-old Indian Contract Act, which came into force in the year 1872.
Apart from the Contract Act, we have the Information Technology Act 2000, which has certain
provisions dealing with the personal data of consumers. Apart from these laws, we have the
Indian Penal Code, 1860, which contains certain provisions that govern instances of online
fraud. But these Acts do not have any specific provision dealing with consumer privacy
online. The present chapter thus focuses on the various laws which govern the privacy of consumers
in E-commerce. It also discusses various loopholes in these laws and thus gives a clear picture
of the status quo of the current regime.

A comparative analysis will be done between India and USA to highlight that the laws in USA
are quite well equipped and advanced to deal with the issue of online privacy of consumers.
India too needs to adopt and enact such laws to prevent the privacy of consumer being misused
in an online platform.

4.1 E Commerce Privacy Laws For Consumer Protection In India:

4.1.1 Information Technology Act, 2000:


Pre-amendment, the Information Technology Act, 2000 provided a shade of privacy protection to
guard against unwarranted disclosure. These were provisions in the nature of prohibition of
disclosure of information gathered in the course of performance of functions mandated under the
Act. Continuing this approach, the Amendment of 2008 added several sections which seek to

guard against the disclosure of information which is gathered in the course of their functions.
What is interesting is that these regulations go beyond the regulations on telecommunications
insofar as providing for affirmative duties on intermediaries as well as penal sanctions for non-
adherence. These are mostly in the nature of protecting strict confidentiality with the data and
provide for penal sanctions. The second area where the dissemination of information is
prohibited pertains to obscene materials and pedophilia. These are not analyzed for the causal
ingredient since for the prohibition it is the existence of ‘obscenity’ and not a breach of privacy
that is vital. Hence, they cannot be properly considered as legislative measures to protect the
privacy harms of information dissemination.

The existing rules and laws which regulate the internet pose several problems which were not
contemplated by the legislators earlier, as the technology was not so advanced then. The problem is
not whether the Internet should be regulated, but how. This entirely new sort of communication
poses several entirely new sorts of problem for regulators. A legal framework for E-commerce
has been provided by the Information Technology (IT) Act, 2000, making India only the twelfth
country worldwide which has such a comprehensive legislation for E-commerce in place. This
Act also effects consequential amendments in the Indian Penal Code and the Indian Evidence
Act, 1872, to bring them in line with the requirements of digital transactions. The IT Act
essentially seeks to address three areas or perceived requirements for the digital era:

• To make possible E-commerce transactions, both business to business (B2B) and business to consumer (B2C).
• To make possible E-governance transactions, both government to citizen and citizen to government.
• To curb cyber crime and regulate the Internet.

The Information Technology Act, 2000 was amended in 2008 to increase security of
E-commerce transactions, with special provisions for legal recognition of digital signatures and
electronic documents.

Section 43 of the IT Act, 2000:

Section 43 holds a person liable if he uses the computer of a person without authorized access
or introduces any virus in it, or damages or disrupts the functions of that computer. The law is
clear that such a person is wholly liable to pay damages by means of monetary
compensation.

This section does not talk about the situation when a person’s identity is not known and data is
stolen from a computer. The section also states that any person who gains access to someone
else’s computer will be punished. Thus intention is immaterial according to this section, which
defeats the very purpose of introducing it in the first place under the Act. Thus the main issue of
privacy can’t be tackled by this section. These steps need to be matched by sorting out the issues
of privacy of a person in the online medium.

In the Pune Citibank Mphasis Call Center Fraud case, 122 some ex-employees of MsourcE, the BPO
arm of Mphasis Ltd, defrauded US customers of Citibank to the tune of Rs 1.5 crores. Life
was good for John Varghese. The 31 year old Pune resident had just returned from a holiday in
Bangkok. Another Qualis was on the way to augment his lone taxi. Apart from his taxi business,
John did other 'odd jobs'. Then suddenly, the police swooped. And Pune, the rest of India and
very soon, the world awoke to India's first major e-banking fraud. The crime was obviously
committed using "Unauthorized Access" to the "Electronic Account Space" of the customers.
The MphasiS-Citibank funds siphoning case is particularly noteworthy because of the ease with
which a bunch of young BPO employees from middle-class, criminal-free backgrounds allegedly
pulled off a financial fraud worth nearly half-a-million dollars. The five accused employees of
MsourcE, the BPO arm of MphasiS BFL, namely unit supervisor Maurelene Fernandes (25), Bijoy
Alexander (26, HR), and former customer care executives Ivan Thomas (30), Siddhartha Mehta
(20) and Stephan Daniel (24), were no geeks or hackers. They were not breaking through
firewalls or decoding encrypted software. Instead, they are said to have identified glaring
loopholes in the MphasiS system, devised a modus operandi and roped in friends like John.

India's first outsourcing cyber fraud was a well-planned scam. The call centre agents used to
befriend their victims during routine calls and extract confidential details like passwords and
PINs. Says Jerry Jaitirth Rao, chairman of MphasiS: "They seem to have used a technique called
social engineering to get confidential information through friendly conversations." Social
engineering has become a popular mode of soliciting information because people are getting
more aware of the digital route called phishing. 123 In phishing, bogus e-mails are sent to an
account holder asking him to fill in details about his bank account and passwords for verification.
The e-mails seem to come from the bank and unsuspecting customers often reply, parting with
confidential information.

122 http://www.legalserviceindia.com/lawforum/index.php?topic=2236.0 (last visited on Mar. 27, 2018).

The scam may never have come to light but for Citibank, New York, and Citigroup Investigative
Services, Mumbai, which detected the fraud, did their own snooping and then urged the Pune
police to lay a trap. The Pune cyber crime cell, headed by Assistant Commissioner of Police
Sanjay Jadhav, had revealed that even Citigroup realized the illegal funds transfers had happened
through MphasiS only when former employees spilled the beans after being nabbed by the
police. Being the authorized E-banking service providers to Citibank, MphasiS-MsourcE
employees were privy to confidential details of various account holders. The only pieces missing
were the passwords/PINs, which the prime accused in the scam, Maurelene and Ivan, allegedly
got by "sweet-talking" five account holders. "People seem to have given these PINs innocently.
Once you give your house keys to the thief, there's bound to be havoc," says Jadhav. Having
obtained the PINs, the group allegedly opened fictitious e-mail accounts to divert E-banking
funds transfer confirmations.

Thus, the original account holders never got the confirmations they would have otherwise got in
the event of a funds transfer. Neither Citibank nor MphasiS detected anything amiss after the
first illegal transfer in November 2004. However, Citibank finally smelt a rat, after at least one
account-holder complained. It alerted Citigroup Investigative Services in Mumbai, headed by
Rajendra Bhagwat. Bhagwat's team in Mumbai immediately touched base with the recipient
banks in Pune and confirmed the fraud. The Pune police's cyber crime cell was alerted and a trap
duly laid. On April 1, Ivan and a co-accused, Shailesh Bhulewar, came to check about a transfer
in a Rupee Co-operative Bank branch in Pune. The police immediately swung into action and
detained the suspects. There have been a total of 16 arrests since that day, with investigations
throwing up fresh details virtually every day. Many of the accused have been charged under
section 67 of the IT Act, 2000 and Indian Penal Code sections 420 (cheating), 465, 467 and 671
(forgery) besides other sections.

123 Abhay Vaidya, https://timesofindia.indiatimes.com/home/sunday-times/deep-focus/Indias-first-BPO-scam-unraveled/articleshow/1086438.cms (last visited on Apr. 1, 2018).

Been E-conned yet? Even if you haven't, you may know someone who has. But not many would
have opted for the legal route. Cyber law expert Pavan Duggal points out: "Though online frauds
are taking place regularly, not all of them are reported. Ironically, in most cases victims are well-
educated."124 Even if cases do get reported, how many are likely to get solved? Fly-by-night
operators of here-today, gone-tomorrow websites seldom leave any clues. "Most of the time,
investigators fail to trace them as they do not leave any physical evidence behind. Law-enforcing
agencies simply do not have the appropriate tools to detect and prosecute them under the IT Act,
2000. "The Act is basically meant to facilitate E-commerce and is grossly inadequate to deal
with cyber crimes. Under the Act, crimes can be investigated only by a senior police officer of
ACP rank or above which means the only recourse for victims is the cyber cell, functioning from
police headquarters. Not surprisingly, the number of cases registered is minuscule. Since the IT
Act does not cover the entire gamut of online frauds, most cases are referred to the economic
offence wing of the police. Here, cases are registered under the Indian Penal Code, namely
Sections 420, 460, 468 and 471. But the IPC was enacted in 1860 and thus is not efficient
enough to deal with online fraud issues of this kind.

ITA-2000 is versatile enough to accommodate the aspects of crime not covered by ITA-2000 but
covered by other statutes, since any IPC offence committed with the use of "Electronic
Documents" can be considered as a crime with the use of "Written Documents". "Cheating",
"Conspiracy", "Breach of Trust" etc. are therefore applicable in the above case in addition to
the sections of ITA-2000. Under ITA-2000 the offence is recognized both under Section 66 and
Section 43. Accordingly, the persons involved are liable for imprisonment and fine as well as a
liability to pay damages to the victims to the maximum extent of Rs 1 crore per victim, for which
the "Adjudication Process" can be invoked.

Perhaps India needs to take a cue from the US which has specific laws relating to online frauds.
In the meantime, technology may prove the savior. India too needs to adopt a technology like the US
which will enhance the privacy protection.

124 Id.

Section 43A of the IT (Amendment) Act, 2008: Liability for body-corporate:

The newly inserted Section 43A by the Amendment Act of 2008 makes a start at introducing a
mandatory data protection regime in Indian law. The section obliges corporate bodies who
‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’
security practices, failing which they would be liable to compensate those affected by any
negligence attributable to this failure. It is only the narrowly defined ‘body corporate’
engaged in ‘commercial or professional activities’ that is the target of this section. Thus
government agencies and non-profit organizations are entirely excluded from the ambit of this
section. “Sensitive personal data or information” is any information that the Central Government
may designate as such, when it sees fit to. The “reasonable security practices” which the section
obliges body corporate to observe are restricted to such measures as may be specified either “in
an agreement between the parties” or in any law in force or as prescribed by the Central
Government. By defining both “sensitive personal data” and “reasonable security practice” in
terms that require executive elaboration, the section in effect pre-empts the courts from evolving
an iterative, contextual definition of these terms.

Information Gathering:

The term information 125 has been defined as follows: "information" includes data, text, images,
sound, voice, codes, computer programmes, software and databases or micro film or computer
generated micro fiche. The ever increasing reach of the internet was belatedly realized by the
Indian legislature in 2001 126 and it has been playing a game of catch up ever since. 127 However,
regulations pertaining to privacy were largely absent from the statute.

One can find that rules for interception of telecommunications were only framed in 1999 128 after
the Supreme Court decision in PUCL v. Union of India. 129 These rules provide the blueprint for
the interference with privacy rights for ‘intrusion upon a person’s solitude or seclusion’ and
‘information collection.’ These rules are the close mirrors to the rules which have recently been
enacted under sections 69 and 69B.

125 Information Technology Act, 2000 (No. 21 of 2000), Act of Parliament, Sec. 2(v).
126 APAR GUPTA, COMMENTARY ON THE INFORMATION TECHNOLOGY ACT, 2000 3-4 (LexisNexis Butterworths Wadhwa 2007).
127 Department Of Information Technology, Ministry Of Communications & Information Technology, Government Of India, Report Of The Expert Committee On Proposed Amendments To Information Technology ACT 2000, (2005), http://www.mit.gov.in/sites/upload_files/dit/files/downloads/itact2000/ITAct.doc.
128 Indian Telegraph (First Amendment) Rules, 1999.
129 PUCL v. Union of India (1997) 1 S.C.C. 301.

In the Delhi Hackers’ Case, 130 Delhi police arrested two hackers on 6th February 2001. It was
breaking news in India because two people were arrested by the Delhi police on an allegation
of hacking a website. This was probably the first case in India where the accused were arrested, as
said by police Commissioner Rajan Bhagat. Both the hackers were detained for allegedly
blocking the website named goZnextjob.com. This website provides support and information to
prospective employers and job-seekers. The accused posted a message on that website declaring
that it was closed, but actually it was very much open. The hackers were sent to judicial custody
for 14 days as they were charged under section 406 of the Indian Penal Code, i.e. criminal breach of
trust, and section 66 of the Information Technology Act 2000, i.e. the offence of hacking. Though
they were denied bail by the Metropolitan magistrate on 8th February 2001 after they were
arrested on 6th February 2001, on 12th February the Additional Session judge of Delhi, Mr. P.K.
Gauba, granted bail to those two hackers who were the partners of software solutions, Mr. Amit
Pasani and Mr. Kapil Juneja. Thus, even if the people get caught, they are granted bail as the
present laws do not have stringent punishment for those who violate privacy.

Section 66 of the IT Act, 2000:

In Kumar v. Whiteley131 the accused gained unauthorized access to the Joint Academic Network
(JANET) and deleted, added files and changed the passwords to deny access to the authorized
users. Investigations had revealed that Kumar was logging on to the BSNL broadband Internet
connection as if he was the authorized genuine user and ‘made alteration in the computer
database pertaining to broadband Internet user accounts’ of the subscribers. The CBI had
registered a cyber crime case against Kumar and carried out investigations on the basis of a
complaint by the Press Information Bureau, Chennai, which detected the unauthorized use of
broadband Internet. The complaint also stated that the subscribers had incurred a loss of Rs
38,248 due to Kumar’s wrongful act. He used to ‘hack’ sites from Bangalore, Chennai and other
cities. He was sentenced to undergo a rigorous imprisonment for one year with a fine of Rs 5,000
under section 420 IPC (cheating) and Section 66 of IT Act (Computer related Offense).

130 M. Dasgupta: Cyber Crime in India, 88, Calcutta Eastern Law House Kolkata, (2008).
131 http://cyberlawcybersecurity.com/cyber-security-law-cases/ (last visited on Mar. 10, 2018).

In State v. Rajesh Gosain & Anr., 132 the case arose on the complaint of Mr. Vijay Govind Saxena,
General Manager (HR), M/s. Vogueserv International Pvt. Ltd., alleging that their ex-employees,
namely, Mr. Rajesh Gosain, Mr. Alok Gupta, Mr. Abhishek Arvind and Mr. Mohit Kothiwal, had
committed theft of data by way of unauthorized access to the computer system, network and
emails of the company and also took wrongful possession of sensitive and confidential
information entrusted to them in their capacity. It was further alleged that the aforesaid persons
diverted business from Vogueserv International Pvt. Ltd. to their newly formed company.

Section 66 E of the IT (Amendment) Act, 2008:

Section 66E of the Information Technology Act, 2008 is titled “punishment for violation of
privacy.” Though, the title of the section is worded broadly it seeks to apply only to capturing an
“image of the private area of a person”, “under circumstances violating the privacy of the
person.” The circumstances violating the privacy of a person are when such person has a
reasonable expectation that (a) he or she could disrobe in privacy without being concerned that
an image of his/her private area was being captured; or (b) any part of his/her private area would
not be visible to the public, whether such person is in a public or a private place.

This section does not talk about the situations when a person’s information is gathered without
his consent and misused. There are cases when a person’s details such as his name, address, phone
number, email id etc. are stolen. This section does not cover such cases. The section’s
scope is very narrow in nature and hence it should be amended to include all cases where a
person’s privacy might be violated, and not just the case where an image of a person’s private
area is captured.

Section 67 of the IT Act, 2000:

This section provides for punishment for publishing or transmitting obscene material in
electronic form. In the case of Avnish Bajaj v. State (NCT Delhi), 133 Baazee.com was an online
auction website and Avnish Bajaj was its Chief Executive Officer (CEO). He was arrested in
December, 2004 for distributing cyber pornographic material. The charges against him arose
from the fact that someone had sold copies of a pornographic CD through the Baazee.com website.
The CD was also being sold in the Delhi market. It was as a result of joint action of the Delhi and
Mumbai police that the accused was arrested. However, he was later released on bail by the
Delhi High Court as there was no prima facie evidence that Mr. Bajaj directly or indirectly
published the said pornography and the actual obscene recording or clip could not be viewed on
Baazee.com. The investigation in this case revealed that Bajaj was of Indian origin and had
family ties in India. His company’s website, Baazee.com, was a customer website which
dealt in the online sale of property on a commission basis. An obscene MMS clipping ‘A DPS girl
having fun’ was listed for sale on Baazee.com on November 27, 2004 and some copies of this
clipping were sold by the company. The accused Mr. Bajaj in his defense pleaded that Section 67
of the Information Technology Act, under which he was charged and arrested, relates to
publication of obscene material and not the transmission of such material. The Court ruled that
the burden rests on the accused to prove that he was only the service provider and not the content
provider. The court held that the accused deserved to be released on bail as the evidence showed
that the obscene material may have been unwittingly offered for sale on his company’s website
and there was a probability of the alleged crime having been actually committed by some other
person. The accused was, however, ordered to furnish two sureties of one lakh rupees each,
to surrender his passport and not to leave India without the permission of the court. He was finally
enlarged on bail subject to the condition that he shall participate and assist in the investigation. Thus,
lack of evidence helped the accused to be released and the case was thus dismissed.

132 State v. Rajesh Gosain & Anr DE/0409/2014.
133 Avnish Bajaj v. State (NCT Delhi) (2005) 3 Comp. LJ 364 (Delhi). This case is popularly known as Baazee.com case.

Section 69 of the IT Act, 2000:

After much discontentment and debate, 134 the Information Technology Act, 2000 received its
first major amendment in 2008. 135 The Amendment Act sought to rectify the many deficiencies
which had been noticed with the application of the enactment. The amendment sought to make
the Information Technology Act, 2000 a self sufficient Act with respect to internet behavior.
Hence the legislature introduced section 69. Section 69 is titled the “power to issue directions for
interception or monitoring or decryption of any information through any computer resource.”
The section mirrors section 5(2) of the Telegraph Act, 1885 containing the same limitations on
the exercise of the power to issue directions. It contains a similar structure adhering to the
constitutional limitations as prescribed in PUCL, where the direction may only be issued when

• Public emergency; or
• Public safety situations exist.

134 Editorial, Plugging IT Loopholes, Hindu Bus. Line, Sept. 6, 2005, Http://Www.Blonnet.Com/2005/09/06/Stories/2005090600061000.Htm.
135 Information Technology (Amendment) Act, 2008, No. 10 of 2009, Act of Parliament.

It does not cause surprise that the recent regulations prescribed under section 69(2) for providing
the procedure for issuing directions also broadly follow Rule 419-A.136 They mirror most of the
procedural safeguards of documentary adherence, oversight and automatic expiry. Thus, only
when a situation of public safety is concerned this section will be used.

Section 69B of IT (Amendment) Act, 2008:

Though styling itself to be concerned properly with the processing of information, section 69B is
a hybrid between information gathering and processing. 137 The section is titled “power to
authorize to monitor or collect traffic data or information through any computer resource for
cyber security.” The section’s objectives are essentially better internet management with the
specific mandate of “enhancing cyber security and for identification, analysis and prevention of
intrusion or spread of computer contaminant.” Towards this goal the section allows for issuing
directions to “monitor and collect traffic data or information generated, transmitted, received or
stored in any computer resource.” A review of the regulations formed under the section makes it
clear that the harms which will be incurred are in the nature of information processing, such as
aggregation and identification.138 The section provides similar safeguards as found in section 69,
but the conditions for exercise of the power are entirely different. Due to this, the reasons which
have to be recorded are not on the high thresholds which are set under section 69. 139 Hence, there
lies an argument against the constitutionality of the section as the regulations formed under it
clearly contemplate independent directions to monitor data, which as a technical pre-requisite
necessarily requires interception.

136 Rule 419 A of Indian Telegraph Rules, 1951.
137 Information Technology (Amendment) Act, 2008, (No. 10 of 2009), Act of Parliament, Sec. 69B.
138 Rule 3(4), Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009 (“may include the monitoring of data or information for any person or any class of persons.”)
139 Rule 3(2), Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009 (contains the different types of situations which can threaten cyber security).

4.1.2 The Information Technology (Reasonable Security Practices and Sensitive Personal
Data or Information) Rules, 2011 (SPDI Rules):
The SPDI Rules have been issued under Section 43A of the IT Act. Section 43A relates to
Compensation for Failure to Protect Data and enables the enactment of reasonable security
practices and procedures for the protection of sensitive personal data. The SPDI Rules
incorporate, to a limited extent, the OECD Guidelines, specifically: collection limitation, purpose
specification, use limitation and individual participation. The SPDI Rules mandate certain
requirements for the collection of information, and insist that it be done only for a lawful purpose
connected with the function of the organization. In addition, every organization is required to
have a detailed privacy policy. The SPDI Rules also set out instructions for the period of time
information can be retained, and give individuals the right to correct their information.
Disclosure is not permitted without consent of the provider of the information, unless such
disclosure is contractually permitted or necessary for legal compliance. When it comes to sharing
information with Government agencies, the consent of the provider is not required and such
information can be shared for purposes such as verification of identity, prevention, detection and
investigation including of cyber incidents, prosecution, and punishment of offences. The SPDI
Rules apply only to corporate entities and leave the government and government bodies outside
their ambit; the rules are restricted to ‘sensitive personal data’, which includes attributes like sexual
orientation, medical records and history, biometric information etc., and not to the larger
category of personal data.

Further, the Cyber Appellate Tribunal, which hears appeals under the IT Act, issued its last
order in 2011. The absence of effective enforcement machinery therefore raises concerns about
the implementation of the SPDI Rules. It is thus necessary to make a comprehensive law to
adequately protect personal data in all its dimensions and to ensure effective enforcement
machinery for the same.

Conventional Treatment of Information Disclosure/Dissemination:

What further complicates the mix of privacy injuries is the nature of the information. Information
which lies at the root of privacy in all cases is not the same. It deals with different scopes of
human activity, and a breach into the privacy of each incurs a different grade of harm. Claims
have often been made that the publication of facts harms the privacy of a person in society. Here
we are specifically concerned about the information privacy of consumers. The above mentioned
provision is not applicable in cases of privacy breach by a third party in an online medium.

4.1.3 Data Protection and IT Act, 2000:


‘Data protection’ and the Information Technology Act, 2000 have implications for
each other. The objectives of the Act clearly speak about the protection of
cyber-related matters. It provides for protection against certain breaches in relation to data from
computer systems. The said Act comprises provisions to prevent the unlawful use of computers,
computer systems and data stored therein. Several provisions have been inserted which
are related to ‘data protection’. The new Section 43A and Section 72A of the Act clearly
speak about the protection of data.

This 2008 Amendment Act represents a significant step towards combating the multitude of
crimes of the cyber age. The changes introduce statutory data protection into Indian law,
thereby finally ceding to the demand of the US and European nations over the past decade. The
service providers are now facing imprisonment for the disclosure of ‘personal information’ 140
in violation of contractual obligation. Moreover, the disclosure of ‘sensitive personal
information’ 141 makes the perpetrator liable to pay damages.

Therefore, data protection has been given the same status as a matter of right. Technological
development is the main focus in analyzing the EU Data Protection legislation
and the stand of the Indian Information Technology (Amendment) Act 2008. It talks about the corporate
exercise of data, such as access, sharing, disclosure, publication, security measures and the penalty, in the
light of the Information Technology Act 2008. The IT Rules 2011 also give the
impression of a concern for rights in their provisions. 142 The importance of the outsourcing
business in India, and how this may impact the flow of business from European Union companies.

140 Under the Personal Data (Protection) Bill 2013, Section 2 (p) “personal data” means any data which relates to a natural person if that person can, whether directly or indirectly in conjunction with any other data, be identified from it and includes sensitive personal data.
141 Under the Personal Data (Protection) Bill 2013, Section 2 (x) “sensitive personal data” means personal data as to the data subject’s – (i) Biometric data; (ii) Deoxyribonucleic acid data; (iii) Sexual preferences and practices; (iv) Medical history and health; (v) Political affiliation; (vi) Commission, or alleged commission, of any offence; (vii) [Ethnicity, religion, race or caste]; and (viii) [financial and credit information].

Absence of an Effective Injury Discovery and Redressal System:

Thus the IT Act fails to address the privacy issues of consumers effectively. In spite of having
certain provisions in the Act, no provision deals with the privacy issues of online consumer per
se. In this internet era where almost all the transactions are done by using some or the other
online medium, this lacuna in the law needs to be taken care of.

The other problem is the non-adherence to procedure, which is compounded by the absence
of an effective legal measure to discover the privacy harm until the information is publicly
distributed, making the subject aware of the infraction. This seems necessary as a notification
may cause the concealment of the information which is sought to be gathered. However, this
problem is acute. The limited precedent at hand is in cases where an offence is alleged against a
person and the information gathered through surveillance is presented in court. The PUCL case
itself arose out of statistics of a study presented by the Central Bureau of Investigation which
stated the high degree of warrantless eavesdropping on conversations of politicians.

Even in the unlikely event that an ordinary person suspects that he is under electronic
surveillance, his remedies are onerous to enforce. The Courts in their magnanimity may
entertain (a) a writ proceeding under Article 226 or 32 of the Constitution of India for judicial
review of the police action and for appropriate relief; (b) criminal action against the officers
responsible for criminal trespass subject to other provisions of Code of Criminal Procedure,
1973; (c) damages in tort by filing a civil suit; and (d) appropriate compensation in a public law
jurisdiction from the Court of judicial review under Article 226 or 32 of the Constitution. These
remedies may look attractive, however, they take substantial time, effort, money and lawyering
to enforce. Hence relying on litigation to cure privacy breaches will be ineffective.

There is no direct legislative provision with respect to privacy infringement on the internet but
the IT Act, 2000 under sections 72 and 72A provides for penalty for breach of confidentiality
and privacy and punishment for disclosure of information in breach of lawful contract
respectively.

142 Information Technology Rules 2011, http://www.ijlt.in/pdffiles/IT-(Reasonable%20Security%20Practices)-Rules-2011.pdf (last visited on Feb. 20, 2018).

However, the cyber law of India is a piecemeal legislation that covers multiple areas and in this
attempt it is not covering even a single area effectively. India must either formulate a
comprehensive and holistic techno legal framework or it must adopt specific and dedicated laws
for various fields. There is no doubt that India needs a new and better cyber law and the old one
must be repealed.

On the first, though governments (such as the US government) have taken several steps,
countries like India are yet to develop reliable technologies. One of the criticisms leveled against
the IT Act is that it does not have any clause ensuring security and protection of the online
consumer. It might be argued that the existing Consumer Protection Act, 1986 is quite
comprehensive and can be extended to cover online consumers also, as, after all, online shopping
is just another way of transacting business. However, even if this be the case, there are several
aspects peculiar to digital transactions, such as electronic payments, confidentiality, transaction
data, etc., that lead to problems arising in cyberspace. 143 An international consensus on privacy
protection is developing around the OECD guidelines on the protection of privacy and trans-border
flows of personal data, which embody well-established principles of fair information
practices. In light of the above negatives associated with E-commerce (especially with buying on
the Internet) and taking into consideration the rapid growth of this industry, it is important that
consumer groups in India take this problem seriously and come up with guidelines that can be
used to make shopping on the Internet a safe experience.

4.2.1 Indian Penal Code, 1860 (IPC):


In absence of a specific legislation dealing with online privacy, provisions of IPC are also used
as it is the main law which governs the crimes in India. In an online world, there are many cases
where online fraud is committed.

The Sony.Sambandh.com Case 144 (2002) was the first cyber related fraud case in which the
accused was convicted. This case has sent out a message that the provisions of the Indian Penal
Code can be effectively applied to certain categories of cybercrimes which are not covered under
the Information Technology Act, 2000. The complainant, Sony India Private Ltd., was running a
website called www.sony.sambandh.com which enabled non-resident Indians to send Sony products to
their relatives and friends in India after they make online payment for the products. In May,
2002, someone logged on to the website under the identity of Ms. Barbara Campa and ordered a
Sony colored TV set and a cordless headphone. She gave her credit card number for payment
and requested the product to be delivered to Arif Azim in Noida. The payment was cleared by
the complainant Sony India Ltd., who delivered the items to Arif Azim after following the
relevant procedure of due diligence. It also took a digital photograph showing the delivery
being accepted by Arif Azim. Nearly one and a half months after this transaction, the credit card
agency informed Sony (India) company that it was an unauthorized fraudulent transaction as the
real owner had denied having made the purchase. Thereupon, the company lodged a complaint
for online cheating to the CBI, which registered a case against Arif Azim under Section 418, 419,
420 of the Indian Penal Code. The investigation of the case revealed that the accused Arif Azim,
who was working at a call center at Noida, gained access to the credit card number of an
American national, which he had misused on the company’s website. The CBI recovered the
colored TV and cordless headphone from Arif Azim. The Court, on the basis of evidence of
witnesses and material before it, found Arif Azim guilty of offence under Section 418, 419, 420,
IPC and convicted him for cyber fraud and cheating. However, in view of the young age of the
accused, i.e. 24 years, and this being his first conviction, the Court ordered his release on
probation for a period of one year.

143 supra note 24.
144 supra note 131.

Bangalore techie convicted for hacking government site (2009, Deccan Herald): In November
2009, the Additional Chief Metropolitan Magistrate, Egmore, Chennai, sentenced N G Arun
Kumar, a techie from Bangalore, to undergo rigorous imprisonment for one year with
a fine of Rs 5,000 under Section 420 IPC (cheating) and Section 66 of the IT Act (hacking). 145
Investigations had revealed that Kumar was logging on to the BSNL broadband internet
connection as if he was the authorized genuine user and ‘made alteration in the computer
database pertaining to broadband internet user accounts’ of the subscribers. The CBI had
registered a cyber crime case against Kumar and carried out investigations on the basis of a
complaint by the Press Information Bureau, Chennai, which detected the unauthorized use of
broadband internet. The complaint also stated that the subscribers had incurred a loss of Rs
38,248 due to Kumar’s wrongful act. He used to ‘hack’ sites from Bangalore as well as from
Chennai and other cities, they said.

145 http://www.deccanherald.com/content/35482/bangalore-techie-convicted-hacking-govt.html (last visited on
April 2, 2018).

4.3.1 The Right to Information Act, 2005 146:


Indian law has made some exceptions to the rule of privacy in the interest of the public,
especially subsequent to the enactment of the Right to Information Act, 2005 (RTI). The RTI
Act makes an exception under section 8 (1) (j), which exempts disclosure of any personal
information which is not connected to any public activity or of public interest or which would
cause an unwarranted invasion of privacy of an individual. What constitutes an unwarranted
invasion of privacy is not defined. However, courts have taken a positive stand on what
constitutes privacy in different circumstances.

4.3.2 Data Protection & Right to Information Act, 2005:


In India, the Right to Information comes with the contention of setting out “the practical regime of right to
information for citizens to secure information under the control of public authorities in order to
promote transparency and accountability for matters connected therewith or incidental thereto”.
This is the preamble of the 2005 Act, and Section 2(j) gives the definition of ‘right to
information’. The issue that now arises is whether the ‘data’ kept with the public authority is safe or
not. Whether the digital data referred to in clause (iv) of Section 2(j) is being maintained properly is
really in doubt.

So far as this Act is concerned, ‘data protection’ is taken care of as a matter of right of the
individual. In Bennett Coleman v. Union of India, 147 the court held that ‘it is
indisputable that by freedom of press meant the right of all citizens to speak, publish and express
their views,’ and ‘freedom of speech and expression includes within its compass the right of all
citizens to read and be informed’.

In Indian Express Newspaper (Bombay) v. Union of India, 148 the Court held that, “the basic
purpose of freedom of speech and expression is that all members should be able to form their
beliefs and communicate them freely to others. In sum, the fundamental principle involved here
is the people’s right to know”.

146 Right to Information Act, 2005 (No. 22 of 2005), Act of Parliament.
147 Bennett Coleman v. Union of India AIR 1973 SC 60.
148 Indian Express Newspaper (Bombay) v. Union of India (1985) 1 SCC 641.

4.3 Data Protection & Consumer:


The consumer's relationship with the organization is vital to articulating the matter of ‘data
protection’. Put another way, due to E-commerce the data protection of consumers is in danger and
misuse is growing day by day. The only issue relates to the collection, storage, accuracy and use
of data provided by internet users. The greatest concern here is BPO fraud; all such fraud comes
under the penal provisions of the IT Act. 149 This phenomenon arises only because of the customer's
relationship with the authority. If the authority, i.e. the service provider, maintains a proper privacy
policy then this situation will not arise. But the unfortunate part is that the authority is not at all
bothered about this kind of privacy policy. The enforcement agencies are also not aware of
such violations of rights.

A P SHAH REPORT ON ONLINE PRIVACY:


In the light of the recommendations given by Justice A P Shah in his report on protection of
online privacy, the following suggestions can be made. The report has stated nine national
privacy principles. The nine national privacy principles include: 150

Principle 1: Notice

A data controller shall give simple to understand notice of its information practices to
all individuals, in clear and concise language, before any personal information is collected from
them. Such notices should include:

During Collection

• What personal information is being collected;
• Purposes for which personal information is being collected;
• Uses of collected personal information;
• Whether or not personal information may be disclosed to third persons;
• Security safeguards established by the data controller in relation to the personal information;
• Processes available to data subjects to access and correct their own personal information;

149 Adv. Swati Sinha, “Data Protection Law in India-Needs and Position,”
Feb. 21, 2015, http://www.legalserviceindia.com/article/l368-Data-Protection-Law-In-India.html.
150 Report of the group of experts on Privacy, Ajit Prakash Shah (Former Chief Justice, High Court of Delhi), 16th
2012, Planning Commission, (Ministry Of Planning, S & T And Earth Sciences),
http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf (last visited on Jan. 10, 2018).

Example of Implementation: A telecom service provider must make available to individuals a
privacy policy before any personal information is collected by the company. The notice must
include all categories of information as identified in the principle of notice. For example, the
service provider must identify the types of personal information that will be collected from the
individual from the initial start of the service and during the course of the consumer using the
service. For a telecom service provider this could range from name and address to location
data. The notice must identify if information will be disclosed to third parties such as
advertisers, processors, or other telecom companies. If a data breach that was the responsibility
of the company takes place, the company must notify all affected customers. If individuals have
their personal data accessed or intercepted by Indian law enforcement or for other legal purposes,
they have the right to be notified of the access after the case or other purpose for the data has
been met.

Principle 2: Choice and Consent


A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their
personal information, and take individual consent only after providing notice of its information
practices. Only after consent has been taken will the data controller collect, process, use, or
disclose such information to third parties, except in the case of authorized agencies. When
provision of information is mandated by law, it should be in compliance with all other National
Privacy Principles. Information collected on a mandatory basis should be anonymized within a
reasonable timeframe if published in public databases. As long as the additional transactions are
performed within the purpose limitation, fresh consent will not be required. The data subject
shall, at any time while availing the services or otherwise, also have an option to withdraw
his/her consent given earlier to the data controller. In such cases the data controller shall have the
option not to provide goods or services for which the said information was sought if such
information is necessary for providing the goods or services. In exceptional cases, where it is not
possible to provide the service with choice and consent, then choice and consent should not be
required.

Example of implementation: If an individual is signing up to a service, a company can only
begin collecting, processing, using and disclosing their data after consent has been taken. If the
provision of information is mandated by law, as is the case for the census, this information must
be anonymized after a certain amount of time if it is published in public databases. If there is a
case where consent is not possible, such as in a medical emergency, consent before processing
information does not need to be taken.

Principle 3: Collection Limitation


A data controller shall only collect personal information from data subjects as is necessary for
the purposes identified for such collection, regarding which notice has been provided and
consent of the individual taken. Such collection shall be through lawful and fair means.

Principle 4: Purpose Limitation


Personal data collected and processed by data controllers should be adequate and relevant to the
purposes for which they are processed. A data controller shall collect, process, disclose, make
available, or otherwise use personal information only for the purposes as stated in the notice after
taking consent of individuals. If there is a change of purpose, this must be notified to the
individual. After personal information has been used in accordance with the identified purpose it
should be destroyed as per the identified procedures. Data retention mandates by the government
should be in compliance with the National Privacy Principles.

Principle 5: Access and Correction


Individuals shall have access to personal information about them held by a data controller; shall
be able to seek correction, amendments, or deletion of such information where it is inaccurate; be
able to confirm that a data controller holds or is processing information about them; be able to
obtain from the data controller a copy of the personal data. Access and correction to personal
information may not be given by the data controller if it is not, despite best efforts, possible to do
so without affecting the privacy rights of another person, unless that person has explicitly
consented to disclosure.

Principle 6: Disclosure of Information
A data controller shall only disclose personal information to third parties after providing notice
and seeking informed consent from the individual for such disclosure. Third parties are bound to
adhere to relevant and applicable privacy principles. Disclosure for law enforcement purposes
must be in accordance with the laws in force. Data controllers shall not publish or in any other
way make public personal information, including personal sensitive information.

Principle 7: Security
A data controller shall secure personal information that they have either collected or have in their
custody, by reasonable security safeguards against loss, unauthorized access, destruction, use,
processing, storage, modification, unauthorized disclosure [either accidental or incidental] or
other reasonably foreseeable risks.

Principle 8: Openness
A data controller shall take all necessary steps to implement practices, procedures, policies and
systems in a manner proportional to the scale, scope, and sensitivity to the data they collect, in
order to ensure compliance with the privacy principles, information regarding which shall be
made in an intelligible form, using clear and plain language, available to all individuals.

Principle 9: Accountability
The data controller shall be accountable for complying with measures which give effect to the
privacy principles. Such measures should include mechanisms to implement privacy policies;
including tools, training, and education; external and internal audits, and requiring organizations
or overseeing bodies extend all necessary support to the Privacy Commissioner and comply with
the specific and general orders of the Privacy Commissioner.

4.4 European Union Directive on Data Protection:


On October 24, 1995, the European Union adopted Directive 95/46. 151 The objectives of the
Directive 95/46 are stated as being to protect the fundamental rights and freedoms of natural
persons, and in particular their right to privacy with respect to the processing of personal data,
and to prevent the restriction and prohibition of the free flow of personal data between member
states for privacy reasons (Art 1).

151 Directive on the processing of personal data (Data Protection Directive).

The Data Protection Directive:

• Provides that personal data may only be processed if specific criteria are met;
• Requires member states to balance data protection with freedom of expression;
• Sets out rights for individuals – being:
  • The right to be informed that their information is being processed;
  • The right to access their information and the right to object to certain types of processing.

Directive on Privacy and Electronic Communication:

In 1997, the European Union adopted a directive relating to privacy in the telecommunication sector. 152
Widespread concern about the potential threats to privacy posed by the internet prompted the
EU to adopt a replacement directive – the directive on privacy and electronic communication. 153
This Directive also contains provisions of relevance to anybody who maintains a website or who
uses email for the distribution of marketing material.

4.5 US Legislative Framework on Privacy Laws in E-Commerce:


The word privacy cannot be found in the U.S. constitution. But, provisions of the Constitution
have been construed to protect specific privacy rights of individuals. Typically, if a person has a
'legitimate expectation of privacy' then a person may enjoy certain privacy rights. 154 For a person
to have a 'legitimate expectation of privacy,' one needed to show that one had an actual
expectation of privacy and that their expectation of privacy is an expectation that the public
recognizes, or is prepared to recognize, as reasonable. 155 However, over the past three decades,
the U.S. Congress has enacted various legislation granting individuals specific privacy rights.

4.5.1 Fourth Amendment and Right to Privacy:

The Fourth Amendment to the US Constitution protects the people's right "to be secure in their
persons, houses, papers, and effects, against unreasonable searches and seizures". The Fourth
Amendment also applies to information stored online. In part, this is because the Fourth
Amendment defines the "right to be secure" in spatial terms that directly apply to the "reasonable
expectation of privacy" in an online context. The Fourth Amendment protects "the right of the
people to be secure in their persons, houses, papers, and effects, against unreasonable searches
and seizures." The Fourth Amendment has been stressed as a right that protects people and not
places, which leaves the interpretation of the amendment's language broad in scope. In addition,
society has not reached clear consensus over expectations of privacy in terms of more modern
(and developing, future) forms of recorded and/or transmitted information.

152 Directive 97/66/EC.
153 2002/58/EC of the European Parliament and of the Council of July 12, 2002.
154 Smith v. Maryland, 442 U.S. 735, 740 (1979).
155 Id.

"The right of the people to be secure in their persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be violated; and no Warrants shall issue but upon
probable cause, supported by Oath or affirmation, and particularly describing the place to be
searched, and the persons or things to be seized." 156 The Fourth Amendment of the US Constitution
protects citizens of the US from arbitrary search and seizure of their property and place, which also
includes their houses. The aim of this provision is to protect the citizens from unreasonable
interference in their lives. The courts must determine what constitutes a search or seizure under
the Fourth Amendment. If the conduct challenged does not fall within the Fourth Amendment,
the individual will not enjoy protection under the Fourth Amendment.

A. Search

A search under Fourth Amendment occurs when a governmental employee or agent of the
government violates an individual's reasonable expectation of privacy. 157 A person's reasonable
expectation of privacy means that someone who unreasonably and seriously compromises
another's interest in keeping her affairs from being known can be held liable for that exposure or
intrusion.

B. Seizure of a Person

A seizure of a person, within the meaning of the Fourth Amendment, occurs when the police's
conduct would communicate to a reasonable person, taking into account the circumstances
surrounding the encounter, that the person is not free to ignore the police presence and leave at
his will.

156 4th Amendment, US Constitution (Bill of Rights).
157 Legal Information Institute, Cornell Law School, https://www.law.cornell.edu/wex/fourth_amendment (last
visited on March 27, 2018).

The U.S. Supreme Court initially ruled in Olmstead v. U.S. 158 that electronic eavesdropping by
federal agents without judicial approval is not a search or seizure, since the government
intercepted conversations without entering the defendant's home and conversations aren't
tangible things to be seized. However, this decision was later overruled in Katz v. United
States. 159 Justice Brandeis, in his dissent, wrote that “the makers of our constitution
undertook to secure conditions favorable to the pursuit of happiness. They conferred against the
government, the right to be let alone- the most comprehensive of rights and the right most valued
by civilized men.” He said that it appears that the constitutional right to privacy is here to stay.

The expectation of privacy test was propounded in Katz v. United States, 160 where Justice
Harlan stated it in his concurring opinion. The test states that a person must have a
reasonable expectation of privacy and that the expectation should be recognized by society as reasonable.
Thus a person's expectation of privacy in an open ground will not be a reasonable expectation of
privacy, and hence citizens can’t expect the government to protect their privacy.

In United States v. Jones, 161 the majority decided that long-term surveillance via a GPS beacon
attached to a car bumper constituted a search due to the physical trespass upon the bumper. Yet
Justice Sotomayor, concurring, and Justice Alito, joined by Justices Ginsburg, Breyer, and Kagan
and concurring in the judgment, suggested that the collection of sufficiently large amounts of
information might amount to a search (thus implicating the Fourth Amendment) regardless of
physical trespass. By focusing too much on what information is gathered rather than how it is
gathered, efforts to protect reasonable expectations of privacy threatened by new and developing
surveillance technologies will disserve the legitimate interests of both information aggregators
and their subjects.

Although the Court resolved Jones on the narrow grounds of physical trespass, five justices
wrote or joined concurring opinions showing sympathy for the proposition that citizens hold
reasonable expectations of privacy in large quantities of data, even if they lack reasonable
expectations of privacy in the constitutive parts of that whole. Thus, they would have held that
Jones had a reasonable expectation in the aggregate of data documenting his public movements
over the course of four weeks, even though he did not have any expectation of privacy in his
public movements on any particular afternoon.

158 supra note 56.
159 Katz v. United States 389 U.S. 347.
160 Id.
161 United States v. Jones 132 S. Ct. 945.

In Kyllo v. United States, 162 the Court was invited to limit Fourth Amendment protection to
activities in the home that can be regarded as “intimate.” Writing for the Court, Justice Scalia
demurred precisely because he thought the Court had neither the qualifications nor the authority
to determine what is and is not “intimate.” He therefore focused on the invasiveness of the
technology itself, a heat detection device, and its potential to render a wide range of activities in
the home, whether “intimate” or not, subject to government surveillance. 163

Technology and Fourth Amendment Doctrine:

The Court is aware of the challenges that technological development has posed to its traditional
Fourth Amendment assumptions. Though the Court has yet to encounter data mining directly, in
a series of recent cases it has expressed fear about uninhibited adoption of technologically dated
Fourth Amendment precedents.

In City of Ontario v. Quon, 164 the Court was faced with the question of whether an employee
could have a reasonable expectation of privacy in text messages stored on a government
employer’s servers. 165 Yet rather than address the question head on, the Court ruled that the
search was reasonable regardless of the employee’s privacy interest.

In Riley v. California, 166 the Court unanimously refused to extend the traditional
search-incident-to-arrest exception, by which arresting officers could rifle through the effects of an
arrestee without Fourth Amendment scrutiny, to the search of an arrestee’s cell phone. Chief Justice
Roberts explained that to compare the search of a cell phone to that of a wallet or a purse “is like
saying a ride on horseback is materially indistinguishable from a flight to the moon.” “Modern
cell phones, as a category, implicate privacy concerns far beyond those implicated by the search
of a cigarette pack, a wallet, or a purse. Any extension of that reasoning to digital data has to rest
on its own bottom.” 167 These cases suggest that the Court is aware that modern surveillance
technologies represent a problem for traditional Fourth Amendment doctrine, but is still casting
about for a solution that might prove workable in the context of data mining.

162 Kyllo v. United States, 533 U.S. 27, 37–38 (2001).
163 Id.
164 City of Ontario v. Quon 130 S. Ct. 2619 (2010).
165 Id.
166 Riley v. California 134 S. Ct. 2473 (2014).
167 Id.

4.6 Laws relating to Electronic Privacy in US:

4.6.1 Electronic Communication Privacy Act, 1986:

The passing of the Electronic Communications Privacy Act of 1986 ("ECPA") 168 was considered
a victory for privacy by many in the US. It created the statutory framework of privacy protections
and related standards for law enforcement access covering electronic communications and
remotely stored electronic records. Significantly, the ECPA established the standards that
currently control law enforcement access to personal e-mail and electronic records, such as
pictures and date books, stored on remote servers.

In 1986, relatively few people had Internet access; commercial electronic mail services and
commercial data processing centers were emerging, but both primarily served the business
community. The World Wide Web was barely a gleam in its creator's eye. Today, increasing
numbers of individuals have adopted the Internet for business and interpersonal communication
and as a data repository. Millions of individuals use e-mail, chat, and "blog" on a daily basis.

The Electronic Communication Privacy Act, 1986 was enacted by the United States Congress to
extend government restrictions on wiretaps from telephone calls to include transmissions of
electronic data by computer. ECPA was an amendment to Title III of the Omnibus Crime
Control and Safe Streets Act of 1968 (the Wiretap Statute), which was primarily designed to
prevent unauthorized government access to private electronic communications. "Electronic
communications" means any transfer of signs, signals, writing, images, sounds, data, or
intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo
electronic or photo optical system that affects interstate or foreign commerce, but excludes the
following:

• Wire or oral communication
• Communication made through a tone-only paging device
• Communication from a tracking device (as defined in section 3117)
• Electronic funds transfer information stored by a financial institution in a communications
  system used for the electronic storage and transfer of funds

168 Electronic Communications Privacy Act, 18 U.S.C. (1986).

The body of electronic surveillance laws created by the ECPA breaks down into three statutes:
the Wiretap Act, 169 the Pen Register statute, and the Stored Communications Act ("SCA").170
The Wiretap Act and Pen Register statute regulate prospective surveillance of Internet
communications (communications "in transit"), and the SCA governs retrospective surveillance
(stored communications).

• Title I of the ECPA protects wire, oral, and electronic communications while in transit. It sets
  down requirements for search warrants that are more stringent than in other settings.
• Title II of the ECPA, the Stored Communications Act (SCA), protects communications held
  in electronic storage, most notably messages stored on computers. Its protections are weaker
  than those of Title I, however, and do not impose heightened standards for warrants.
• Title III prohibits the use of pen register and/or trap and trace devices to record dialing,
  routing, addressing, and signaling information used in the process of transmitting wire or
  electronic communications without a court order.

Under ECPA, it is relatively easy for a government agency to demand service providers hand
over personal consumer data stored on the service provider's servers. Email that is stored on a
third party's server for more than 180 days is considered by the law to be abandoned.

Amendments: The ECPA was significantly amended by the Communications Assistance to Law
Enforcement Act (CALEA) in 1994, the USA PATRIOT Act in 2001, the USA PATRIOT
Reauthorization Act in 2006, and the FISA Amendments Act of 2008.

Court Orders under the ECPA:

The ECPA divides the universe of communications that the government might wish to obtain
into three categories: (1) wire communications, which are voice communications that pass, at
some point, through a telephone or cable wire; (2) oral communications, which are words or
other sounds made by individuals in a context where they have an expectation of privacy; (3)
electronic communications, which is a residual category that includes every other type of signal
that is communicated by wire, radio, or other type of communications system. Wire
communications, e.g., telephone conversations, tend to be afforded the highest level of
protection.

169 18 U.S.C. §§ 2511-2522 (2000).
170 18 U.S.C. Chapter 121 §§ 2701–2712 (1986).

The Wiretap Act applies when the government wishes to intercept the content of a
communication at the time that it is made. To do so, the criminal prosecutor must obtain an order
from a court based on a finding that there is probable cause to believe that a particular criminal
offense has been or is about to be committed and that particular communications concerning the
offense will be obtained through the interception. 171 The court must also find that normal
investigative procedures are unlikely to succeed or to be too dangerous. The wiretap, as regulated
by the order, must minimize the likelihood of intercepting communications unrelated to the
criminal offense.172 Disclosure and use of the intercepted communications is permitted for law
enforcement as well as for foreign intelligence and national security purposes. 173

The targeted person must receive notice of the surveillance within 90 days after it is completed,
and, if determined to be in the interest of justice by the court, portions of the intercepted
communications. 174 An official who violates the terms of the Wiretap Act may be subject to
criminal penalties or civil damages. 175 Moreover, wire and oral, but not electronic,
communications that are illegally intercepted may be excluded from evidence in a court or
administrative proceeding. 176

The Stored Communications Act applies to records and communications held by two types of
service providers: providers of “electronic communications service” such as email accounts, and
providers of “remote computing service,” which covers outsourced storage and processing
services, what today is commonly referred to as the “cloud.” It covers the content of the material
in storage, such as the content of emails, metadata, such as from information on emails, and
subscriber records, such as the name, address, and payment method of the subscriber to the ISP.
The Stored Communications Act provides for different means of collection, corresponding to
different levels of privacy protection. The Stored Communications Act applies to a variety of
network providers, including certain social media sites and text messaging services.

171 18 U.S.C. § 2518(3).
172 18 U.S.C. § 2518(5).
173 18 U.S.C. § 2517.
174 18 U.S.C. § 2818(8)(d).
175 18 U.S.C. § 2511; 18 U.S.C. § 2520.
176 18 U.S.C. § 2518(10)(a).

For the content of unopened (and perhaps opened) emails in electronic storage for 180 days or
less, the government must obtain an ordinary criminal search warrant; for emails in electronic
storage for more than 180 days and other content files, the government has a choice between a
subpoena (administrative or judicial) with notice to the individual, notice plus a court order
based on “specific and articulable facts showing that there are reasonable grounds to believe”
that the information is “relevant and material to an ongoing criminal investigation”, or an
ordinary criminal search warrant; for metadata, a §2703(d) order or an ordinary criminal search
warrant; and for subscriber records, a subpoena (administrative or judicial), a 2703(d) order, or a
search warrant. In marked contrast with the Wiretap Act, there is no duty to narrowly tailor the
request for personal data or minimize the personal data once obtained based on its relevance to
the particular criminal investigation. 177 The Act does not restrict use and dissemination of that
personal data for other law enforcement purposes. While notice to the customer of the request is
generally required at some point, the remedies available are more limited than in the case of the
Wiretap Act: government officers can be sued in a civil action and can be criminally prosecuted
for violating the terms of the Stored Communications Act, but information acquired in violation
of the Act is not subject to exclusion in a criminal trial. 178

The Pen Register Act applies to metadata that is intercepted at the time that the communication is
made. It applies to the metadata associated with telephone calls (to/from information) and
Internet communications such as email (to/from information) and websites visited (IP addresses).
To install an interception device, the government must certify to a court that “the information
likely to be obtained by such installation and use is relevant to an ongoing criminal
investigation” and the court is then directed to issue an order authorizing such installation and
use.179 Contrary to both the Wiretap Act and the Stored Communications Act, the default rule is
that the individual subject to the surveillance is not notified of the device, even after the
conclusion of the investigation, 180 and the statute contains no particularity and minimization

177 Kerr O.S., The Next Generation Privacy Act, 162 U. Pa. L. Rev. 373, 402-404 (2014).
178 18 U.S.C. § 2707 (civil action); 18 U.S.C. § 2701 (criminal prosecution).
179 18 U.S.C. § 3123(a).
180 18 U.S.C. § 3123(d).

requirements, or use and dissemination restrictions. A government officer who knowingly fails to
obtain such an order can be fined or imprisoned. 181

The protections afforded by the ECPA (i.e. the Wiretap Act, the Stored Communications Act,
and the Pen Register Act) against unlawful disclosures by telecommunications and Internet
service providers do not turn on the nationality of the subscriber to the service. The ECPA is
designed to protect the three types of communications outlined above, as long as, in the case of
wire and electronic communications they pass through a system “that affects interstate or foreign
commerce”, 182 or, in the case of oral communications they are “uttered by a person”183. Likewise,
the statute defines the “user” of an electronic communications service broadly, as including “any
person”184 and defines “remote computing service” as “the provision to the public” 185 of storage
and processing services. Based on this statutory language, a federal court of appeals concluded in
a recent case that the ECPA “extends its protections to non-citizens.”186 In that case, which was
decided in the context of a civil fraud proceeding, a corporation sought access to the emails of an
Indian citizen, imprisoned abroad, that were stored on a US server by a US corporation,
Microsoft. The court found that the relevant provision of the ECPA, which protected the material
from disclosure, applied equally to the Indian citizen abroad. An EU citizen, therefore, would
enjoy the same guarantees as a US person under the ECPA.

In Smith v. Maryland,187 it was held that no warrant was required for the state’s use of a pen
register or trap and trace device, if the device merely identified the telephone numbers for calls
made and received from a particular telephone. No Fourth Amendment search or seizure
occurred, the Court held, since the customer had no justifiable expectation of privacy in
information which he knew or should have known the telephone company might ordinarily
capture for billing or service purposes.

181 18 U.S.C. § 3121(d).
182 18 U.S.C. § 2510(1),(12).
183 18 U.S.C. § 2510(2).
184 18 U.S.C. § 2510(13).
185 18 U.S.C. § 2711(2).
186 Suzlon Energy Ltd v. Microsoft Corp., 671 F.3d 726, 729 (9th Cir. 2011).
187 Smith v. Maryland 442 U.S. 735, 741-46 (1979).

4.6.2 Freedom of Information Act, 1967 188:

It requires the government to make available to the public certain government information. 189

4.6.3 Privacy Act, 1974 190:


The Privacy Act of 1974 is the closest analogue to a European Data Protection Law in that it
seeks to regulate comprehensively personal data processing, albeit only with respect to federal
government departments and agencies. It regulates the collection, use, and disclosure of all types
of personal information, by all types of federal agencies, including law enforcement agencies. At
a general level, the Privacy Act contains most of the elements of the EU right to personal data
protection. The Act prescribes guidelines within the framework of the Freedom of Information
Act to protect individual privacy by regulating the Federal Government's collection,
maintenance, use, or dissemination of personal, identifiable information. It provides individuals
a right of access to Federal agency records concerning them. 191

The Privacy Act requires transparency in personal data processing: the responsible government
agency must alert the public to the existence of a personal records system by publishing a notice
in the Federal Register (the U.S. equivalent to the EU’s Official Journal);192 when information is
collected from individuals, they must be told of the nature of the government database. 193
Personal information stored by government agencies that is used to make determinations about
individuals must be maintained with “such accuracy, relevance, timeliness, and completeness as
is reasonably necessary to assure fairness to the individual in the determination.” 194 The Privacy
Act requires that agencies establish “rules of conduct” for their employees and “appropriate
administrative, technical, and physical safeguards to insure the security and confidentiality of
records.”195 As for proportionality, the Privacy Act requires that the agency “maintain in its
records only such information about an individual as is relevant and necessary to accomplish a
purpose of the agency required to be accomplished by statute or by executive order of the

188 5 U.S.C. § 552.
189 5 USC § 552(a) (2001).
190 5 U.S.C. § 552a.
191 5 USC § 552 (2001).
192 5 U.S.C. § 552a(e)(4).
193 5 U.S.C. § 552a(e)(3).
194 5 U.S.C. § 552a(e)(5).
195 5 U.S.C. § 552a(e)(9)-(10).

President.”196 Sharing with other government agencies is, in principle, prohibited without the
consent of the individual involved. 197 Special protection is afforded for the sensitive data
category of information on how individuals exercise their First Amendment rights (freedom of
expression and association).198

The Privacy Act gives individuals the right of access to their records and the right to request
correction of “any portion thereof which the individual believes is not accurate, relevant, timely
or complete.” 199 Legal oversight under the Privacy Act is conducted largely by private litigants
and the courts: the Privacy Act gives individuals the right to sue the government for violations of
their Privacy Act rights and to obtain, depending on the circumstances, damages or injunctive
relief. 200 In addition, government officials may be criminally prosecuted for certain violations of
the Privacy Act.201 These same provisions afford individuals a judicial remedy for violations of
the Privacy Act.

4.6.4 Fair Credit Reporting Act, 1970 (FCRA):

The Act gave consumers the ability to stop the sharing of credit application information. 202 It is the
primary privacy statute establishing standards for the collection, maintenance, and disclosure of
credit information by credit agencies. 203 The FCRA seeks to protect the confidentiality of
information bearing on the creditworthiness and standing of consumers. The FCRA limits the
permissible purposes for which reports that contain such information (known as consumer
reports) may be disseminated, and consumer reporting agencies must verify that anyone
requesting a consumer report has a permissible purpose for receiving the report.
FACTA (Fair and Accurate Credit Transactions Act) is an amendment to FCRA (Fair Credit
Reporting Act) that was added, primarily, to protect consumers from identity theft. Similarly,
under the FCRA, as amended by FACTA, individuals have a right to opt out of having certain

196 5 U.S.C. § 552a(e)(1).
197 5 U.S.C. § 552a(b).
198 5 U.S.C. § 552a(e)(7).
199 5 U.S.C. § 552a(d).
200 5 U.S.C. § 552a(g).
201 5 U.S.C. § 552a(i).
202 15 USC § 1681 (2001). 'Information and Privacy: Questions and Answers', at <www.aba.com> (last visited on Apr. 1, 2018).
203 Laurence A. Young, 'The Landscape of Privacy' [2001] Conference on Consumer Finance Law, Quarterly Report.

consumer report information shared by a consumer reporting agency with an affiliate, in addition
to another opt-out opportunity prior to any use of a broader set of consumer report information
by an affiliate for marketing reasons.

The first US legislation specifically addressing the harmful consequences of personal data held
in computerized databases was the Fair Credit Reporting Act of 1970. Often referred to by its
initials, a common practice in US legal discourse, FCRA was passed to reform the consumer
credit reporting industry, imposing limits on data sharing and making it easier for individuals to
correct errors, the consequences of which could be severe. Many Americans might be surprised
to know that the first US president to highlight these issues was Richard Nixon. For example, in
February of 1974 Nixon gave a radio address titled ‘About the American Right of Privacy’ from
which it was clear that he understood how information technology’s dark side could extend far
beyond financial damage due to erroneous credit data. Nixon talked about careers being ruined
and worse: ‘marriages have been wrecked; reputations built up over a lifetime have been
destroyed by the misuse or abuse of data technology in both private and public hands’. FCRA
established a model for future US data protection legislation. First, address the interest of
individual citizens by providing notice of, and consent to, a specific type of personal data record.
Second, establish an administrative procedure for individual redress administered by a specified
agency (for FCRA, that agency is the FTC, the Federal Trade Commission). Third, address the
interests of law enforcement and national security by defining the terms and conditions under
which protected data can be accessed. These include the scope and purpose of the requested
access plus the desired level of justification. The latter can range from a “Fourth Amendment
warrant” supported by probable cause, down to a subpoena drafted by an attorney or police
officer, or even a simple written request from an agency administrator.

4.6.5 Electronic Fund Transfer Act, 1978:

The Act requires businesses to inform consumers of their information sharing practices with
regard to any electronic transaction. 204 For example, businesses that offer customers the
opportunity to transact business on-line must inform customers how the business will disclose
that information to third parties.

4.6.6 Occupational Safety and Health Act 1970:

It imposes restrictions on the maintenance of employees' medical records. Employers may be
required to disclose information to the government but cannot disclose this information to anyone
else.205

4.6.7 Health Insurance Portability and Accountability Act 1996:


Healthcare providers that transmit information are prohibited from using or disclosing protected
health information except under certain circumstances. These circumstances include minimum
disclosure for specific public policy related purposes affecting public health, research, health
oversight, law enforcement, and coroners. 206 The Privacy Rule promulgated pursuant to HIPAA
requires covered entities to provide individuals with a notice of privacy practices. The Rule
imposes several content requirements, including:

• The covered entities’ permissible uses and disclosures of PHI;
• The individual’s rights with respect to the PHI and how those rights may be exercised;
• A list of the covered entity’s statutorily prescribed duties with respect to the PHI; and
• Contact information for the individual at the covered entity responsible for addressing
complaints regarding the handling of PHI.

4.6.8 The Computer Fraud and Abuse Act, 1986 207:


It prohibits intentional acts of unauthorized computer access. It further provides for federal
prosecution of persons seeking access to a financial institution's computer or data files. 208

204 15 USC § 1693 (2001).
205 42 USC § 12101 (2001).
206 64 Fed. Reg. 59918 (2001).
207 18 U.S.C. § 1030.
208 18 USC § 1030 (2001).

4.6.9 The Children's Online Privacy Protection Act of 1998 (COPPA) 209:
It requires commercial Internet sites directed at children under the age of thirteen to provide a
privacy notice, obtain parental consent before collecting certain information, and restrict the
disclosure of collected information. 210 It imposes extensive obligations on organizations that
collect personal information from children under 13 years of age online. COPPA’s purpose is to
provide parents and legal guardians greater control over the online collection, retention and
disclosure of information about their children.

Operators of websites or online services that are directed to children under 13 years old, or who
knowingly collect information from children online, must provide a conspicuous privacy notice
on their site. The notice must include statutorily prescribed information, such as the types of
personal information collected, how the operator will use the personal information, how the
operator may disclose the personal information to third parties, and details regarding a parent’s
ability to review the information collected about a child and opt out of further information
collection and use. In most cases, an operator that collects information from children online also
must send a direct notice to parents that contains the information set forth above along with a
statement that informs parents the operator intends to collect the personal information from their
child. The operator also must obtain verifiable parental consent prior to collecting, using or
disclosing personal information from children.

The CAN-SPAM Act of 2003: In 2003, Congress enacted the Controlling the Assault of Non-Solicited
Pornography and Marketing Act (CAN-SPAM). The Act restricts knowingly sending
commercial messages to deceive or mislead recipients. It requires spammers to include a return
address to allow people to opt out and it creates civil and criminal penalties for violations. In
Remsburg v. Docusearch 211 the New Hampshire Supreme Court adopted a bold new theory
upon which companies could be liable for the way they disseminate personal information. In this
case, a man bought data about a woman from a database company. He used the information
about her work address to confront her at her place of employment and kill her. The court held
that the company could be liable if it did not act with “reasonable care in disclosing a third
person’s personal information to a client.”

209 15 U.S.C. 6501–6505.
210 15 USC 6501 (2001).
211 https://caselaw.findlaw.com/nh-supreme-court/1132429.html (last visited on Apr. 11, 2018).

Privacy Policies and Contract Law:

After 9/11, federal agencies contacted several airlines and requested that they turn over their
passenger records, which contained personal information about passengers including names,
flight numbers, credit card information, hotel information, and meal requests. Several airlines
complied, but their compliance was in breach of their privacy policies. In several cases, groups of
plaintiffs sued the airlines for breach of contract. However, courts concluded that general
statements of policy were not contractual and that the plaintiffs had failed to establish damages.

Data Security Breaches:

In February and March of 2005, several data brokers announced major
security breaches in the personal data that they stored. Choice Point, one of the largest data
brokers with files on nearly every American citizen, sold personal data on over 145,000 people
(the figure was later revised to 162,000) to fraudulent companies established by a ring of identity
thieves. Other companies announced data leaks and break-ins, including LexisNexis.

These events gave renewed attention to the growing problem of identity theft, a crime that affects
about 10 million Americans each year. The Choice Point breach came to light when Choice Point
mailed letters to 30,000 California residents informing them of what had happened. This
disclosure was done pursuant to California’s security breach notice requirement, which provided:
Any person or business that conducts business in California, and that owns or licenses
computerized data that includes personal information, shall disclose any breach of the security of
the system following discovery or notification of the breach in the security of the data to any
resident of California whose unencrypted personal information was, or is reasonably believed to
have been, acquired by an unauthorized person. The disclosure shall be made in the most
expedient time possible and without unreasonable delay, consistent with the legitimate needs of
law enforcement.

Soon thereafter, the attorneys general of other states began demanding that their residents be
notified as well, and Choice Point announced that it would voluntarily notify all who had been
affected. By early 2006, nearly half of the states had passed security breach disclosure laws
similar to California’s, and about a dozen had passed security freeze laws that allow people to
freeze access to their credit reports.

4.6.10 PRIVACY IN THE GRAMM, LEACH, BLILEY ACT, 1999 (GLBA):
In November 1999, the U.S. Congress passed the greatest piece of bank restructuring legislation
since the 1930s, the Gramm-Leach-Bliley Act (GLBA). Although this Act is primarily
concerned with the breaking down of the 'Glass-Steagall' barrier and the creation of the new
'financial holding company', 212 the inclusion of a special Title V on privacy was essential to the
ultimate passage of this Act.213

Specifically, Title V, Subtitle A of the Act governs the treatment of nonpublic personal
information about consumers by financial institutions. This is a compromise approach. The
limited version in Title V was finally agreed to, with the understanding that Congress would be
reviewing this issue more generally in the next congressional session(s). Section 508 of the Act
commissioned a report by the Secretary of the Treasury, in conjunction with federal banking
regulators, to study the effectiveness of the Act's privacy provisions. 214 Under GLBA, customers
and consumers have a legal right to opt out of having their non-public personal information
shared by a financial institution with third parties.

Key privacy concepts:

Some of the key concepts of the GLBA's Title V Privacy Provisions are as follows:

• First, Title V applies only to financial institutions. A financial institution is any institution
engaged in activities that are financial in nature or incidental to such financial activities.
Financial institutions include banks, securities brokers and dealers, insurance underwriters
and agents, finance companies, mortgage bankers, and travel agents. 215
• Second, Title V restricts the sharing of nonpublic personal information. Nonpublic personal
information generally is any information that is not publicly available and that: a consumer
provides to a financial institution to obtain a financial product or service from the institution,
results from a transaction between the consumer and the institution involving a financial

212 Gramm, Leach, Bliley Act, Pub. L. No 106-102 (1999).
213 Id at § 501(a) (codified as amended at 15 USCA § 6801 (2000)).
214 Id at § 508(a) (codified as amended at 15 USCA § 6808 (2000)).
215 Privacy of Consumer Financial Information.

product or service, or a financial institution otherwise obtains about a consumer in
connection with providing a financial product or service. 216
• Third, Title V prevents the sharing of this nonpublic personal information with nonaffiliated third
parties. A nonaffiliated third party is any person except a financial institution's affiliate or a
person employed jointly by a financial institution and a company that is not the institution's
affiliate. An affiliate of a financial institution is any company that controls, is controlled by, or
is commonly controlled with the financial institution. But Title V does allow disclosures by a
financial institution to its own agents to market the institution's products or services.
• Fourth, the distinction between consumers and customers is important because Title V creates
additional duties for financial institutions with respect to customers. Consumers who are not
customers are entitled to an initial privacy opt-out notice only if their financial institution wants
to share their nonpublic personal information with nonaffiliated third parties outside of the
exceptions. A customer is a consumer who has a customer relationship with a financial
institution. Customers are entitled to initial and annual privacy notices regardless of the
information disclosure practices of the financial institution. Moreover, a financial institution
must not disclose an account number or similar form of access number or access code for a
credit card, deposit, or transaction account to any nonaffiliated third party.

It is unusual in the United States to find any comprehensive privacy laws that enumerate a
complete set of rights and responsibilities for those who process personal data.” 217 Rather,
regulation of the use and disclosure of personal information focuses on “specific, sectoral
activities,” such as credit reporting, health care, or E-commerce. Accordingly, informational
privacy is governed by a variety of different laws, administered by different agencies or

217 Paul M. Schwartz, Privacy and Democracy in Cyberspace, 52 VAND. L. REV. 1609, 1632 (1999).

sometimes by no agency at all218 setting forth divergent requirements governing the treatment of
information by type and business sector.219

4.6.11 CLOUD ACT, 2017:


The CLOUD Act (Clarifying Lawful Overseas Use of Data Act), 2017, which will allow the US
government more access to Americans’ data for law enforcement purposes, as well as foreign
governments’ access to US companies for data on their own citizens, has been signed into law by
President Donald Trump on March 23. It creates a modern legal framework for how law
enforcement agencies can access data across borders.

Five years ago, the United States Department of Justice (DOJ) issued a warrant to Microsoft to
hand over the data of one of its customers, who was suspected of being involved in illegal
activity. The controversy, however, was that the customer in question was Irish, lived in
Ireland, and his digital communications resided on a data server in Ireland. The issue was
whether Microsoft was legally obligated to turn over data on a private Irish citizen to American law
enforcement authorities without the permission of the Irish government. The CLOUD Act is basically an update
to the Electronic Communications Privacy Act (ECPA), a series of laws that regulate how U.S.
law enforcement officials can access data stored overseas. Up until last week, the U.S. could
only access data stored overseas through mutual legal-assistance treaties (MLATs). With an
MLAT, two or more nations put in writing exactly how they are willing to help each other with
legal investigations. The Senate votes on each MLAT, and it must receive a two-thirds
approval to pass. The CLOUD Act also gives the executive branch the ability to enter into
“executive agreements” with foreign nations, which could allow each nation to get its hands on
user data stored in the other country, no matter the hosting nation’s privacy laws. These
agreements don’t require congressional approval.

218 Right to Financial Privacy Act (RFPA) of 1978, 12 U.S.C. §§ 3401-3422 (2006) (protecting the confidentiality of
personal financial records by creating a statutory Fourth Amendment protection for bank records); Electronic
Communications Privacy Act (ECPA) of 1986, 18 U.S.C. §§ 2510-2522 (extending restrictions against wiretaps to
include transmissions of electronic data by computer); Video Privacy Protection Act (VPPA) of 1988, 18 U.S.C. §§
2710-2712 (preventing disclosure of personally identifiable rental records of “prerecorded video cassette tapes or
similar audio visual materials”).
219 Gramm-Leach-Bliley Financial Services Modernization Act (GLBA), 15 U.S.C. §§ 6801-6809, 6821-6827
(empowering various agencies to promulgate data-security regulations for financial institutions); Health Insurance
Portability and Accountability Act (HIPAA) of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as
amended in scattered sections of 18, 26, 29, and 42 U.S.C.) (regulating the use and disclosure of “Protected Health
Information”).

In United States v. Microsoft, 220 Microsoft argued that the SCA, prior to enactment of the
CLOUD Act, did not cover requests for the contents of communications stored overseas. Many
other tech companies took the same position. The CLOUD Act now effectively moots the
question that was presented in Microsoft. It leaves no doubt that the SCA applies to data stored
overseas by companies subject to jurisdiction in the United States.

4.7 Role of Federal Trade Commission In Protection Of Consumers’ Privacy:

Fair Information Practice Principles: There are five core principles of privacy protection: (1)
Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5)
Enforcement/Redress. 221 But out of these five core principles notice and consent principles are
the most important when it comes to the protection of online privacy of consumers.

Notice/Awareness:

The most fundamental principle is notice. Consumers should be given notice of an entity’s
information practices before any personal information is collected from them. Without notice, a
consumer cannot make an informed decision as to whether and to what extent to disclose
personal information. Moreover, three of the other principles discussed below (choice/consent,
access/participation, and enforcement/redress) are only meaningful when a consumer has notice
of an entity’s policies, and his or her rights with respect thereto.

Choice/Consent:

The second widely-accepted core principle of fair information practice is consumer choice or
consent. At its simplest, choice means giving consumers options as to how any personal
information collected from them may be used. Specifically, choice relates to secondary uses of
information, i.e., uses beyond those necessary to complete the contemplated transaction. Such
secondary uses can be internal, such as placing the consumer on the collecting company’s

220 United States v. Microsoft 253 F.3d 34.
221 https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-report-congress/priv-23a.pdf (last visited on Apr. 11, 2018).

mailing list in order to market additional products or promotions, or external, such as the transfer
of information to third parties.

Outside of the regulated industries context, the Federal Trade Commission (FTC) is the primary
federal privacy regulator in the US. Section 5 of the FTC Act, which is a general consumer
protection law that prohibits ‘unfair or deceptive acts or practices in or affecting commerce,’ is
the FTC’s primary enforcement tool in the privacy arena. The FTC has used its authority under
section 5 to bring numerous privacy enforcement actions for a wide-range of alleged violations
by entities whose information practices have been deemed ‘deceptive’ or ‘unfair.’ Although
section 5 does not give the FTC fining authority, it does enable the Commission to bring
enforcement actions against alleged violators, and these enforcement actions typically have
resulted in consent decrees that prohibit the company from future misconduct and often require
audits biennially for up to 20 years. 222 Under section 5, the FTC is able to fine businesses that
have violated a consent decree. At the state level, attorneys general also have the ability to bring
enforcement actions for unfair or deceptive trade practices, or to enforce violations of specific
state privacy laws. Some state privacy laws allow affected individuals to bring lawsuits to
enforce violations of the law.

The case of FTC v. Eli Lilly 223 was settled in 2002 after the agency alleged that the
pharmaceutical company failed to follow responsible code development practices and thereby
exposed the identity of people who had expressed an interest in Prozac, an anti-depressant
medication (FTC, 2002). The breach of personally identifiable information resulted from a
programming error. Research commissioned by the FTC and performed by the author and
colleagues, determined that this error would have been remediated if standard IT practices –
including preproduction testing – had been followed. While such practices were stipulated in the
company’s own policies, research indicated that these policies had not yet been applied to web-
and email-based marketing activities. From the FTC’s perspective, Lilly was culpable firstly of
deceiving consumers by assuring them on its website that their interest in Prozac, and their
personally identifiable information, would be kept private and secure. The FTC argued that such

222 Rosemary P Jay, https://www.huntonprivacyblog.com/wpcontent/uploads/sites/28/2011/04/DDP2015_United_States.pdf (last visited on Apr. 10, 2018).
223 https://www.ftc.gov/sites/default/files/documents/cases/2002/05/elilillydo.htm (last visited on Apr. 11, 2018).

assurances to the data subjects were material to their decision to provide that information.
Secondly, it was alleged that, by failing to live up to those privacy promises, Eli Lilly potentially
caused harm to the persons who were exposed.

Transparency has been a core priority in the FTC’s efforts to protect consumer privacy. Although
some of our early work focused on the use of online privacy statements to inform consumers
about the collection and use of their information, more recently we, along with many others,
have recognized the limitations of that approach. The commission has also recognized privacy in
the health sector. The Commission entered into a consent agreement with CVS Caremark
Corporation, requiring the company to properly dispose of sensitive information, including
prescription information. 224

Self- Regulation And Fair Information Practice Principles (FIPP):

The FIPPs are sometimes known as just the Fair Information Practices (FIPs). The FIPPs were first stated in
a 1973 report by the U.S. Department of Health, Education, and Welfare (HEW), and they
became extremely influential in shaping privacy law in the United States and around the world.
For example, the FIPPs were restated and expanded in the OECD Guidelines of 1980 as well as
the Asia Pacific Economic Cooperation (APEC) Privacy Framework of 2004. One of the most
prominent FIPPs is the individual’s right to have notice about the data gathered about them and
the right to know how it will be used. Another of the most prominent FIPPs is the individual’s
right to consent to the collection and use of her personal data. These two FIPPs became the
backbone of the U.S. self-regulatory approach, with privacy policies seeking to satisfy the right
to notice, and with user choice seeking to satisfy the right to consent.

For example, in 1999, America Online (AOL)’s privacy policy stated: “In general, our service
automatically gathers certain usage information like the numbers and frequency of visitors to
AOL.COM and its areas, very much like television ratings that tell the networks how many
people tuned in to a program. We only use such data in the aggregate.” The policy went on to
assure visitors that AOL “does not use or disclose information about your individual visits to
AOL.COM or information that you may give us, such as your name, address, email address or

224 https://www.ftc.gov/sites/default/files/documents/public_statements/role-ftc-consumer-privacy-protection/091208iapp.pdf (last visited on Mar. 28, 2018).

83
telephone number, to any outside companies.” This very early privacy policy included a
certification seal from TRUSTe, which certified that the partnered website would notify its users
about “what information is gathered, how the information is used; and who information is shared
with.”225

In Re DoubleClick Inc. Privacy Litigation:226 DoubleClick Inc. (defendant) was the world’s
largest provider of Internet advertising products. When Internet users (plaintiffs) visited any
DoubleClick-affiliated website, a cookie would be placed on the user’s hard drive. Typically, the
purpose of a cookie is to store data like usernames and passwords to make it easier for users to
access websites. The plaintiffs claimed, however, that DoubleClick’s cookies collected other
private and personal information, like names, addresses, phone numbers, and Internet browsing
activity. The plaintiffs sued, alleging both statutory and common-law claims. One claim was an
alleged violation of Title II of the Electronic Communications Privacy Act (ECPA), which
prohibits unauthorized access to communications facilities to access stored electronic
communications. DoubleClick eventually entered into a settlement agreement with the plaintiffs.
Under the settlement's terms, DoubleClick was required to explain its privacy policy in
"easy-to-read" language; conduct a public information campaign consisting of 300 million
banner ads inviting consumers to learn more about protecting their privacy; and institute data
purging and opt-in procedures, among other requirements.

The US is one of the most developed countries in terms of internet technology. In the US, the
protection of the right of E-commerce consumers to privacy has been sought through the means
of self-regulation by the E-commerce industry.227 The US mainly advocates taking advantage of
industry self-regulation to protect the E-commerce consumer's right to privacy. However, its
first real legislation on networks in which consumer interests are considered came when it
passed the Children’s Online Privacy Protection Act on October 21, 1998. The Act focuses on the
protection of children’s privacy rights and clearly provides for provider obligations and
penalties when the consumer is 13 years old. The technique of self-regulation has proved to be
very effective in the US.

225
Daniel J. Solove & Woodrow Hartzog, The FTC And The New Common Law Of Privacy, 114 Columbia L. Rev.
583, 583-600 (2014).
226
Re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001).
227
supra note 115.

The primary source of authority for FTC privacy enforcement was Section 5, which prohibits
“unfair or deceptive acts or practices in or affecting commerce.”228 An “unfair or deceptive” act
or practice is a material “representation, omission or practice that is likely to mislead the
consumer acting reasonably in the circumstances, to the consumer’s detriment” or a practice that
“causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by
consumers themselves and not outweighed by countervailing benefits to consumers or to
competition.” Thus, in its enforcement under Section 5, the FTC had two bases for finding
privacy violations—“deceptive” trade practices and “unfair” trade practices. The Division of
Privacy and Identity Protection (DPIP) was created in 2006 and it enforces Section 5.

Unfair practices: an act or practice is unfair where it

• causes or is likely to cause substantial injury to consumers;
• cannot be reasonably avoided by consumers; and
• is not outweighed by countervailing benefits to consumers or to competition.

Public policy, as established by statute, regulation, or judicial decisions may be considered with
all other evidence in determining whether an act or practice is unfair.

FTC v. Accusearch, Inc.:229 Abika.com is a website owned by Accusearch. Abika made money
by selling private telephone records. It worked only as an intermediary - all research was done by
outside parties. The outside researcher would bill Accusearch, and Accusearch would bill the
end-user. The Accusearch website stated that its users could acquire "details of incoming or
outgoing calls from any phone number for every country of the world."

The FTC brought an action to stop Accusearch and its president (collectively "Accusearch")
from continuing sales of personal data and to disgorge its profits made from allegedly illegal
sales. The District Court issued the injunction, and Accusearch appealed. The Tenth Circuit
broadly supported the FTC’s authority under Section 5 to bring an action against a company that
wrongfully collected and disseminated confidential information. Accusearch based its claim of
immunity from this suit on the Communications Decency Act, 47 U.S.C. § 230 (2006) ("CDA"),
which states that “No provider or user of an interactive computer service shall be treated
as the publisher or speaker of any information provided by another information content
provider.”

228
15 U.S.C. § 45(a)(1).
229
FTC v. Accusearch, Inc 570 F.3d 1187 (2006).

The court found that Congress intended section 230 to, among other things, “encourage service
providers to self-regulate the dissemination of offensive material.” Because Accusearch had not
only failed to regulate itself, but had intentionally sought out unlawful transactions, as indicated
by its advertising, solicitation of orders, and processing of payments, the court found that
Congress would not have intended section 230 to protect it.

Outside of the specifically regulated contexts discussed above, a privacy notice in the US must
only be provided in the context of collecting personal information from consumers online. There
is no requirement of general application that imposes an obligation on unregulated organizations
to provide a privacy notice regarding their offline activities with respect to personal information.

4.8 Foreign Intelligence Surveillance Act, 1978 (FISA):


Congress passed FISA in 1978 to govern surveillance activities, including to:

(1) Establish a Foreign Intelligence Surveillance Court (FISC) (staffed with independent judges
with life tenure);

(2) Require a warrant issued by a FISC judge for electronic surveillance, to ensure high-level
approval of narrowly-tailored and targeted requests; and

(3) Create the Senate and House Intelligence Committees, to provide oversight of the Executive
Branch.

Section 702 contains important limitations, oversight, and accountability provisions,
including FISC approval of surveillance requests only after several safeguards have been met,
including that the government:

• have a valid “foreign intelligence purpose;”
• follow FISC targeting procedures;
• use specific identifiers to limit collections and avoid overly broad queries; and
• employ minimization procedures to destroy raw data between two and five years after
collection.

The United States has recently implemented several reforms to provide additional protections
and safeguards with respect to U.S. surveillance activities. Since 2013, the Review Group on
Intelligence and Communications Technology (“Review Group”) and the Privacy and Civil
Liberties Oversight Board (“PCLOB”) have provided independent, expert recommendations on
how the United States can reform its approaches to surveillance to respect privacy and civil
liberties while advancing national security. In 2014, Presidential Policy Directive-28 230 was
issued, which requires that all signals intelligence agencies:

• prioritize the protection of privacy, civil liberties, and personal information of people outside
of the United States;
• provide similar retention and dissemination policies for non-U.S. persons; and
• limit bulk collection of signals intelligence.

USA Freedom Act, 2015:

In June 2015, Congress passed the USA Freedom Act, which, among other things:

• prohibits bulk collection of intelligence information under Section 215 of the PATRIOT Act
and other authorities;
• increases transparency reporting by both companies and the U.S. government, by permitting
companies to publish statistics on the national security requests they receive and requiring
robust reporting by the U.S. government;
• codifies the Administration’s practice of systematically declassifying FISC decisions; and
• provides for “experts in privacy and civil liberties” to advise the FISC.

230
http://www.itic.org/dotAsset/9/3/935d1fab-cf99-45cd-8d54-2c3a13803aeb.pdf, (last visited on Apr. 11, 2018).

Judicial Redress Act, 2015:

The Act extends the Privacy Act of 1974. It provides qualifying non-U.S. individuals with the
rights to review, copy and request amendments to records about themselves maintained by federal
agencies.

4.9 Present Scenario of Online Privacy Laws in US:


Massachusetts law imposes certain specific data security standards, including required technical
safeguards, on all private entities with Massachusetts consumers or employees. Nevada's
encryption law requires that organizations that do business in Nevada and accept
payment cards comply with the Payment Card Industry Data Security Standard. It requires
that other organizations doing business in Nevada use encryption when transferring ‘any
personal information through an electronic, non-voice transmission other than a facsimile to a
person outside of the secure system of the data collector’, and when moving ‘any data storage
device containing personal information beyond the logical or physical controls of the data
collector or its data storage contractor’.

DuckDuckGo (DDG) is an Internet search engine that emphasizes protecting searchers' privacy
and avoiding the filter bubble of personalized search results. DuckDuckGo
distinguishes itself from other search engines by not profiling its users and by deliberately
showing all users the same search results for a given search term, and emphasizes returning the
best results, rather than the most results, generating those results from over 400 individual
sources, including crowd sourced sites such as Wikipedia, and other search engines
like Bing, Yahoo!, and Yandex.

The company is based in Paoli, Pennsylvania, in Greater Philadelphia, and has 40 employees.
The company name originates from the children's game duck, duck, goose. DuckDuckGo is very
clear in its privacy policy. DuckDuckGo says it doesn't track you, it doesn't send your searches to
other sites, by default it does not use any cookies, it does not collect personal information, it does
not log your IP address or other information about your computer that may be sent automatically
with your searches, it doesn't store any personal information at all. Those are pretty strong
promises, with no weasel-wording. And, as far as I can see, DuckDuckGo's privacy policy seems
like a model privacy policy. It is a model of clarity, plain language, and lack of legal obfuscation.

And privacy policies have bite. The FTC has filed lawsuits against companies that violate their own
advertised privacy policy. (Not just little companies you've never heard of: They even went after
Facebook!) The way privacy law works in the US is, basically, there are almost no privacy rules
that restrict what information web sites can collect except that if they have a privacy policy, they
must abide by it. Breaching your own privacy policy may be fraud, which is illegal. Also,
violating your own privacy policy represents "unfair or deceptive acts or practices", and the FTC
is empowered to pursue anyone who engages in "unfair or deceptive acts or practices" in court.
DuckDuckGo would be pretty dumb to breach their own privacy policy; their privacy policy is
clear and unambiguous and leaves them little wiggle room.

DuckDuckGo is a search engine that pledges not to collect any information on you or your
searches. You can search using DuckDuckGo's website instead of Google.com, or you can
download an extension if you still want to search using your address bar.

State Breach Laws:

At present, 47 states, the District of Columbia, the US Virgin Islands, Guam and Puerto Rico
have enacted breach notification laws that require data owners to notify affected individuals in
the event of unauthorized access to or acquisition of personal information, as that term is defined
in each law. In addition to notification of individuals, the laws of 15 states also require notice to
a state regulator in the event of a breach, typically the state attorney general. Although most state
breach laws require notification only if there is a reasonable likelihood that the breach will result
in harm to affected individuals, a number of jurisdictions do not employ such a harm threshold
and require notification of any incident that meets their definition of a breach.

California Shine The Light Law:

It is a privacy law passed by the California State Legislature in 2003. It became an active part of
the California Civil Code on January 1, 2005. It is considered one of the first attempts by a state
legislature in the United States to address the practice of sharing customers' personal
information for marketing purposes, also known as "list brokerage." The law outlines procedures
requiring companies to disclose upon the request of a California resident what personal
information has been shared with third parties, as well as the parties with which the information
has been shared.

The “Shine the Light” law was created in an attempt to protect the privacy of California residents
and help end these undesirable business practices by making it a requirement that businesses
disclose certain information that those businesses collect and then share with third parties for
marketing purposes, as well as let consumers know with whom their personal information was
shared.231

In order to comply with the requirement of this law, the business entity must provide the details
of the third party who has used the personal information of the consumers. If a customer requests
information under the law and the business does not provide this information, the customer
may file a civil lawsuit to recover damages that he feels were caused by the failure to disclose.
Typically, a business will have a 90-day grace period in which the information the customer
requested can be finally provided to him. If the information is provided within this grace
period, the business will not have to pay damages. Damages are limited to $500 unless a willful,
intentional or reckless violation is found by the court. In that case, damages can be as high as
$3,000 and there will be no 90-day grace period.

4.10 OECD Guidelines and International Privacy:


Internationally, there was substantial growth in information privacy law. The most significant
development was the creation of guidelines for the protection of information privacy by the
Organization of Economic Cooperation and Development (OECD) in 1980. 232 The OECD
Privacy Guidelines built upon the Fair Information Practices articulated by HEW in 1973. The
OECD Guidelines contain eight principles:

• collection limitation—data should be collected lawfully with the individual’s consent;
• data quality—data should be relevant to a particular purpose and be accurate;
• purpose specification—the purpose for data collection should be stated at the time of the data
collection and the use of the data should be limited to this purpose;
• use limitation—data should not be disclosed for different purposes without the consent of the
individual;
• security safeguards—data should be protected by reasonable safeguards;
• openness principle—individuals should be informed about the practices and policies of those
handling their personal information;
• individual participation—people should be able to learn about the data that an entity
possesses about them and to rectify errors or problems in that data;
• accountability—the entities that control personal information should be held accountable for
carrying out these principles.

231
https://termsfeed.com/blog/your-california-privacy-rights/ (last visited on Apr. 11, 2018).
232
GUIDELINES ON THE PROTECTION OF PRIVACY AND TRANSBORDER FLOWS OF PERSONAL DATA, available in
MARC ROTENBERG, PRIVACY LAW SOURCEBOOK (2002). For a comparison of U.S. privacy law to the OECD
guidelines, see Joel R. Reidenberg, Restoring Americans’ Privacy in Electronic Commerce, 14 BERKELEY J. L. & TECH.
771 (1999).

Thus, the laws of US enhance the privacy of a consumer. On the other hand, Indian laws are not
efficient enough to deal with the online privacy of consumers which leads to lack of trust in
Electronic Commerce.

CHAPTER-5 CONCLUSIONS AND SUGGESTIONS:

The first part of this chapter deals with the chapter-wise conclusions. On the basis of the research
conducted, the following findings are submitted hereunder:

A) Conclusions

Findings:
The first research question that has been formulated was what is the meaning of privacy and
electronic commerce? From the study of second chapter which is the conceptual analysis of
privacy and electronic commerce vis-à-vis consumer rights, it can be summed up that privacy is
an inherent right possessed by an individual. Electronic commerce deals with every platform
which uses the medium of internet for buying and selling products and services.

Based on the research carried out in chapter three, it can rightly be said that “the age of
online privacy is dead, and we killed it.” Chapter three has answered the research question of
how the privacy of consumers is infringed in an online medium. Technology liberates and confines;
it creates and it destroys. It brings us marvelous gifts, but it is dangerous and powerful as well.
What the new world of technology means for a free society is not yet clear. A free society, after
all, does not rest on formal laws, documents, constitutions, and codes. These are, of course,
important. Legal culture is never static. It changes with the times. Yesterday is already history.
Yesterday leaves its traces behind, but today and tomorrow are what really count. Technology
has changed our society, and continues to change it. Where the road is taking us, is something
beyond our feeble powers to predict. In this chapter, it has been shown that the privacy problem
focuses on providing individuals the ability to control how their data is managed and used by a
particular organization. In this chapter, cases of Supreme Court have also been cited to show the
importance of privacy to an individual.

Chapter four has dealt with the existing laws that are prevalent in India and the US on privacy in
E-Commerce. Research questions three, four and five have been answered in this chapter. Plenty
of cases have been dealt with in this chapter which clearly show that Indian laws are
inefficient to deal with the issue of online privacy of the consumers. In totality, the present laws
provide no real legal protection to consumers except through the IT Act, 2000. However, the IT
Act in itself is not adequate to deal with the issue of privacy of consumers in electronic commerce.
Moreover, the A P Shah report on online privacy has been discussed, which clearly talks about nine
principles, out of which the notice and consent principles are the most important.

On the other hand, the privacy laws of US can be said to be a patchwork of various laws. As US
is a federal country, having a uniform legislative framework is very difficult. In the US, privacy
protection is essentially a liberty protection i.e. protection of the personal space from
government. Thus, the American understanding of the right to be let alone has come to represent
a desire for as little government intrusion as possible. The FTC has described notice and consent
to be the most fundamental principles, and has focused all of its privacy related efforts on getting
websites to post privacy policies and its enforcement efforts in holding websites accountable
when they fail to adhere to them. Further, US statutes and regulations have also tended to focus
on notice and consent.

The hypothesis in this research work was that, in comparison to US privacy laws in electronic
commerce, Indian law is ill-equipped and fails to meet the emerging challenge of affording adequate
protection to consumer’s privacy online. Thus, it has been proved through the work that Indian
laws are not adequate for the protection of consumers in E-Commerce.

On the basis of the study, these major concerns can be highlighted:

Firstly, Indian laws are not adequate to deal with the privacy of consumers in Electronic
commerce. Privacy issues pose a major hurdle in building trust with the consumers when they
buy or sell online.

Secondly, personal information of consumers while dealing in an E-commerce platform is in real
danger. The real problem lies in the fact that once the information has been registered online,
whether with due consent or without it, it remains there forever. Since personal information has
to be given for any kind of transaction online, traces of the information can be easily found
without consent of a consumer. This has raised serious privacy concerns for a consumer.

Thirdly, there is evidence of misappropriation of personal information of consumers in
E-Commerce, which has given rise to questions about its authenticity for transactions. Privacy is
an intrinsic part of a human being, and its infringement without consent raises an important issue
that has to be dealt with in a stringent manner.

B) Suggestions

• It is recommended that India should have a set of clear guidelines on the collection,
monitoring, storage, and owning of data, for authorities, tech companies and other
stakeholders which are in the area of collecting user data.
• It is recommended to have a strong privacy policy and security measures to protect the
citizens from potential cyber security threats and misuse of power in the hands of the
government and private parties. The privacy law should be drafted in such a way that it
protects all forms of personal data such as passwords, financial information, health
conditions, medical history, and biometric information along with a requirement to seek
consent of individuals before collecting any personal information. If an application needs the
personal information of the user, then that data needs to be destroyed soon after its use.
• It is recommended to have a regulatory body like TRAI (Telecom Regulatory Authority of
India) regulate how data is being used and captured and the availability of data in the public
domain by state and non-state actors.
• Seek judicial authorization for access to any information stored in any data centre, if the need
arises.
• Provide proper physical and digital safeguards for different data centers.
• Develop tools with Privacy Enhancing Technology integration to allow users control over
their location disclosure and give them the choice of remaining anonymous.
• Immediately end all ongoing mass-surveillance and refrain from collecting data on citizens
en masse in the name of national security or public order.
• In cases of national security or counter-terrorism purpose, obtain prior authorization.
• It is recommended that while collecting data from users, there should be informed notice and
consent from users on the storing and usage of data.
• It is recommended that there is a need to educate the end user and simplify the language used
to write the policy, user agreements, and terms & conditions as much as possible. End user
agreements need to be simpler and specific. The exclusions should be highlighted to show
which data will be shared and which will not be. The user needs to be specifically informed
about where and how his or her data will be used (purpose) and the data collected should be
limited to the declared use.
• The current need of India is to have a law that will strictly comply with the OECD and FTC
guidelines, which lay down the standard principles of notice and consent for consumer’s
protection online. Having a sound legislative framework in the present era of technology is a
must. Today’s world can be called the world of E-commerce. Having a strong legislation
would lead to a tremendous growth in E-commerce activities and would be a boon to
the online world.

So, exceptional attention and an innovative approach are needed at the time of developing
new digital platforms for public services, as users look for guaranteed quality, anonymity,
privacy, and security. It is suggested to use Privacy Enhancing Technologies during the
development process of those platforms. This is the time for a new deal on data, and
governments need to ensure protection of personal privacy and freedom.

Thus, the above-mentioned principles, if adopted by companies, will serve a great deal in
protecting consumer’s privacy online. On the other hand, enacting a law solely on consumer
privacy protection should be the focus of the legislature. India can take help from California’s
Shine the Light law in this context.

India should also adopt a law similar to California’s Shine the Light law, which protects the
consumer’s information online. If India has to become a consumer-friendly industry, then it must
protect its consumer’s information by ensuring that their privacy remains intact. “A citizen has a
right to safeguard the privacy of his own, his family, marriage, procreation, motherhood,
child-bearing and education among other matters. None can publish anything concerning the
above matters without his consent whether truthful or otherwise and whether laudatory or
critical.” This particular holding frames privacy as a horizontal right because it restrains
“everybody”, not just the state, from reporting on private matters.

India is not painting on a blank canvas. Indeed, a patchwork of laws, such as the Information
Technology Act and various laws in the financial sector, have previously touched on discrete
data protection issues. But, in the wake of the Supreme Court of India’s decision in Puttaswamy
vs. Union of India, in which the court recognized a fundamental right to privacy, the journey to
begin crafting a comprehensive framework for India has begun in earnest.

India has a fantastic opportunity to innovate and come up with a new regulatory framework.
We shouldn’t fritter it away by replicating an outdated model of European data regulation,
which even the Europeans are struggling to implement. India should adopt a legislative
framework like that of the US, although not in the strict sense; certain laws like those of the US
can be adopted in India as well. At the other end of the spectrum is the US approach, which
focuses on protecting the individual from excessive State regulation. The US model recognizes the
value of data vis-a-vis encouraging innovation, and therefore allows collection of personal
information as long as the individual is informed of such collection and use.

But we also need to be alive to the fact that the Indian bureaucracy and Indian political system
work very differently from those of the US. Our systems of governance are already far too centralized,
concentrating too much power in the hands of too few. Creating a centralized privacy
protection authority will contribute to that centralization of power and will have ramifications
for liberty, freedom and economic competition in 21st century India.

Thus, let’s change the internet, for the better. Let’s encourage countries and states to serve as
laboratories of change, testing theories for what might be a better internet or a worse internet.
Let’s stop treating the internet like it’s a fragile figurine that we might break through rough
handling. We couldn’t kill it if we tried.
